rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] 5play string encryption #388

Open ghost opened 6 months ago

ghost commented 6 months ago

Describe the detection issue

5play recently implemented their own string encryption in smalis. It calls a native function from libRMS.so to decrypt strings. It would be great to detect it.

File: /smali/ۨۦۤ.smali smali.zip

String replacement examples:

Orig:

    const-string v4, "FMOD"

Replaced:

    const v4, 0x599

    invoke-static {v4}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;

    move-result-object v4

Orig:

    const-string v0, "com.google.android.gms.dynamic.IObjectWrapper"

Replaced:

    const v0, 0x597

    invoke-static {v0}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;

    move-result-object v0

APKiD current results:

    m@vm-virtual-machine:~$ apkid '/home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk'
    [+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
    [*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!classes.dex
     |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
     |-> compiler : dexlib 2.x
    [*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/arm64-v8a/libpairipcore.so
     |-> protector : Google Play Integrity
    [*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/arm64-v8a/libRMS.so
     |-> packer : 5play.ru
    [*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/armeabi-v7a/libpairipcore.so
     |-> protector : Google Play Integrity
    [*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/armeabi-v7a/libRMS.so
     |-> packer : 5play.ru

Sample https://5play.org/19123-moonvale-%E2%80%93-%D0%B4%D0%B5%D1%82%D0%B5%D0%BA%D1%82%D0%B8%D0%B2%D0%BD%D1%8B%D0%B9-%D1%82%D1%80%D0%B8%D0%BB%D0%BB%D0%B5%D1%80.html
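A triage heuristic for the call-site pattern shown in the report, as an added example that is not part of the original issue and is not APKiD's own rule: it flags static `(I)Ljava/lang/String;` methods outside framework packages that are called with several distinct integer constants. The sample input is constructed from the snippets above; the function names, the framework-prefix list and the threshold are assumptions.

```python
import re
from collections import defaultdict

# const vX, 0x.. -> invoke-static {vX}, Lcls;->m(I)Ljava/lang/String; -> move-result-object
CALL_SITE = re.compile(
    r"\bconst(?:/4|/16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+)\s+"
    r"invoke-static\s*\{\1\},\s*(L[^;\s]+;)->([^(\s]+)\(I\)Ljava/lang/String;\s+"
    r"move-result-object\s+[vp]\d+"
)

# Assumption: int-to-String helpers in these packages (Integer.toString,
# String.valueOf, ...) are benign and would otherwise be false positives.
FRAMEWORK_PREFIXES = ("Ljava/", "Landroid/", "Lkotlin/")

# Constructed sample: the two "Replaced" snippets from the report plus one
# benign framework call that matches the same instruction shape.
SAMPLE_SMALI = """
    const v4, 0x599
    invoke-static {v4}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;
    move-result-object v4

    const v0, 0x597
    invoke-static {v0}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;
    move-result-object v0

    const/16 v1, 0x2a
    invoke-static {v1}, Ljava/lang/Integer;->toString(I)Ljava/lang/String;
    move-result-object v1
"""

def find_lookup_calls(smali_text):
    """Return (class, method, index) for every int-to-String static call site."""
    return [(m.group(3), m.group(4), int(m.group(2), 16))
            for m in CALL_SITE.finditer(smali_text)]

def likely_decryptors(smali_text, min_indices=2):
    """Keep non-framework targets that receive several distinct constants."""
    indices = defaultdict(set)
    for cls, method, idx in find_lookup_calls(smali_text):
        if not cls.startswith(FRAMEWORK_PREFIXES):
            indices[(cls, method)].add(idx)
    return {t: sorted(v) for t, v in indices.items() if len(v) >= min_indices}

if __name__ == "__main__":
    for (cls, method), idxs in likely_decryptors(SAMPLE_SMALI).items():
        print(f"{cls}->{method}: {len(idxs)} distinct indices {idxs}")
```

The regex only tolerates whitespace between the three instructions, so `.line` directives or other instructions in between would need to be handled before using it on real disassembly.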

enovella commented 6 months ago

Hi @Yehh22,

Do you have more samples to tweak the final fingerprint?

ghost commented 6 months ago

> Hi @Yehh22,
>
> Do you have more samples to tweak the final fingerprint?

Here is another one: https://5play.org/11448-majnkraft.html (minecraft-1.20.81.01-mod-menu-5play.apk). Didn't reupload it because the file is too large and my upload speed is too slow.