The AVD doesn't create dumps in the /data/data/<package_name> area

[Disane]

Hey there,

I'd like to let you know that I tested android_unpacker on a few packers. For some reason no OAT data was created in the /data/data/<package_name> area. I verified that the AVD's libart.so was correctly modified by pulling it from the system folder and disassembled it looking for the changes like the added fstream include and the _unpacked_oat string.

Here are the hashes of the malware I tried to unpack:

BangCLE:
35c0a075cbc6135d957bd10769e3a620 - banksteal
eefd2101e6a0b016e5a1e9859e9c443e - feejar

Please check if the code that you have uploaded on GitHub does indeed work for you. For me, there are no results whatsoever, although setting up the unpacker is a rather time consuming task.

Please let me know which samples did you use to test your AVD and post their hashes.
Thank you!

Regards,
Disane

[chkp-slavam]

Hi,

We tested the supplied hashes

35c0a075cbc6135d957bd10769e3a620 - com.example.banksteal - banksteal
eefd2101e6a0b016e5a1e9859e9c443e - com.dmu.sannon18 - feejar

The APKs are malformed, it seems they can be installed but cannot be executed.
We tested this on emulator and in addition on a real device without any changes related to unpacking.

You can try this malware, which is packed with Bangcle.
b05d60a5c37ca1efbc7cd8a573cea3669595393a3265693e5ec74d05111f6af0 - com.sex.foreign

Cheers,
Slava and Avi

[jumbofreak]

First of all thanks for uploading this tool, good effort.
I tried this malware b05d60a5c37ca1efbc7cd8a573cea3669595393a3265693e5ec74d05111f6af0 you posted, unpacker.sh script doesn't seem to wait for emulator to load properly and exits the scripts without pulling the dex file.
I tried to repeat the steps manually on the emulator and i was able to extract unpacked file.

i'm using Android Debug Bridge version 1.0.39

[chkp-slavam]

Thank you for contacting us. This project is no longer active and we are not supporting it anymore.