strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0

Telman weird packed sample #4

Closed virqdroid closed 6 years ago

virqdroid commented 10 years ago

On a sample (29B06874BAFA07CD204DCCF2AE302F9E52DC2F78E463924E15B9767596559E1A) that is probably packed with Bangcle and APKProtect (??), the tool extracts the usual ~23kb main Bangcle dex file. I cannot set this (100%) as an issue, but it will be great if the tool can handle this "weird" sample.

Some info below:

```
Starting: Intent { cmp=com.google.android.ebk.hana.avaffafa/com.google.android.ebk.hana.kakao.MainActivity }
[*] Android Dalvik Unpacker/Unprotector - <diff@lookout.com>
 [+] Hunting for com.google.android.ebk.hana.avaffafa
 [+] 6448 is service pid
 [+] 6475 is clone pid
 [+] Attempting to detect packer/protector...
  [*] Found APKProtect!
 [+] Unpacked odex found in memory!
 [+] Attempting to dump memory region 0x4a73b000 to 0x4a741000
 [+] Unpacked/protected file dumped to : /data/local/tmp/com.google.android.ebk.hana.avaffafa.dumped_odex
```

```
4a738000-4a73a000 r--s 00015000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73a000-4a73b000 r--s 0012f000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73b000-4a741000 r--p 00000000 1f:01 908        /data/dalvik-cache/data@app@com.google.android.ebk.hana.avaffafa-1.apk@classes.dex
4a741000-4a742000 rw-p 00000000 00:07 79497      /dev/ashmem/dalvik-aux-structure (deleted)
4a742000-4a746000 rw-p 4a742000 00:00 0
4a746000-4a747000 ---p 4a746000 00:00 0
4a747000-4a846000 rw-p 4a747000 00:00 0
4a847000-4a84a000 r-xp 00000000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a84a000-4a86e000 rw-p 4a84a000 00:00 0
4a86e000-4a86f000 ---p 4a86e000 00:00 0
4a86f000-4a870000 r--p 00018000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a870000-4a871000 rw-p 00019000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
```
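The unpacker's "found in memory / dump region" step above boils down to reading the target's `/proc/<pid>/maps`, spotting which packer libraries are loaded and locating the file-backed dex/odex mapping to copy out. The Python below is an added example of that selection logic, written for this page and not taken from the android-unpacker project: it parses the maps excerpt posted in the report (embedded as constructed sample input), flags packer loaders by library basename (the `PACKER_LIBS` table is an assumption of this example, not the tool's detection table), coalesces adjacent mappings of the same file, and returns the range to dump. On the pasted excerpt that range is `0x4a73b000-0x4a741000`, the same region the tool's log reports; the library heuristic reports only Bangcle because the excerpt maps `libsecexe.so` and no APKProtect library, which is a limitation of looking at maps alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed input: the /proc/<pid>/maps excerpt pasted in the issue above.
SAMPLE_MAPS = """\
4a738000-4a73a000 r--s 00015000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73a000-4a73b000 r--s 0012f000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73b000-4a741000 r--p 00000000 1f:01 908        /data/dalvik-cache/data@app@com.google.android.ebk.hana.avaffafa-1.apk@classes.dex
4a741000-4a742000 rw-p 00000000 00:07 79497      /dev/ashmem/dalvik-aux-structure (deleted)
4a742000-4a746000 rw-p 4a742000 00:00 0
4a746000-4a747000 ---p 4a746000 00:00 0
4a747000-4a846000 rw-p 4a747000 00:00 0
4a847000-4a84a000 r-xp 00000000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a84a000-4a86e000 rw-p 4a84a000 00:00 0
4a86e000-4a86f000 ---p 4a86e000 00:00 0
4a86f000-4a870000 r--p 00018000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a870000-4a871000 rw-p 00019000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
"""

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    offset: int
    path: str  # empty string for anonymous mappings

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse maps output into Region records; reject lines that do not fit."""
    regions = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], int(m["offset"], 16), m["path"].strip()))
    return regions


# Loader libraries that betray a packer, keyed on basename. This table is an
# assumption for the example (libsecexe.so is the Bangcle loader seen in the
# excerpt), not the unpacker's own detection logic.
PACKER_LIBS: Dict[str, str] = {
    "libsecexe.so": "Bangcle",
    "libsecmain.so": "Bangcle",
    "libAPKProtect.so": "APKProtect",
}


def detect_packers(regions: List[Region]) -> Set[str]:
    """Names of packers whose loader library is mapped in the process."""
    found = set()
    for r in regions:
        basename = r.path.rsplit("/", 1)[-1]
        if basename in PACKER_LIBS:
            found.add(PACKER_LIBS[basename])
    return found


def is_dex_backed(r: Region) -> bool:
    """Readable, file-backed mapping of a dex/odex: where the loaded code lives."""
    if not r.path or not r.perms.startswith("r"):
        return False
    return r.path.endswith((".dex", ".odex")) or "/dalvik-cache/" in r.path


def coalesce(regions: List[Region]) -> List[Tuple[int, int, str]]:
    """Merge adjacent mappings of the same file into one (start, end, path) span,
    so a dump covers the whole file rather than only its first page range."""
    spans: List[Tuple[int, int, str]] = []
    for r in regions:
        if spans and spans[-1][2] == r.path and spans[-1][1] == r.start:
            spans[-1] = (spans[-1][0], r.end, r.path)
        else:
            spans.append((r.start, r.end, r.path))
    return spans


def dex_dump_ranges(regions: List[Region]) -> List[Tuple[int, int, str]]:
    return coalesce([r for r in regions if is_dex_backed(r)])


def plan_dump(text: str) -> dict:
    """Summarise what a maps snapshot tells us: packers seen and ranges to dump."""
    regions = parse_maps(text)
    return {
        "packers": sorted(detect_packers(regions)),
        "dex_ranges": [(f"0x{s:x}", f"0x{e:x}", p) for s, e, p in dex_dump_ranges(regions)],
    }


if __name__ == "__main__":
    plan = plan_dump(SAMPLE_MAPS)
    print("packer libs mapped:", ", ".join(plan["packers"]) or "none")
    for s, e, p in plan["dex_ranges"]:
        print(f"dump {s}-{e} <- {p}")
```

On a real device the text would come from `open(f"/proc/{pid}/maps")` on the clone pid, and the returned range would be read from `/proc/<pid>/mem` with the same ptrace attachment the tool uses; the parsing and selection do not change.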
strazzere commented 10 years ago

Thanks for the report -- definitely appears to be a bug. Will try to look into it shortly

strazzere commented 10 years ago

Yea, this is insanity - they ran it through a packer (Bangcle -- newest version) and then a protector (APKProtector). I'm going to have to think about this one on how to solve it -- which I think is going to have to be manually telling it which one to work on first.

strazzere commented 6 years ago

This appears to be fixed in latest round of fixes.