[DETECTION] Unidentified Ubisoft protection #437
Comments
appdome?
$ apkid Invincible_\ Guarding\ the\ Globe_1.3.10_apkcombo.app.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, ro.hardware check, ro.kernel.qemu check
|-> compiler : dexlib 2.x
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes2.dex
|-> compiler : r8 without marker (suspicious)
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes3.dex
|-> compiler : dexlib 2.x
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!lib/arm64-v8a/libcrashlytics-common.so
|-> anti_hook : syscalls
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!lib/armeabi-v7a/libgrpc_csharp_ext.so
|-> protector : Appdome
Checking the other APK:
$ unzip -l config.arm64_v8a.apk
Archive: config.arm64_v8a.apk
Length Date Time Name
--------- ---------- ----- ----
1132 1981-01-01 01:01 AndroidManifest.xml
9211536 1981-01-01 01:01 lib/arm64-v8a/libCysharp.Net.Http.YetAnotherHttpHandler.Native.so
82912 1981-01-01 01:01 lib/arm64-v8a/libFirebaseCppAnalytics.so
6062992 1981-01-01 01:01 lib/arm64-v8a/libFirebaseCppApp-12_2_0.so
42832 1981-01-01 01:01 lib/arm64-v8a/libFirebaseCppCrashlytics.so
1855136 1981-01-01 01:01 lib/arm64-v8a/libIKJyYOQQpVxkK.so // CHECKING THIS
1669624 1981-01-01 01:01 lib/arm64-v8a/libMxPrivacyCore.so
59328 1981-01-01 01:01 lib/arm64-v8a/lib_burst_generated.so
755864 1981-01-01 01:01 lib/arm64-v8a/libcrashlytics-common.so
185960 1981-01-01 01:01 lib/arm64-v8a/libcrashlytics-handler.so
9584 1981-01-01 01:01 lib/arm64-v8a/libcrashlytics-trampoline.so
195568 1981-01-01 01:01 lib/arm64-v8a/libcrashlytics.so
93363272 1981-01-01 01:01 lib/arm64-v8a/libil2cpp.so
6728 1981-01-01 01:01 lib/arm64-v8a/libmain.so
6177840 1981-01-01 01:01 lib/arm64-v8a/libubiservices.so
20288208 1981-01-01 01:01 lib/arm64-v8a/libunity.so
32 1981-01-01 01:01 stamp-cert-sha256
1619 1981-01-01 01:01 META-INF/BNDLTOOL.SF
1396 1981-01-01 01:01 META-INF/BNDLTOOL.RSA
1511 1981-01-01 01:01 META-INF/MANIFEST.MF
--------- -------
139973074 20 files
I am afraid that the appdome match got wrongly triggered with this regex:
(keyword is_elf and not appdome_elf and
// Match at least 2 section names from hook,.hookname,adinit,.adi,ipcent,ipcsel
for 2 i in (0..elf.number_of_sections):
(elf.sections[i].name matches /(hook|\.hookname|adinit|\.adi|ipcent|ipcsel)/)
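The section-name test in the condition quoted above can be replayed outside YARA to see which sections of a flagged library are responsible for a hit. This is an added example, not APKiD code and not part of the original comment; `section_names`, `hits`, `build_elf32`, the anchored `EXACT_RE` variant and the sample section names are assumptions constructed for illustration.

```python
import re
import struct

# Pattern from the rule quoted above; YARA's `matches` is an unanchored search.
RULE_RE = re.compile(rb"(hook|\.hookname|adinit|\.adi|ipcent|ipcsel)")
# Assumption: exact-name variant, following the rule's own comment.
EXACT_RE = re.compile(rb"^(hook|\.hookname|adinit|\.adi|ipcent|ipcsel)$")

def section_names(elf):
    """Return the section names of a little-endian ELF32 or ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF")
    if elf[4] == 2:  # ELFCLASS64
        (shoff,) = struct.unpack_from("<Q", elf, 0x28)
        entsize, num, strndx = struct.unpack_from("<3H", elf, 0x3A)
        fmt, pos = "<2Q", 0x18  # sh_offset, sh_size
    else:  # ELFCLASS32, e.g. armeabi-v7a
        (shoff,) = struct.unpack_from("<I", elf, 0x20)
        entsize, num, strndx = struct.unpack_from("<3H", elf, 0x2E)
        fmt, pos = "<2I", 0x10
    off, size = struct.unpack_from(fmt, elf, shoff + strndx * entsize + pos)
    strtab = elf[off:off + size]
    names = []
    for i in range(num):
        (n,) = struct.unpack_from("<I", elf, shoff + i * entsize)
        names.append(strtab[n:strtab.index(b"\0", n)])
    return names

def hits(elf, regex=RULE_RE):
    """Sections whose name satisfies the regex; the rule needs 2 or more."""
    return [n for n in section_names(elf) if regex.search(n)]

def build_elf32(names):
    # Constructed input: ELF32 with only a header, string table and section headers.
    names = [b""] + list(names) + [b".shstrtab"]
    strtab, idx = b"", []
    for n in names:
        idx.append(len(strtab))
        strtab += n + b"\0"
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<2H5I6H", 3, 40, 1, 0, 0, 52 + len(strtab), 0, 52, 0, 0, 40, len(names), len(names) - 1)
    shdrs = b"".join(
        struct.pack("<10I", o, 1, 0, 0, *((52, len(strtab)) if i == len(idx) - 1 else (0, 0)), 0, 0, 1, 0)
        for i, o in enumerate(idx))
    return ehdr + strtab + shdrs

# Constructed section names, not taken from libgrpc_csharp_ext.so.
SAMPLE = build_elf32([b".text", b".data.unhook", b".hook_table", b".rodata"])
print("rule regex:", hits(SAMPLE), "| exact names:", hits(SAMPLE, EXACT_RE))
```

Running `hits(open(path, "rb").read())` on a flagged `.so` lists the section names that satisfied the rule, which is the information needed to decide whether a match is a false positive.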
@AndroidMaster25 can you find another app with the same protection?
Sure, but it will take a long time until I discover another one. However, you can check older versions of this game: https://apkcombo.app/invincible-guarding-the-globe/com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk/old-versions/
Provide the file
Invincible: Guarding the Globe 2.1.12
https://apkcombo.app/invincible-guarding-the-globe/com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk/download/apk
Describe the detection issue
This game is calling to a lib with a randomized lib name, IKJyYOQQpVxkK. My friend claims it has a signature check that can prevent login, and that it connects to a remote server so that the developer can enable certain security features remotely. I don't know much about the inside of the lib because it is obfuscated. In smali, it's making some calls to the lib
APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -