
Update protectors.yara to add Codestage Anti-Cheat #299

Closed
wants to merge 5 commits into from

Conversation

apkunpacker
Contributor

@apkunpacker apkunpacker commented Apr 16, 2022

For issue #297

Some points to notice:

$code  = "Code Stage"
$code2  = "Anti-Cheat Toolkit"

are always present.

Chose any one of them only. Why?
Because all games are different and not all of them require every anti-cheat, so the developer adds them according to the game, but as the anti-cheat is used, at least one of them must exist:

    $detection1  = "Obscured Cheating Detector"
    $detection2  = "Speed Hack Detector"
    $detection3  = "Time Cheating Detector"
    $detection4  = "WallHack Detector"
    $detection5  = "Injection Detector"

70% of samples have its codestage.net website present as a string and the rest do not, so it is not a must, but it can be used for detection if it occurs together with the first two rules along with the $check* strings.

@apkunpacker
Contributor Author

Updated detection a bit to cover possibly missed things, because the addition of cheats is developer-dependent (specifically to cover walk/see/shoot through walls).
If wall hack is disabled then the rule will miss that sample, so changed it a little bit:

$detection6 = "walk through the walls"
$detection7 = "see through the walls"
$detection8 = "shoot through the walls"
$detection9 = "http://codestage.net"
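Review bot: `$detection9 = "http://codestage.net"` is tied to one URL scheme; dropping the scheme (`"codestage.net"`) or using a regex such as `/https?:\/\/codestage\.net/` keeps the match when the site is referenced over https. The three "through the walls" phrases are plain English that could appear in any game's own cheat-warning text, so they are better treated as supporting evidence than counted the same way as the named detector strings.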
Collaborator


What about using a regex in case you find https?

Member


Adding https would add some potential future-proofing.

@apkunpacker
Contributor Author

Added Kiwisec rule, but as the last PR was not merged yet, it is done with that.

This rule was taken from a list of Chinese rules:

["ijiami.dat","ijiami.ajm","libexecmain.so"]
["libprotectClass.so","libjiagu.so"]
["libBugly-yaq.so","libtosprotection.armeabi.so","libtosprotection.armeabi-v7a.so","libtosprotection.x86.so","tosversion"]
["Lcom\/tencent\/bugly\/","Lcom\/tencent\/legu\/","Lcom\/wrapper\/proxyapplication\/","La\/a\/","La\/b\/a\/","La\/c\/","La\/d\/","La\/e\/","La\/f\/a\/","La\/g\/a\/"]
["libshell.so","libtup.so","mix.dex","mixz.dex","\blibshella-.*\\.so","\blibshellx-.*\\.so"]
["Lcom\/tencent\/bugly\/","Lcom\/tencent\/legu\/"]
["libsecexe.so","libsecmain.so","libSecShell.so"]
["Landroidx\/constraintlayout\/","Lcom\/aograph\/","Lcom\/alibaba\/fastjson\/","Lcom\/alibaba\/sdk\/android\/","Lcom\/google\/zxing\/","Lcom\/google\/firebase\/","Lcom\/secneo\/apkwrapper\/","Lcom\/yanzhenjie\/permission\/"]
["libDexHelper.so","libDexHelper-x86.so"]
["Lcom\/aograph\/","Lcom\/alibaba\/fastjson\/","Lcom\/alibaba\/sdk\/android\/","Lcom\/google\/zxing\/","Lcom\/secneo\/apkwrapper\/","Lcom\/yanzhenjie\/permission\/"]
["libddog.so","libedog.so","libchaosvmp.so","libddog.solibfdog.so","libvdog","libvdog64","libvdog-x86"]
["libNSaferOnly.so","libegis.so"]
["aliprotect.dat"]
["libfakejni.so","libzuma.so"]
["libbaiduprotect.so"]
["Landroid\/","Landroidx\/","Lorg\/apache\/","Ljson\/"]
["libsagittarius6.so","libsagittarius6_x86","sagittarius6-sec.dex"]
["Landroid\/support\/v4\/","Landroidx\/","Lcom\/bumptech\/glide\/","Lcom\/bytedance\/","Lcom\/github\/ybq\/android\/spinkit\/","Lcom\/google\/android\/material\/","Lcom\/google\/gson\/","Lcom\/iflytek\/","Lcom\/sagittarius\/v6\/","Lcom\/ss\/android\/","Lcom\/tencent\/","Lio\/reactivex\/rxjava3\/disposables\/","Ljp\/co\/cyberagent\/android\/gpuimage\/","Lkotlinx\/coroutines\/","Lokhttp\/","Lorg\/apache\/commons\/compress\/"]
["libnqshield.so"]
["libnesec.so","libunisec.so","libunisec_x86.so","libunisec2.so","libunisec2_x86.so"]
["libAPKProtect.so"]
["dp.arm-v7.so.dat","dp.arm.so.dat"]
["libkwscmm.so","libkwscr.so","libkwslinker.so","libKwProtectSDK.so","libKwAppGuardSDK.so","kwmkadp_arm64-v8a","kwmkadp_armeabi-v7a","kiwiguard.lic"]
["libx3g.so","libdx-ld.so","libcsn.so"]
["L_se_\/","Lcom\/dingxiang\/"]
["libitsec.so"]
["libapssec.so"]
["librsprotect.so"]
["libuusafe.jar.so","libuusafe.so","libuusafeempty.so"]
["mogosec_classes","libcmvmp.so","libmogosecurity.so"]
["libreincp.so","libreincp_x86.so"]
["mxsafe.data","mxsafe.jar"]
["kqkticwjgzy_a32.so","kqkticwjgzy_a64.so","kqkticwjgzy_x86.so","kqkticwjgzy_x64.so"]

$kw8 = "kiwiguard.lic"

condition:
is_apk and any of ($kw*)
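Review bot: `any of ($kw*)` lets a single hit fire the rule, and `$kw8 = "kiwiguard.lic"` is a bare licence filename rather than a library name; consider `2 of ($kw*)`, or requiring one of the `libKwProtectSDK.so` / `libKwAppGuardSDK.so` strings from the list above alongside it, so a stray `.lic` asset does not produce a match on its own.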
Member


Can this be 2 of without loss of accuracy?

Collaborator


Found a sample (https://www.vmos.com/) that might help you clean up the rule:

   147168  1979-11-29 17:00   lib/armeabi-v7a/libvmtools.so
    83976  2022-02-19 09:58   lib/armeabi-v7a/libkiwi_dumper.so
    55132  2022-02-19 09:58   lib/armeabi-v7a/libkiwicrash.so
   130128  2022-02-19 09:58   lib/arm64-v8a/libkiwi_dumper.so
    80304  2022-02-19 09:58   lib/arm64-v8a/libkiwicrash.so
  9368512  2022-02-19 10:02   lib/arm64-v8a/libKwProtectSDK.so
  1705820  2022-02-19 10:04   lib/armeabi-v7a/libKwProtectSDK.so

$detection9 = "http://codestage.net"

condition:
is_elf and $code and $code2 and 2 of ($detection*)
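Review bot: with `2 of ($detection*)`, two of the generic phrases `$detection6`-`$detection8` can satisfy the count by themselves, even though the thread says only the named detectors are reliable; consider counting those three as one via an explicit set (e.g. `1 of ($detection6, $detection7, $detection8)`) and requiring at least one of `$detection1`-`$detection5` or `$detection9` in addition.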
Member


These strings are a little generic. Can this be 3 of without loss of accuracy?
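The two rules discussed in this thread, assembled as an added example that is not the PR's own code: the Codestage rule with the reviewers' http/https regex and a count that keeps the generic "through the walls" phrases as support only, and the Kiwisec rule with the `2 of` count asked for in review. The `is_apk` / `is_elf` stand-ins, the rule names and the exact condition shape are assumptions made here for a self-contained file.

```yara
// Stand-ins for the project's shared file-type checks (assumption: the real
// is_apk / is_elf rules live elsewhere in the rule set; these test magic bytes only).
private rule is_elf { condition: uint32(0) == 0x464c457f }   // "\x7fELF"
private rule is_apk { condition: uint32(0) == 0x04034b50 }   // "PK\x03\x04"

rule codestage_anti_cheat : protector
{
    meta:
        description = "Code Stage Anti-Cheat Toolkit (Unity)"
    strings:
        $code  = "Code Stage"                // always present per the thread
        $code2 = "Anti-Cheat Toolkit"        // always present per the thread
        $detection1 = "Obscured Cheating Detector"
        $detection2 = "Speed Hack Detector"
        $detection3 = "Time Cheating Detector"
        $detection4 = "WallHack Detector"
        $detection5 = "Injection Detector"
        // Generic phrases: only used as support, never enough on their own.
        $wall1 = "walk through the walls"
        $wall2 = "see through the walls"
        $wall3 = "shoot through the walls"
        // Regex covers both http and https, as suggested in review.
        $site  = /https?:\/\/codestage\.net/
    condition:
        is_elf and $code and $code2 and
        (2 of ($detection*) or (1 of ($detection*) and ($site or 1 of ($wall*))))
}

rule kiwisec : protector
{
    meta:
        description = "KiwiSec"
    strings:
        $kw1 = "libkwscmm.so"
        $kw2 = "libkwscr.so"
        $kw3 = "libkwslinker.so"
        $kw4 = "libKwProtectSDK.so"
        $kw5 = "libKwAppGuardSDK.so"
        $kw6 = "kwmkadp_arm64-v8a"
        $kw7 = "kwmkadp_armeabi-v7a"
        $kw8 = "kiwiguard.lic"
    condition:
        // 2 of, as asked in review; note the VMOS listing in the thread carries
        // only libKwProtectSDK.so from this set, so it would need a second name.
        is_apk and 2 of ($kw*)
}
```

Run with `yara -r rules.yara <sample dir>` against known Codestage and KiwiSec samples before and after changing the counts to see what each threshold drops.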

@apkunpacker apkunpacker closed this by deleting the head repository Oct 23, 2023
3 participants