Custom multidex and custom flutter packer #372

Merged
95 changes: 94 additions & 1 deletion apkid/rules/dex/packers.yara
Expand Up @@ -510,4 +510,97 @@ rule appguard_dex : packer

condition:
is_dex and any of them
}
}

rule custom_multidex : packer
{
meta:
description = "Custom Multidex"
sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"
author = "ReBensk"

strings:
$cipher = {
1a00 ???? // const-string v0, // string@00c9
7110 ???? 0000 // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@0067
0c00 // move-result-object v0
6900 ???? // sput-object v0, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.defaultCharset:Ljava/nio/charset/Charset; // field@0069
1a00 ???? // const-string v0, "゙ﹳ゙ـⁱᐧʿـʿʿⁱᵎﹶʽʾ゙ʽٴיᵎﹶʼʼʽˑˉᵎʼٴי// ˋᵎʼـʿʿʼˈʽᵔ" // string@01a2
7110 ???? 0000 // invoke-static {v0}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@0082
0c00 // move-result-object v0
6900 ???? // sput-object v0 Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.globalPass:Ljava/lang/String; // field@006a
0e00 // return-void
}
$cipher2 = {
1201 // const/4 v1, #int 0 // #0
2203 ???? // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
6e10 ???? 0700 // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
0c04 // move-result-object v4
1a05 ???? // const-string v5, "AES" // string@001e
7030 ???? 4305 // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.<init>:([BLjava/lang/String;)V // method@0072
1a04 ???? // const-string v4, "AES" // string@001e
7110 ???? 0400 // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
0c00 // move-result-object v0
1224 // const/4 v4, #int 2 // #2
6e30 ???? 4003 // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
6e20 ???? 6000 // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
0c01 // move-result-object v1
1101 // return-object v1
0d02 // move-exception v2
6e10 ???? 0200 // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
28fb // goto 001a // -0005
}
$cipher3 = {
7110 ???? 0100 // invoke-static {v1}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD516:(Ljava/lang/String;)Ljava/lang/String; // method@0085
0c00 // move-result-object v0
6e10 ???? 0000 // invoke-virtual {v0}, Ljava/lang/String;.toLowerCase:()Ljava/lang/String; // method@0056
0c00 // move-result-object v0
1100 // return-object v0
}

condition:
is_dex and all of them
}

rule custom_flutter : packer
{
meta:
description = "Custom Flutter"
sample1 = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c"
sample2 = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0"
author = "ReBensk"

strings:
$attachBaseContextOpcodes = {
6f20 0100 ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
1a0b ???? // const-string v11, "AppasyOlsoNaMdq_XoCdqeMx" // string@0005
7110 ???? 0b00 // invoke-static {v11}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
0c0b // move-result-object v11
1203 // const/4 v3, #int 0 // #0
6e30 ???? ba03 // invoke-virtual {v10, v11, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
0c0b // move-result-object v11
1a04 ???? // const-string v4, "ipwaIyIlxoxajdm_VdNeDx" // string@00f3
7110 ???? 0400 // invoke-static {v4}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
0c04 // move-result-object v4
6e30 ???? 4a03 // invoke-virtual {v10, v4, v3}, Lcom/zzWrgZUeZn;.getDir:(Ljava/lang/String;I)Ljava/io/File; // method@000e
0c04 // move-result-object v4
6e10 ???? 0400 // invoke-virtual {v4}, Ljava/io/File;.listFiles:()[Ljava/io/File; // method@0020
0c05 // move-result-object v5
2155 // array-length v5, v5
3905 0d00 // if-nez v5, 0030 // +000d
}
$cipher = {
1a00 ???? // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding
7110 ???? 0000 // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
0c00 // move-result-object v0
1a01 ???? // const-string v1, "3662583155221358" // string@0001
1a02 ???? // const-string v2, "7243279461549821" // string@0002
7140 ???? 2140 // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006
0c04 // move-result-object v4
1104 // return-object v4
}

condition:
is_dex and all of them
}
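Review bot: The first opcode of `$attachBaseContextOpcodes` in `custom_flutter` hard-codes the method index (`6f20 0100 ba00`, i.e. method@0001) while every other invoke in both new rules wildcards the index with `????`; the method_ids table is sorted per DEX, so a repacked sample that adds or drops any earlier-sorting method shifts that index and silently defeats the rule. Wildcarding it like its neighbours, `6f20 ???? ba00 // invoke-super {v10, v11}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V`, keeps the match anchored on the opcode and register encoding, which is what actually identifies the packer stub. The branch offset in `3905 0d00` is a code-relative value and can reasonably stay literal, but it would help maintainers to say so in a trailing comment, e.g. `// +000d offset is stable across the two listed samples`. The context lines at the top of the hunk belong to `appguard_dex`, whose body starts outside the hunk.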