[DETECTION] Add Unknown Packer #370

ReBensk · 2023-10-21T17:51:38Z

APKiD current results...

[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[] ./com.rihjzvyvdmwsz.wfglmgpoijgnc.apk!classes.dex
|-> compiler : dexlib 2.x
[] ./com.zxqlzbjtkwugo.oekyzihfuspse.apk!classes.dex
|-> compiler : dexlib 2.x
[*] ./classes.dex
|-> compiler : dexlib 2.x

rule CustomMultiDexPacker : packer
{
meta:

description = "Custom packer"
sample1      = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
sample2      = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"

strings:

$cipher = {

	1a00 ????	//const-string v0, "UTF-8" // string@023c
	7110 ???? 0000	//invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@016d
	0c00		//move-result-object v0
	6900 ????	//sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.defaultCharset:Ljava/nio/charset/Charset; // field@0115
	1a00 ????	//const-string v0, "ⁱʻʽⁱˈˈᵢᵔˈᴵٴʼᐧˈˋʽᵢʽᴵᐧיʾʽﹶˊﾞˉʾⁱʼⁱʿʽיⁱᐧˎʾˈ" // string@047d
	7110 ???? 0000	// invoke-static {v0}, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@01f4
	0c00		//move-result-object v0
	6900 ????	//sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.globalPass:Ljava/lang/String; // field@0116
	0e00		//return-void
	1201		//const/4 v1, #int 0 // #0
	2203 ????	//new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
	6e10 ???? 0700	//invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
	0c04		//move-result-object v4
	1a05 ????	//const-string v5, "AES" // string@001e
	7030 ???? 4305	//invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.<init>:([BLjava/lang/String;)V // method@0072
	1a04 ????	//const-string v4, "AES" // string@001e
	7110 ???? 0400	//invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
	0c00		//move-result-object v0
	1224		//const/4 v4, #int 2 // #2
	6e30 ???? 4003	//invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
	6e20 ???? 6000	//invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
	0c01		//move-result-object v1
	1101		//return-object v1
	0d02		//move-exception v2
	6e10 ???? 0200	//invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
	28fb		//goto 001a // -0005
	7110 ???? 0300	//invoke-static {v3}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊﾞᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏﾞˎˉ;.encodeToMD5:(Ljava/lang/String;)Ljava/lang/String; // method@0084
	0c00		//move-result-object v0
	1301 0800	//const/16 v1, #int 8 // #8
	1302 1800	//const/16 v2, #int 24 // #18
	6e30 ???? 1002	//invoke-virtual {v0, v1, v2}, Ljava/lang/String;.substring:(II)Ljava/lang/String; // method@0055
	0c00		//move-result-object v0
	1100		//return-object v0

}

condition:

is_dex and $cipher

}

The text was updated successfully, but these errors were encountered:

enovella · 2023-10-23T07:01:17Z

Could you open this rule into a pull-request? Thanks

ReBensk · 2023-10-23T15:25:24Z

rule opened into a pull-request

Reference ticket id: rednaga#368 rednaga#370

Reference ticket id: - #368 - #370

ReBensk added a commit to ReBensk/APKiD that referenced this issue Oct 24, 2023

Custom_multidex and custom_flutter Packer

87cdfb8

Reference ticket id: rednaga#368 rednaga#370

ReBensk mentioned this issue Oct 24, 2023

Custom multidex and custom flutter packer #372

Merged

enovella pushed a commit that referenced this issue Oct 27, 2023

Custom multidex and custom flutter packer (#372)

0546b06

Reference ticket id: - #368 - #370

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DETECTION] Add Unknown Packer #370

[DETECTION] Add Unknown Packer #370

ReBensk commented Oct 21, 2023

enovella commented Oct 23, 2023

ReBensk commented Oct 23, 2023

[DETECTION] Add Unknown Packer #370

[DETECTION] Add Unknown Packer #370

Comments

ReBensk commented Oct 21, 2023

enovella commented Oct 23, 2023

ReBensk commented Oct 23, 2023