[DETECTION] NHNent AppGuard improve ELF rule (libloader.so) #364

Open
enovella opened this issue Sep 16, 2023 · 0 comments
Labels
detection-issue Bad detection or no detection

Comments

@enovella (Collaborator)

Sample

> apkid Project_WorldChampion_2.6.0_apkcombo.com.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] Project_WorldChampion_2.6.0_apkcombo.com.apk
 |-> packer : AppGuard (TOAST-NHNent)
[*] Project_WorldChampion_2.6.0_apkcombo.com.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] Project_WorldChampion_2.6.0_apkcombo.com.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : unknown (please file detection issue!)
 |-> yara_issue : yara issue - dex file recognized by apkid but not yara module
> apkid sample2.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] sample2.apk
 |-> packer : AppGuard (TOAST-NHNent)
[*] sample2.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, device ID check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
 |-> protector : WhiteCryption
[*] sample2.apk!classes4.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes5.dex
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes6.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible VM check
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes7.dex
 |-> compiler : dexlib 2.x
[*] sample2.apk!classes8.dex
 |-> anti_vm : Build.BOARD check, Build.MANUFACTURER check, device ID check, possible VM check
 |-> compiler : dexlib 2.x
[*] sample2.apk!lib/arm64-v8a/libSecureKeyBoxJava.so
 |-> protector : WhiteCryption
[*] sample2.apk!lib/armeabi-v7a/libSecureKeyBoxJava.so
 |-> protector : WhiteCryption
[*] sample2.apk!lib/x86/libSecureKeyBoxJava.so
 |-> protector : WhiteCryption
[*] sample2.apk!lib/x86_64/libSecureKeyBoxJava.so
 |-> protector : WhiteCryption

Info

> unzip -l Project_WorldChampion_2.6.0_apkcombo.com.apk|egrep -i "appguard|loader"
        6  01-01-1981 01:01   META-INF/androidx.loader_loader.version
  2683840  01-01-1981 01:01   lib/arm64-v8a/libloader.so

> unzip -l sample2.apk|egrep -i "appguard|loader"
        6  01-01-1981 01:01   META-INF/androidx.loader_loader.version
       90  01-01-1981 01:01   META-INF/services/kotlin.reflect.jvm.internal.impl.builtins.BuiltInsLoader
  1722768  01-01-1981 01:01   lib/arm64-v8a/libloader.so
  1386648  01-01-1981 01:01   lib/armeabi/libloader.so
  1386648  01-01-1981 01:01   lib/armeabi-v7a/libloader.so
  2522256  01-01-1981 01:01   lib/x86/libloader.so
  2592768  01-01-1981 01:01   lib/x86_64/libloader.so
> r2 libloader.so
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- Thanks for using radare2!
[0x0006df50]> izzq~+appguard
0x188fa0 32 31 29AppGuardCallbackJavaClassImpl
0x188fc0 28 27 25AppGuardCallbackJavaClass
0x189080 41 40 38ComNhnentAppguardAppguardJavaClassImpl
0x1890b0 37 36 34ComNhnentAppguardAppguardJavaClass
0x1a8b98 115 114 /Users/nhn/.jenkins/workspace/AppGuard_AOS_master/Client/Loader/jni/../../../Library/src/mbedtls/library/ssl_cli.c
0x1aa150 115 114 /Users/nhn/.jenkins/workspace/AppGuard_AOS_master/Client/Loader/jni/../../../Library/src/mbedtls/library/ssl_msg.c
0x1abf64 115 114 /Users/nhn/.jenkins/workspace/AppGuard_AOS_master/Client/Loader/jni/../../../Library/src/mbedtls/library/ssl_srv.c
0x1ad220 115 114 /Users/nhn/.jenkins/workspace/AppGuard_AOS_master/Client/Loader/jni/../../../Library/src/mbedtls/library/ssl_tls.c
[0x0006df50]>
@enovella enovella added the detection-issue Bad detection or no detection label Sep 16, 2023
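The strings the issue pulls out of libloader.so with `izzq~+appguard` (the `ComNhnentAppguard...` and `AppGuardCallbackJavaClass` JNI class names, plus the `AppGuard_AOS_master/Client/Loader` Jenkins build path) are exactly the kind of anchors an ELF-level rule would key on. The following is an added example, not APKiD's own rule or code: it walks an APK, picks out every `lib/<abi>/libloader.so`, confirms the entry is an ELF image, and reports which of those markers it carries. The `build_sample_apk` fixture is a constructed stand-in (a zip with a fake ELF blob) so the check runs offline; the marker byte strings are taken from the r2 output above.

```python
import io
import re
import zipfile
from typing import Dict, List

# Marker strings observed in libloader.so in this issue's r2 dump (izzq~+appguard).
# The JNI class names are the most stable anchors; the Jenkins path is tied to
# the vendor's build environment and is the first thing likely to change.
APPGUARD_ELF_MARKERS = (
    b"ComNhnentAppguardAppguardJavaClass",
    b"AppGuardCallbackJavaClass",
    b"/AppGuard_AOS_master/Client/Loader/",
)

ELF_MAGIC = b"\x7fELF"
# The loader ships per-ABI under lib/<abi>/libloader.so in both samples.
LOADER_PATH = re.compile(r"^lib/[^/]+/libloader\.so$")


def appguard_markers_in_elf(data: bytes) -> List[str]:
    """Return the AppGuard markers present in an ELF image (empty if not ELF)."""
    if not data.startswith(ELF_MAGIC):
        return []
    return [m.decode() for m in APPGUARD_ELF_MARKERS if m in data]


def scan_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Map each lib/<abi>/libloader.so entry to the AppGuard markers it carries."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not LOADER_PATH.match(name):
                continue
            found = appguard_markers_in_elf(zf.read(name))
            if found:
                hits[name] = found
    return hits


def is_appguard_packed(apk_bytes: bytes) -> bool:
    """True when at least one libloader.so carries an AppGuard marker."""
    return bool(scan_apk(apk_bytes))


def build_sample_apk() -> bytes:
    """Constructed fixture: a zip mimicking the issue's APK layout.

    The 'ELF' payload is only a magic header followed by the marker strings;
    it is not a real shared object and exists solely to exercise the scanner.
    """
    fake_elf = (
        ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64
        + b"\x00ComNhnentAppguardAppguardJavaClassImpl\x00"
        + b"/Users/nhn/.jenkins/workspace/AppGuard_AOS_master/Client/Loader/"
        + b"jni/../../../Library/src/mbedtls/library/ssl_tls.c\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/androidx.loader_loader.version", "1.0.0\n")
        zf.writestr("lib/arm64-v8a/libloader.so", fake_elf)
        zf.writestr("lib/armeabi-v7a/libloader.so", fake_elf)
        # An unrelated native library: must not be reported.
        zf.writestr("lib/x86/libother.so", ELF_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for path, markers in scan_apk(build_sample_apk()).items():
        print(f"{path}: {', '.join(markers)}")
```

Requiring the ELF magic before looking for the strings keeps the check from firing on text or resource files that merely mention AppGuard, and reporting the individual markers (rather than a bare boolean) shows which anchors survive across samples, which is the information needed when deciding what a tightened rule should depend on.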