Awesome

🫙 kavanoz 🫙

Statically unpacking common android banker malware. Ever wanted to get payload from packed malware without running android emulator ? Me neither.

:eyes: Installation

pip install kavanoz

:zap: Usage

from cmdline

kavanoz /tmp/filepath

from python library

from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break

:snake: Scripts:

• rc4.py Generic rc4 encrypted asset file. Script covers multiple versions.
• old_rc4.py Another Generic rc4 encrypted asset file.
• subapp.py Decryption of file with key derived from Manifest file ProtectKey variable
• multidex.py Multidex like loader with inflated packed file. (zlib compression)
• coper.py Extract rc4 key from native lib with emulation (AndroidNativeEmu)
• moqhao.py Emulation for moqhau unpacking.
• sesdex.py
• simple_aes.py
• simple_xor.py
• simple_xor2.py
• simple_xor_zlib.py
• subapp.py Decrypt asset with package name

:gear: Development

To add new plugins just create new file in loader folder. Extend Unpacker class from unpack_plugin.py file. Define start_decrypt function with your implementation.

def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):

Add following function to make early exit from plugin.

def lazy_check(self,apk_object:APK, dexes: "list[DEX]"):

If extraction is successful assign self.decrypted_payload_path with extracted file path. You can use helper functions from unpacker class:

• get_array_data
• get_smali
• find_method(class_name,method_name,descriptor="")
• check_and_write_file(file_data) : checks file has dex, zip and zlib headers and writes unpacked dex with name : "external-{m[:8]}.dex"

:book: Tips

• self.dexes hold dex objects. You can get class with dex.get_class(smali_annotation_of_class).
• You can use get_smali function and give target method obj to get smali represantation of target method. Then apply some regex to get data from smali. There are lots of defined regexs in smali_regexes.py file to lookup.
• Most of the time packers use file from asset folder. You can get files with self.apk_object.get_files()
• Most of the time packers use Application class to start unpacking sequence. Use application = self.apk_object.get_attribute_value("application", "name") to get application class defined in manifest file.

Thanks:

apkdetect.com for unique samples to work with.