From 0546b0613b42fc0ee78627974d9de8393a9c65bf Mon Sep 17 00:00:00 2001
From: ReBensk <146695244+ReBensk@users.noreply.github.com>
Date: Fri, 27 Oct 2023 15:03:09 +0530
Subject: [PATCH] Custom multidex and custom flutter packer (#372)

Reference ticket id:
- https://github.com/rednaga/APKiD/issues/368
- https://github.com/rednaga/APKiD/issues/370
---
 apkid/rules/dex/packers.yara | 95 +++++++++++++++++++++++++++++++++++-
 1 file changed, 94 insertions(+), 1 deletion(-)

diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 08fb03d..b3e6215 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -510,4 +510,97 @@ rule appguard_dex : packer
 condition:
 is_dex and any of them
-}
\ No newline at end of file
+}
+
+rule custom_multidex : packer
+{
+ meta:
+ description = "Custom Multidex"
+ sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
+ sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"
+ author = "ReBensk"
+
+ strings:
+ $cipher = {
+ 1a00 ???? // const-string v0, // string@00c9
+ 7110 ???? 0000 // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067
+ 0c00 // move-result-object v0
+ 6900 ???? // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069
+ 1a00 ???? // const-string v0, "゙ﹳ゙ـⁱᐧʿـʿʿⁱᵎﹶʽʾ゙ʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2
+ 7110 ???? 0000 // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082
+ 0c00 // move-result-object v0
+ 6900 ???? // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.globalPass:Ljava/lang/String; // field@006a
+ 0e00 // return-void
+ }
+ $cipher2 = {
+ 1201 // const/4 v1, #int 0 // #0
+ 2203 ???? // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
+ 6e10 ???? 0700 // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
+ 0c04 // move-result-object v4
+ 1a05 ???? // const-string v5, "AES" // string@001e
+ 7030 ???? 4305 // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.:([BLjava/lang/String;)V // method@0072
+ 1a04 ???? // const-string v4, "AES" // string@001e
+ 7110 ???? 0400 // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
+ 0c00 // move-result-object v0
+ 1224 // const/4 v4, #int 2 // #2
+ 6e30 ???? 4003 // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
+ 6e20 ???? 6000 // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
+ 0c01 // move-result-object v1
+ 1101 // return-object v1
+ 0d02 // move-exception v2
+ 6e10 ???? 0200 // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
+ 28fb // goto 001a // -0005
+ }
+ $cipher3 = {
+ 7110 ???? 0100 // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085
+ 0c00 // move-result-object v0
+ 6e10 ???? 0000 // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056
+ 0c00 // move-result-object v0
+ 1100 // return-object v0
+ }
+
+ condition:
+ is_dex and all of them
+}
+
+rule custom_flutter : packer
+{
+ meta:
+ description = "Custom Flutter"
+ sample1 = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c"
+ sample2 = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0"
+ author = "ReBensk"
+
+ strings:
+ $attachBaseContextOpcodes = {
+ 6f20 0100 ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
+ 1a0b ???? // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005
+ 7110 ???? 0b00 // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+ 0c0b // move-result-object v11
+ 1203 // const/4 v3, #int 0 // #0
+ 6e30 ???? ba03 // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
+ 0c0b // move-result-object v11
+ 1a04 ???? // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3
+ 7110 ???? 0400 // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+ 0c04 // move-result-object v4
+ 6e30 ???? 4a03 // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
+ 0c04 // move-result-object v4
+ 6e10 ???? 0400 // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020
+ 0c05 // move-result-object v5
+ 2155 // array-length v5, v5
+ 3905 0d00 // if-nez v5, 0030 // +000d
+ }
+ $cipher = {
+ 1a00 ???? // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding
+ 7110 ???? 0000 // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
+ 0c00 // move-result-object v0
+ 1a01 ???? // const-string v1, "3662583155221358" // string@0001
+ 1a02 ???? // const-string v2, "7243279461549821" // string@0002
+ 7140 ???? 2140 // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006
+ 0c04 // move-result-object v4
+ 1104 // return-object v4
+ }
+
+ condition:
+ is_dex and all of them
+}
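Review bot: In `custom_flutter`'s `$attachBaseContextOpcodes` the invoke-super encoding `6f20 0100 ba00` keeps the method index `0100` as a literal byte, while every other invoke and const-string in the hunk wildcards its method/string index with `????`; method@0001 is a position in the sample's method_ids table, so a repacked sample whose table orders differently may silently fail to match even though the stub is the same. Wildcarding it like its siblings, `6f20 ???? ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V`, keeps the register operands as the anchor and costs no precision, since the condition is `all of them` and the `$cipher` sequence still has to match. Separately, the first line of `custom_multidex`'s `$cipher` is annotated `// const-string v0, // string@00c9` with the string literal missing; filling it in from the sample, or noting `// literal omitted` there, would make the annotation consistent with the rest of the sequence.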