[DETECTION] Roblox executors - Unknown .so packer

[AndroidMaster25]

Provide the file
https://arceusx.com/

APK links at the bottom

Describe the detection issue
I found an interesting lib packer from known Roblox mods, Arceus X

File: libpairipcore.so (Not a Google Play Integrity, it has been fully removed and replaced with a mod lib)

Notice that there are little blue mark in the bar, it is a unpacking logic and it's using CryptoPP library. I don't have much knowledge on packer related stuff but I have seen similar packer on EXE file

**APKiD current results...**
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Roblox.Arceus.X.NEO.1.7.1.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x

[enovella]

Any other clue to fingerprint this packed library? @AndroidMaster25

[AndroidMaster25]

Hmm I don't have idea yet. Anyway, I found another Roblox executor mod that also using packed lib, with same 3rd party libraries but the unpacking logic is slightly different. If you use IDA Pro, you can press SHIFT+F7 and look at .init_array to see some interesting calls

Files

\lib\arm64-v8a\libgloop.so
\lib\armeabi-v7a\libgloop.so

Download links:
https://deltaexploits.gg/delta-executor-android

https://delta.webfiles.pro/android.html

Also, the armv7 lib of libroblox.so is being detected as Appdome but I think it's false positive

PS C:\Users\xxx> apkid "xxx\Delta Roblox\Delta-2.679.762.apk"
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible ro.secure check
 |-> compiler : dexlib 2.x
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/arm64-v8a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/armeabi-v7a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Delta-2.679.762.apk!lib/armeabi-v7a/libroblox.so
 |-> protector : Appdome


PS C:\Users\xxx> apkid "xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk"
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes2.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes3.dex
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!com.roblox.client.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible ro.secure check
 |-> compiler : r8
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.x86_64.apk!lib/x86_64/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.arm64_v8a.apk!lib/arm64-v8a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.armeabi_v7a.apk!lib/armeabi-v7a/libpairipcore.so
 |-> protector : Google Play Integrity
[*] xxx\Delta Roblox\Roblox_2.679.762_apkcombo.com.xapk!config.armeabi_v7a.apk!lib/armeabi-v7a/libroblox.so
 |-> protector : Appdome
PS C:\Users\xxx>