From 7a6a19760f54e33ab508480d806fcefd021e4660 Mon Sep 17 00:00:00 2001
From: ReBensk <146695244+ReBensk@users.noreply.github.com>
Date: Fri, 3 Nov 2023 13:50:06 +0530
Subject: [PATCH 01/12] JiaguK - packer

---
 apkid/rules/dex/packers.yara | 72 ++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index b3e6215..12a82cc 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -604,3 +604,75 @@ rule custom_flutter : packer condition: is_dex and all of them } + +rule jiagu_k : packer +{ + meta: + description = "Jiagu K" + sample1 = "aa666b75ffb3588dd41c8e546d53e353cda67cf278b167c7737b1169262856bb" + sample2 = "d9baf66e7ac116a8c68599ef16fae5397ac4fd0847e2fcfe3ee2c155ecf4f850" + author = "ReBensk" + + strings: + $attachBaseContextOpcodes = { + 7502 0100 1700 //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 + 6901 ???? //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c + 7401 ???? 1800 //invoke-virtual/range {v24}, Landroid/content/Context;.getFilesDir:()Ljava/io/File; // method@0008 + 0c03 //move-result-object v3 + 6e10 ???? 0300 //invoke-virtual {v3}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@001b + 0c03 //move-result-object v3 + 2204 ???? //new-instance v4, Ljava/io/File; // type@0015 + 7020 ???? 3400 //invoke-direct {v4, v3}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 + 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.exists:()Z // method@001a + 0a05 //move-result v5 + 3905 0500 //if-nez v5, 0021 // +0005 + 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.mkdir:()Z // method@001c + 2204 ???? //new-instance v4, Ljava/lang/StringBuilder; // type@0025 + 7010 ???? 0400 //invoke-direct {v4}, Ljava/lang/StringBuilder;.:()V // method@003c + 6e20 ???? 3400 //invoke-virtual {v4, v3}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d + 1243 //const/4 v3, #int 4 // #4 + 2335 ???? //new-array v5, v3, [B // type@0036 + 2605 ???? 0000 //fill-array-data v5, 0000075a // +0000072e + 7110 ???? 0500 //invoke-static {v5}, Lv45e7a802/l45e7a802;.h:([B)Ljava/lang/String; // method@0067 + 0c05 //move-result-object v5 + 6e20 ???? 5400 //invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d + 6e10 ???? 
0400 //invoke-virtual {v4}, Ljava/lang/StringBuilder;.toString:()Ljava/lang/String; // method@003e + 0c04 //move-result-object v4 + 2205 ???? //new-instance v5, Ljava/io/File; // type@0015 + 7020 ???? 4500 //invoke-direct {v5, v4}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 + 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.exists:()Z // method@001a + 0a06 //move-result v6 + 3906 0500 //if-nez v6, 0048 // +0005 + 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.mkdir:()Z // method@001c + 7401 0500 1700 //invoke-virtual/range {v23}, Landroid/app/Application;.getPackageName:()Ljava/lang/String; // method@0005 + 0c05 //move-result-object v5 + } + + /** + public static String h(byte[] bArr) { + for (int i2 = 0; i2 < bArr.length; i2++) { + bArr[i2] = (byte) (bArr[i2] ^ 105); + } + return new String(bArr, 0, bArr.length); + } + */ + $xor_key = { + 1200 //const/4 v0, #int 0 // #0 + 1201 //const/4 v1, #int 0 // #0 + 2132 //array-length v2, v3 + 3521 0c00 //if-ge v1, v2, 000f // +000c + 4802 0301 //aget-byte v2, v3, v1 + df02 0269 //xor-int/lit8 v2, v2, #int 105 // #69 + 8d22 //int-to-byte v2, v2 + 4f02 0301 //aput-byte v2, v3, v1 + d801 0101 //add-int/lit8 v1, v1, #int 1 // #01 + 28f4 //goto 0002 // -000c + 2201 ???? //new-instance v1, Ljava/lang/String; // type@0024 + 2132 //array-length v2, v3 + 7040 ???? 3120 //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.:([BII)V // method@0035 + 1101 //return-object v1 + } + + condition: + is_dex and all of them +} From fec7ed1d9a2113019f2aeb578b23f298d61ac16d Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Mon, 23 Oct 2023 20:49:02 +0530 Subject: [PATCH 02/12] Update packers.yara --- apkid/rules/dex/packers.yara | 95 +----------------------------------- 1 file changed, 1 insertion(+), 94 deletions(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index b3e6215..08fb03d 100644 --- a/apkid/rules/dex/packers.yara 
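Review bot: The operand wildcarding in the new `$attachBaseContextOpcodes` string is inconsistent: the method index is pinned in `7502 0100 1700` (method@0001) and `7401 0500 1700` (method@0005) but written as `????` in every other invoke, and the register operands (`1700`/`1800`, i.e. v23/v24) are pinned throughout. Method indices are positions in a sample's sorted method_ids table and register numbers are an allocation detail of the build, so these fixed bytes presumably tie the rule to the two listed samples rather than to the packer; if they are deliberate anchors, say so in the trailing comment, otherwise `7502 ???? 1700` and `7401 ???? 1700` would match the same sequence more consistently. The identical rule is added again by the PATCH 05/12 hunk, where the same applies.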
+++ b/apkid/rules/dex/packers.yara 
@@ -510,97 +510,4 @@ rule appguard_dex : packer condition: is_dex and any of them -} - -rule custom_multidex : packer -{ - meta: - description = "Custom Multidex" - sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993" - sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552" - author = "ReBensk" - - strings: - $cipher = { - 1a00 ???? // const-string v0, // string@00c9 - 7110 ???? 0000 // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067 - 0c00 // move-result-object v0 - 6900 ???? // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069 - 1a00 ???? // const-string v0, "゙ﹳ゙ـⁱᐧʿـʿʿⁱᵎﹶʽʾ゙ʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2 - 7110 ???? 0000 // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082 - 0c00 // move-result-object v0 - 6900 ???? // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.globalPass:Ljava/lang/String; // field@006a - 0e00 // return-void - } - $cipher2 = { - 1201 // const/4 v1, #int 0 // #0 - 2203 ???? // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a - 6e10 ???? 0700 // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f - 0c04 // move-result-object v4 - 1a05 ???? // const-string v5, "AES" // string@001e - 7030 ???? 4305 // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.:([BLjava/lang/String;)V // method@0072 - 1a04 ???? // const-string v4, "AES" // string@001e - 7110 ???? 0400 // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070 - 0c00 // move-result-object v0 - 1224 // const/4 v4, #int 2 // #2 - 6e30 ???? 4003 // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071 - 6e20 ???? 
6000 // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f - 0c01 // move-result-object v1 - 1101 // return-object v1 - 0d02 // move-exception v2 - 6e10 ???? 0200 // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043 - 28fb // goto 001a // -0005 - } - $cipher3 = { - 7110 ???? 0100 // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085 - 0c00 // move-result-object v0 - 6e10 ???? 0000 // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056 - 0c00 // move-result-object v0 - 1100 // return-object v0 - } - - condition: - is_dex and all of them -} - -rule custom_flutter : packer -{ - meta: - description = "Custom Flutter" - sample1 = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c" - sample2 = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0" - author = "ReBensk" - - strings: - $attachBaseContextOpcodes = { - 6f20 0100 ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 - 1a0b ???? // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005 - 7110 ???? 0b00 // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c0b // move-result-object v11 - 1203 // const/4 v3, #int 0 // #0 - 6e30 ???? ba03 // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e - 0c0b // move-result-object v11 - 1a04 ???? // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3 - 7110 ???? 0400 // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c04 // move-result-object v4 - 6e30 ???? 4a03 // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e - 0c04 // move-result-object v4 - 6e10 ???? 
0400 // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020 - 0c05 // move-result-object v5 - 2155 // array-length v5, v5 - 3905 0d00 // if-nez v5, 0030 // +000d - } - $cipher = { - 1a00 ???? // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding - 7110 ???? 0000 // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c00 // move-result-object v0 - 1a01 ???? // const-string v1, "3662583155221358" // string@0001 - 1a02 ???? // const-string v2, "7243279461549821" // string@0002 - 7140 ???? 2140 // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006 - 0c04 // move-result-object v4 - 1104 // return-object v4 - } - - condition: - is_dex and all of them -} +} \ No newline at end of file From 6a3ed04f0be63426ad9486a1fc3cad605af3e8af Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Fri, 3 Nov 2023 22:00:00 +0530 Subject: [PATCH 03/12] Revert "Update packers.yara" This reverts commit 57d5f34cf477718889533b1d9f24b6a82b905401, reversing changes made to fec7ed1d9a2113019f2aeb578b23f298d61ac16d. --- apkid/rules/dex/packers.yara | 171 +---------------------------------- 1 file changed, 1 insertion(+), 170 deletions(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 76d31ad..08fb03d 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara 
@@ -510,173 +510,4 @@ rule appguard_dex : packer condition: is_dex and any of them -<<<<<<< HEAD -} -======= -} - -rule custom_multidex : packer -{ - meta: - description = "Custom Multidex" - sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993" - sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552" - author = "ReBensk" - - strings: - $cipher = { - 1a00 ???? // const-string v0, // string@00c9 - 7110 ???? 0000 // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067 - 0c00 // move-result-object v0 - 6900 ???? // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069 - 1a00 ???? // const-string v0, "゙ﹳ゙ـⁱᐧʿـʿʿⁱᵎﹶʽʾ゙ʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2 - 7110 ???? 0000 // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082 - 0c00 // move-result-object v0 - 6900 ???? // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.globalPass:Ljava/lang/String; // field@006a - 0e00 // return-void - } - $cipher2 = { - 1201 // const/4 v1, #int 0 // #0 - 2203 ???? // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a - 6e10 ???? 0700 // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f - 0c04 // move-result-object v4 - 1a05 ???? // const-string v5, "AES" // string@001e - 7030 ???? 4305 // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.:([BLjava/lang/String;)V // method@0072 - 1a04 ???? // const-string v4, "AES" // string@001e - 7110 ???? 0400 // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070 - 0c00 // move-result-object v0 - 1224 // const/4 v4, #int 2 // #2 - 6e30 ???? 4003 // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071 - 6e20 ???? 
6000 // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f - 0c01 // move-result-object v1 - 1101 // return-object v1 - 0d02 // move-exception v2 - 6e10 ???? 0200 // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043 - 28fb // goto 001a // -0005 - } - $cipher3 = { - 7110 ???? 0100 // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085 - 0c00 // move-result-object v0 - 6e10 ???? 0000 // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056 - 0c00 // move-result-object v0 - 1100 // return-object v0 - } - - condition: - is_dex and all of them -} - -rule custom_flutter : packer -{ - meta: - description = "Custom Flutter" - sample1 = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c" - sample2 = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0" - author = "ReBensk" - - strings: - $attachBaseContextOpcodes = { - 6f20 0100 ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 - 1a0b ???? // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005 - 7110 ???? 0b00 // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c0b // move-result-object v11 - 1203 // const/4 v3, #int 0 // #0 - 6e30 ???? ba03 // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e - 0c0b // move-result-object v11 - 1a04 ???? // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3 - 7110 ???? 0400 // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c04 // move-result-object v4 - 6e30 ???? 4a03 // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e - 0c04 // move-result-object v4 - 6e10 ???? 
0400 // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020 - 0c05 // move-result-object v5 - 2155 // array-length v5, v5 - 3905 0d00 // if-nez v5, 0030 // +000d - } - $cipher = { - 1a00 ???? // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding - 7110 ???? 0000 // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 - 0c00 // move-result-object v0 - 1a01 ???? // const-string v1, "3662583155221358" // string@0001 - 1a02 ???? // const-string v2, "7243279461549821" // string@0002 - 7140 ???? 2140 // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006 - 0c04 // move-result-object v4 - 1104 // return-object v4 - } - - condition: - is_dex and all of them -} - -rule jiagu_k : packer -{ - meta: - description = "Jiagu K" - sample1 = "aa666b75ffb3588dd41c8e546d53e353cda67cf278b167c7737b1169262856bb" - sample2 = "d9baf66e7ac116a8c68599ef16fae5397ac4fd0847e2fcfe3ee2c155ecf4f850" - author = "ReBensk" - - strings: - $attachBaseContextOpcodes = { - 7502 0100 1700 //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 - 6901 ???? //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c - 7401 ???? 1800 //invoke-virtual/range {v24}, Landroid/content/Context;.getFilesDir:()Ljava/io/File; // method@0008 - 0c03 //move-result-object v3 - 6e10 ???? 0300 //invoke-virtual {v3}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@001b - 0c03 //move-result-object v3 - 2204 ???? //new-instance v4, Ljava/io/File; // type@0015 - 7020 ???? 3400 //invoke-direct {v4, v3}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 - 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.exists:()Z // method@001a - 0a05 //move-result v5 - 3905 0500 //if-nez v5, 0021 // +0005 - 6e10 ???? 
0400 //invoke-virtual {v4}, Ljava/io/File;.mkdir:()Z // method@001c - 2204 ???? //new-instance v4, Ljava/lang/StringBuilder; // type@0025 - 7010 ???? 0400 //invoke-direct {v4}, Ljava/lang/StringBuilder;.:()V // method@003c - 6e20 ???? 3400 //invoke-virtual {v4, v3}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d - 1243 //const/4 v3, #int 4 // #4 - 2335 ???? //new-array v5, v3, [B // type@0036 - 2605 ???? 0000 //fill-array-data v5, 0000075a // +0000072e - 7110 ???? 0500 //invoke-static {v5}, Lv45e7a802/l45e7a802;.h:([B)Ljava/lang/String; // method@0067 - 0c05 //move-result-object v5 - 6e20 ???? 5400 //invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d - 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/lang/StringBuilder;.toString:()Ljava/lang/String; // method@003e - 0c04 //move-result-object v4 - 2205 ???? //new-instance v5, Ljava/io/File; // type@0015 - 7020 ???? 4500 //invoke-direct {v5, v4}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 - 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.exists:()Z // method@001a - 0a06 //move-result v6 - 3906 0500 //if-nez v6, 0048 // +0005 - 6e10 ???? 
0500 //invoke-virtual {v5}, Ljava/io/File;.mkdir:()Z // method@001c - 7401 0500 1700 //invoke-virtual/range {v23}, Landroid/app/Application;.getPackageName:()Ljava/lang/String; // method@0005 - 0c05 //move-result-object v5 - } - - /** - public static String h(byte[] bArr) { - for (int i2 = 0; i2 < bArr.length; i2++) { - bArr[i2] = (byte) (bArr[i2] ^ 105); - } - return new String(bArr, 0, bArr.length); - } - */ - $xor_key = { - 1200 //const/4 v0, #int 0 // #0 - 1201 //const/4 v1, #int 0 // #0 - 2132 //array-length v2, v3 - 3521 0c00 //if-ge v1, v2, 000f // +000c - 4802 0301 //aget-byte v2, v3, v1 - df02 0269 //xor-int/lit8 v2, v2, #int 105 // #69 - 8d22 //int-to-byte v2, v2 - 4f02 0301 //aput-byte v2, v3, v1 - d801 0101 //add-int/lit8 v1, v1, #int 1 // #01 - 28f4 //goto 0002 // -000c - 2201 ???? //new-instance v1, Ljava/lang/String; // type@0024 - 2132 //array-length v2, v3 - 7040 ???? 3120 //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.:([BII)V // method@0035 - 1101 //return-object v1 - } - - condition: - is_dex and all of them -} ->>>>>>> 7a6a19760f54e33ab508480d806fcefd021e4660 +} \ No newline at end of file From 20ff668f205d87f15fb3b17fa19c8b633335d8b2 Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Fri, 3 Nov 2023 22:07:04 +0530 Subject: [PATCH 04/12] Revert "Update packers.yara" This reverts commit fec7ed1d9a2113019f2aeb578b23f298d61ac16d. --- apkid/rules/dex/packers.yara | 95 +++++++++++++++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 08fb03d..b3e6215 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara 
@@ -510,4 +510,97 @@ rule appguard_dex : packer condition: is_dex and any of them -} \ No newline at end of file +} + +rule custom_multidex : packer +{ + meta: + description = "Custom Multidex" + sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993" + sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552" + author = "ReBensk" + + strings: + $cipher = { + 1a00 ???? // const-string v0, // string@00c9 + 7110 ???? 0000 // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067 + 0c00 // move-result-object v0 + 6900 ???? // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069 + 1a00 ???? // const-string v0, "゙ﹳ゙ـⁱᐧʿـʿʿⁱᵎﹶʽʾ゙ʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2 + 7110 ???? 0000 // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082 + 0c00 // move-result-object v0 + 6900 ???? // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.globalPass:Ljava/lang/String; // field@006a + 0e00 // return-void + } + $cipher2 = { + 1201 // const/4 v1, #int 0 // #0 + 2203 ???? // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a + 6e10 ???? 0700 // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f + 0c04 // move-result-object v4 + 1a05 ???? // const-string v5, "AES" // string@001e + 7030 ???? 4305 // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.:([BLjava/lang/String;)V // method@0072 + 1a04 ???? // const-string v4, "AES" // string@001e + 7110 ???? 0400 // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070 + 0c00 // move-result-object v0 + 1224 // const/4 v4, #int 2 // #2 + 6e30 ???? 4003 // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071 + 6e20 ???? 
6000 // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f + 0c01 // move-result-object v1 + 1101 // return-object v1 + 0d02 // move-exception v2 + 6e10 ???? 0200 // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043 + 28fb // goto 001a // -0005 + } + $cipher3 = { + 7110 ???? 0100 // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085 + 0c00 // move-result-object v0 + 6e10 ???? 0000 // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056 + 0c00 // move-result-object v0 + 1100 // return-object v0 + } + + condition: + is_dex and all of them +} + +rule custom_flutter : packer +{ + meta: + description = "Custom Flutter" + sample1 = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c" + sample2 = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0" + author = "ReBensk" + + strings: + $attachBaseContextOpcodes = { + 6f20 0100 ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 + 1a0b ???? // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005 + 7110 ???? 0b00 // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 + 0c0b // move-result-object v11 + 1203 // const/4 v3, #int 0 // #0 + 6e30 ???? ba03 // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e + 0c0b // move-result-object v11 + 1a04 ???? // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3 + 7110 ???? 0400 // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 + 0c04 // move-result-object v4 + 6e30 ???? 4a03 // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e + 0c04 // move-result-object v4 + 6e10 ???? 
0400 // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020 + 0c05 // move-result-object v5 + 2155 // array-length v5, v5 + 3905 0d00 // if-nez v5, 0030 // +000d + } + $cipher = { + 1a00 ???? // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding + 7110 ???? 0000 // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012 + 0c00 // move-result-object v0 + 1a01 ???? // const-string v1, "3662583155221358" // string@0001 + 1a02 ???? // const-string v2, "7243279461549821" // string@0002 + 7140 ???? 2140 // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006 + 0c04 // move-result-object v4 + 1104 // return-object v4 + } + + condition: + is_dex and all of them +} From ba6af93d61316e3ecd96e4168c3dec8f52f87c0b Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Fri, 3 Nov 2023 23:15:41 +0530 Subject: [PATCH 05/12] Update packers.yara --- apkid/rules/dex/packers.yara | 72 ++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index b3e6215..12a82cc 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara 
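Review bot: The first line of the restored `$cipher` string in `custom_multidex`, `1a00 ???? // const-string v0, // string@00c9`, has lost the string literal that every other `const-string` annotation in these rules carries, so a reader cannot tell which constant is loaded before `Charset.forName`. This hunk only reinstates content removed by the previous commit, so the gap is inherited, but it is the place to complete the comment, or to state that the literal is unprintable if that is the case (the obfuscated identifiers on the following lines suggest it may be). The `$cipher` string in `custom_flutter` already records its decoded value (`// AES/ECB/PKCS5Padding`), which is the pattern to follow.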
@@ -604,3 +604,75 @@ rule custom_flutter : packer condition: is_dex and all of them } + +rule jiagu_k : packer +{ + meta: + description = "Jiagu K" + sample1 = "aa666b75ffb3588dd41c8e546d53e353cda67cf278b167c7737b1169262856bb" + sample2 = "d9baf66e7ac116a8c68599ef16fae5397ac4fd0847e2fcfe3ee2c155ecf4f850" + author = "ReBensk" + + strings: + $attachBaseContextOpcodes = { + 7502 0100 1700 //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 + 6901 ???? //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c + 7401 ???? 1800 //invoke-virtual/range {v24}, Landroid/content/Context;.getFilesDir:()Ljava/io/File; // method@0008 + 0c03 //move-result-object v3 + 6e10 ???? 0300 //invoke-virtual {v3}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@001b + 0c03 //move-result-object v3 + 2204 ???? //new-instance v4, Ljava/io/File; // type@0015 + 7020 ???? 3400 //invoke-direct {v4, v3}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 + 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.exists:()Z // method@001a + 0a05 //move-result v5 + 3905 0500 //if-nez v5, 0021 // +0005 + 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.mkdir:()Z // method@001c + 2204 ???? //new-instance v4, Ljava/lang/StringBuilder; // type@0025 + 7010 ???? 0400 //invoke-direct {v4}, Ljava/lang/StringBuilder;.:()V // method@003c + 6e20 ???? 3400 //invoke-virtual {v4, v3}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d + 1243 //const/4 v3, #int 4 // #4 + 2335 ???? //new-array v5, v3, [B // type@0036 + 2605 ???? 0000 //fill-array-data v5, 0000075a // +0000072e + 7110 ???? 0500 //invoke-static {v5}, Lv45e7a802/l45e7a802;.h:([B)Ljava/lang/String; // method@0067 + 0c05 //move-result-object v5 + 6e20 ???? 5400 //invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d + 6e10 ???? 
0400 //invoke-virtual {v4}, Ljava/lang/StringBuilder;.toString:()Ljava/lang/String; // method@003e + 0c04 //move-result-object v4 + 2205 ???? //new-instance v5, Ljava/io/File; // type@0015 + 7020 ???? 4500 //invoke-direct {v5, v4}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018 + 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.exists:()Z // method@001a + 0a06 //move-result v6 + 3906 0500 //if-nez v6, 0048 // +0005 + 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.mkdir:()Z // method@001c + 7401 0500 1700 //invoke-virtual/range {v23}, Landroid/app/Application;.getPackageName:()Ljava/lang/String; // method@0005 + 0c05 //move-result-object v5 + } + + /** + public static String h(byte[] bArr) { + for (int i2 = 0; i2 < bArr.length; i2++) { + bArr[i2] = (byte) (bArr[i2] ^ 105); + } + return new String(bArr, 0, bArr.length); + } + */ + $xor_key = { + 1200 //const/4 v0, #int 0 // #0 + 1201 //const/4 v1, #int 0 // #0 + 2132 //array-length v2, v3 + 3521 0c00 //if-ge v1, v2, 000f // +000c + 4802 0301 //aget-byte v2, v3, v1 + df02 0269 //xor-int/lit8 v2, v2, #int 105 // #69 + 8d22 //int-to-byte v2, v2 + 4f02 0301 //aput-byte v2, v3, v1 + d801 0101 //add-int/lit8 v1, v1, #int 1 // #01 + 28f4 //goto 0002 // -000c + 2201 ???? //new-instance v1, Ljava/lang/String; // type@0024 + 2132 //array-length v2, v3 + 7040 ???? 3120 //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.:([BII)V // method@0035 + 1101 //return-object v1 + } + + condition: + is_dex and all of them +} From 93b7c571d5f276aa4fb00ed2621578c73359e5a4 Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Sun, 5 Nov 2023 20:44:52 +0530 Subject: [PATCH 06/12] Update packers.yara --- apkid/rules/dex/packers.yara | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 12a82cc..02c360d 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara 
@@ -614,6 +614,28 @@ rule jiagu_k : packer author = "ReBensk" strings: + $classNameStrings = { 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 } // Lvirbox/StubApp + + /** + public void attachBaseContext(Context context0) { + int v5; + l16f56f57 l16f56f570 = this; + Context context1 = context0; + super.attachBaseContext(context0); + l16f56f57.i = context1; + String s = context0.getFilesDir().getAbsolutePath(); + File file0 = new File(s); + if(!file0.exists()) { + file0.mkdir(); + } + + String s1 = s + l16f56f57.h(new byte[]{70, 71, 26, 26}); + File file1 = new File(s1); + if(!file1.exists()) { + file1.mkdir(); + } + } + */ $attachBaseContextOpcodes = { 7502 0100 1700 //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001 6901 ???? //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c @@ -656,13 +678,13 @@ rule jiagu_k : packer return new String(bArr, 0, bArr.length); } */ - $xor_key = { + $xorKeyOpcodes = { 1200 //const/4 v0, #int 0 // #0 1201 //const/4 v1, #int 0 // #0 2132 //array-length v2, v3 3521 0c00 //if-ge v1, v2, 000f // +000c 4802 0301 //aget-byte v2, v3, v1 - df02 0269 //xor-int/lit8 v2, v2, #int 105 // #69 + df02 02?? //xor-int/lit8 v2, v2, #int 105 // #69 8d22 //int-to-byte v2, v2 4f02 0301 //aput-byte v2, v3, v1 d801 0101 //add-int/lit8 v1, v1, #int 1 // #01 @@ -672,7 +694,7 @@ rule jiagu_k : packer 7040 ???? 3120 //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.:([BII)V // method@0035 1101 //return-object v1 } - + condition: - is_dex and all of them + is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and all of them } From 9c3b37ae98b854dda4d157b80706a5eb4f9b140d Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Mon, 6 Nov 2023 14:03:12 +0530 Subject: [PATCH 07/12] Update packers.yara --- apkid/rules/dex/packers.yara | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
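Review bot: The comment on the changed line `df02 02?? //xor-int/lit8 v2, v2, #int 105 // #69` is now stale: the immediate byte was wildcarded, so the pattern no longer requires key 0x69, yet the annotation (and the decompiled `h()` snippet above it, which still shows `^ 105`) present 105 as the key. Suggest `df02 02?? //xor-int/lit8 v2, v2, #int ?? (key byte varies per sample; 0x69 in the sample the snippet was taken from)`. The rename from `$xor_key` to `$xorKeyOpcodes` is fine and matches `$attachBaseContextOpcodes`; the string's closing brace and the rule's condition lie in the next hunk.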
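Review bot: The new condition term `(dex.header.data_size + dex.header.data_offset) < dex.header.file_size` has no comment explaining what it tests, and its intent is not obvious from the rule. In a well-formed dex the data section is the last section, so data_off + data_size normally reaches file_size; the inequality presumably detects bytes appended after the data section, where this packer is assumed to keep its payload — confirm and record it, e.g. `// trailing data after the dex data section (data_off + data_size would otherwise reach file_size)`. The term also depends on the `dex` module, presumably imported at the top of the file outside this hunk; the rule's `meta:` and `strings:` sections start outside the hunk as well.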
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 02c360d..71f18e8 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara @@ -614,7 +614,7 @@ rule jiagu_k : packer author = "ReBensk" strings: - $classNameStrings = { 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 } // Lvirbox/StubApp + $classNameString = { 00 10 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 3B 00 } // Lvirbox/StubApp; /** public void attachBaseContext(Context context0) { @@ -696,5 +696,5 @@ rule jiagu_k : packer } condition: - is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and all of them + is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString } From 4d87c1d737540a3f747a707d679563097d94fbc1 Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:38:19 +0530 Subject: [PATCH 08/12] Update packers.yara --- apkid/rules/dex/packers.yara | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 71f18e8..430f6ae 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara @@ -696,5 +696,5 @@ rule jiagu_k : packer } condition: - is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString + is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString and $attachBaseContextOpcodes and $xorKeyOpcodes } From 224c4d30891d93db813124d52651bb955dce28f6 Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:42:43 +0530 Subject: [PATCH 09/12] Update packers.yara --- apkid/rules/dex/packers.yara | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index 430f6ae..daaca45 100644 --- a/apkid/rules/dex/packers.yara 
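Review bot: The condition in the second hunk, `is_dex and (...) < dex.header.file_size and $classNameString`, drops `$attachBaseContextOpcodes` and `$xorKeyOpcodes` while leaving both strings defined; YARA normally rejects a rule whose defined string is never referenced in its condition, so this revision of the rule would not load (the PATCH 08/12 hunk on this same line references them again). Separately, the new `$classNameString = { 00 10 4C ... 3B 00 }` explains neither the `00 10` prefix nor the trailing `00`: presumably `10` is the string_data_item ULEB128 length (16 for `Lvirbox/StubApp;`) and the `00` bytes are the terminators of the neighbouring string_data_items, which is what keeps the pattern from matching inside a longer name — confirm and extend the comment to `// string_data_item: NUL, uleb128 len 0x10, "Lvirbox/StubApp;", NUL`.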
+++ b/apkid/rules/dex/packers.yara @@ -696,5 +696,7 @@ rule jiagu_k : packer } condition: - is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString and $attachBaseContextOpcodes and $xorKeyOpcodes + is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString + and $attachBaseContextOpcodes and $xorKeyOpcodes } + From d322b3560fd646069c800c182ba46cf2d7389a4e Mon Sep 17 00:00:00 2001 From: ReBensk <146695244+ReBensk@users.noreply.github.com> Date: Tue, 7 Nov 2023 12:27:37 +0530 Subject: [PATCH 10/12] Update packers.yara --- apkid/rules/dex/packers.yara | 81 ------------------------------------ 1 file changed, 81 deletions(-) diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara index daaca45..20d5b87 100644 --- a/apkid/rules/dex/packers.yara +++ b/apkid/rules/dex/packers.yara 
@@ -615,88 +615,7 @@ rule jiagu_k : packer
strings:
$classNameString = { 00 10 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 3B 00 } // Lvirbox/StubApp;
-
- /**
- public void attachBaseContext(Context context0) {
- int v5;
- l16f56f57 l16f56f570 = this;
- Context context1 = context0;
- super.attachBaseContext(context0);
- l16f56f57.i = context1;
- String s = context0.getFilesDir().getAbsolutePath();
- File file0 = new File(s);
- if(!file0.exists()) {
- file0.mkdir();
- }
-
- String s1 = s + l16f56f57.h(new byte[]{70, 71, 26, 26});
- File file1 = new File(s1);
- if(!file1.exists()) {
- file1.mkdir();
- }
- }
- */
- $attachBaseContextOpcodes = {
- 7502 0100 1700 //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
- 6901 ???? //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c
- 7401 ???? 1800 //invoke-virtual/range {v24}, Landroid/content/Context;.getFilesDir:()Ljava/io/File; // method@0008
- 0c03 //move-result-object v3
- 6e10 ???? 0300 //invoke-virtual {v3}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@001b
- 0c03 //move-result-object v3
- 2204 ???? //new-instance v4, Ljava/io/File; // type@0015
- 7020 ???? 3400 //invoke-direct {v4, v3}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018
- 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.exists:()Z // method@001a
- 0a05 //move-result v5
- 3905 0500 //if-nez v5, 0021 // +0005
- 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/io/File;.mkdir:()Z // method@001c
- 2204 ???? //new-instance v4, Ljava/lang/StringBuilder; // type@0025
- 7010 ???? 0400 //invoke-direct {v4}, Ljava/lang/StringBuilder;.:()V // method@003c
- 6e20 ???? 3400 //invoke-virtual {v4, v3}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d
- 1243 //const/4 v3, #int 4 // #4
- 2335 ???? //new-array v5, v3, [B // type@0036
- 2605 ???? 0000 //fill-array-data v5, 0000075a // +0000072e
- 7110 ???? 0500 //invoke-static {v5}, Lv45e7a802/l45e7a802;.h:([B)Ljava/lang/String; // method@0067
- 0c05 //move-result-object v5
- 6e20 ???? 5400 //invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d
- 6e10 ???? 0400 //invoke-virtual {v4}, Ljava/lang/StringBuilder;.toString:()Ljava/lang/String; // method@003e
- 0c04 //move-result-object v4
- 2205 ???? //new-instance v5, Ljava/io/File; // type@0015
- 7020 ???? 4500 //invoke-direct {v5, v4}, Ljava/io/File;.:(Ljava/lang/String;)V // method@0018
- 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.exists:()Z // method@001a
- 0a06 //move-result v6
- 3906 0500 //if-nez v6, 0048 // +0005
- 6e10 ???? 0500 //invoke-virtual {v5}, Ljava/io/File;.mkdir:()Z // method@001c
- 7401 0500 1700 //invoke-virtual/range {v23}, Landroid/app/Application;.getPackageName:()Ljava/lang/String; // method@0005
- 0c05 //move-result-object v5
- }
-
- /**
- public static String h(byte[] bArr) {
- for (int i2 = 0; i2 < bArr.length; i2++) {
- bArr[i2] = (byte) (bArr[i2] ^ 105);
- }
- return new String(bArr, 0, bArr.length);
- }
- */
- $xorKeyOpcodes = {
- 1200 //const/4 v0, #int 0 // #0
- 1201 //const/4 v1, #int 0 // #0
- 2132 //array-length v2, v3
- 3521 0c00 //if-ge v1, v2, 000f // +000c
- 4802 0301 //aget-byte v2, v3, v1
- df02 02?? //xor-int/lit8 v2, v2, #int 105 // #69
- 8d22 //int-to-byte v2, v2
- 4f02 0301 //aput-byte v2, v3, v1
- d801 0101 //add-int/lit8 v1, v1, #int 1 // #01
- 28f4 //goto 0002 // -000c
- 2201 ???? //new-instance v1, Ljava/lang/String; // type@0024
- 2132 //array-length v2, v3
- 7040 ???? 3120 //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.:([BII)V // method@0035
- 1101 //return-object v1
- }
condition:
is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString
- and $attachBaseContextOpcodes and $xorKeyOpcodes
}
-
From 636202fd5341a6ebd6968ee36a3869b34d313fd3 Mon Sep 17 00:00:00 2001
From: ReBensk <146695244+ReBensk@users.noreply.github.com>
Date: Tue, 7 Nov 2023 13:37:40 +0530
Subject: [PATCH 11/12] Update packers.yara
---
apkid/rules/dex/packers.yara | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 20d5b87..f614bfb 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -617,5 +617,5 @@ rule jiagu_k : packer
$classNameString = { 00 10 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 3B 00 } // Lvirbox/StubApp;
condition:
- is_dex and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size and $classNameString
+ is_dex and $classNameString and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size
}
From dff6bc268b4ebbe82ef1e42bb06add8c7e300056 Mon Sep 17 00:00:00 2001
From: ReBensk <146695244+ReBensk@users.noreply.github.com>
Date: Tue, 7 Nov 2023 17:04:32 +0530
Subject: [PATCH 12/12] Update packers.yara
Replaced "$classNameString" to "all of them"
---
apkid/rules/dex/packers.yara | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index f614bfb..a90d322 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -617,5 +617,5 @@ rule jiagu_k : packer
$classNameString = { 00 10 4C 76 69 72 62 6F 78 2F 53 74 75 62 41 70 70 3B 00 } // Lvirbox/StubApp;
condition:
- is_dex and $classNameString and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size
+ is_dex and all of them and (dex.header.data_size + dex.header.data_offset) < dex.header.file_size
}
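Review bot: The `(dex.header.data_size + dex.header.data_offset) < dex.header.file_size` term that the new condition line moves to the end carries no comment saying what it is meant to catch, both here and in the PATCH 12 hunk that follows on the same line; a reader has to work out that it presumably flags bytes present past the end of the DEX data section, i.e. content appended after the dex body. Suggest `// data section ends before EOF: extra content appended after the DEX body` on the line above `condition:`. With the opcode strings removed in PATCH 10, `all of them` in PATCH 12 and `$classNameString` here evaluate identically, so the rule now rests on a single 19-byte class-name string plus that size check, which loosens it considerably compared with the three-string version; none of the commit messages say why `$attachBaseContextOpcodes` and `$xorKeyOpcodes` were dropped, and a `meta` field or the PR description should record the reason. The enclosing rule jiagu_k starts outside this hunk.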