ARM64 ELF Loader is a high-performance, stealth-focused runtime ELF binary loader tailored for ARM64 (AArch64) platforms on Android. It enables secure, dynamic execution of encrypted and compressed ELF payloads via Zygisk integration, featuring advanced memory handling, TLS setup, and symbol resolution.
| Field | Description |
|---|---|
| Author | Nikka |
| Architecture | ARM64 (AArch64) |
| Platform | Android (Zygisk module integration) |
| Language | C++17 |
| Compression | LZMA with custom error handling |
| Encryption | XOR-based cipher with dynamic key mutation and bit-shifting |
| Obfuscation | Heavy: OBFUSCATE macros, base64 paths, encrypted strings |
| Threading | Multi-threaded via std::thread |
| TLS | Manual ARM64 TLS setup (TPIDR_EL0) |
| Symbol Resolution | Hybrid: dlsym + manual lookup via .dynsym/.dynstr |
- Security: Anti-reversing measures, obfuscated strings/paths, memory layout randomization.
- Dynamic ELF Support: Manual parsing of ELF headers, relocation resolution, TLS segment setup.
- Performance: Fast execution with minimal overhead, threaded network operations.
- Integration: Embedded as part of a Zygisk module, executed during the app specialization phase.
- JNI/Java Interop: Safe JNI attachment with obfuscated network access via `HttpURLConnection`.

- Trigger: Hooked via `preAppSpecialize`/`postAppSpecialize` in Zygisk.
- Linker Wait: Loader dynamically waits for `linker64` initialization.
- Payload Handling:
  - Decrypts embedded ELF binary via XOR cipher.
  - Decompresses using LZMA.
- ELF Mapping:
  - Allocates memory via `mmap` with R/W/X.
  - Parses and loads relevant segments (PT_LOAD, PT_TLS).
- Relocations:
  - Supports: `R_AARCH64_RELATIVE`, `GLOB_DAT`, `JUMP_SLOT`.
- Execution: Calls ELF entry point post-relocation.

- `load_elf()`, `unload_elf()`, `resolve_symbol()`, `xor_cipher()`, `decompress_lzma()` - complete ELF lifecycle management
- Base64 encoding for critical paths
- Tamper detection (host file scanning for blacklisted keywords)
- Randomized memory allocation to mitigate static analysis
- LLVM IR-level obfuscation hints (OLLVM) (nosub, fla, split attributes)
- Android NDK (r24 or later)
- CMake + Ninja
- Zygisk module boilerplate
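
The ELF mapping step listed above allocates memory via `mmap` with R/W/X, and a region that is both writable and executable shows up in `/proc/<pid>/maps`. The following C++17 code is an added example, not part of this project: it flags such mappings in maps text and marks the ones with no backing file. The function names, the `Mapping` struct and the sample input are constructed for illustration.

```cpp
// Added example (not project code): flag writable+executable mappings in /proc/<pid>/maps text.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Mapping {
    uint64_t start = 0, end = 0;
    std::string perms, path;
    bool anonymous = false;  // inode 0: no file on disk backs these pages
};

// Line format: "start-end perms offset dev inode [path]".
static bool parse_maps_line(const std::string& line, Mapping& m) {
    std::istringstream in(line);
    std::string range, offset, dev, inode;
    if (!(in >> range >> m.perms >> offset >> dev >> inode)) return false;
    unsigned long long s = 0, e = 0;
    if (std::sscanf(range.c_str(), "%llx-%llx", &s, &e) != 2 || e <= s) return false;
    m.start = s; m.end = e;
    m.anonymous = (inode == "0");
    std::getline(in >> std::ws, m.path);  // path is optional and may contain spaces
    return m.perms.size() == 4;
}

// Return every mapping that is both writable and executable.
static std::vector<Mapping> find_wx_mappings(const std::string& maps_text) {
    std::vector<Mapping> hits;
    std::istringstream in(maps_text);
    for (std::string line; std::getline(in, line);) {
        Mapping m;
        if (parse_maps_line(line, m) && m.perms[1] == 'w' && m.perms[2] == 'x')
            hits.push_back(m);
    }
    return hits;
}

// Constructed sample input, not captured from a real device.
static const char* kSampleMaps =
    "7a1c000000-7a1c040000 r-xp 00000000 fd:05 1234 /system/lib64/libc.so\n"
    "7b20000000-7b20200000 rwxp 00000000 00:00 0\n"
    "7b30000000-7b30001000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7b40000000-7b40010000 rwxp 00000000 fd:05 5678 /data/app/example/libfoo.so\n";

int main() {
    for (const Mapping& m : find_wx_mappings(kSampleMaps))
        std::printf("%s W+X %llx-%llx\n", m.anonymous ? "anon" : "file",
                    (unsigned long long)m.start, (unsigned long long)m.end);
}
```

Legitimate JIT regions can also be writable and executable, so treat hits as leads to triage rather than verdicts.
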

To integrate your ELF binary into the loader, encrypt it with FileCompressor, then use this file-to-bytes converter to get the bytes of your encrypted binary and put the bytes in the `chdata` char array in `data.h`.

Build with Android Studio and the r24 NDK.

Place the built `.so` in your Zygisk module's `zygisk/` directory and rename it to `arm64-v8a.so`.

This project is licensed under the GNU General Public License v3.0 (GPL-3.0). See LICENSE for more information.