strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0

Unable to unpack a Qihoo app #43

Closed kurocygnus closed 6 years ago

kurocygnus commented 6 years ago

[] Android Dalvik Unpacker/Unprotector - diff@lookout.com
[+] Hunting for com.brazil.vod
[+] 1949 is service pid
[+] 2003 is clone pid
[+] Attempting to detect packer/protector...
[] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb7781000 to 0xb7782000
[!] pread seems to have failed!
[!] An issue occured trying to dump the memory to a file!

I'm using Nox Emulator to do this since I don't have a rooted device.

strazzere commented 6 years ago

Nox emulator? Can you provide a link for that?

Can you please also upload the file in question?

strazzere commented 6 years ago

I'd also suggest doing a git pull because it appears you're running some code that is minimally 3 years old per https://github.com/strazzere/android-unpacker/commit/97ad55d700068c6b0f3880f3ee87414ee67f497a

kurocygnus commented 6 years ago

Sure. Nox Emulator (it's good for doing this because protectors don't find out that this is an emu): https://www.bignox.com/

Files (with both I got the same result):
https://drive.google.com/open?id=1PylaWBGA4vTWmOQgvVpVCp9PDtzP3CNq
https://drive.google.com/open?id=1UQ305iRw8DW_Sz6w58Q4BMOGY8R6aeQL

strazzere commented 6 years ago

Ok, so, it does look fairly similar to issue #42 - however I won't close this issue until you can rerun the new code against it.

I do think that this is just the same packer and will complain due to mprotect usage about I/O issues.

kurocygnus commented 6 years ago

Hey. Tried with the new version.

[] Android Dalvik Unpacker/Unprotector - strazz@gmail.com
[+] Hunting for com.brazil.live
[+] 3880 is service pid
[+] 3972 is clone pid
[+] Attempting to detect packer/protector...
[] Nothing special found, hunting for all dex and odex magic bytes...
[] No packer found on clone_pid 3972, falling back to service_pid 3880
[+] Attempting to detect packer/protector...
[] Nothing special found, hunting for all dex and odex magic bytes...
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[!] pread seems to have failed : I/O error
[!] Error peeking at memory : I/O error
[+] Found 1 potentially interesting memory locations...
[+] Attempting to search inside memory region 0x7f5b3000 to 0x7f63e000
[-] Likely a system file found, ignoring...

strazzere commented 6 years ago

Ok cool, seems to be the same issue as #42 -- it's likely due to mprotect. There are some suggestions in that issue on how to handle this, but for the time being I'm going to close this one since it's a duplicate.