strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0

LIAPP New Version #33

Closed toddsharpe closed 5 years ago

toddsharpe commented 7 years ago

I was running this unpacker against com.teamblind.blind and received the error message: Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!

I found the dex manually by dumping the process memory manually, searching for application strings in the dump, then resolving the dump address to the page address and finally trimming the dump file. I found that:

  1. The dex file doesn't start on a page boundary; it actually starts at offset 0x10 on this page. The first 0x10 bytes appear to be junk, at least to me
  2. The magic signature is dex\n035 instead of dey\n036 that the unpacker looks for

The line in the maps file is: {start_address}-{end_address} rw-p 00000000 00:00 0 [anon:libc_malloc]

Like I said, I did this all manually but at some point I might try to code up a formal pull for this repro. Until then, somebody might beat me to the coding or at the very least I hope this helps somebody.
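The carving step described above, as an added example (not code from the android-unpacker project): scan a dumped region for a dex or dey magic at any byte offset rather than only at the start of the page, then trim using the header's own file_size field. The region returned by build_sample_region is constructed for the demo; it is not data from the app in this report.

```python
import struct
from typing import Optional

# Magics the thread discusses: the unpacker looked for the optimised
# "dey\n036" form, while this packer left a plain "dex\n035" in memory.
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
DEY_MAGIC = b"dey\n036\0"
DEX_HEADER_SIZE = 0x70  # fixed size of a classic dex header

def find_dex_headers(region: bytes):
    """Return (offset, magic) for every dex/dey magic in a memory region.

    Scans byte by byte instead of assuming page alignment, because the
    header in this report sat at offset 0x10 of an [anon:libc_malloc] page.
    """
    hits = []
    for magic in DEX_MAGICS + (DEY_MAGIC,):
        pos = region.find(magic)
        while pos != -1:
            hits.append((pos, magic))
            pos = region.find(magic, pos + 1)
    return sorted(hits)

def carve_dex(region: bytes, offset: int) -> Optional[bytes]:
    """Carve one dex file at offset using its file_size field (u32 LE at 0x20).

    header_size (u32 LE at 0x24) must be 0x70, which filters out a magic
    string that is not followed by a real header.
    """
    hdr = region[offset:offset + DEX_HEADER_SIZE]
    if len(hdr) < DEX_HEADER_SIZE or hdr[:4] != b"dex\n":
        return None
    file_size, header_size = struct.unpack_from("<II", hdr, 0x20)
    if header_size != DEX_HEADER_SIZE or file_size < DEX_HEADER_SIZE:
        return None
    if offset + file_size > len(region):
        return None  # truncated dump: do not hand back a partial file
    return region[offset:offset + file_size]

def build_sample_region() -> bytes:
    """Constructed stand-in for the dumped region: 0x10 junk bytes, then a
    minimal 0x80-byte dex (header plus zero padding), then heap leftovers."""
    body_size = 0x80
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<II", hdr, 0x20, body_size, DEX_HEADER_SIZE)
    dex = bytes(hdr) + b"\0" * (body_size - DEX_HEADER_SIZE)
    return b"\xAA" * 0x10 + dex + b"heap leftovers" * 3
```

Against a real dump, read the maps line the report quotes to pick the [anon:libc_malloc] region, pass its bytes to find_dex_headers, and carve each hit; a hit whose carve returns None is a stray magic string, not a file.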

JohnWickJM commented 7 years ago

Hey @toddsharpe, quick follow-up: did you use Frida or the usual route of gdb etc.? Thanks

strazzere commented 7 years ago

Sorry for the delay, I've just noticed this. Thanks for the report. Can you please share the binary in question or at least the hash? Sounds like a simple enough fix.

JohnWickJM commented 7 years ago

Running on Blind app version v.2.2.6

strazzere commented 7 years ago

Sorry, so - this app? https://play.google.com/store/apps/details?id=com.teamblind.blind&hl=en

JohnWickJM commented 7 years ago

My bad, I should have provided a link but yes. Also the get_clone_pid method doesn't do the trick for ptrace. Seems like they are doing something similar to http://www.vantagepoint.sg/blog/89-more-android-anti-debugging-fun....

toddsharpe commented 7 years ago

Sorry for the delay! Yes that is the correct app link.

I'm a Linux novice so I just used the maps file as a guide to dump the memory file (using just fseeko). Then I searched for strings I thought might be in the memory and looked for where the boundaries of the section were. That's how I noticed the different header and it occurring at an offset rather than at position 0.

I didn't run into any more anti-debugging protection other than LIAPP. I just executed the app, ran a modified kisskiss, collected the dump and cropped to the region of interest for further investigation.

Thanks!

darkknightjm commented 7 years ago

@strazzere Just checking if you ever did get a chance to update the tool?

strazzere commented 7 years ago

@darkknightjm For this specific packer? No - it's pretty easy to manually unpack. I may have some time this upcoming weekend and could add a fix for it. Though I do suggest you check it out for yourself and maybe submit a fix. The learning there is well worth it. The original reporter basically outlines how to do this :) I was sort of leaving this to someone else to take a stab at it. Likely only a few lines to change.

Basically, you need to identify the specific packer - then when looking for the like, seek 0x10 bytes into the memory section to look for the dex header.

darkknightjm commented 7 years ago

@strazzere Ok will have a go at it :)

strazzere commented 7 years ago

Awesome! Please let me know if you need any help!

strazzere commented 6 years ago

The reason the latest LIAPP is deflecting things is because all the pids are being ptraced by the linker file which is being dropped. If you kill this file - it will cause all the pids to exit as well.

Ark-kun commented 6 years ago

@toddsharpe Sorry for necroposting. Were you able to uncover anything useful in those .dex files or were they too obfuscated?

strazzere commented 5 years ago

Closing this long dead thread as it is currently out of scope. Unsure if there are newer LIAPP protectors, but all the ones I could find are correctly working with the latest HEAD of this repo.