Scripts to unpack Android applications protected by Tencent Legu. It only works with versions 4.1.0.15 and 4.1.0.18 of Legu.
Blog post: https://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html
The original DEX files are located in assets/0OO00l111l1l with the following layout:
One can find the details of this structure in the Kaitai file: legu_packed_file.ks
The hashmap embedded in the second part is described in the legu_hashmap.ks file:
pylegu contains the Python bindings to decrypt and uncompress the data embedded in assets/0OO00l111l1l.
To compile and install pylegu:
$ cd pylegu
$ python3.7 ./setup.py build -j4 install --user
$ python -c "import pylegu"One could also use jap/pyucl to decompress the data and aguinet/dragonffi to bind the custom implementation of XTEA.
The sample com.intotherain.voicechange.apk is a suspicious application that can be unpacked as follows:
$ python ./unpack.py ./samples/com.intotherain.voicechange.apk
[+] Legu version: 4.1.0.15
[+] Password is 'IPk2Hw7AKTuIQBlc'
[+] Number of dex files: 1
[+] Unpacking #1 DEX files ...
[+] dex 0 compressed size: 0x1619a3
[+] dex 0 uncompressed size: 0x5671f8
[+] Unpacking #1 hashmap ...
[+] hashmap 0 compressed size: 0x4399c
[+] hashmap 0 uncompressed size: 0x95558
[+] Unpacking #1 packed methods ...
[+] packed methods 0 compressed_size: 0xf4636
[+] packed methods 0 uncompressed_size: 0x1e3072
[+] Stage 2: Patching DEX files
[+] Unpacked APK: unpacked.apkThe unpacked DEX files are located in the unpacked.apk file.
- Python >= 3.7
- Kaitai Struct
- LIEF
- pylegu