ytsutano / axmldec Goto Github PK

View Code? Open in Web Editor NEW

203.0 8.0 31.0 350 KB

Stand-alone binary AndroidManifest.xml decoder

License: ISC License

CMake 4.84% C++ 95.16%

androidmanifest apk android binary xml parser decoder boost property-tree

axmldec's People

Contributors

Stargazers

Watchers

axmldec's Issues

dyld: Library not loaded: /usr/local/opt/icu4c/lib/libicudata.69.dylib

dyld: Library not loaded: /usr/local/opt/icu4c/lib/libicudata.69.dylib
  Referenced from: /usr/local/opt/boost/lib/libboost_locale-mt.dylib
  Reason: image not found
[1]    22324 abort      axmldec

Got this error trying to run it on macOS. Seems like it needs libicudata but it's not able to load it?

Get Info by axmldec

Should be necessary get informations from apk like list of paths of images.
Is possible today?

Segfault reading manifest directly from APKs

Running in the mode where axmldec reads the manifest directly from the .apk, axmldec always segfaults.

Steps to Reproduce

axmldec anyapp.apk

Environment

I've tried with numerous APKs; one was created in 2015 (old project), and one was just created today with an Android SDK I installed this week.

axmldec: b0a73d27b108a55
OS: Linux 5.5.2-arch1-1
Linked libraries:
- /usr/lib/libboost_system.so.1.72.0
- /usr/lib/libboost_iostreams.so.1.72.0
- /usr/lib/libboost_program_options.so.1.72.0
- /usr/lib/libboost_locale.so.1.72.0
- /usr/lib/libboost_chrono.so.1.72.0
- /usr/lib/libboost_thread.so.1.72.0
- /usr/lib/libpthread.so.0
- /usr/lib/libz.so.1
- /usr/lib/libstdc++.so.6
- /usr/lib/libm.so.6
- /usr/lib/libgcc_s.so.1
- /usr/lib/libc.so.6
- /usr/lib/librt.so.1
- /usr/lib/libbz2.so.1.0
- /usr/lib/liblzma.so.5
- /usr/lib/libzstd.so.1
- /usr/lib/libicudata.so.65
- /usr/lib/libicui18n.so.65
- /usr/lib/libicuuc.so.65
- /usr/lib64/ld-linux-x86-64.so.2
- /usr/lib/libdl.so.2

gbd Information

I'm not a C developer and don't really know how to use gdb effectively, but here's at least some information:

Reading symbols from ./axmldec...
(gdb) run
Starting program: /home/ser/Software/axmldec/axmldec /home/ser/workspace/TimeTracker/bin/TimeTracker.apk
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
/usr/lib/../share/gcc-9.2.0/python/libstdcxx/v6/xmethods.py:731: SyntaxWarning: list indices must be integers or slices, not str; perhaps you missed a comma?
  refcounts = ['_M_refcount']['_M_pi']

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78dd897 in fseeko64 () from /usr/lib/libc.so.6
(gdb) where
#0  0x00007ffff78dd897 in fseeko64 () from /usr/lib/libc.so.6
#1  0x000055555558cc90 in fseek64_file_func ()
#2  0x000055555558a5af in unzOpenInternal ()
#3  0x000055555556fb85 in extract_manifest (input_filename=...)
    at /usr/include/c++/9.2.0/bits/basic_string.h:2300
#4  0x00005555555703b2 in process_file (
    input_filename="/home/ser/workspace/TimeTracker/bin/TimeTracker.apk", output_filename="")
    at /home/ser/Software/axmldec/main.cpp:125
#5  0x000055555556f616 in main (argc=<optimized out>, argv=<optimized out>)
    at /home/ser/Software/axmldec/main.cpp:188
(gdb) list
127             jitana::read_axml(ims, pt);
128         }
129         else if (ifs.peek() == 0x03) {
130             jitana::read_axml(ifs, pt);
131         }
132         else {
133             boost_pt::read_xml(ifs, pt, boost_pt::xml_parser::trim_whitespace);
134         }
135
136         // Write the tree as an XML file.
(gdb)

can u add encode xml ?

it is very useful for a lot of people, can u add this feature?

Add a flag to parse arbitrary XML files?

