GitHub - quarkslab/legu_unpacker_2019: Scripts to unpack APK protected by Legu

 4 years ago
source link: https://github.com/quarkslab/legu_unpacker_2019
README.md

Legu Unpacker

Scripts to unpack Android applications protected by Tencent Legu. It only works with versions 4.1.0.15 and 4.1.0.18 of Legu.

Overview

The original DEX files are located in assets/0OO00l111l1l with the following layout:

[Figure packed_file.png: layout of the packed file stored in assets/0OO00l111l1l]

One can find the details of this structure in the Kaitai file: legu_packed_file.ks

The hashmap embedded in the second part is described in the legu_hashmap.ks file:

[Figure hashmap.png: layout of the hashmap embedded in the second part of the packed file]

pylegu

pylegu contains the Python bindings to decrypt and uncompress the data embedded in assets/0OO00l111l1l.

To compile and install pylegu:

$ cd pylegu
$ python3.7 ./setup.py build -j4 install --user
$ python -c "import pylegu"

One could also use jap/pyucl to decompress the data and aguinet/dragonffi to bind the custom implementation of XTEA.

Get Started

The sample com.intotherain.voicechange.apk is a suspicious application that can be unpacked as follows:

$ python ./unpack.py ./samples/com.intotherain.voicechange.apk

[+] Legu version: 4.1.0.15
[+] Password is 'IPk2Hw7AKTuIQBlc'
[+] Number of dex files: 1
[+] Unpacking #1 DEX files ...
[+] dex 0 compressed size:   0x1619a3
[+] dex 0 uncompressed size: 0x5671f8

[+] Unpacking #1 hashmap ...
[+] hashmap 0 compressed size:   0x4399c
[+] hashmap 0 uncompressed size: 0x95558

[+] Unpacking #1 packed methods ...
[+] packed methods 0 compressed_size:   0xf4636
[+] packed methods 0 uncompressed_size: 0x1e3072

[+] Stage 2: Patching DEX files
[+] Unpacked APK: unpacked.apk

The unpacked DEX files are located in the unpacked.apk file.
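After a run like the one above, a practitioner usually wants two quick checks before opening unpacked.apk in a decompiler: that the input really carried the Legu payload asset named in this README, and that every DEX file written to unpacked.apk has a well-formed header (correct magic, Adler-32 checksum and declared file size), since a wrong password or a truncated decompression typically shows up there first. The script below is an added example and is not part of the quarkslab repository; it relies only on the standard DEX header layout and on the asset name assets/0OO00l111l1l given in the README. The `build_minimal_dex` and `build_apk` helpers construct in-memory fixtures so it runs without a real sample.

```python
"""Sanity checks around Legu unpacking (added example, not from the quarkslab repo)."""
import io
import struct
import zipfile
import zlib

# Asset holding the packed DEX payload in the Legu versions the README covers
# (name taken from the README; everything else here is standard DEX/zip handling).
LEGU_PACKED_ASSET = "assets/0OO00l111l1l"

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL byte
DEX_HEADER_SIZE = 0x70


def is_legu_packed(apk_bytes: bytes) -> bool:
    """Return True if the APK carries the Legu packed-payload asset."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return LEGU_PACKED_ASSET in zf.namelist()


def check_dex_header(data: bytes) -> dict:
    """Validate a DEX blob's magic, header checksum and declared file size."""
    result = {"valid": False, "magic_ok": False, "checksum_ok": False, "size_ok": False}
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return result
    result["magic_ok"] = data[4:7].isdigit() and data[7] == 0
    # The checksum at offset 8 is Adler-32 over everything that follows it (offset 12 onward).
    declared_checksum = struct.unpack_from("<I", data, 8)[0]
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == declared_checksum
    # file_size sits at offset 32, header_size at offset 36 (always 0x70).
    file_size, header_size = struct.unpack_from("<II", data, 32)
    result["size_ok"] = file_size == len(data) and header_size == DEX_HEADER_SIZE
    result["valid"] = result["magic_ok"] and result["checksum_ok"] and result["size_ok"]
    return result


def check_unpacked_apk(apk_bytes: bytes) -> dict:
    """Run check_dex_header over every classes*.dex entry of an APK; keyed by entry name."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                findings[name] = check_dex_header(zf.read(name))
    return findings


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed fixture: a header-only DEX blob with a correct checksum and file_size."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:4] = DEX_MAGIC_PREFIX
    body[4:7] = version
    body[7] = 0
    struct.pack_into("<II", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", body, 40, 0x12345678)                         # endian_tag
    # Bytes 12..32 hold the SHA-1 signature; left zero because it is not validated above.
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_apk(entries: dict) -> bytes:
    """Constructed fixture: an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # A packed sample ships the loader stub as classes.dex plus the payload asset.
    packed = build_apk({LEGU_PACKED_ASSET: b"\x00" * 16, "classes.dex": build_minimal_dex()})
    # After unpacking, the recovered DEX files are what we want to validate.
    unpacked = build_apk({"classes.dex": build_minimal_dex()})
    print("packed sample flagged as Legu:", is_legu_packed(packed))
    for name, finding in check_unpacked_apk(unpacked).items():
        print(name, finding)
```

On a real sample, replace the fixtures with `open(path, "rb").read()` for the input APK and for unpacked.apk; a DEX whose magic is fine but whose checksum fails is the usual symptom of a partial or wrongly keyed decryption rather than a packer quirk.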

Requirements

  • Python >= 3.7
  • Kaitai Struct
  • LIEF
  • pylegu
