strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0
1.12k stars, 331 forks

Not all versions of Qihoo packer are supported #2

Closed strazzere closed 5 years ago

strazzere commented 10 years ago

Reported via twitter that the packer is "not working" (https://twitter.com/0xr0ot/status/511822872684560384) -- no confirmed version of the package which the author was talking about. Did some searching and turned up a few samples:

"Defence version 0.9.5.6.5" does not currently work - though "0.9.7.9" does.

robots commented 6 years ago

Hi, I got some newer version of Qihoo that is not directly supported.

```
root@generic:/ # /data/kisskiss com.foo.bar
[*] Android Dalvik Unpacker/Unprotector - strazz@gmail.com
[+] Hunting for com.foo.bar
[+] 1179 is service pid
[+] 1257 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[*] No packer found on clone_pid 1257, falling back to service_pid 1179
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[!] Error peeking at memory : Not a directory
[!] Error peeking at memory : Not a directory
[!] Error peeking at memory : Not a directory
[!] Error peeking at memory : Not a directory
[!] Error peeking at memory : Not a directory
[!] Error peeking at memory : Not a directory
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!
```

It seems that the application will notice kisskiss and kill itself before it can dump anything.

I was able to send SIGSTOP to both processes application had, so the watchdog process will be halted:

```
root@generic:/ # ps
...
u0_a52    1386  55    282504 74296 ffffffff b6f4f5cc S com.foo.bar
u0_a52    1399  1386  192024 13580 c00b4d78 b6f4e158 S com.foo.bar
...
root@generic:/ # kill -SIGSTOP 1386
root@generic:/ # kill -SIGSTOP 1399
```

After this it worked:

```
[*] Android Dalvik Unpacker/Unprotector - strazz@gmail.com
[+] Hunting for com.foo.bar
[+] 1386 is service pid
[+] 1477 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[*] No packer found on clone_pid 1477, falling back to service_pid 1386
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[+] Found 2 potentially interesting memory locations...
[+] Attempting to search inside memory region 0xaa917000 to 0xaae9a000
[+] Memory region 0xaa917000 to 0xaae9a000 contained anticipated class path com/gooclient/def
[+] Unpacked/protected file dumped to : /data/local/tmp/com.foo.bar.dumped_odex_0
[+] Attempting to search inside memory region 0xaaea5000 to 0xaaeee000
[-] Likely a system file found, ignoring...
```

happy hunting!
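The comment above identifies the two processes of the package from `ps` output by hand: the second `com.foo.bar` line has the first one's PID (1386) as its PPID, which is the watchdog-style layout the comment describes. The script below is an added example, not code from the android-unpacker project or from the commenter: it parses the classic Android `ps` column layout (USER PID PPID VSIZE RSS WCHAN PC S NAME), reports which process of a given package is the main one and which is a child of another process of the same package, and emits the corresponding `kill -SIGSTOP` lines without executing them. The `SAMPLE_PS` text is constructed for this example; its two `com.foo.bar` lines mirror the ones in the comment.

```shell
#!/bin/sh
# Added example (not part of the android-unpacker project). Reads Android `ps`
# output on stdin and classifies the processes of one package by parent/child
# relationship, the layout described in the comment above.

# Constructed sample of `ps` output; the com.foo.bar lines mirror the comment.
SAMPLE_PS='USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     8744   736   ffffffff 00000000 S /init
u0_a52    1386  55    282504 74296 ffffffff b6f4f5cc S com.foo.bar
u0_a52    1399  1386  192024 13580 c00b4d78 b6f4e158 S com.foo.bar
u0_a60    1420  55    180000 12000 ffffffff b6f4f5cc S com.other.app'

# pids_for_package PKG  (ps text on stdin)
# Prints "PID PPID" for every line whose last column is exactly PKG.
# Matching the whole last column avoids catching com.foo.bar:remote and the like.
pids_for_package() {
    awk -v pkg="$1" '$NF == pkg { print $2, $3 }'
}

# classify_package_procs PKG  (ps text on stdin)
# Prints "main PID" when the parent is outside the package and "child PID"
# when the parent is itself one of the package's own processes.
classify_package_procs() {
    pids_for_package "$1" | awk '
        { pid[NR] = $1; ppid[NR] = $2; mine[$1] = 1 }
        END {
            for (i = 1; i <= NR; i++)
                print ((ppid[i] in mine) ? "child" : "main"), pid[i]
        }'
}

# stop_commands PKG  (ps text on stdin)
# Emits one kill line per process, children first. SIGSTOP cannot be caught,
# blocked or ignored, so a stopped child cannot react when its parent is
# stopped next. Nothing is executed here; review the output before running it.
stop_commands() {
    classify_package_procs "$1" | sort | awk '{ print "kill -SIGSTOP " $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS" | classify_package_procs com.foo.bar
printf '%s\n' "$SAMPLE_PS" | stop_commands com.foo.bar
```

On a device you would feed real output instead of the sample, e.g. `ps | classify_package_procs com.foo.bar` on older images, or `ps -A` on toybox-based Android releases where plain `ps` only lists the shell's own processes. The parent/child heuristic is just that: a package can have several processes for legitimate reasons (`:remote` services, isolated processes), so check the classification against the `ps` lines before stopping anything.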

strazzere commented 6 years ago

Any chance you could provide a hash so I can retest and see if something needs to get done on my side?

I'm guessing the original package has the path "com/gooclient/def" in it? :)

-Tim Strazzere

On Sat, Mar 3, 2018 at 2:59 AM, Michal notifications@github.com wrote:

robots commented 6 years ago

You are right, my effort to mask it was not successful :)

What kind of hash would you like? Hash of the original package?

Here is one hash for you: md5(123456) = e10adc3949ba59abbe56e057f20f883e

robots commented 6 years ago

https://apkpure.com/goolink/com.gooclient.def, it's the latest 2.5.3 version.

robots commented 6 years ago

I have checked the extracted dex for completeness. All onCreate methods from activities are made native and not included in the dex.

strazzere commented 5 years ago

All current versions I can find work. Closing.