Hello,
I am currently in need of a way of batch parsing the string.xml file of several thousands of apks.
Since axmldec is able to perform batch processing of manifest files I was wondering if it is possible to modify it in order to parse the string.xml file rather than the manifest.
Ideally, it would be nice to have a command line parameter to specify which file to parse.
I am willing to look onto it myself but it's been ages since I've last done some C programming and I could use some pointers on where to start looking.

 mov    dword ptr [rax], edx

but rax=0xfffffffffffffff8 , this could lead crash


Program received signal SIGSEGV, Segmentation fault.
0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
145		: first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────
*RAX  0xfffffffffffffff8
*RBX  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*RCX  0x7fffffffd9c0 ◂— 0xd0000001e
*RDX  0xd
*RDI  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*RSI  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*R8   0x6bc250 ◂— 0x0
 R9   0x0
*R10  0x6bee40 ◂— 0x74c00080003
*R11  0x246
*R12  0x7fffffffd9c0 ◂— 0xd0000001e
*R13  0x1
 R14  0x0
*R15  0x1
*RBP  0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ...
*RSP  0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
*RIP  0x480234 ◂— mov    dword ptr [rax], edx
───────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────────────
 ► 0x480234    mov    dword ptr [rax], edx
   0x480236    mov    rax, qword ptr [rbp - 0x18]
   0x48023a    mov    rdi, rax
   0x48023d    call   0x47d668
 
   0x480242    mov    edx, dword ptr [rax]
   0x480244    mov    rax, qword ptr [rbp - 8]
   0x480248    mov    dword ptr [rax + 4], edx
   0x48024b    nop    
   0x48024c    leave  
   0x48024d    ret    
 
   0x48024e    push   rbp
───────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────
   140 
   141       template<class _U1, class _U2, class = typename
   142 	       enable_if<__and_<is_convertible<_U1, _T1>,
   143 				is_convertible<_U2, _T2>>::value>::type>
   144 	constexpr pair(_U1&& __x, _U2&& __y)
 ► 145 	: first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
   146 
   147       template<class _U1, class _U2, class = typename
   148 	       enable_if<__and_<is_convertible<_U1, _T1>,
   149 				is_convertible<_U2, _T2>>::value>::type>
   150 	constexpr pair(pair<_U1, _U2>&& __p)
───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
01:0008│      0x7fffffffd8c8 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
02:0010│      0x7fffffffd8d0 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
03:0018│      0x7fffffffd8d8 ◂— 0xfffffffffffffff8
04:0020│ rbp  0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ...
05:0028│      0x7fffffffd8e8 —▸ 0x4802ab ◂— nop    
06:0030│      0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
07:0038│      0x7fffffffd8f8 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
─────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────
 ► f 0           480234
   f 1           4802ab
   f 2           47efa7
   f 3           47d6d5
   f 4           47c184 jitana::axml_parser::parse_start_namespace()+156
   f 5           47b9a9 jitana::axml_parser::parse()+519
   f 6           47abd7
   f 7           45cefc
   f 8           45d6a6 main+1753
   f 9     7ffff6de4830 __libc_start_main+240
Program received signal SIGSEGV (fault address -0x8)
pwndbg> bt
#0  0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
#1  0x00000000004802ab in __gnu_cxx::new_allocator<std::pair<unsigned int, unsigned int> >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (this=0x6bbff8, __p=0xfffffffffffffff8) at /usr/include/c++/5/ext/new_allocator.h:120
#2  0x000000000047efa7 in std::allocator_traits<std::allocator<std::pair<unsigned int, unsigned int> > >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (__a=..., __p=0xfffffffffffffff8) at /usr/include/c++/5/bits/alloc_traits.h:530
#3  0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96
#4  0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380
#5  0x000000000047b9a9 in jitana::axml_parser::parse (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:275
#6  0x000000000047abd7 in jitana::read_axml (stream=..., pt=...) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:1881
#7  0x000000000045cefc in process_file (input_filename="poc", output_filename="") at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:130
#8  0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188
#9  0x00007ffff6de4830 in __libc_start_main (main=0x45cfcd <main(int, char**)>, argc=2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291
#10 0x000000000045c839 in _start ()
pwndbg>

The binary and poc

https://gitee.com/hac425/fuzz_data/blob/master/axmldec_bin_poc.zip

Encode the AndroidManifest.xml

How can I encode the AndroidManifest.xml again? This would be very useful.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.