[DETECTION] Unknown "String2C" protection #392

Open
ghost opened this issue Aug 24, 2024 · 6 comments
Labels
detection-issue Bad detection or no detection

Comments


ghost commented Aug 24, 2024

Describe the protection
I discovered a really interesting "String2C" protection: all the strings from the smali get converted and encrypted into C++ (the liblzuvfr.so file). Possibly a custom VNGGames protection.

All strings get replaced with C0585.m5678([id]), which is the call to the native.

[attached image]

In the lib, all symbols are stripped and obfuscated. I could barely find interesting strings; however, I found the following strings that indicate the protection might be nicknamed bshield and was generated and compiled on a Linux server:

/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/Unwinder.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/DwarfMemory.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/

Sample
Võ Hồn Đại Lục VNG 1.2.2: https://apkcombo.com/vo-hon-dai-luc-vng/vnggames.soulland.daula.reloaded/

Version 1.1.7 did not have any protections.

APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -

vm@vm-virtual-machine:~$ apkid '/home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk' 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes6.dex
 |-> anti_vm : network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes7.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
@ghost ghost added the detection-issue Bad detection or no detection label Aug 24, 2024
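A heuristic for the call shape described in the report above (every string literal replaced by a static native call taking an integer id and returning a String), as an added example and not part of this issue or of APKiD's own rule set. The smali excerpts, the package `Lo/` and the surrounding method names are constructed stand-ins for baksmali output; only the `C0585.m5678` shape comes from the report.

```python
import re
from collections import Counter

# Constructed smali, standing in for baksmali output of the sample's dex files.
DECRYPTOR_SMALI = """\
.class public final Lo/C0585;
.super Ljava/lang/Object;
.method public static native m5678(I)Ljava/lang/String;
.end method
"""

CALLER_SMALI = """\
.class public Lcom/example/Foo;
.super Ljava/lang/Object;
.method public bar()V
    .locals 2
    const/16 v0, 0x1a3
    invoke-static {v0}, Lo/C0585;->m5678(I)Ljava/lang/String;
    move-result-object v1
    const/16 v0, 0x1a4
    invoke-static {v0}, Lo/C0585;->m5678(I)Ljava/lang/String;
    move-result-object v1
    const-string v1, "plain"
    return-void
.end method
"""

# A static native method with signature (I)Ljava/lang/String; is the String2C decryptor shape.
NATIVE_DECL = re.compile(r"^\.method .*\bstatic\b.*\bnative\b.*\s(\w+)\(I\)Ljava/lang/String;", re.M)
CLASS_DECL = re.compile(r"^\.class .*?(L[\w/$]+;)", re.M)
INVOKE = re.compile(r"invoke-static \{v\d+\}, (L[\w/$]+;)->(\w+)\(I\)Ljava/lang/String;")
CONST_STR = re.compile(r"^\s*const-string(?:/jumbo)? v\d+,", re.M)

def find_native_string_decryptors(smali):
    """Return the set of 'Lpkg/Cls;->name' static native (I)String methods declared in one class."""
    cls = CLASS_DECL.search(smali)
    if not cls:
        return set()
    return {f"{cls.group(1)}->{m.group(1)}" for m in NATIVE_DECL.finditer(smali)}

def score_string2c(smali_files):
    """Count calls to declared decryptors versus surviving const-string literals across all classes."""
    decryptors = set().union(*(find_native_string_decryptors(s) for s in smali_files))
    calls, const_strings = Counter(), 0
    for s in smali_files:
        const_strings += len(CONST_STR.findall(s))
        for m in INVOKE.finditer(s):
            key = f"{m.group(1)}->{m.group(2)}"
            if key in decryptors:
                calls[key] += 1
    total = sum(calls.values())
    # Flag when decryptor calls exist and are at least as common as plain string literals.
    return {"decryptors": sorted(decryptors), "native_string_calls": total,
            "const_strings": const_strings, "string2c_suspected": total > 0 and total >= const_strings}
```

The ratio threshold is a starting point; on a real dump you would compare it against the same app's unprotected version (here 1.1.7) before turning it into a rule.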
@rednaga rednaga deleted a comment Aug 26, 2024
@rednaga rednaga deleted a comment Aug 26, 2024
@rednaga rednaga deleted a comment Aug 26, 2024
enovella (Collaborator) commented Aug 26, 2024

Hi @AndroidMaster24,

Thanks a lot for the detailed ticket. Appreciate it.

Do you know if this bshield belongs to this website?

ghost (Author) commented Aug 26, 2024

> Hi @AndroidMaster24,
>
> Thanks a lot for the detailed ticket. Appreciate it.
>
> Do you know if this bshield belongs to this website?

Could be possible. Sadly, I could not find other samples with bshield yet.

@rednaga rednaga deleted a comment Aug 27, 2024
@rednaga rednaga deleted a comment Aug 27, 2024
@rednaga rednaga deleted a comment from yiweifengyan Aug 27, 2024
@rednaga rednaga deleted a comment Aug 28, 2024
ghost (Author) commented Aug 28, 2024

What's up with the spam? Can't you block them, @rednaga?

@github-staff github-staff deleted a comment Aug 28, 2024
strazzere (Member) commented

> What's up with the spam? Can't you block them, @rednaga?

Sadly this is a GitHub problem with spam bots trying to spread malware using compromised accounts. Nothing we can do really outside of just deleting the comments.
