From 5ce7b381f9a71cf112aaed8ea4d02e9f522cc7fa Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Tue, 19 Nov 2024 20:35:27 +0530
Subject: [PATCH] fix: add rule for G-Presto (#421)
* add rule for G-Presto
* improve gpresto apk rule
* Identify gpresto as anti_cheat
* improve gpresto rule
* enhance gpresto rule
---------
Co-authored-by: Eduardo Novella
---
 apkid/rules/apk/packers.yara | 17 +++++++++++++++++
 apkid/rules/dex/packers.yara | 20 ++++++++++++++++++++
 apkid/rules/elf/packers.yara | 23 +++++++++++++++++++++++
 3 files changed, 60 insertions(+)
diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
index d33e0d0..1f2889b 100644
--- a/apkid/rules/apk/packers.yara
+++ b/apkid/rules/apk/packers.yara
@@ -1082,3 +1082,20 @@ rule nesun_apk : packer
 condition:
 is_apk and $lib
 }
+
+rule gpresto_apk : packer
+{
+ meta:
+ description = "G-Presto (anti-cheat)"
+ url = "https://www.largosoft.co.kr/"
+ sample = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+ author = "Abhi"
+
+ strings:
+ $lib = /lib\/(arm.*|x86.*)\/libATG_L\.so/
+ $assets = /assets\/ATG_E.*\.sec/
+ $assetslib = "assets/libData.so"
+
+ condition:
+ is_apk and 2 of them
+}
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 1a523eb..652cf85 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
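Review bot: The `$assets` regex `/assets\/ATG_E.*\.sec/` in gpresto_apk is unbounded: `.*` matches any byte except newline, so inside a zip central directory it can run from an `assets/ATG_E…` entry name across later header bytes into an unrelated `….sec` filename, as long as no newline byte intervenes. Limiting it to one path component, `$assets = /assets\/ATG_E[^\/]*\.sec/`, keeps the intended meaning, and the same `[^\/]*` bound fits the `arm.*`/`x86.*` groups in `$lib`. With `2 of them` the false-positive exposure is small, but the tighter form costs nothing. The commit message says the aim was to identify G-Presto as anti-cheat, yet all three new rules carry the `packer` tag with "anti-cheat" only in `description`; if that is deliberate, a one-line comment above the rule saying so (and naming what `ATG_E*.sec` and `assets/libData.so` are in a protected APK) would stop the question from recurring.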
@@ -637,6 +637,26 @@ rule nesun_dex : packer
 is_dex and all of them
 }
 
+rule gpresto_dex : packer
+{
+ meta:
+ description = "G-Presto (anti-cheat)"
+ url = "https://www.largosoft.co.kr/"
+ sample = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+ author = "Abhi"
+
+ strings:
+ $class = { 00 22 4C 63 6F 6D 2F 62 69 73 68 6F 70 73 6F 66 74 2F 50 72 65 73 74 6F 2F 53 44 4B 2F 50 72 65 73 74 6F 3B 00 } // ."Lcom/bishopsoft/Presto/SDK/Presto;.
+
+ // code segment of the injected methods plus junk opcodes
+ $code_segment = {
+ 02 00 01 00 00 00 00 00 ?? ?? ?? ?? 11 00 00 00 00 (1? | 2? | 3? | 4? | 5? | 6? | 7? | 8? | 9? | a? | b? | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7)
+ }
+
+ condition:
+ is_dex and all of them
+}
+
 rule dingxiang_dex : packer
 {
 meta:
diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
index 6d47a19..73ab449 100644
--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -956,3 +956,26 @@ rule nesun_elf : packer
 condition:
 is_elf and any of them
 }
+
+rule gpresto_elf : packer
+{
+ meta:
+ description = "G-Presto (anti-cheat)"
+ url = "https://www.largosoft.co.kr/"
+ sample = "44558c6c758b1ecf42ecda9981240d50c32f42e0d2be4693e37e39f8eb3a3488"
+ author = "Abhi"
+
+ strings:
+ $class = { 00 [0-2] 4C 63 6F 6D 2F 62 69 73 68 6F 70
+ 73 6F 66 74 2F 50 72 65 73 74 6F 2F 53 44 4B
+ 2F 50 72 65 73 74 6F 3B 00 } // .()Lcom/bishopsoft/Presto/SDK/Presto;.
+ $name = { 00 6C 69 62 41 54 47 5F 4C 2E 73 6F 00 } // libATG_L.so
+ $name2 = { (00 | 20) 47 2D 50 72 65 73 74 6F (20 | 00) } // G-Presto
+ $name3 = "\x00\x00"
+ $name4 = "\x00largosoft.co.kr\x00"
+
+ condition:
+ is_elf
+ and $class
+ and 2 of ($name*)
+}
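Review bot: The trailing comment on `$class` in gpresto_dex renders the `22` byte as a literal `"`, which misleads: in a dex string_data_item that byte is the ULEB128 utf16_size (0x22 = 34, the length of `Lcom/bishopsoft/Presto/SDK/Presto;`) and the `00` bytes on either side are string terminators, so the pattern is anchored on the string-table encoding, not on quote characters. I would write it as `// \0 <len 0x22> Lcom/bishopsoft/Presto/SDK/Presto; \0  (dex string_data_item)`. The `$code_segment` comment likewise only says "code segment of the injected methods plus junk opcodes"; the leading `02 00 01 00 00 00 00 00 ?? ?? ?? ?? 11 00 00 00` looks like a dex code_item header (registers_size, ins_size, outs_size, tries_size, wildcarded debug_info_off, insns_size = 0x11), and if that is the intent, spelling the field layout out in the comment lets a maintainer re-derive the pattern when the SDK changes. The elf rule's `$class` allows `[0-2]` bytes between the two `00`s while this one pins `22`; one sentence explaining that difference would help too.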
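Review bot: `$name3 = "\x00\x00"` in gpresto_elf, as shown, is just two NUL bytes, which occur in practically every ELF (header padding, section tables), so it always counts toward `2 of ($name*)` and the condition collapses to `$class and 1 of ($name, $name2, $name4)`; YARA is also likely to warn that the string may slow down scanning. If a marker string was meant between the two `\x00`s (the shape of `$name4` suggests one), restore it; otherwise drop `$name3` and write `and 2 of ($name, $name2, $name4)`, or `and 1 of ($name*)` if a single marker next to `$class` is the intended strength. Either way a one-line comment on `$name3`/`$name4` saying which binary artefact they come from would make the rule maintainable.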