[DETECTION] 5play string encryption

Describe the detection issue
5play recently implemented their own string encryption in smalis. It calls a native function from libRMS.so to decrypt strings. It would be great to detect it

File: /smali/ۨۦۤ.smali
smali.zip

String replacement examples:
Orig:

const-string v4, "FMOD"

Replaced:

    const v4, 0x599

    invoke-static {v4}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;

    move-result-object v4

Orig:

const-string v0, "com.google.android.gms.dynamic.IObjectWrapper"

Replaced:

    const v0, 0x597

    invoke-static {v0}, Lۨۦۤ;->۟ۦۥ(I)Ljava/lang/String;

    move-result-object v0

APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -

m@vm-virtual-machine:~$ apkid '/home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk' 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 2.x
[*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/arm64-v8a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/arm64-v8a/libRMS.so
 |-> packer : 5play.ru
[*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/armeabi-v7a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] /home/vm/Skrivebord/moonvale-1.0.3-mod-t-5play.apk!lib/armeabi-v7a/libRMS.so
 |-> packer : 5play.ru

Sample
https://5play.org/19123-moonvale-%E2%80%93-%D0%B4%D0%B5%D1%82%D0%B5%D0%BA%D1%82%D0%B8%D0%B2%D0%BD%D1%8B%D0%B9-%D1%82%D1%80%D0%B8%D0%BB%D0%BB%D0%B5%D1%80.html

[enovella]

Hi @Yehh22 ,

Do you have more samples to tweak the final fingerprint?

Hi @Yehh22 ,

Do you have more samples to tweak the final fingerprint?

Here is another one https://5play.org/11448-majnkraft.html (minecraft-1.20.81.01-mod-menu-5play.apk). Didn't reuploaded it because file is too large and my upload speed is too slow

[enovella]

Do you mean this code snippet? Not sure if it's worth detecting it. We already matched the packer so you should expect these kind of things.

// default package

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* loaded from: classes.dex */
public class ۨۦۤ {
    private static final List<String> ۤۗۧ;

    static {
        System.loadLibrary("RMS");
        ۤۗۧ = new ArrayList();
        int i = 0;
        byte[] bArr = ۢۡۚ(0);
        while (i < bArr.length) {
            byte b = bArr[i];
            ۤۗۧ.add(new String(Arrays.copyOfRange(bArr, i + 1, i + b + 1), StandardCharsets.UTF_8));
            i += b + 1;
        }
    }

    public static String ۟ۦۥ(int i) {
        return ۤۗۧ.get(i);
    }

    private static native byte[] ۢۡۚ(int i);
}