Scripts to unpack Android applications protected by Tencent Legu. It only works with versions 126.96.36.199 and 188.8.131.52 of Legu.
The original DEX files are located in assets/0OO00l111l1l with the following layout:
One can find the details of this structure in the Kaitai file: legu_packed_file.ks
The hashmap embedded in the second part is described in the legu_hashmap.ks file:
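As a triage step before running the unpacker, the check below looks for the asset path named above inside an APK and records its size and SHA-256. It is an added example, not part of the original scripts; the function names and the in-memory sample APKs are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Asset path given on this page for the container holding the original DEX files.
LEGU_ASSET = "assets/0OO00l111l1l"


def triage_apk(apk):
    """Report whether an APK (path or file-like object) carries the Legu asset.

    Returns a dict with 'packed' and, when packed, the asset's uncompressed
    size and SHA-256 so the payload can be tracked across samples.
    """
    try:
        with zipfile.ZipFile(apk) as zf:
            try:
                info = zf.getinfo(LEGU_ASSET)
            except KeyError:
                return {"packed": False, "reason": "asset not present"}
            digest = hashlib.sha256()
            with zf.open(info) as fh:
                # Stream the entry so large payloads are not held in memory.
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            return {"packed": True, "size": info.file_size,
                    "sha256": digest.hexdigest()}
    except zipfile.BadZipFile:
        return {"packed": False, "reason": "not a valid ZIP/APK"}


def constructed_apk(entries):
    """Build a minimal in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: one with the Legu asset, one without.
    packed = constructed_apk({"classes.dex": b"stub", LEGU_ASSET: b"\x00" * 64})
    plain = constructed_apk({"classes.dex": b"stub"})
    print(triage_apk(packed))
    print(triage_apk(plain))
```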
pylegu contains the Python bindings to decrypt and uncompress the data embedded in
To compile and install:

```
$ cd pylegu
$ python3.7 ./setup.py build -j4 install --user
$ python -c "import pylegu"
```
```
$ python ./unpack.py ./samples/com.intotherain.voicechange.apk
[+] Legu version: 184.108.40.206
[+] Password is 'IPk2Hw7AKTuIQBlc'
[+] Number of dex files: 1
[+] Unpacking #1 DEX files ...
[+] dex 0 compressed size: 0x1619a3
[+] dex 0 uncompressed size: 0x5671f8
[+] Unpacking #1 hashmap ...
[+] hashmap 0 compressed size: 0x4399c
[+] hashmap 0 uncompressed size: 0x95558
[+] Unpacking #1 packed methods ...
[+] packed methods 0 compressed_size: 0xf4636
[+] packed methods 0 uncompressed_size: 0x1e3072
[+] Stage 2: Patching DEX files
[+] Unpacked APK: unpacked.apk
```
The unpacked DEX files are located in the
- Python >= 3.7
- Kaitai Struct