(enhance) rules: little refactoring (rednaga#419)

AbhiTheModder · Nov 14, 2024 · 4c35708 · 4c35708
1 parent 0322a8c
commit 4c35708
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 16 deletions.
diff --git a/apkid/rules/dex/anti-vm.yara b/apkid/rules/dex/anti-vm.yara
@@ -169,7 +169,7 @@ rule checks_build_brand : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule checks_build_device : anti_vm
@@ -187,7 +187,7 @@ rule checks_build_device : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule checks_build_product : anti_vm
@@ -246,7 +246,7 @@ rule checks_build_board : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule checks_build_id : anti_vm
@@ -264,7 +264,7 @@ rule checks_build_id : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule possible_build_serial_check : anti_vm
@@ -298,7 +298,7 @@ rule checks_build_tags : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule checks_build_user : anti_vm
@@ -316,7 +316,7 @@ rule checks_build_user : anti_vm
   condition:
     uses_build_class
     and $prop
-    and 1 of ($str_*)
+    and $str_1
 }
 
 rule checks_sim_operator : anti_vm
@@ -549,7 +549,8 @@ rule checks_qemu_file : anti_vm
     $i = "/dev/socket/baseband_genyd"
 
   condition:
-    1 of them
+    is_dex
+    and 1 of them
 }
 
 rule possible_vm_check : anti_vm
@@ -562,5 +563,6 @@ rule possible_vm_check : anti_vm
     $a = "isEmulator"
 
   condition:
-    any of them
+    is_dex
+    and all of them
 }
diff --git a/apkid/rules/dex/obfuscators.yara b/apkid/rules/dex/obfuscators.yara
@@ -156,7 +156,8 @@ rule dexguard_c : obfuscator
     }
 
   condition:
-    any of them
+    is_dex
+    and any of them
 }
 
 rule dexguard_d : obfuscator
@@ -346,7 +347,7 @@ rule allatori_demo : obfuscator
     $s = { 00 0D 41 4C 4C 41 54 4F 52 49 78 44 45 4D 4F 00 }  // ALLATORIxDEMO
 
   condition:
-    $s and is_dex
+    is_dex and $s
 }
 
 rule aamo_str_enc : obfuscator
@@ -402,7 +403,7 @@ rule aamo_str_enc : obfuscator
     $b = { 00 14 67 65 74 53 74 6f 72 61 67 65 45 6e 63 72 79 70 74 69 6f 6e 00 } //getStorageEncryption
 
   condition:
-    1 of ($opcodes*) and all of ($a, $b)
+    is_dex and 1 of ($opcodes*) and all of ($a, $b)
 }
 
 rule appsuit_a : obfuscator
@@ -455,7 +456,7 @@ rule gemalto_sdk : obfuscator
     $p3 = "Lcom/gemalto/ezio/mobile/sdk/"
 
   condition:
-    any of them and is_dex
+    is_dex and any of them
 }
 
 rule kiwi_amazon : obfuscator
@@ -470,7 +471,7 @@ rule kiwi_amazon : obfuscator
     $class = { 00 19 4B69776956657273696F6E456E637279707465722E6A617661 00 } // 00+len+"KiwiVersionEncrypter.java"+00
 
   condition:
-    all of them
+    is_dex and all of them
 }
 
 rule unreadable_field_names : obfuscator

diff --git a/apkid/rules/elf/anti-vm.yara b/apkid/rules/elf/anti-vm.yara
@@ -38,5 +38,5 @@ rule check_qemu_entropy : anti_vm
     $b = "_qemuFingerPrint"
 
   condition:
-    any of them
+    is_elf and any of them
 }
diff --git a/apkid/rules/elf/obfuscators.yara b/apkid/rules/elf/obfuscators.yara
@@ -790,7 +790,7 @@ rule dexprotector : obfuscator
     $dp_elf_header = { 7f45 4c46 (01|02) 01 0100 4450 4c46 }
 
   condition:
-    $dp_elf_header at 0
+    is_elf and $dp_elf_header at 0
 }
 
 rule dexprotector_a : obfuscator

diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
@@ -406,7 +406,7 @@ rule appsealing_core_2_10_10 : packer
     $core_ver = "APPSEALING-CORE-VERSION_2.10.10"
 
   condition:
-    $core_ver
+    is_elf and $core_ver
 }
 
 rule appsuit_packer_a : packer