fix: add rule for G-Presto (rednaga#421)

* add rule for G-Presto * improve gpresto apk rule * Identify gpresto as anti_cheat * improve gpresto rule * enhance gpresto rule --------- Co-authored-by: Eduardo Novella <[email protected]>
AbhiTheModder · Nov 19, 2024 · 5ce7b38 · 5ce7b38
1 parent 59dcd1d
commit 5ce7b38
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 0 deletions.
diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
@@ -1082,3 +1082,20 @@ rule nesun_apk : packer
   condition:
     is_apk and $lib
 }
+
+rule gpresto_apk : packer
+{
+  meta:
+    description = "G-Presto (anti-cheat)"
+    url         = "https://www.largosoft.co.kr/"
+    sample      = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+    author      = "Abhi"
+
+  strings:
+    $lib       = /lib\/(arm.*|x86.*)\/libATG_L\.so/
+    $assets    = /assets\/ATG_E.*\.sec/
+    $assetslib = "assets/libData.so"
+
+  condition:
+    is_apk and 2 of them
+}
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
@@ -637,6 +637,26 @@ rule nesun_dex : packer
     is_dex and all of them
 }
 
+rule gpresto_dex : packer
+{
+  meta:
+    description = "G-Presto (anti-cheat)"
+    url         = "https://www.largosoft.co.kr/"
+    sample      = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+    author      = "Abhi"
+
+  strings:
+    $class = { 00 22 4C 63 6F 6D 2F 62 69 73 68 6F 70 73 6F 66 74 2F 50 72 65 73 74 6F 2F 53 44 4B 2F 50 72 65 73 74 6F 3B 00 } // ."Lcom/bishopsoft/Presto/SDK/Presto;.
+
+    // code segment of the injected methods plus junk opcodes
+    $code_segment = {
+	  02 00 01 00 00 00 00 00 ?? ?? ?? ?? 11 00 00 00 00 (1? | 2? | 3? | 4? | 5? | 6? | 7? | 8? | 9? | a? | b? | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7)
+    }
+  
+  condition:
+    is_dex and all of them
+}
+
 rule dingxiang_dex : packer
 {
   meta:

diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
@@ -956,3 +956,26 @@ rule nesun_elf : packer
   condition:
     is_elf and any of them
 }
+
+rule gpresto_elf : packer
+{
+  meta:
+    description = "G-Presto (anti-cheat)"
+    url         = "https://www.largosoft.co.kr/"
+    sample      = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+    author      = "Abhi"
+
+  strings:
+    $class = { 00 [0-2] 4C 63 6F 6D 2F 62 69 73 68 6F 70
+               73 6F 66 74 2F 50 72 65 73 74 6F 2F 53 44 4B
+               2F 50 72 65 73 74 6F 3B 00 } // .()Lcom/bishopsoft/Presto/SDK/Presto;.
+    $name  = { 00 6C 69 62 41 54 47 5F 4C 2E 73 6F 00 } // libATG_L.so
+    $name2 = { (00 | 20) 47 2D 50 72 65 73 74 6F (20 | 00) } // G-Presto
+    $name3 = "\x00<Presto_E>\x00"
+    $name4 = "\x00largosoft.co.kr\x00"
+  
+  condition:
+    is_elf
+    and $class
+    and 2 of ($name*)
+}