If these files are flushed to disk after decryption (which is required for running .dex and .so), they can be copied while they are on the disk.

The trick is very simple: you need to know the name of the file and copy it as root.
To copy it, start an infinite loop in the console.

while true; do cp /data/data/pkg/some.file /sdcard/; done

Here /data/data/pkg/some.file is the file we need to copy, and /sdcard/ is the destination.
Run this script in the console, launch the desired APK, and the desired file will be copied.

 

If the filename is autogenerated and changes each time it is run, for example
/data/data/com.applisto.appcloner/app_outdex/libdexprotector.16994q0.8902.so
/data/data/com.applisto.appcloner/app_outdex/libdexprotector.16994q0.9114.so
then you can specify a wildcard mask instead of the file name:
/data/data/com.applisto.appcloner/app_outdex/libdexprotector.*.so

Or if you need to copy several files:
/data/data/com.applisto.appcloner/app_outdex/*.so


Let's move on to an example. I practiced on SBGameHacker 3.1 (hereafter GH). There is a file named sbhack.jar in assets. It's encrypted.
Run GH in Droid4X and switch to the console. There we find the PID of the process in the output of the ps command:

u0_a57 15615 165 925264 45788 ffffffff b7508a27 S org.sbtools.gamehack

The PID is 15615.
We look at the map of its memory regions:

cat /proc/15615/maps

Among other things there will be this:

14800000-14805000 r-xp 00000000 08:13 147416 /data/data/org.sbtools.gamehack/app_load2/libencode.so (deleted)
14805000-14806000 r--p 00004000 08:13 147416 /data/data/org.sbtools.gamehack/app_load2/libencode.so (deleted)
14806000-14807000 rw-p 00005000 08:13 147416 /data/data/org.sbtools.gamehack/app_load2/libencode.so (deleted)

98742000-987ef000 r--p 00000000 08:13 147428 /data/data/org.sbtools.gamehack/app_load1/sbhack.dex (deleted)
987ef000-987f0000 r--s 0003e000 08:13 147429 /data/data/org.sbtools.gamehack/app_load1/sbhack.jar (deleted)

Here we see the paths we need. In this case, it is /data/data/org.sbtools.gamehack/app_load1/sbhack.jar
Now start the script in the console:

while true; do cp /data/data/org.sbtools.gamehack/app_load1/sbhack.jar /sdcard/; done

Restart GH. Done: the file we need, /sdcard/sbhack.jar, has appeared in the root of the memory card.

Similarly, you could copy all the other files:
/data/data/org.sbtools.gamehack/app_load2/libencode.so
or
/data/data/org.sbtools.gamehack/app_load1/sbhack.dex

 

The method of encryption of the files does not matter. It matters only whether they are on disk or not. And while a .dex can, in theory, be loaded without creating a file, with a .so such a trick will not work, which means that you can always get the decrypted file.
If this does not work the first time, restart the application until the desired file appears.
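
The maps-reading step above, as an added example that is not part of the original post: a shell function that reads /proc/<pid>/maps text and reports which files under an app's data directory were mapped, whether they were already unlinked, and whether any mapping was executable. The function name mapped_files and the sample lines (taken from the listing above plus two constructed ones) are assumptions of this example; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original post).
# mapped_files PREFIX  reads /proc/<pid>/maps text on stdin and prints one line
# per distinct file whose path starts with PREFIX:
#   <path> deleted=<yes|no> exec=<yes|no>
mapped_files() {
    awk -v prefix="$1" '
    NF >= 6 {                       # anonymous mappings have no path field
        path = $6
        if (index(path, prefix) != 1) next
        if (!(path in seen)) {      # keep first-seen order, one entry per file
            seen[path] = 1; order[++n] = path
            gone[path] = "no"; isx[path] = "no"
        }
        # The kernel appends "(deleted)" once the backing file is unlinked.
        if ($NF == "(deleted)") gone[path] = "yes"
        # Second column is the permission string, e.g. r-xp.
        if ($2 ~ /x/) isx[path] = "yes"
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s deleted=%s exec=%s\n", order[i], gone[order[i]], isx[order[i]]
    }'
}

# Constructed sample input: three lines from the listing in the post, plus a
# system library and an anonymous mapping added for this example.
sample_maps() {
    cat <<'EOF'
14800000-14805000 r-xp 00000000 08:13 147416 /data/data/org.sbtools.gamehack/app_load2/libencode.so (deleted)
14806000-14807000 rw-p 00005000 08:13 147416 /data/data/org.sbtools.gamehack/app_load2/libencode.so (deleted)
98742000-987ef000 r--p 00000000 08:13 147428 /data/data/org.sbtools.gamehack/app_load1/sbhack.dex (deleted)
b7400000-b7500000 r-xp 00000000 08:06 1234 /system/lib/libc.so
b7600000-b7601000 rw-p 00000000 00:00 0
EOF
}

# On a device the input would be the live file: mapped_files PREFIX < /proc/15615/maps
sample_maps | mapped_files /data/data/org.sbtools.gamehack/
```

A file reported with deleted=yes was written to disk in decrypted form and then unlinked while still mapped, which is the short window the copy loop in the post relies on.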
