Closed brandonros closed 11 months ago
This isn't an issue with the module directly as it seems the app is detecting root or Zygisk/LSPosed. Did you install Shamiko and enable the app in Magisk's DenyList? Make sure to not enable "Enforce DenyList" for Shamiko to work correctly.
That worked. Thank you very much.
@BlackMesa123 if you have to add an app to Magisk's DenyList, is there a way to still blend it with LSPosed/Xposed hooks or not really? It's all or nothing?
> @BlackMesa123 if you have to add an app to Magisk's DenyList, is there a way to still blend it with LSPosed/Xposed hooks or not really? It's all or nothing?
Enabling an app in the DenyList will make sure Magisk disables itself completely for that specific app to avoid root detection (Shamiko actually does the job in this case as it hides every Magisk/Zygisk/LSPosed traces to the apps in the list), so you can’t do that unless you manage to bypass the root checks in the apps via the hooks (which requires anyway to remove the app from DenyList) https://github.com/BlackMesa123/KnoxPatch/issues/21#issuecomment-1545791101
so if I have an app that:
when on the deny list, works
when not on the deny list, even with Shamiko, doesn't work
it means the app is able to bypass Shamiko still for anti-root detection?
I'm deep into `gdb`, I can try to figure out what it's doing. It's a packed `.ELF` with many tricks going on, but nothing the community hasn't seen before I'm sure. Might just need some massaging to make it more up to date? What do you think, too large of an endeavor/very difficult?
> when not on the deny list, even with Shamiko, doesn't work
> it means the app is able to bypass Shamiko still for anti-root detection?
Shamiko will not hide root to apps that are not in the DenyList
> I'm deep into `gdb`, I can try to figure out what it's doing. It's a packed `.ELF` with many tricks going on, but nothing the community hasn't seen before I'm sure. Might just need some massaging to make it more up to date? What do you think, too large of an endeavor/very difficult?
You can probably start by looking at the (little) source code snippets you can find online to see what the binary could check:
https://github.com/vvb2060/MagiskDetector https://github.com/canyie/MagiskKiller https://github.com/LSPosed/NativeDetector
There’s a newer app called “Momo” now to check your device’s root detection, unfortunately like Shamiko it’s closed source to avoid sharing those “detection methods” in the wild: https://t.me/magiskalpha/529
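As an added example (not code from this thread, and not taken from MagiskDetector, MagiskKiller or NativeDetector), this is the core of what a native check of that kind does, reduced to reading a `/proc` text file and looking for marker substrings. The marker list, the choice of `/proc/self/maps` and `/proc/self/mountinfo`, and the sample maps lines are all assumptions about what such binaries look for; real detectors check considerably more. It compiles and runs on any Linux host:

```c
/* Added example, not code from the thread or from the linked detector
 * projects: a minimal native root/hook trace scan. MARKERS is an assumption
 * about the names Magisk, Zygisk and LSPosed tend to leave in a process's
 * mappings and mount table. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *const MARKERS[] = {
    "magisk", "zygisk", "lsposed", "xposed", "shamiko", "riru", NULL
};

/* Case-insensitive substring search (strcasestr is not portable). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* 1 if a single line (no newline) contains any marker. */
static int line_is_suspicious(const char *line) {
    for (int i = 0; MARKERS[i]; i++)
        if (contains_nocase(line, MARKERS[i])) return 1;
    return 0;
}

/* Count suspicious lines in a buffer shaped like /proc/self/maps or
 * /proc/self/mountinfo. Takes an in-memory buffer so it can be exercised
 * without a rooted device. */
int count_suspicious_lines(const char *text) {
    int hits = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        hits += line_is_suspicious(line);
        p = nl ? nl + 1 : p + strlen(p);
    }
    return hits;
}

/* Scan a real /proc file; returns the hit count, or -1 if it cannot be read. */
int scan_proc_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    static char buf[64 * 1024];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_suspicious_lines(buf);
}

/* Constructed sample (not real device output): a few maps lines as they might
 * look in a process where a Zygisk module and LSPosed were injected. */
const char SAMPLE_MAPS[] =
    "7b4c2000-7b4c9000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7b5d0000-7b5d8000 r--p 00000000 00:00 0    /data/adb/modules/zygisk_lsposed/zygisk/arm64-v8a.so\n"
    "7b6e0000-7b6e1000 rw-p 00000000 00:00 0    [anon:libc_malloc]\n"
    "7b7f0000-7b7f4000 r-xp 00000000 00:00 0    /dev/.magisk/lsposed.so\n";

int main(void) {
    printf("sample: %d suspicious line(s)\n", count_suspicious_lines(SAMPLE_MAPS));
    printf("this process: maps=%d mountinfo=%d\n",
           scan_proc_file("/proc/self/maps"),
           scan_proc_file("/proc/self/mountinfo"));
    return 0;
}
```

Two lines of the sample hit (one mapping carries both "zygisk" and "lsposed" but is counted once). Shamiko's job for apps on the DenyList is precisely to make the real `/proc/self/maps` and `/proc/self/mountinfo` of that process come back clean for checks like this one; for an app that is not on the list, nothing is hidden and the markers are visible.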
> Shamiko will not hide root to apps that are not in the DenyList
Sorry, to clarify:
Install Shamiko module
In Magisk settings, configure DenyList, add target app, but keep Enforce DenyList off because otherwise Shamiko Magisk Module will say "Shamiko doesn't work since enforce denylist is enabled"?
```text
$ md5 assets/appsuit/momo
MD5 (assets/appsuit/momo) = 91eca337d818d48f30a9a583a43a194a
```
Yes, the app I'm debugging has both native armeabi `libAppSuit.so` and then `assets/appsuit/momo` as well.
I am guessing `libAppSuit.so` is a multi-stage ELF with many spoofs that then depends/calls on `momo`? I am at the stage where `libAppSuit` itself without calling to `momo` is able to `SIGSEGV` due to root detection (guessing).
> Install Shamiko module
> In Magisk settings, configure DenyList, add target app, but keep Enforce DenyList off because otherwise Shamiko Magisk Module will say "Shamiko doesn't work since enforce denylist is enabled"?
Correct, all you have to do now is add/remove apps in Magisk DenyList, Shamiko will do the rest.
> I am guessing `libAppSuit.so` is a multi-stage ELF with many spoofs that then depends/calls on `momo`? I am at the stage where `libAppSuit` itself without calling to `momo` is able to `SIGSEGV` due to root detection (guessing).
Might I know what app you are testing this on? I saw the package name ends with `o.smartlauncher` but I couldn't find such an app anywhere.
Thank you for the help, it is appreciated.
I could send it to you. I'd prefer to keep it offline. I redacted the string you mentioned.
Might I ask your opinion on this... It's doing this weird trick.
When you launch the `.apk`, it has something like this:
```java
public class a {
    static {
        // Loads libAppSuit.so as soon as this class is initialized
        System.loadLibrary("AppSuit");
    }
}
```
That's fine. Thanks to the amazing work of LSPosed/Magisk/Shamiko, the app is able to run if you set it up correctly (aka root and LSPosed can't be detected/are hidden).
The problem I'm facing now (and I don't know if it's specifically due to the `libAppSuit.so` library) is that the process is spawning a child process that is `ptrace()`ing itself, preventing me from being able to attach with a debugger or even dump the memory so I can see how the hidden/obfuscated/encrypted classes get loaded.
For example, the `AndroidManifest.xml` mentions a class that doesn't show up in `classes.dex` (which has next to nothing), which lets me think it's doing some kind of reflection/importing the classes at runtime.
I've tried `LD_PRELOAD` via like `setprop wrap.com.redacted.redacted LD_PRELOAD=/data/local/tmp/lipMyPreload.so` but that didn't work. Curious if you would know how to get around this `ptrace` protection?
@BlackMesa123 sorry to bother you on this, want to ask you a question.
`com.highcapable.yukihookapi.hook.entity.YukiBaseHooker` injects itself + runs at runtime/launch, but apps protected with AppSuit load themselves in stages. How would you catch this? I want to hook certain things that eventually get loaded. `findClass` from what I understand won't work because not all classes are loaded at app init/launch.
Devs at @LSPosed probably know more stuff than me, try opening an issue there. https://github.com/LSPosed/LSPosed
```kotlin
import com.highcapable.yukihookapi.hook.factory.onLoadClass
import com.highcapable.yukihookapi.hook.log.loggerD

// Runs inside the hooker's loadApp scope, where appClassLoader is the target
// app's ClassLoader. The callback fires for every class that loader defines,
// so classes decrypted and loaded in a later stage are caught when they appear.
appClassLoader.onLoadClass { clazz ->
    val stringifiedClass = clazz.toString()
    loggerD(msg = "$TAG: onLoadClass. $stringifiedClass")
    if (stringifiedClass == "class redacted") {
        loadApp(Constants.REDACTED, RedactedServiceHooks)
    }
}
```
I was able to extend what you did in MainHook.kt and add this, thank you!
AppSuit: https://www.stealien.com/en/products/series