GitHub - quarkslab/legu_unpacker_2019: Scripts to unpack APK protected by Legu
source link: https://github.com/quarkslab/legu_unpacker_2019

README.md
Legu Unpacker
Scripts to unpack Android applications protected by Tencent Legu. It only works with versions 4.1.0.15 and 4.1.0.18 of Legu.
Overview
The original DEX files are located in assets/0OO00l111l1l with the following layout:
One can find the details of this structure in the Kaitai file: legu_packed_file.ks
The hashmap embedded in the second part is described in the legu_hashmap.ks file:
pylegu
pylegu contains the Python bindings to decrypt and uncompress the data embedded in assets/0OO00l111l1l.
To compile and install pylegu:

```sh
$ cd pylegu
$ python3.7 ./setup.py build -j4 install --user
$ python -c "import pylegu"
```
One could also use jap/pyucl to decompress the data and aguinet/dragonffi to bind the custom implementation of XTEA.
Get Started
The sample com.intotherain.voicechange.apk is a suspicious application that can be unpacked as follows:

```
$ python ./unpack.py ./samples/com.intotherain.voicechange.apk
[+] Legu version: 4.1.0.15
[+] Password is 'IPk2Hw7AKTuIQBlc'
[+] Number of dex files: 1
[+] Unpacking #1 DEX files ...
[+] dex 0 compressed size: 0x1619a3
[+] dex 0 uncompressed size: 0x5671f8
[+] Unpacking #1 hashmap ...
[+] hashmap 0 compressed size: 0x4399c
[+] hashmap 0 uncompressed size: 0x95558
[+] Unpacking #1 packed methods ...
[+] packed methods 0 compressed_size: 0xf4636
[+] packed methods 0 uncompressed_size: 0x1e3072
[+] Stage 2: Patching DEX files
[+] Unpacked APK: unpacked.apk
```
The unpacked DEX files are located in the unpacked.apk file.
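Two checks a practitioner wants around this workflow are: before running unpack.py, confirming that an APK actually carries the Legu payload asset named in the Overview (assets/0OO00l111l1l), and after it, confirming that unpacked.apk contains well-formed DEX files and no longer carries the payload. The script below is an added example, not code from the quarkslab/legu_unpacker_2019 repository; it only inspects the zip container and DEX headers and does not decrypt or decompress anything. The two in-memory APKs it builds are constructed samples; the assumption that a packed APK still ships a loader classes.dex alongside the payload is the example's own, not a statement from the README.

```python
import io
import zipfile

# Asset path in which Legu 4.1.0.15 / 4.1.0.18 stores the packed original DEX files (from the README).
LEGU_ASSET = "assets/0OO00l111l1l"

# Every DEX file starts with "dex\n", a three-digit version and a NUL byte, e.g. b"dex\n035\0".
DEX_MAGIC = b"dex\n"


def _open_apk(apk_bytes):
    return zipfile.ZipFile(io.BytesIO(apk_bytes))


def is_legu_packed(apk_bytes):
    """True when the APK carries the Legu payload asset."""
    with _open_apk(apk_bytes) as zf:
        return LEGU_ASSET in zf.namelist()


def dex_entries(apk_bytes):
    """Map each *.dex zip entry with a valid DEX header to (version, uncompressed size).

    Entries named *.dex whose first 8 bytes are not a DEX magic are skipped; after
    unpacking this is the quick sanity check that the patched DEX files are well
    formed enough to hand to a disassembler.
    """
    found = {}
    with _open_apk(apk_bytes) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".dex"):
                continue
            with zf.open(info) as fh:
                header = fh.read(8)
            if (len(header) == 8 and header[:4] == DEX_MAGIC
                    and header[4:7].isdigit() and header[7] == 0):
                found[info.filename] = (header[4:7].decode("ascii"), info.file_size)
    return found


def triage(apk_bytes):
    """Summarise an APK: Legu payload present, its uncompressed size, and the DEX files found."""
    packed = is_legu_packed(apk_bytes)
    payload_size = 0
    if packed:
        with _open_apk(apk_bytes) as zf:
            payload_size = zf.getinfo(LEGU_ASSET).file_size
    return {"legu_packed": packed, "payload_size": payload_size, "dex": dex_entries(apk_bytes)}


def build_apk(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def dex_stub(version=b"035", body_len=24):
    """A file carrying only a DEX magic: enough for the header check, not a runnable DEX."""
    return DEX_MAGIC + version + b"\0" + b"\0" * body_len


# Constructed sample of a Legu-packed APK: a loader classes.dex (assumed, see lead-in) plus the
# payload asset. The asset bytes are a placeholder; the real one is encrypted and compressed.
PACKED_SAMPLE = build_apk({
    "AndroidManifest.xml": b"<constructed manifest>",
    "classes.dex": dex_stub(),
    LEGU_ASSET: b"\x00" * 64,
})

# Constructed sample of what unpacked.apk should look like: payload gone, DEX files restored.
# "classes3.dex" deliberately has a bad header to show that dex_entries() rejects it.
UNPACKED_SAMPLE = build_apk({
    "AndroidManifest.xml": b"<constructed manifest>",
    "classes.dex": dex_stub(b"035"),
    "classes2.dex": dex_stub(b"037", body_len=40),
    "classes3.dex": b"not a dex file at all",
})

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

Run it against a real file with `triage(open("app.apk", "rb").read())`; a result with `legu_packed` set and a single small classes.dex is the case unpack.py is written for, and a result from unpacked.apk with `legu_packed` clear and every expected DEX present with a sensible size is what to look for before loading the output into a disassembler.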
Requirements
- Python >= 3.7
- Kaitai Struct
- LIEF
- pylegu