Skip to content
master
Switch branches/tags
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

Legu Unpacker

Scripts to unpack Android applications protected by Tencent Legu. It only works with versions 4.1.0.15 and 4.1.0.18 of Legu.

Blog post: https://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html

Overview

The original DEX files are located in assets/0OO00l111l1l with the following layout:


One can find the details of this structure in the Kaitai file: legu_packed_file.ks

The hashmap embedded in the second part is described in the legu_hashmap.ks file:


pylegu

pylegu contains the Python bindings to decrypt and uncompress the data embedded in assets/0OO00l111l1l.

To compile and install pylegu:

$ cd pylegu
$ python3.7 ./setup.py build -j4 install --user
$ python -c "import pylegu"

One could also use jap/pyucl to decompress the data and aguinet/dragonffi to bind the custom implementation of XTEA.

Get Started

The sample com.intotherain.voicechange.apk is a suspicious application that can be unpacked as follows:

$ python ./unpack.py ./samples/com.intotherain.voicechange.apk

[+] Legu version: 4.1.0.15
[+] Password is 'IPk2Hw7AKTuIQBlc'
[+] Number of dex files: 1
[+] Unpacking #1 DEX files ...
[+] dex 0 compressed size:   0x1619a3
[+] dex 0 uncompressed size: 0x5671f8

[+] Unpacking #1 hashmap ...
[+] hashmap 0 compressed size:   0x4399c
[+] hashmap 0 uncompressed size: 0x95558

[+] Unpacking #1 packed methods ...
[+] packed methods 0 compressed_size:   0xf4636
[+] packed methods 0 uncompressed_size: 0x1e3072

[+] Stage 2: Patching DEX files
[+] Unpacked APK: unpacked.apk

The unpacked DEX files are located in the unpacked.apk file.

Requirements

  • Python >= 3.7
  • Kaitai Struct
  • LIEF
  • pylegu

About

Scripts to unpack APK protected by Legu

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published