Closed springrider closed 6 years ago
It would seem that there is an issue reading the memory. This could be a few different things;
My gut says it's the latter.
Can you share the hash and/or file? Can't test or reproduce it without.
Of course, I have mailed you the file, thanks!
I don't seem to have received anything - can you send it to strazz at gmail or upload it to a public sharing site?
Sure, sent to your gmail. Yesterday I sent it to the mailbox which is on your GitHub profile :)
and here is the public link: https://send.firefox.com/download/3401016355/#2mc_0b3Z9ZBalPRnVKfoYQ
I'm having the same issue, packer type: |-> packer : Jiagu.
This is the log from kisskiss:
[*] Android Dalvik Unpacker/Unprotector - strazz@gmail.com
[+] Hunting for (some com...)
[+] 596 is service pid
[+] 659 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[*] No packer found on clone_pid 659, falling back to service_pid 596
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!
This is the log from rednaga:
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] /input/Classified.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] /input/Classified.apk!assets/libjiagu.so
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
[*] /input/Classified.apk!assets/libjiagu_x86.so
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
[*] /input/Classified.apk
 |-> packer : Jiagu
P.S. Thanks for the great tools
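The "pread seems to have failed : I/O error" lines in the kisskiss log above mean the kernel declined a read of /proc/<pid>/mem at that address. The next thing an analyst wants is to correlate the failing address with the target's mapping table at that moment: is the address still mapped, and with which permissions? The following is an added example, not code from this thread or from kisskiss/android-unpacker: it parses /proc/<pid>/maps lines, looks up the region containing an address, and retries the same pread so the result can be reported per region. The SAMPLE_MAPS listing, the paths inside it and all function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One mapping as listed in /proc/<pid>/maps. */
typedef struct {
    uint64_t start, end;
    char perms[5];   /* e.g. "r-xp", exactly as the kernel prints it */
    char path[256];  /* pathname or "[anon:...]" tag; empty for plain anonymous maps */
} map_region;

/* Constructed sample (not taken from the issue) used by the self-check. */
const char *const SAMPLE_MAPS =
    "7f3a2c000000-7f3a2c021000 r-xp 00000000 fd:01 131072 /data/app/example/lib/arm64/libexample.so\n"
    "7f3a2c021000-7f3a2c022000 ---p 00000000 00:00 0 \n"
    "7f3a2c022000-7f3a2c030000 rw-p 00000000 00:00 0 [anon:constructed]\n";

/* Parse a single maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, map_region *out)
{
    unsigned long long start, end, offset, inode;
    char perms[5], dev[16];
    int consumed = 0;

    memset(out, 0, sizeof *out);
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &start, &end, perms, &offset, dev, &inode, &consumed) != 6)
        return 0;
    out->start = start;
    out->end = end;
    snprintf(out->perms, sizeof out->perms, "%s", perms);

    /* The optional pathname follows the inode after a run of spaces. */
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof out->path)
        n = sizeof out->path - 1;
    memcpy(out->path, p, n);
    out->path[n] = '\0';
    return 1;
}

/* Parse a whole maps listing held in memory. Returns the number of regions stored. */
size_t parse_maps_text(const char *text, map_region *regions, size_t max)
{
    size_t count = 0;
    while (*text && count < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_maps_line(line, &regions[count]))
            count++;
        text = nl ? nl + 1 : text + strlen(text);
    }
    return count;
}

/* Which region, if any, contained addr when the listing was taken. */
const map_region *find_region(const map_region *regions, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= regions[i].start && addr < regions[i].end)
            return &regions[i];
    return NULL;
}

/* The same read kisskiss attempts: pread() on /proc/<pid>/mem.
 * Returns bytes read, or -errno (for example -EIO) so the caller can report it. */
ssize_t probe_region(int memfd, uint64_t addr, void *buf, size_t len)
{
    ssize_t n = pread(memfd, buf, len, (off_t)addr);
    return n < 0 ? -errno : n;
}

/* Self-diagnosis on the current process; point both paths at a target pid for a real run. */
int main(void)
{
    static map_region regions[1024];
    FILE *f = fopen("/proc/self/maps", "r");
    int memfd = open("/proc/self/mem", O_RDONLY);
    if (!f || memfd < 0) {
        perror("open /proc/self");
        return 1;
    }
    char line[512];
    size_t n = 0;
    while (n < 1024 && fgets(line, sizeof line, f))
        if (parse_maps_line(line, &regions[n]))
            n++;
    fclose(f);

    for (size_t i = 0; i < n; i++) {
        unsigned char buf[16];
        ssize_t r = probe_region(memfd, regions[i].start, buf, sizeof buf);
        printf("%012" PRIx64 "-%012" PRIx64 " %s %-40s -> %s\n",
               regions[i].start, regions[i].end, regions[i].perms, regions[i].path,
               r < 0 ? strerror((int)-r) : "readable");
    }
    close(memfd);
    return 0;
}
```

Two things to keep apart when reading the output: failing to open /proc/<pid>/mem at all (EACCES) is a ptrace-permission problem, while an EIO from pread on an open descriptor is the kernel declining that specific address, which is what the kisskiss log shows. Re-reading the maps file at the moment of the failure matters because a packer can change the layout between the time a dumper scans it and the time it reads.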
Confirmed, this is an issue with the binary trying to "protect itself" via usage of mprotect. Two quick fixes would be to:
1 - Use an LD_PRELOAD-type attack and just hook the mprotect call to return lies to the app about setting it calling it right
2 - Use FRIDA or whatever to do a similar attack at a different level.
Skimming the binary it doesn't look like it's checking against an LD_PRELOAD-like attack though, so that'd be pretty easy to do. In fact you could likely just steal this: https://github.com/strazzere/android-unpacker/tree/master/hide-emu and modify it slightly.
I'll try to check back in later if I have time, however, this might be an exercise best left for someone else :)
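Before altering what mprotect returns (option 1 above), it helps to first see exactly what the app asks the kernel for, since a blanket "do nothing, return zero" can break the app itself. The following is an added example, not code from this thread or from hide-emu: a minimal LD_PRELOAD-style interposer that forwards every mprotect() call to the kernel unchanged, writes one log line per call, and keeps a record a harness can inspect. Forwarding through syscall(SYS_mprotect) instead of dlsym(RTLD_NEXT) is a design choice of this example; the accessor names (mprotect_calls_seen and friends) are assumptions. Built with -shared -fPIC it can be preloaded into a test process; the main() here exercises the same path in-process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record of each mprotect() the process made while this code was loaded. */
typedef struct {
    void *addr;
    size_t len;
    int prot;
    int ret;
} mprotect_call;

#define MAX_CALLS 256
static mprotect_call g_calls[MAX_CALLS];
static size_t g_ncalls;

/* Render PROT_* bits as "rwx" text for the log line. */
void prot_to_str(int prot, char out[4])
{
    out[0] = (prot & PROT_READ) ? 'r' : '-';
    out[1] = (prot & PROT_WRITE) ? 'w' : '-';
    out[2] = (prot & PROT_EXEC) ? 'x' : '-';
    out[3] = '\0';
}

/* Interposed mprotect(): pass the request to the kernel unchanged, then log and record it.
 * Forwarding through syscall() sidesteps dlsym(RTLD_NEXT) and any re-entry into libc. */
int mprotect(void *addr, size_t len, int prot)
{
    long ret = syscall(SYS_mprotect, addr, len, prot);
    int saved_errno = errno;
    char flags[4];
    prot_to_str(prot, flags);
    fprintf(stderr, "[mprotect-log] addr=%p len=%zu prot=%s -> %ld%s%s\n",
            addr, len, flags, ret,
            ret < 0 ? " errno=" : "", ret < 0 ? strerror(saved_errno) : "");
    if (g_ncalls < MAX_CALLS)
        g_calls[g_ncalls++] = (mprotect_call){ addr, len, prot, (int)ret };
    errno = saved_errno;   /* fprintf may clobber errno; restore it for the caller */
    return (int)ret;
}

/* Accessors for a harness, or for a dump at exit. */
size_t mprotect_calls_seen(void) { return g_ncalls; }

const mprotect_call *mprotect_call_at(size_t i)
{
    return i < g_ncalls ? &g_calls[i] : NULL;
}

/* How many recorded calls removed read access (PROT_NONE or write/exec only); these are
 * the calls worth correlating with read failures reported by a memory dumper. */
size_t mprotect_calls_dropping_read(void)
{
    size_t c = 0;
    for (size_t i = 0; i < g_ncalls; i++)
        if (!(g_calls[i].prot & PROT_READ))
            c++;
    return c;
}

/* In-process demonstration: the calls below resolve to the interposer above. */
int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    mprotect(p, page, PROT_NONE);              /* a region being "protected" */
    mprotect(p, page, PROT_READ | PROT_EXEC);  /* later made runnable again */
    munmap(p, page);
    printf("%zu mprotect call(s) seen, %zu of them dropped read access\n",
           mprotect_calls_seen(), mprotect_calls_dropping_read());
    return 0;
}
```

Because the call is forwarded unchanged, the app behaves as it normally would and the log shows the sequence of protection changes to correlate with the dumper's read failures. As the reporter found, an app may check for LD_PRELOAD, in which case a tracer at another level (the FRIDA route above) gives the same information.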
Thank you for the fast reply, will try those two quick fixes. Though as a beginner on everything, it might take a while.
Thanks a lot for the help. It seems it checks LD_PRELOAD; after setting the prop and launching the app, it just rebooted the cellphone...
I will try other ways, thanks a lot for your time!
Did you get this working in the end? I have this same issue with VMOS, a Jaigu packed app. I modded hide-emu to override mprotect to do nothing and always return zero, but this just makes the app hang on the splash screen. The app's native process seems to be unable to launch, and the following is logged a few times:
Zygote : Process <PID> exited due to signal 9 (Killed)
You're likely looking at a different version with different protections. This issue is closed and from well over two years ago.
The log is:
And at the same time the app froze with no response at all. Does this mean Qihoo recognized the unpacker and stopped it?