Custom multidex and custom flutter packer (#372)

Reference ticket id: - #368 - #370
rednaga · Oct 27, 2023 · 0546b06 · 0546b06
1 parent 8086c8d
commit 0546b06
Showing 1 changed file with 94 additions and 1 deletion.
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
@@ -510,4 +510,97 @@ rule appguard_dex : packer
 
   condition:
     is_dex and any of them
-}
+}
+
+rule custom_multidex : packer
+{
+  meta:
+    description = "Custom Multidex"
+    sample1     = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
+    sample2     = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"
+    author      = "ReBensk"
+
+  strings:
+    $cipher = {
+      1a00 ????       // const-string v0, // string@00c9
+      7110 ???? 0000  // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067
+      0c00            // move-result-object v0
+      6900 ????       // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊﾞᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏﾞˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069
+      1a00 ????       // const-string v0, "ﾞﹳﾞـⁱᐧʿـʿʿⁱᵎﹶʽʾﾞʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2
+      7110 ???? 0000  // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊﾞᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏﾞˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082
+      0c00            // move-result-object v0
+      6900 ????       // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊﾞᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏﾞˎˉ;.globalPass:Ljava/lang/String; // field@006a
+      0e00            // return-void
+    }
+    $cipher2 = {
+      1201            // const/4 v1, #int 0 // #0 
+      2203 ????       // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
+      6e10 ???? 0700  // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
+      0c04            // move-result-object v4
+      1a05 ????       // const-string v5, "AES" // string@001e
+      7030 ???? 4305  // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.<init>:([BLjava/lang/String;)V // method@0072
+      1a04 ????       // const-string v4, "AES" // string@001e
+      7110 ???? 0400  // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
+      0c00            // move-result-object v0
+      1224            // const/4 v4, #int 2 // #2
+      6e30 ???? 4003  // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
+      6e20 ???? 6000  // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
+      0c01            // move-result-object v1
+      1101            // return-object v1
+      0d02            // move-exception v2
+      6e10 ???? 0200  // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
+      28fb            // goto 001a // -0005
+    }
+    $cipher3 = {
+      7110 ???? 0100  // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊﾞᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏﾞˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085
+      0c00            // move-result-object v0 
+      6e10 ???? 0000  // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056
+      0c00            // move-result-object v0
+      1100            // return-object v0
+    }
+
+  condition:
+    is_dex and all of them
+}
+
+rule custom_flutter : packer 
+{
+  meta:
+    description = "Custom Flutter"
+    sample1     = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c"
+    sample2     = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0"
+    author      = "ReBensk"
+
+  strings:
+    $attachBaseContextOpcodes = {
+      6f20 0100 ba00  // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
+      1a0b ????       // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005
+      7110 ???? 0b00  // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+      0c0b            // move-result-object v11
+      1203            // const/4 v3, #int 0 // #0
+      6e30 ???? ba03  // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
+      0c0b            // move-result-object v11
+      1a04 ????       // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3
+      7110 ???? 0400  // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+      0c04            // move-result-object v4
+      6e30 ???? 4a03  // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
+      0c04            // move-result-object v4
+      6e10 ???? 0400  // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020
+      0c05            // move-result-object v5
+      2155            // array-length v5, v5
+      3905 0d00       // if-nez v5, 0030 // +000d
+    }
+    $cipher = {
+      1a00 ????       // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding
+      7110 ???? 0000  // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+      0c00            // move-result-object v0
+      1a01 ????       // const-string v1, "3662583155221358" // string@0001
+      1a02 ????       // const-string v2, "7243279461549821" // string@0002
+      7140 ???? 2140  // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006
+      0c04            // move-result-object v4
+      1104            // return-object v4
+    }
+
+  condition:
+    is_dex and all of them
+}