
[DETECTION] Roblox executors - Unknown .so packer

Open AndroidMaster25 opened this issue 6 months ago • 2 comments

**Provide the file**

https://arceusx.com/

APK links at the bottom

**Describe the detection issue**

I found an interesting lib packer from known Roblox mods, Arceus X

File: libpairipcore.so (Not Google Play Integrity; it has been fully removed and replaced with a mod lib)

Notice that there are little blue marks in the bar; that is the unpacking logic, and it's using the CryptoPP library. I don't have much knowledge of packer-related stuff, but I have seen a similar packer on an EXE file.

(Image attached in the original issue, not reproduced here.)

**APKiD current results...**
```text
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
```

AndroidMaster25, Jun 19 '25 15:06

Any other clue to fingerprint this packed library? @AndroidMaster25

enovella, Jun 30 '25 18:06

Hmm, I don't have an idea yet. Anyway, I found another Roblox executor mod that is also using a packed lib, with the same 3rd-party libraries, but the unpacking logic is slightly different. If you use IDA Pro, you can press SHIFT+F7 and look at .init_array to see some interesting calls.

Files:

```text
\lib\arm64-v8a\libgloop.so
\lib\armeabi-v7a\libgloop.so
```

Download links: https://deltaexploits.gg/delta-executor-android

https://delta.webfiles.pro/android.html

Also, the armv7 lib of libroblox.so is being detected as Appdome, but I think it's a false positive.

```text
PS C:\Users\xxx> apkid "xxx\Delta Roblox\Delta-2.679.762.apk"
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible ro.secure check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/arm64-v8a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/armeabi-v7a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/armeabi-v7a/libroblox.so
 |-> protector : Appdome


PS C:\Users\xxx> apkid "xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk"
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes3.dex
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible ro.secure check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.x86_64.apk!lib/x86_64/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.arm64_v8a.apk!lib/arm64-v8a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.armeabi_v7a.apk!lib/armeabi-v7a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.armeabi_v7a.apk!lib/armeabi-v7a/libroblox.so
 |-> protector : Appdome
PS C:\Users\xxx>
```

AndroidMaster25, Jul 11 '25 13:07
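As an added example (not APKiD code and not from the commenters above), the following script automates the triage step mentioned in the comment: it walks the ELF section headers of a .so and lists the constructor addresses registered in .init_array, which is where a packer's unpacking stub typically runs before JNI_OnLoad. The helper names and the embedded minimal ELF are constructed for illustration; the sample contains no code, only headers and a two-entry .init_array.

```python
import struct

SHT_INIT_ARRAY, SHT_STRTAB = 14, 3

def list_init_array(data: bytes) -> list[int]:
    """Return constructor addresses found in .init_array of a little-endian ELF32/ELF64.
    Hypothetical helper: it only reads section headers, nothing from the file is executed."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] == 2:  # EI_CLASS == ELFCLASS64
        ehdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        sh_fmt, ptr_fmt, ptr_size = "<IIQQQQIIQQ", "<Q", 8
    else:
        ehdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        sh_fmt, ptr_fmt, ptr_size = "<IIIIIIIIII", "<I", 4
    e_shoff, e_shentsize, e_shnum, e_shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    shdrs = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # Section names live in the .shstrtab section selected by e_shstrndx.
    st = shdrs[e_shstrndx]
    names = data[st[4]:st[4] + st[5]]
    ctors = []
    for sh in shdrs:
        name = names[sh[0]:names.index(b"\x00", sh[0])].decode()
        # Match by section type as well as by name, since a packer may rename the section.
        if sh[1] == SHT_INIT_ARRAY or name == ".init_array":
            off, size = sh[4], sh[5]
            ctors += [struct.unpack_from(ptr_fmt, data, off + i * ptr_size)[0]
                      for i in range(size // ptr_size)]
    return ctors

def build_sample_so(ctors: list[int]) -> bytes:
    """Constructed minimal AArch64 ELF64 shared object with only .init_array and .shstrtab."""
    shstrtab = b"\x00.init_array\x00.shstrtab\x00"  # name offsets: 1 and 13
    init = b"".join(struct.pack("<Q", c) for c in ctors)
    init_off, str_off = 64, 64 + len(init)
    shoff = str_off + len(shstrtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 183, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    def sh(name, typ, off, size, ent):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 8, ent)
    shdrs = (sh(0, 0, 0, 0, 0) + sh(1, SHT_INIT_ARRAY, init_off, len(init), 8)
             + sh(13, SHT_STRTAB, str_off, len(shstrtab), 0))
    return ehdr + init + shstrtab + shdrs

if __name__ == "__main__":
    sample = build_sample_so([0x1234, 0x5678])  # two constructed constructor addresses
    print([hex(a) for a in list_init_array(sample)])  # ['0x1234', '0x5678']
```

On a real library, pass the bytes of the .so instead of the sample; each address printed is a function that runs at load time and is a natural place to start inspecting a packer's unpacking logic.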