
Update packers.yara

Open apkunpacker opened this issue 4 years ago • 6 comments

Tightening rule based on sample https://github.com/rednaga/APKiD/files/6277082/THOPTV_45.2.1.apk.zip

apkunpacker avatar Apr 08 '21 13:04 apkunpacker

Some remarks:

  • Please specify the title better, so we can identify which packer you're updating.
  • Perhaps we can add a sample2 tag with your sample. Verify that this sample is accessible through Koodous or VT.
  • Have you found more samples with this asset? `assets/libshellx-super.2019.so` What about a regex here?
```
   273284  2021-04-05 20:50   assets/libshellx-super.2019.so
   208672  2021-04-05 20:50   lib/armeabi-v7a/libshell-super.2019.so
      408  2021-04-05 20:50   lib/armeabi-v7a/libshella-4.1.0.29.so
   290496  2021-04-05 20:50   lib/arm64-v8a/libshell-super.2019.so
      408  2021-04-05 20:50   lib/arm64-v8a/libshella-4.1.0.29.so
     2436  2021-04-05 20:50   classes2.dex
   260136  2021-04-05 20:50   classes.dex
    36860  2021-04-05 20:49   AndroidManifest.xml
       31  2021-04-05 20:49   assets/tosversion
      120  2021-04-05 20:50   assets/o0oooOO0ooOo.dat
  6541848  2021-04-05 20:50   assets/0OO00l111l1l
       32  2021-04-05 20:50   tencent_stub
```

enovella avatar Apr 08 '21 15:04 enovella
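An added example (not APKiD's rule and not code from any commenter) of the regex idea raised above, in Python: it builds a constructed in-memory zip with the entry names from the listing, matches them against regexes that let the year in `libshell(x)-super.<year>.so` and the version in `libshella-<ver>.so` vary, and reports which entries each pattern hits. The patterns and the combined `looks_like_legu_variant` check are assumptions made for this example.

```python
import io
import re
import zipfile

# Entry names taken from the unzip listing quoted above; the archive is
# constructed in memory and every entry holds a dummy byte, not real code.
SAMPLE_ENTRIES = [
    "assets/libshellx-super.2019.so",
    "lib/armeabi-v7a/libshell-super.2019.so",
    "lib/armeabi-v7a/libshella-4.1.0.29.so",
    "lib/arm64-v8a/libshell-super.2019.so",
    "lib/arm64-v8a/libshella-4.1.0.29.so",
    "classes2.dex",
    "classes.dex",
    "AndroidManifest.xml",
    "assets/tosversion",
    "assets/o0oooOO0ooOo.dat",
    "assets/0OO00l111l1l",
    "tencent_stub",
]

# Regexes generalising the exact names: year and version digits may vary,
# so a rule keyed on them does not break on the next packer build.
# These patterns are assumptions for this example, not APKiD's signatures.
PATTERNS = {
    "shell_super": re.compile(r"^(assets|lib/[^/]+)/libshell[a-z]?-super\.\d{4}\.so$"),
    "shella_versioned": re.compile(r"^lib/[^/]+/libshella-\d+(\.\d+){1,3}\.so$"),
    "tosversion": re.compile(r"^assets/tosversion$"),
}

def build_sample_apk() -> bytes:
    """Build a constructed zip containing only the entry names above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            zf.writestr(name, b"\x00")
    return buf.getvalue()

def match_entries(apk_bytes: bytes) -> dict:
    """Return, per pattern name, the sorted list of entry names it matched."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    return {key: sorted(n for n in names if rx.match(n)) for key, rx in PATTERNS.items()}

def looks_like_legu_variant(apk_bytes: bytes) -> bool:
    """Assumed tightened check: shell library family plus the tosversion marker."""
    hits = match_entries(apk_bytes)
    return bool(hits["shell_super"]) and bool(hits["tosversion"])
```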

Thanks for adding a rule! As for a review, basically everything @enovella said 💯

Also: Why do you think this is a variant of Tencent's Legu packer and not something totally different? I get that some of the asset names look similar. So if you do have good reason to think it's Legu, do you think it's an older or newer variant? Is it a totally new version or just a different configuration?

CalebFenton avatar Apr 08 '21 21:04 CalebFenton

Another sample: https://koodous.com/apks/acee9632ec30687588098b437b9b21840c9e67201996948473461741b3216f6e Current APKiD scan:

```
$ apkid acee9632ec30687588098b437b9b21840c9e67201996948473461741b3216f6e.apk
[+] APKiD 2.1.1 :: from RedNaga :: rednaga.io
 [*] acee9632ec30687588098b437b9b21840c9e67201996948473461741b3216f6e.apk
  |-> packer : Tencent's Legu
 [*] acee9632ec30687588098b437b9b21840c9e67201996948473461741b3216f6e.apk!classes.dex
  |-> anti_disassembly : non-zero link offset, non-zero link size
  |-> compiler : dexlib 2.x
  |-> packer : Mobile Tencent Protect
$
```

Another sample, used in https://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html itself, has `assets/libshellx-super.2019.so`, hash: 708e6967920dcf2789b7183d714e73ab79a2f8b3ca71929b12aadeb2c58c2867 https://github.com/quarkslab/legu_unpacker_2019/blob/master/samples/com.intotherain.voicechange.apk

apkunpacker avatar Apr 09 '21 02:04 apkunpacker

Add this info in the rule please. Also, highlight source code with back-ticks.

enovella avatar Apr 09 '21 07:04 enovella

Can we close this PR? Or do you want to address the changes?

enovella avatar Apr 05 '22 08:04 enovella

> Can we close this PR? Or do you want to address the changes?

You can close the PR without merging, as I think adding this will relax the rule instead of making it better. It's already detected fine.

apkunpacker avatar Apr 06 '22 13:04 apkunpacker