Closed (jumbofreak closed this 6 years ago)
Correct this is clearly a new version, they moved away from the UPX GPL bullshit. I'll look into this as I have some more time :)
If it is close to their older revisions, they're encrypting and doing junk in memory 🎱 MAGICCC
The odex actually appears to float between boundaries sometimes, likely need to add a check to see if the file needs to be dumped across multiple regions... If you're reading this, maybe you figured that out and want to add a pull request ;)
This seems to work in the latest round of code changes.
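The multi-region check mentioned above, as an added example that is not code from the unpacker discussed in this thread: it parses a constructed `/proc/<pid>/maps` excerpt (the addresses and labels are made up) and reports how many adjacent regions a span of memory covers, or 0 when an unmapped hole would silently truncate a single-region dump.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample in /proc/<pid>/maps format (not a real capture):
 * two adjacent anonymous regions, an unmapped hole, then a third region. */
static const char SAMPLE_MAPS[] =
    "7f000000-7f010000 rw-p 00000000 00:00 0    [anon:dalvik]\n"
    "7f010000-7f020000 rw-p 00000000 00:00 0    [anon:dalvik]\n"
    "7f030000-7f040000 r--p 00000000 00:00 0    [anon:dalvik]\n";

typedef struct { uintptr_t start, end; } region_t;

/* Parse the "start-end" field of each maps line, keeping file order
 * (the kernel lists regions ascending). Returns the number parsed. */
int parse_maps(const char *text, region_t *out, int max) {
    int n = 0;
    const char *p = text;
    while (p && *p && n < max) {
        unsigned long s, e;
        if (sscanf(p, "%lx-%lx", &s, &e) == 2) {
            out[n].start = (uintptr_t)s; out[n].end = (uintptr_t)e; n++;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return n;
}

/* Walk [addr, addr+len) across adjacent regions. Returns how many regions a
 * dump must read from, or 0 if an unmapped gap breaks the span (the case
 * where reading only the first region truncates the file). */
int regions_spanned(const region_t *r, int n, uintptr_t addr, size_t len) {
    uintptr_t cur = addr, stop = addr + len;
    int count = 0;
    for (int i = 0; i < n && cur < stop; i++) {
        if (r[i].start <= cur && cur < r[i].end) {
            count++;
            cur = r[i].end; /* resume exactly at the next region boundary */
        }
    }
    return cur >= stop ? count : 0;
}

/* Convenience wrapper over the constructed sample. */
int sample_spanned(uintptr_t addr, size_t len) {
    region_t r[16];
    int n = parse_maps(SAMPLE_MAPS, r, 16);
    return regions_spanned(r, n, addr, len);
}

int main(void) {
    printf("regions needed: %d\n", sample_spanned(0x7f000800, 0x18000)); /* 2 */
    printf("regions needed: %d\n", sample_spanned(0x7f018000, 0x10000)); /* 0 */
    return 0;
}
```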
Guessing it's bangcle based on libsecmain.so sha1: 3646c8361252876012402878b84763403928b588
https://blog.lookout.com/blog/2016/06/27/leveldropper/
```
[+] Hunting for com.xuhdx.lev
[+] 7827 is service pid
[+] 8112 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!
```

```
lib/armeabi/libsecmain.so
res/color/common_google_signin_btn_text_da
res/color/common_google_signin_btn_text_li
res/color/common_plus_signin_btn_text_dark
```