From d30d1038f55c8f7bd44fd82cf583e316d9a2983f Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:29:18 +0530
Subject: [PATCH] improve yidun(NetEase) detection rule (#404)
---
 apkid/rules/apk/packers.yara | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
index f110904..36f7c71 100644
--- a/apkid/rules/apk/packers.yara
+++ b/apkid/rules/apk/packers.yara
@@ -786,9 +786,11 @@ rule yidun : packer
 $entry_point = "Lcom/netease/nis/wrapper/Entry"
 $jni_func = "Lcom/netease/nis/wrapper/MyJni"
 $lib = "libnesec.so"
+ $nedata = "assets/nedata.db"
+ $nedig = "assets/nedig.properties"
 condition:
- is_apk and (#lib > 1) or ($anti_trick and $entry_point and $jni_func)
+ is_apk and (#lib > 1 or ($anti_trick and $entry_point and $jni_func) or ($nedata and $nedig))
 }
 rule apkpacker : packer
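Review bot: The third alternative in the new condition, `($nedata and $nedig)`, accepts an APK on two plain asset-path strings alone, which is a weaker signal than the other two branches and can match any file that merely carries both strings once (for example inside a stored resource). If the intent is to match real zip entries, counting occurrences the way the `$lib` branch does would be more consistent, e.g. `(#nedata > 1 and #nedig > 1)`, assuming `#lib > 1` is there because an entry name appears in both the local header and the central directory. A short comment above the two new strings saying where `nedata.db` and `nedig.properties` were observed would help the next maintainer judge false positives, e.g. `// asset files shipped by yidun; sample: <SAMPLE_SHA256>`. The rule's `meta` section and the `$anti_trick` definition are outside the hunk, so whether a sample reference already exists cannot be confirmed from here.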