3

I recently came across an app that is protected with DexGuard. DexGuard claims to offer Runtime Application Self Protection (RASP), which comprises of app obfuscation and various runtime tampering checks (anti debugger/emulator/hooking/repackage/root/etc). However, while the app I discovered is rather well obfuscated, there were several rather glaring issues. For example, the type of device checks were described in a DeviceCheck class file, which have static variables for each type of check (e.g. EMULATOR = 1, HOOKED = 5, etc). By hooking onto the relevant method and returning false for each of these values, I was able to disable all checks.

This seems trivially simple to bypass given that DexGuard claims to be an enterprise level RASP solution, so I'm wondering if it was a misconfiguration or incorrect implementation on the developer's part. I'm unable to find any documentation of DexGuard online on implementation guidelines, so I'm hoping someone here who has experience would be able to shed some light.

Thanks!

user1118764
  • 359
  • 1
  • 5
  • 9

1 Answers1

1

Well, I think it was a poor implementation, because any other cracked dexguard protected app out there, most of them require root to implement patch, i.e., the patcher waits for DexGuard to do its job. And these are old situations let alone the new protections added. I myself cracked a VMP protected app not long ago. And the author VMed important functions and didn't pay attention to return values. it was like this

push XXXXX ----->handle
call YYYYY  ----->VM
return value ----> x=registered on server Y=registered on another machine Z=no connection P=error registering

The bottom line is, that with a little debugging skill and good tools which are present nowadays, and if the attacker can understand the encryption algorithm, he can inline his patches without any worries.

auspicious99
  • 474
  • 3
  • 16
shetal
  • 51
  • 4
  • Are there any recommended implementations of DexGuard? I couldn't find any documentation presumably because it's a commercial product. – user1118764 Mar 08 '20 at 12:54
  • well, there are some unpacking tutorials scattered here and there for OLD versions. but for new versions, the reverser doesn't leak any nfo as it means extra work for him on newer versions like securerom whose clean unpacks can be found but no tuts or nfo. I think you can contact android authors who used it. for example if i recall correctly Titanuim backup was using it. – shetal Mar 09 '20 at 11:23