
Description
Describe the protection
I discovered a really interesting "String2C" protection: all the strings from the smali get converted and encrypted to C++ (the liblzuvfr.so file). Possibly a custom VNGGames protection.
All strings get replaced with C0585.m5678([id]), which is the call to the native.
In the lib, all symbols are stripped and obfuscated. I barely find interesting strings; however, I found the following strings that indicate that the protection might be nicknamed bshield and that it was generated and compiled under a Linux server:
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/Unwinder.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/DwarfMemory.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/
Sample
Võ Hồn Đại Lục VNG 1.2.2: https://apkcombo.com/vo-hon-dai-luc-vng/vnggames.soulland.daula.reloaded/
1.1.7 did not have any protections
APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -
vm@vm-virtual-machine:~$ apkid '/home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk'
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : unknown (please file detection issue!)
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, possible VM check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes2.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes3.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes4.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes5.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes6.dex
|-> anti_vm : network operator name check, possible Build.SERIAL check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes7.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names
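
One way to turn the build-path strings reported above into a triage check over an APK's native libraries, added here as an example (it is not APKiD's rule code and not code from the issue author). The `lib/<abi>/` layout, the `libclean.so` name, the sample bytes and the generalised user component in the regex are assumptions made for the illustration.

```python
import io
import re
import zipfile

ELF_MAGIC = b"\x7fELF"
# Build-agent path prefix quoted in the issue; the user component is captured
# so that other agent account names would be reported too (an assumption).
MARKER = re.compile(rb"/Users/([A-Za-z0-9_.-]+)/myagent/_work/[\x21-\x7e]*")

def printable_strings(data, min_len=6):
    """Yield runs of printable ASCII, the way strings(1) does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()

def find_build_path_markers(data):
    """Return {build_user: [leaked paths]} for one ELF image, {} otherwise."""
    if not data.startswith(ELF_MAGIC):
        return {}
    hits = {}
    for s in printable_strings(data):
        for m in MARKER.finditer(s):
            hits.setdefault(m.group(1).decode(), set()).add(m.group().decode())
    return {user: sorted(paths) for user, paths in hits.items()}

def scan_apk(apk_file):
    """Map each native library inside an APK to its marker hits."""
    report = {}
    with zipfile.ZipFile(apk_file) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                hits = find_build_path_markers(apk.read(name))
                if hits:
                    report[name] = hits
    return report

def build_sample_apk():
    """Constructed in-memory APK: one marked library, one clean one."""
    base = b"/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/"
    marked = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 +
              base + b"Unwinder.cpp\x00\x01\x02" + base + b"DwarfMemory.cpp\x00")
    clean = ELF_MAGIC + b"\x00" * 12 + b"GCC: (GNU) 9.3.0\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/liblzuvfr.so", marked)
        z.writestr("lib/arm64-v8a/libclean.so", clean)
    return buf

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

A hit only shows that the library leaks this build-agent path; it is a lead for writing a detection rule, not proof of the protector's identity.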