strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0
1.12k stars, 331 forks

Unable to locate the memory wanted/odex is. #9

Closed ap1459777123 closed 9 years ago

ap1459777123 commented 9 years ago

Hi, recently I was using android-unpacker to de-obfuscate apps that had been modified by the APKProtect offline tool. A problem occurred when I tried to run the executable 'kisskiss' on an AVD; I always got this message:

    [] Android Dalvik Unpacker/Unprotector - diff@lookout.com
    [+] Hunting for org.jessies.dalvikexplorer
    [+] 240 is service pid
    [+] 245 is clone pid
    [+] Attempting to detect packer/protector...
    [] Nothing special found, assuming Bangcle...
    [+] Unpacked odex found in memory!
    [+] Attempting to dump memory region 0xb000d000 to 0xb0016000
    [!] pread seems to have failed!
    [!] An issue occured trying to dump the memory to a file!

The region 0xb000d000 to 0xb0016000 is the last blank section in /proc/[pid]/maps, which should be the place containing the odex:

                              ...

    afd42000-afd4d000 rwxp afd42000 00:00 0
    b0001000-b000c000 r-xp 00001000 1f:00 615        /system/bin/linker
    b000c000-b000d000 rwxp 0000c000 1f:00 615        /system/bin/linker
    b000d000-b0016000 rwxp b000d000 00:00 0
    bed8e000-beda3000 rwxp befeb000 00:00 0          [stack]

Is there anything I misunderstood that causes the function 'peek_memory' not to work?

I am also wondering if it is an experiment environment setup problem. Here is my setup information:

- AVD provided by the Google SDK, API level 10, Android 2.3.3
- CPU/ABI: ARM (armeabi)
- RAM 512, VM Heap 32
- Storage 200MB, SD Card 100MB

The native-unpacker is built with NDK version android-ndk-r10d.

Thanks!

ap1459777123 commented 9 years ago

Or was it the sample 'org.jessies.dalvikexplorer'? May I get some available apks?

strazzere commented 9 years ago

Can you provide a hash of the exact file? You're saying it's APKProtect'ed, though the tool appears to be not seeing it as such. This might be an unsupported version of APKProtect that we need to update here.

ap1459777123 commented 9 years ago

- md5: cbef6952d07f85593915fc4463a6e157
- sha1: 99affa441ee56f0dcef3c7727515bcef13f0e005
- sha256: 3d14fc903193a6ab1cba743fd938315f9647015e3876aae2b2a267bd1c7846a3

The files (original and protected) can be downloaded here: https://drive.google.com/file/d/0B_F6xL0p43p1ei1CSS1xcHcwaEE/view?usp=sharing

Thanks!

strazzere commented 9 years ago

Thank you, I should be able to investigate this today.

strazzere commented 9 years ago

So this is not actually protected with the "packer" version of apkprotect. This is just the "inject bad code" version (an early variant). This is handled properly by baksmali, so there is nothing to actually "dump" from memory, as the normal dex file is fine. The code which is meant to trip up the debugger is as follows:

.class public Lorg/jessies/dalvikexplorer/a;
.super Ljava/lang/Object;
.source "Currency Symbol: "

# direct methods
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 3
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

# virtual methods
.method public a()Ljava/lang/String;
    .registers 2

    .prologue
    .line 12
    const p154, -0x6e5958ae
.end method

.method public b()I
    .registers 2

    .prologue
    .line 7
    double-to-int p13, p8

    aget-wide p243, p200, p37
.end method

That code, in theory, will cause out of bounds errors for disassemblers which might try to access the code which should not ever be executed.
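A small check for the trick described above, written here as an added example and not part of the android-unpacker repository or this thread: it walks smali text method by method and reports every register operand whose index is at or above the frame size declared by `.registers`, which is exactly what `p154` against `.registers 2` is. The sample input is constructed from the three methods quoted in the comment; the `find_register_overflows` helper and its regexes are this example's own.

```python
import re
# Constructed sample: the methods quoted in the issue, each declaring a
# two-register frame but naming registers far beyond it.
SAMPLE_SMALI = """\
.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
.method public a()Ljava/lang/String;
    .registers 2
    const p154, -0x6e5958ae
.end method
.method public b()I
    .registers 2
    double-to-int p13, p8
    aget-wide p243, p200, p37
.end method
"""

METHOD_RE = re.compile(r"^\s*\.method\s+(.*)$")
REGISTERS_RE = re.compile(r"^\s*\.registers\s+(\d+)")
# A register operand (v<n> or p<n>) standing alone, not part of a descriptor.
REG_RE = re.compile(r"(?<![\w/$])([vp])(\d+)(?![\w/$;])")

def find_register_overflows(smali_text):
    """Return [(method, register, frame_size)] for each register operand whose
    index is >= the frame declared by `.registers N` (pK aliases the top of the
    frame, so K >= N is impossible too; the `.locals` form is not handled)."""
    findings = []
    method, frame = None, None
    for line in smali_text.splitlines():
        m = METHOD_RE.match(line)
        if m:  # new method: remember its name, frame size not yet known
            method, frame = m.group(1).strip(), None
            continue
        if line.strip() == ".end method":
            method, frame = None, None
            continue
        r = REGISTERS_RE.match(line)
        if r:
            frame = int(r.group(1))
            continue
        # Skip directives, labels and comments; only instructions carry operands.
        if frame is None or line.strip().startswith(("#", ".", ":")):
            continue
        for kind, num in REG_RE.findall(line):
            if int(num) >= frame:
                findings.append((method, kind + num, frame))
    return findings
```

Run over a whole baksmali output tree, a non-empty result from this check is a cheap signal that a method body was never meant to execute and that the dex itself, not memory, is where to look.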