
Commit 826de6c

authored
Add files via upload
1 parent 05effb0 commit 826de6c

20 files changed

+3402
-0
lines changed

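--- a/AntiDebug.js
+++ b/AntiDebug.js
@@ -0,0 +1,192 @@
+/* Bypass Frida Detection Based On Port Number */
+Interceptor.attach(Module.findExportByName("libc.so", "connect"), {
+onEnter: function(args) {
+var memory = Memory.readByteArray(args[1], 64);
+var b = new Uint8Array(memory);
+if (b[2] == 0x69 && b[3] == 0xa2 && b[4] == 0x7f && b[5] == 0x00 && b[6] == 0x00 && b[7] == 0x01) {
+this.frida_detection = true;
+}
+},
+onLeave: function(retval) {
+if (this.frida_detection) {
+console.log("Frida Bypassed");
+retval.replace(-1);
+}
+}
+});
+Interceptor.attach(Module.findExportByName(null, "connect"), {
+onEnter: function(args) {
+var family = Memory.readU16(args[1]);
+if (family !== 2) {
+return
+}
+var port = Memory.readU16(args[1].add(2));
+port = ((port & 0xff) << 8) | (port >> 8);
+if (port === 27042) {
+console.log('frida check');
+Memory.writeU16(args[1].add(2), 0x0101);
+}
+}
+});
+/* Bypass TracerPid Detection Based On Pid Status */
+var fgetsPtr = Module.findExportByName("libc.so", "fgets");
+var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);
+Interceptor.replace(fgetsPtr, new NativeCallback(function(buffer, size, fp) {
+// console.warn(buffer);
+var retval = fgets(buffer, size, fp);
+var bufstr = Memory.readUtf8String(buffer);
+if (bufstr.indexOf("TracerPid:") > -1) {
+Memory.writeUtf8String(buffer, "TracerPid:\t0");
+console.log("Bypassing TracerPID Check");
+}
+return retval;
+}, 'pointer', ['pointer', 'int', 'pointer']))
+/* Bypass Ptrace Checks */
+Interceptor.attach(Module.findExportByName(null, "ptrace"), {
+onEnter: function(args) {},
+onLeave: function(retval) {
+console.log("Ptrace Bypassed");
+retval.replace(0);
+}
+})
+/* Watch Child Process Forking */
+var fork = Module.findExportByName(null, "fork")
+Interceptor.attach(fork, {
+onEnter: function(args) {},
+onLeave: function(retval) {
+var pid = parseInt(retval.toString(16), 16)
+console.log("Child Process PID : ", pid)
+}
+})
+/*
+Interceptor.attach(Module.getExportByName(null,"__android_log_print"), {
+onEnter: function (args) {
+console.warn(args[0],args[1].readCString(),args[2].readCString(),);
+}
+}
+);
+*/
+/* Screenshot Detection Bypass */
+Java.perform(function() {
+try {
+var surface_view = Java.use('android.view.SurfaceView');
+var set_secure = surface_view.setSecure.overload('boolean');
+set_secure.implementation = function(flag) {
+set_secure.call(false);
+}
+var window = Java.use('android.view.Window');
+var SFlag = window.setFlags.overload('int', 'int');
+var window_manager = Java.use('android.view.WindowManager');
+var layout_params = Java.use('android.view.WindowManager$LayoutParams');
+SFlag.implementation = function(flags, mask) {
+flags = (flags.value & ~layout_params.FLAG_SECURE.value);
+SFlag.call(this, flags, mask);
+}
+} catch (err) {
+console.error(err);
+}
+})
+/* Xposed Detection Bypass */
+Java.perform(function() {
+try {
+var cont = Java.use("java.lang.String");
+cont.contains.overload("java.lang.CharSequence").implementation = function(checks) {
+var check = checks.toString();
+if (check.indexOf("libdexposed") >= 0 || check.indexOf("libsubstrate.so") >= 0 || check.indexOf("libepic.so") >= 0 || check.indexOf("libxposed") >= 0) {
+var BypassCheck = "libpkmkb.so";
+return this.contains.call(this, BypassCheck);
+}
+return this.contains.call(this, checks);
+}
+} catch (erro) {
+console.error(erro);
+}
+try {
+var StacktraceEle = Java.use("java.lang.StackTraceElement");
+StacktraceEle.getClassName.overload().implementation = function() {
+var Flag = false;
+var ClazzName = this.getClassName();
+if (ClazzName.indexOf("com.saurik.substrate.MS$2") >= 0 || ClazzName.indexOf("de.robv.android.xposed.XposedBridge") >= 0) {
+console.log("STE Classes : ", this.getClassName())
+Flag = true;
+if (Flag) {
+var StacktraceEle = Java.use("java.lang.StackTraceElement");
+StacktraceEle.getClassName.overload().implementation = function() {
+var gMN = this.getMethodName();
+if (gMN.indexOf("handleHookedMethod") >= 0 || gMN.indexOf("handleHookedMethod") >= 0 || gMN.indexOf("invoked") >= 0) {
+console.log("STE Methods : ", this.getMethodName());
+return "ulala.ulala";
+}
+return this.getMethodName();
+}
+}
+return "com.android.vending"
+}
+return this.getClassName();
+}
+} catch (errr) {
+console.error(errr);
+}
+})
+/* VPN Related Checks */
+Java.perform(function() {
+var NInterface = Java.use("java.net.NetworkInterface");
+try {
+NInterface.isUp.overload().implementation = function() {
+//console.log("Network Down");
+return false;
+// may cause connectivity lose in rare case so be careful
+}
+} catch (err) {
+console.error(err);
+}
+try {
+var NInterface = Java.use("java.net.NetworkInterface");
+NInterface.getName.overload().implementation = function() {
+var IName = this.getName();
+if (IName == "tun0" || IName == "ppp0" || IName == "p2p0" || IName == "ccmni0" || IName == "tun") {
+console.log("Detected Interface Name : ", JSON.stringify(this.getName()));
+return "FuckYou";
+}
+return this.getName();
+}
+} catch (err) {
+console.error(err);
+}
+try {
+var GetProperty = Java.use("java.lang.System");
+GetProperty.getProperty.overload("java.lang.String").implementation = function(getprop) {
+if (getprop.indexOf("http.proxyHost") >= 0 || getprop.indexOf("http.proxyPort") >= 0) {
+var newprop = "CKMKB"
+return this.getProperty.call(this, newprop);
+}
+return this.getProperty(getprop);
+}
+} catch (err) {
+console.error(err);
+}
+try {
+var NCap = Java.use("android.net.NetworkCapabilities");
+NCap.hasTransport.overload("int").implementation = function(values) {
+console.log("HasTransport Check Detected ");
+if (values == 4)
+return false;
+else
+return this.hasTransport(values);
+}
+} catch (e) {
+console.error(e);
+}
+})
+/* Developer Mod Check Bypass */
+Java.perform(function() {
+var SSecure = Java.use("android.provider.Settings$Secure");
+SSecure.getStringForUser.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function(Content, Name, Flag) {
+if (Name.indexOf("development_settings_enabled") >= 0) {
+console.log(Name);
+var Fix = "fuckyou";
+return this.getStringForUser.call(this, Content, Fix, Flag);
+}
+return this.getStringForUser(Content, Name, Flag);
+}
+})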
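Review bot: Several hooks change results for every caller in the process rather than only the detection path, and the section comments do not say so: the `ptrace` hook (lines 45–51) rewrites every return value to 0, `NetworkInterface.isUp` (lines 135–139) reports every interface as down, and `String.contains` (lines 93–100) is replaced for all strings. Only the comment at line 138 acknowledges a side effect. I would add a file header such as `/* Hooks are process-wide: connect, fgets, ptrace and the listed framework methods return altered values to every caller */`, so that behaviour observed after attach is read as that of the modified process. Each section comment could also name the signal it masks (port 27042, the `TracerPid:` line, the Xposed/Substrate class and library names), which gives the app's maintainers the list of on-device checks that need a server-side or attestation-backed counterpart.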

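--- a/Arxankiller-v41.js
+++ b/Arxankiller-v41.js
@@ -0,0 +1,83 @@
+const Libg = {
+init: function() {
+Libg.module = Process.findModuleByName('libg.so');
+Libg.size = Libg.module.size;
+Libg.begin = Libg.module.base;
+Libg.lib = Libg.begin;
+Libg.end = ptr(Libg.begin.toInt32() + Libg.size);
+
+Libg.AntiCheat = {};
+Libg.AntiCheat.addr = {};
+Libg.AntiCheat.addr.guard_callback = Libg.offset(0x3A9414);
+},
+offset: function(a) {
+return Libg.lib.add(a);
+}
+};
+
+const MemoryPatcher = {
+patch: function(pointer, arr) {
+Memory.protect(pointer, arr.length, "rwx");
+Memory.writeByteArray(pointer, arr);
+}
+}
+
+const ArxanPatcher = {
+init: function() {
+Interceptor.replace(Libg.AntiCheat.addr.guard_callback, new NativeCallback(function(t) {
+console.log("guard_callback(" + t + ") : " + this.returnAddress.sub(Libg.begin));
+}, 'void', ['int']));
+
+Interceptor.attach(Libg.offset(0x6ED940), function() { // Messaging::connect
+console.log("Messaging::connect - possible frida detection, bypassing.");
+this.context.r0 = 0;
+this.context.r3 = 0;
+});
+
+Interceptor.attach(Libg.offset(0x315248), function() { // createGameMain
+console.log("Arxan random jump address " + this.context.r0.sub(Libg.begin) + ", setting valid address!");
+this.context.r0 = Libg.offset(0x3152A0);
+});
+
+Interceptor.attach(Libg.offset(0x312150), function() { // createGameMain - getaddrinfo protection
+console.log("Arxan random jump address " + this.context.r0.sub(Libg.begin) + ", setting valid address!");
+this.context.r0 = Libg.offset(0x3152A0);
+});
+
+Interceptor.attach(Libg.offset(0x715C84), function() { // LoginMessage::encode
+console.log("Login: Arxan random jump address " + this.context.r0.sub(Libg.begin) + ", setting valid address!");
+this.context.r0 = Libg.offset(0x716AE4);
+});
+
+Interceptor.attach(Libg.offset(0x66821C), function() { // InputSystem::update
+console.log("InputSystem: random jump bypassed");
+this.context.r0 = Libg.offset(0x669178);
+});
+
+Interceptor.attach(Libg.offset(0x78D8C0), function() { // CombatHUD::ultiButtonActivated
+console.log("Ulti: random jump bypassed");
+this.context.r0 = Libg.offset(0x78DA9C);
+});
+}
+};
+
+const Core = {
+init: function() {
+Process.setExceptionHandler(function(trace) {
+console.error('EXCEPTION:', trace, trace.address);
+console.error(' Address:', trace.address + ' (' + trace.address.sub(Libg.begin) + ')');
+console.error(' LR:', trace.context.lr + ' (' + trace.context.lr.sub(Libg.begin) + ')');
+console.error(' LIBG:', Libg.begin);
+return false;
+});
+try {
+Libg.init();
+ArxanPatcher.init();
+console.log("Initialization complete");
+} catch (exc) {
+console.error('Initialization failed:', exc);
+}
+}
+}
+
+rpc.exports.init = Core.init;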
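Review bot: `MemoryPatcher.patch` (lines 18–23) is defined but never called in this file, and `Libg.end` (line 7) is computed and never read; both are dead code and can be dropped, which also removes the only place the script marks pages `rwx`. If `Libg.end` is kept, note that `Libg.begin.toInt32()` converts the base to a signed 32-bit integer, so `Libg.begin.add(Libg.size)` is the form consistent with `offset()` at line 14. The hard-coded offsets carry only a symbol name in a trailing comment, and nothing in the file records which libg.so build they came from beyond the `v41` in the filename. A one-line header stating the build and architecture would document that; the `r0`/`r3`/`lr` register names suggest 32-bit ARM, but the file should say so rather than leave it to inference.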

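--- a/Billing.js
+++ b/Billing.js
@@ -0,0 +1,54 @@
+Java.perform(function() {
+var Redirect = Java.use("android.content.Intent");
+Redirect.$init.overload("java.lang.String").implementation = function(INITS) {
+if (INITS.indexOf("billing") >= 0 || INITS.indexOf("license") >= 0) {
+Redirect.setPackage.overload('java.lang.String').implementation = function(pkg) {
+if (pkg == 'com.android.vending') {
+var pkgFix = "com.android.vendinf";
+console.warn("setPackage Fixed :) ");
+return this.setPackage.call(this, pkgFix);
+} else {
+return this.setPackage.call(this, pkg);
+}
+}
+}
+return this.$init(INITS);
+}
+try {
+var EV = Java.use("com.android.org.conscrypt.OpenSSLSignature");
+EV.engineVerify.overload('[B').implementation = function(signatures) {
+console.warn("engineVerify From Conscrypt Fixed");
+return true;
+}
+} catch (e) {}
+try {
+var EV = Java.use("org.apache.harmony.xnet.provider.jsse.OpenSSLSignature");
+EV.engineVerify.overload('[B').implementation = function(signatures) {
+console.warn("engineVerify From Harmoney.xnet Fixed");
+return true;
+}
+} catch (e) {}
+var VerifySign = Java.use("java.security.Signature");
+VerifySign.verify.overload('[B').implementation = function(paramBool) {
+console.warn("Verify From java.security.Signature Fixed");
+return true;
+}
+var MD = Java.use("java.security.MessageDigest");
+MD.isEqual.overload("[B", "[B").implementation = function() {
+return true;
+}
+try {
+var VerifyDPayload = Java.use("com.sigmateam.iap.gpm.Purchases");
+VerifyDPayload.verifyDeveloperPayload.overload('org.onepf.oms.appstore.googleUtils.Purchase').implementation = function(paramBool) {
+console.warn("Verify From com.sigmateam.iap.gpm.Purchases;->verifyDeveloperPayload Fixed");
+return true;
+}
+} catch (e) {}
+try {
+var VerifyP = Java.use("org.onepf.oms.appstore.googleUtils.Security");
+VerifyP.verifyPurchase.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(p1, p2, p3) {
+console.warn("Verify From org.onepf.oms.appstore.googleUtils.Security;->verifyPurchase Fixed");
+return true;
+}
+} catch (e) {}
+})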
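Review bot: `java.security.Signature.verify` (lines 31–35) and `MessageDigest.isEqual` (lines 36–39) are replaced for the whole process, so every signature and digest comparison succeeds after attach, not only the purchase check, and the file carries no comment saying this. A header such as `/* Forces Signature.verify, MessageDigest.isEqual and the listed engineVerify/verifyPurchase methods to return true for all callers in the process */` would document the scope. For the app under test, what this file demonstrates is that purchase validation is decided on-device; the remediation to record alongside it is server-side receipt validation.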
