Amazing utility, but with the annoyance of pop-ups

First of all MacPaw, love what you guys do. Setapp and CleanMyMacX are staples of the amazing apps and services available for the Mac platform, and developers like you guys keep the Mac such an enticing platform. But why I am writing this review is because of a very frustrating pop-up within The Unarchiver. I stand with Ukraine and have donated to the cause of helping them get on their feet and fight during this time of war. I don't want to be reminded of this when I am unzipping some files on the job; please remove this in your next build or at least give us the option to remove it. Spark, an excellent email client, is a great example of this. The developers allow you to display the normal icon for the app or the #StandwithUkraine version. If you could implement something like that in your next update that would be greatly appreciated! Again, thank you for developing this application, because it is really awesome and allows me to get my job done more efficiently, but please don't put pop-ups in your software.

Until this version 3.1.2 it was a 5 star, now maybe 4

Then they had a problem with 3.11.2, which they think they fixed in 3.11.3. However, there are more problems with version 3.11.3. Before the last two versions, I could choose ‘Compress “some directory”’ from the Finder menu, and then a few minutes later I could uncompress it by using “The Unarchiver”. Now, randomly, I get a notification about the encoding the compressed file uses. So I am temporarily using command line tools to do the operations. BTW, there seems to be another bug that comes up if you select more than about 250 files from Finder and invoke “The Unarchiver”. Then somehow “The Unarchiver” memory gets corrupted, and the menus no longer work (e.g. the Quit button disappears) and the program hangs. I should mention Xee 3.5.3 (marketed by the same company) inherited a bug in the new release, that it can no longer reliably read. Some pages show up as noise, whereas other programs (like Comic Reader). So on Xee I rolled back to 3.5.

I’ve been seeing people talk about Anubis lately, so I decided to take a look at it. Unfortunately that led me to a whole bunch of packed APK files. There are blog posts describing the unpacked files, but all the hashes they give lead to the packed versions.

So what do you do in this situation? You learn how to search. Just as you have to learn how to use your favorite search engine, if you have a VirusTotal account you end up having to figure out how to search for whatever you’re looking for.

Take a look at the jadx-gui screenshot in this PhishLabs writeup. It shows a number of strings; if we search VirusTotal for the Twitter address among them, we come up with a number of DEX files.

Example hash: 7118e74f6a1bad86fa0a72c3e5e424c36c11087c4e369b09dcb7bf5c3ace78fa

Searching for the Twitter address from the aforementioned writeup leads us to a number of DEX files in VirusTotal. We can then pivot backwards from one of these files to see where the DEX came from by using the ITW (In The Wild) tab, which shows that it came from a file bundle. That file bundle is just a zipped-up DEX file; using the ITW tab again, we see it was created during the execution of another file. This parent file is an APK with obfuscation similar to the other samples I had seen in reports. So these obfuscated APKs are producing the Anubis DEX files, which is a common pattern with packed APKs: the real payload is kept on board as an encoded DEX resource and decoded at runtime.

Another hint that this APK is packed comes from its manifest. The manifest references a lot of code (activities, services, receivers) that does not actually exist in the decompiled classes.dex. Components declared in the manifest but missing from the DEX are another very strong indicator that the real DEX is encoded somewhere in the APK’s resources and loaded dynamically.
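The VirusTotal pivot described above (DEX → file bundle → executing parent) can be scripted against the VT API v3 file relationships `compressed_parents` and `execution_parents`, which are what the ITW/Relations view shows by hand. The script below is an added example and not the blog author's tooling: the endpoint path `/files/{sha256}/{relationship}` and the `x-apikey` header are VT API v3, while the helper names (`vt_fetcher`, `pivot_to_origin`), the hashes and the JSON responses in the fixture are constructed so that it runs offline.

```python
"""Pivot backwards in VirusTotal from a dropped DEX to the APK that produced it.

Added example, not the blog's tooling. Uses the VT API v3 file relationships
compressed_parents (the archive/bundle the file was unpacked from) and
execution_parents (the file whose sandbox run wrote it). Hashes and responses in
the fixture below are constructed.
"""
import json
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def vt_fetcher(api_key):
    """Real fetcher: GET a v3 path and return the decoded JSON body."""
    def fetch(path):
        req = urllib.request.Request(VT_API + path, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def related_files(fetch, sha256, relationship):
    """(sha256, type_description) of files related to sha256 by relationship."""
    page = fetch(f"/files/{sha256}/{relationship}?limit=40")
    return [(obj["id"], obj.get("attributes", {}).get("type_description", "?"))
            for obj in page.get("data", []) if obj.get("type") == "file"]


def pivot_to_origin(fetch, sha256, max_hops=4):
    """Follow compressed_parents, then execution_parents, hop by hop.

    Returns [(relationship, parent_sha256, type_description), ...]; stops when no
    unseen parent exists or max_hops is reached, so cycles cannot loop forever.
    """
    chain, seen, current = [], {sha256}, sha256
    for _ in range(max_hops):
        hop = None
        for rel in ("compressed_parents", "execution_parents"):
            for pid, kind in related_files(fetch, current, rel):
                if pid not in seen:
                    hop = (rel, pid, kind)
                    break
            if hop:
                break
        if hop is None:
            break
        chain.append(hop)
        seen.add(hop[1])
        current = hop[1]
    return chain


# Constructed fixture standing in for the three VT objects in the pivot.
DEX, BUNDLE, APK = "1" * 64, "2" * 64, "3" * 64
FIXTURE = {
    f"/files/{DEX}/compressed_parents": {"data": [{"type": "file", "id": BUNDLE,
        "attributes": {"type_description": "ZIP"}}]},
    f"/files/{DEX}/execution_parents": {"data": []},
    f"/files/{BUNDLE}/compressed_parents": {"data": []},
    f"/files/{BUNDLE}/execution_parents": {"data": [{"type": "file", "id": APK,
        "attributes": {"type_description": "Android"}}]},
    f"/files/{APK}/compressed_parents": {"data": []},
    f"/files/{APK}/execution_parents": {"data": []},
}


def fake_fetch(path):
    """Offline stand-in for vt_fetcher(); ignores the query string."""
    return FIXTURE[path.split("?", 1)[0]]


if __name__ == "__main__":
    for rel, parent, kind in pivot_to_origin(fake_fetch, DEX):
        print(f"{rel:19} -> {parent[:12]}... ({kind})")
```

Against live data, swap `fake_fetch` for `vt_fetcher("<your key>")` and start from the DEX hash given above; each hop costs one API request per relationship, and the `seen` set matters on real graphs, where a sandbox run can drop a file that was also bundled with its own parent.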
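The manifest-versus-DEX indicator from the Anubis analysis above (components declared in AndroidManifest.xml with no class definition in classes.dex) is easy to automate. The script below is an added example, not the blog author's code: it walks the public DEX format (header → class_defs → type_ids → string_ids) without any third-party library, expands `android:name` values the way the platform does, and reports declared components that the DEX never defines. The package name, component list and `build_minimal_dex()` fixture are constructed so the script runs offline; on a real sample, take the component names from the decoded manifest (aapt2 or androguard output) and pass the bytes of `classes.dex` from the APK zip.

```python
"""Spot a packer stub: manifest components with no class in classes.dex.

Added example, not the blog's tooling. build_minimal_dex() is a constructed
fixture that fills only the DEX tables the parser reads, so this runs offline.
"""
import struct
import zipfile


def _read_uleb128(data, off):
    """Decode a DEX uleb128 value; returns (value, next_offset)."""
    value, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def _string_at(dex, string_ids_off, idx):
    """string_ids[idx] -> string_data_item -> text (MUTF-8; fine for class names)."""
    (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * idx)
    _utf16_len, off = _read_uleb128(dex, data_off)
    return dex[off:dex.index(b"\x00", off)].decode("utf-8")


def dex_class_names(dex):
    """Java names of every class *defined* in this DEX (not merely referenced)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    (string_ids_off,) = struct.unpack_from("<I", dex, 0x3C)
    (type_ids_off,) = struct.unpack_from("<I", dex, 0x44)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 0x60)
    names = set()
    for i in range(class_defs_size):
        (class_idx,) = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        (desc_idx,) = struct.unpack_from("<I", dex, type_ids_off + 4 * class_idx)
        desc = _string_at(dex, string_ids_off, desc_idx)  # e.g. "Lcom/a/B;"
        names.add(desc[1:-1].replace("/", "."))
    return names


def resolve_component(package, name):
    """Expand an android:name the way the platform does (".Foo", "Foo", "a.b.Foo")."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def missing_components(package, component_names, dex):
    """Manifest components that have no class definition in the given DEX bytes."""
    wanted = {resolve_component(package, n) for n in component_names}
    return sorted(wanted - dex_class_names(dex))


def apk_missing_components(apk_path, package, component_names):
    """Same check on a real APK; for multidex builds, union all classes*.dex first."""
    with zipfile.ZipFile(apk_path) as z:
        return missing_components(package, component_names, z.read("classes.dex"))


def build_minimal_dex(class_names):
    """Constructed fixture: a DEX holding only the tables dex_class_names() reads."""
    descs = ["L" + n.replace(".", "/") + ";" for n in class_names]
    n = len(descs)
    string_ids_off = 0x70                      # right after the fixed-size header
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * n
    data, string_offs = bytearray(), []
    for d in descs:
        assert len(d) < 0x80                   # one-byte uleb128 length is enough here
        string_offs.append(data_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\x00"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x24, 0x70)          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)    # endian_tag
    struct.pack_into("<II", header, 0x38, n, string_ids_off)
    struct.pack_into("<II", header, 0x40, n, type_ids_off)
    struct.pack_into("<II", header, 0x60, n, class_defs_off)
    struct.pack_into("<II", header, 0x68, len(data), data_off)
    body = b"".join(struct.pack("<I", o) for o in string_offs)          # string_ids
    body += b"".join(struct.pack("<I", i) for i in range(n))            # type_ids
    body += b"".join(struct.pack("<8I", i, 0, 0, 0, 0, 0, 0, 0) for i in range(n))
    dex = header + body + data
    struct.pack_into("<I", dex, 0x20, len(dex))         # file_size
    return bytes(dex)


# Constructed sample: the stub ships only a loader, while the manifest (names as
# they appear after decoding it) declares the components of the real payload.
PACKAGE = "com.example.stub"
MANIFEST_COMPONENTS = [".MainActivity", ".SmsReceiver",
                       "com.example.stub.AccessibilityHelper", "LoaderApplication"]
STUB_DEX = build_minimal_dex(["com.example.stub.LoaderApplication",
                              "com.example.stub.NativeBridge"])

if __name__ == "__main__":
    for cls in missing_components(PACKAGE, MANIFEST_COMPONENTS, STUB_DEX):
        print("declared in manifest, absent from classes.dex:", cls)
```

Two caveats when running this on real samples: a multidex APK spreads definitions over `classes.dex`, `classes2.dex`, … so union the results of `dex_class_names()` over all of them before calling the check, and a clean app can still legitimately declare a handful of components that live in a dynamically loaded feature module, so treat a long list of missing components as a strong packing indicator rather than proof.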