anais-apk-forensic 1.0.0

package/scripts/frida/dpt_dex_dumper.js

@@ -0,0 +1,145 @@
+
+console.log("[*] DPT-Shell DEX Dumper Started");
+
+// Hook file write operations to catch when decrypted DEX is written
+var open = Module.findExportByName("libc.so", "open");
+var write = Module.findExportByName("libc.so", "write");
+var close = Module.findExportByName("libc.so", "close");
+
+var targetFiles = {};
+
+// Monitor file opens
+Interceptor.attach(open, {
+    onEnter: function(args) {
+        var path = Memory.readUtf8String(args[0]);
+        this.path = path;
+        
+        // Check if it's writing to code_cache with our target filename
+        if (path.indexOf("code_cache") !== -1 && path.indexOf("i11111i111.zip") !== -1) {
+            console.log("[+] Target file being opened: " + path);
+            this.isTarget = true;
+        }
+    },
+    onLeave: function(retval) {
+        if (this.isTarget) {
+            var fd = retval.toInt32();
+            targetFiles[fd] = {
+                path: this.path,
+                data: []
+            };
+            console.log("[+] Tracking FD: " + fd);
+        }
+    }
+});
+
+// Capture writes to tracked files
+Interceptor.attach(write, {
+    onEnter: function(args) {
+        var fd = args[0].toInt32();
+        
+        if (targetFiles[fd]) {
+            var buf = args[1];
+            var count = args[2].toInt32();
+            
+            // Read the data being written
+            var data = Memory.readByteArray(buf, count);
+            targetFiles[fd].data.push(data);
+            
+            console.log("[+] Captured " + count + " bytes written to " + targetFiles[fd].path);
+        }
+    }
+});
+
+// When file is closed, save the complete data
+Interceptor.attach(close, {
+    onEnter: function(args) {
+        var fd = args[0].toInt32();
+        
+        if (targetFiles[fd]) {
+            console.log("[+] File closed, dumping data...");
+            
+            // Combine all chunks
+            var totalSize = 0;
+            targetFiles[fd].data.forEach(function(chunk) {
+                totalSize += chunk.byteLength;
+            });
+            
+            console.log("[+] Total size: " + totalSize + " bytes");
+            
+            // Save to file
+            var file = new File("/data/local/tmp/decrypted_dex.zip", "wb");
+            targetFiles[fd].data.forEach(function(chunk) {
+                file.write(chunk);
+            });
+            file.close();
+            
+            console.log("[+] ✅ Decrypted DEX dumped to: /data/local/tmp/decrypted_dex.zip");
+            console.log("[+] Pull it with: adb pull /data/local/tmp/decrypted_dex.zip");
+            
+            delete targetFiles[fd];
+        }
+    }
+});
+
+// Also hook DexFile.loadDex to catch DEX loading
+Java.perform(function() {
+    console.log("[*] Hooking DexFile.loadDex...");
+    
+    var DexFile = Java.use("dalvik.system.DexFile");
+    
+    DexFile.loadDex.overload('java.lang.String', 'java.lang.String', 'int').implementation = function(sourcePathName, outputPathName, flags) {
+        console.log("[+] DexFile.loadDex called:");
+        console.log("    Source: " + sourcePathName);
+        console.log("    Output: " + outputPathName);
+        console.log("    Flags: " + flags);
+        
+        var result = this.loadDex(sourcePathName, outputPathName, flags);
+        
+        // If this is our target, copy the file
+        if (sourcePathName.indexOf("i11111i111.zip") !== -1) {
+            console.log("[+] ✅ Found target DEX load! Copying file...");
+            
+            // Copy the decrypted file
+            var File = Java.use("java.io.File");
+            var source = File.$new(sourcePathName);
+            
+            if (source.exists()) {
+                console.log("[+] Source exists, size: " + source.length() + " bytes");
+                
+                // Use shell to copy
+                var Runtime = Java.use("java.lang.Runtime");
+                var runtime = Runtime.getRuntime();
+                runtime.exec("cp " + sourcePathName + " /data/local/tmp/decrypted_from_load.zip");
+                
+                console.log("[+] Copied to: /data/local/tmp/decrypted_from_load.zip");
+            }
+        }
+        
+        return result;
+    };
+    
+    console.log("[*] DexFile.loadDex hooked!");
+});
+
+// Hook BaseDexClassLoader to catch DEX loading
+Java.perform(function() {
+    console.log("[*] Hooking BaseDexClassLoader...");
+    
+    var BaseDexClassLoader = Java.use("dalvik.system.BaseDexClassLoader");
+    
+    BaseDexClassLoader.$init.overload('java.lang.String', 'java.io.File', 'java.lang.String', 'java.lang.ClassLoader').implementation = function(dexPath, optimizedDirectory, librarySearchPath, parent) {
+        console.log("[+] BaseDexClassLoader constructor called:");
+        console.log("    DEX path: " + dexPath);
+        console.log("    Optimized dir: " + optimizedDirectory);
+        
+        if (dexPath.indexOf("i11111i111.zip") !== -1) {
+            console.log("[+] ✅ Target DEX being loaded!");
+        }
+        
+        return this.$init(dexPath, optimizedDirectory, librarySearchPath, parent);
+    };
+    
+    console.log("[*] BaseDexClassLoader hooked!");
+});
+
+console.log("[*] All hooks installed, waiting for DEX decryption...");

package/scripts/frida/frida_dex_dump.js

@@ -0,0 +1,145 @@
+
+// Frida script untuk dump DEX dari memory saat runtime
+// Berguna untuk bypass DPT - Shell, DexProtector, dan proteksi lainnya
+
+Java.perform(function () {
+    console.log("[*] Starting DEX Dump Script...");
+
+    // Hook DexFile class untuk intercept loaded DEX
+    var DexFile = Java.use("dalvik.system.DexFile");
+
+    // Hook openDexFile untuk capture DEX files
+    DexFile.openDexFile.overload('java.lang.String', 'java.lang.String', 'int').implementation = function (source, output, flags) {
+        console.log("[+] DexFile.openDexFile called");
+        console.log("    Source: " + source);
+        console.log("    Output: " + output);
+
+        var result = this.openDexFile(source, output, flags);
+
+        // Try to dump the DEX
+        try {
+            var file = Java.use("java.io.File").$new(source);
+            if (file.exists()) {
+                console.log("[+] DEX file exists, attempting to dump...");
+                dumpDexFile(source);
+            }
+        } catch (e) {
+            console.log("[-] Error dumping DEX: " + e);
+        }
+
+        return result;
+    };
+
+    // Hook DexClassLoader untuk capture dynamically loaded DEX
+    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
+    DexClassLoader.$init.overload('java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.ClassLoader').implementation = function (dexPath, optimizedDir, libraryPath, parent) {
+        console.log("[+] DexClassLoader initialized");
+        console.log("    DEX Path: " + dexPath);
+        console.log("    Optimized: " + optimizedDir);
+
+        // Dump the DEX before loading
+        dumpDexFile(dexPath);
+
+        return this.$init(dexPath, optimizedDir, libraryPath, parent);
+    };
+
+    // Hook PathClassLoader
+    var PathClassLoader = Java.use("dalvik.system.PathClassLoader");
+    PathClassLoader.$init.overload('java.lang.String', 'java.lang.ClassLoader').implementation = function (dexPath, parent) {
+        console.log("[+] PathClassLoader initialized");
+        console.log("    DEX Path: " + dexPath);
+
+        dumpDexFile(dexPath);
+
+        return this.$init(dexPath, parent);
+    };
+
+    // Function to dump DEX file
+    function dumpDexFile(dexPath) {
+        try {
+            var File = Java.use("java.io.File");
+            var FileInputStream = Java.use("java.io.FileInputStream");
+            var FileOutputStream = Java.use("java.io.FileOutputStream");
+
+            var srcFile = File.$new(dexPath);
+            if (!srcFile.exists()) {
+                console.log("[-] Source file doesn't exist: " + dexPath);
+                return;
+            }
+
+            var timestamp = Date.now();
+            var outputPath = "/sdcard/dumped_dex_" + timestamp + ".dex";
+            var dstFile = File.$new(outputPath);
+
+            var fis = FileInputStream.$new(srcFile);
+            var fos = FileOutputStream.$new(dstFile);
+
+            var buffer = Java.array('byte', []);
+            buffer = Java.use("java.lang.reflect.Array").newInstance(Java.use("java.lang.Byte").TYPE, 8192);
+
+            var bytesRead = 0;
+            while ((bytesRead = fis.read(buffer)) !== -1) {
+                fos.write(buffer, 0, bytesRead);
+            }
+
+            fis.close();
+            fos.close();
+
+            console.log("[+] DEX dumped to: " + outputPath);
+
+        } catch (e) {
+            console.log("[-] Error in dumpDexFile: " + e);
+        }
+    }
+
+    // Hook native methods that might decrypt DEX
+    // Common patterns in DPT-Shell and similar protectors
+
+    var System = Java.use("java.lang.System");
+    System.loadLibrary.implementation = function (libname) {
+        console.log("[+] Loading native library: " + libname);
+
+        // Common protection library names
+        var protectionLibs = ["dpt", "protect", "shell", "jiagu", "bangcle"];
+        var isProtectionLib = protectionLibs.some(function (name) {
+            return libname.toLowerCase().indexOf(name) !== -1;
+        });
+
+        if (isProtectionLib) {
+            console.log("[!] PROTECTION LIBRARY DETECTED: " + libname);
+            console.log("[!] DEX decryption may occur after this");
+        }
+
+        return this.loadLibrary(libname);
+    };
+
+    // Hook Runtime.load for additional native library monitoring
+    var Runtime = Java.use("java.lang.Runtime");
+    Runtime.load.implementation = function (libpath) {
+        console.log("[+] Runtime.load called: " + libpath);
+        return this.load(libpath);
+    };
+
+    // Dump all loaded classes periodically
+    setTimeout(function () {
+        console.log("[*] Enumerating loaded classes...");
+
+        Java.enumerateLoadedClasses({
+            onMatch: function (className) {
+                // Filter for potentially interesting classes
+                if (className.indexOf("com.") === 0 &&
+                    !className.startsWith("com.android") &&
+                    !className.startsWith("com.google")) {
+                    console.log("    " + className);
+                }
+            },
+            onComplete: function () {
+                console.log("[*] Class enumeration complete");
+            }
+        });
+    }, 5000);
+
+    console.log("[*] DEX Dump Script ready. Hooks installed.");
+    console.log("[*] Dumped files will be in /sdcard/dumped_dex_*.dex");
+    console.log("[*] Use 'adb pull /sdcard/dumped_dex_*.dex' to retrieve them");
+});