ytsutano / axmldec
Stand-alone binary AndroidManifest.xml decoder
License: ISC License
It is very useful for a lot of people, can you add this feature?
It would be necessary to get information from an APK, like the list of image paths.
Is it possible today?
How can I encode the AndroidManifest.xml again? This would be very useful.
Sometimes, for some APKs, I am getting this error: "error: invalid resource id".
What does this mean? What could possibly cause this?
When loading the poc file with gdb, I got that it calls the jitana::axml_parser::parse_start_namespace function and accesses memory using rax's value:
mov dword ptr [rax], edx
but rax=0xfffffffffffffff8, and this could lead to a crash.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
───────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────────────
► 0x480234 mov dword ptr [rax], edx
0x480236 mov rax, qword ptr [rbp - 0x18]
0x48023a mov rdi, rax
0x48023d call 0x47d668
0x480242 mov edx, dword ptr [rax]
0x480244 mov rax, qword ptr [rbp - 8]
0x480248 mov dword ptr [rax + 4], edx
0x48024b nop
0x48024c leave
0x48024d ret
0x48024e push rbp
───────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────
140
141 template<class _U1, class _U2, class = typename
142 enable_if<__and_<is_convertible<_U1, _T1>,
143 is_convertible<_U2, _T2>>::value>::type>
144 constexpr pair(_U1&& __x, _U2&& __y)
► 145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
146
147 template<class _U1, class _U2, class = typename
148 enable_if<__and_<is_convertible<_U1, _T1>,
149 is_convertible<_U2, _T2>>::value>::type>
150 constexpr pair(pair<_U1, _U2>&& __p)
Program received signal SIGSEGV (fault address -0x8)
pwndbg> bt
#0 0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
#1 0x00000000004802ab in __gnu_cxx::new_allocator<std::pair<unsigned int, unsigned int> >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (this=0x6bbff8, __p=0xfffffffffffffff8) at /usr/include/c++/5/ext/new_allocator.h:120
#2 0x000000000047efa7 in std::allocator_traits<std::allocator<std::pair<unsigned int, unsigned int> > >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (__a=..., __p=0xfffffffffffffff8) at /usr/include/c++/5/bits/alloc_traits.h:530
#3 0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96
#4 0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380
#5 0x000000000047b9a9 in jitana::axml_parser::parse (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:275
#6 0x000000000047abd7 in jitana::read_axml (stream=..., pt=...) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:1881
#7 0x000000000045cefc in process_file (input_filename="poc", output_filename="") at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:130
#8 0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188
#9 0x00007ffff6de4830 in __libc_start_main (main=0x45cfcd <main(int, char**)>, argc=2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291
#10 0x000000000045c839 in _start ()
pwndbg>
The binary and poc
https://gitee.com/hac425/fuzz_data/blob/master/axmldec_bin_poc.zip
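An added example, not code from axmldec or the jitana parser it uses: a bounds-checked chunk walker for the binary AXML format that validates every chunk header against the bytes actually present before trusting it, the kind of input validation that fuzzed inputs such as the poc above exercise. The chunk type values are those from Android's ResourceTypes.h; the sample file built by sample_axml is constructed for the example and is not a real manifest.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Chunk type codes from Android's ResourceTypes.h.
constexpr uint16_t RES_STRING_POOL_TYPE = 0x0001;
constexpr uint16_t RES_XML_TYPE = 0x0003;
constexpr uint16_t RES_XML_START_NAMESPACE_TYPE = 0x0100;
struct ChunkHeader { uint16_t type; uint16_t header_size; uint32_t size; };

static uint32_t rd_le(const std::vector<uint8_t>& b, size_t off, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

// Read the 8-byte chunk header at `off`; reject it if it does not fit inside `limit`
// or if its declared sizes are inconsistent with each other or with the input.
static bool read_chunk(const std::vector<uint8_t>& b, size_t off, size_t limit, ChunkHeader& h) {
    if (limit > b.size() || off + 8 > limit) return false;
    h.type = uint16_t(rd_le(b, off, 2));
    h.header_size = uint16_t(rd_le(b, off + 2, 2));
    h.size = rd_le(b, off + 4, 4);
    if (h.header_size < 8 || h.header_size > h.size) return false; // also stops size-0 loops
    return h.size <= limit - off;                                   // would overrun the input?
}

// Walk a binary AXML file chunk by chunk: chunk types in order, or empty on any bad header.
std::vector<uint16_t> walk_axml(const std::vector<uint8_t>& b) {
    std::vector<uint16_t> types;
    ChunkHeader top, h;
    if (!read_chunk(b, 0, b.size(), top) || top.type != RES_XML_TYPE) return {};
    for (size_t off = top.header_size; off < top.size; off += h.size) {
        if (!read_chunk(b, off, top.size, h)) return {};
        types.push_back(h.type);
    }
    return types;
}

// Constructed sample (not a real manifest): RES_XML header, empty string pool, then a
// START_NAMESPACE chunk claiming `ns_size` bytes. 24 is its true size; anything larger
// makes the chunk overrun the file, and 0 makes it smaller than its own header.
std::vector<uint8_t> sample_axml(uint32_t ns_size) {
    std::vector<uint8_t> v;
    auto put = [&](uint32_t x, int n) { for (int i = 0; i < n; i++) v.push_back(uint8_t(x >> (8 * i))); };
    put(RES_XML_TYPE, 2); put(8, 2); put(8 + 28 + 24, 4);
    put(RES_STRING_POOL_TYPE, 2); put(28, 2); put(28, 4);              // 28-byte pool header
    v.resize(v.size() + 20);
    put(RES_XML_START_NAMESPACE_TYPE, 2); put(16, 2); put(ns_size, 4); // 16-byte node header
    v.resize(v.size() + 16);                                           // line, comment, prefix, uri
    return v;
}
```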
Please, I need the steps to install this tool on my Ubuntu.
Thank you
Running in the mode where axmldec reads the manifest directly from the .apk, axmldec always segfaults.
axmldec anyapp.apk
I've tried with numerous APKs; one was created in 2015 (old project), and one was just created today with an Android SDK I installed this week.
I'm not a C developer and don't really know how to use gdb effectively, but here's at least some information:
Reading symbols from ./axmldec...
(gdb) run
Starting program: /home/ser/Software/axmldec/axmldec /home/ser/workspace/TimeTracker/bin/TimeTracker.apk
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
/usr/lib/../share/gcc-9.2.0/python/libstdcxx/v6/xmethods.py:731: SyntaxWarning: list indices must be integers or slices, not str; perhaps you missed a comma?
refcounts = ['_M_refcount']['_M_pi']
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78dd897 in fseeko64 () from /usr/lib/libc.so.6
(gdb) where
#0 0x00007ffff78dd897 in fseeko64 () from /usr/lib/libc.so.6
#1 0x000055555558cc90 in fseek64_file_func ()
#2 0x000055555558a5af in unzOpenInternal ()
#3 0x000055555556fb85 in extract_manifest (input_filename=...)
at /usr/include/c++/9.2.0/bits/basic_string.h:2300
#4 0x00005555555703b2 in process_file (
input_filename="/home/ser/workspace/TimeTracker/bin/TimeTracker.apk", output_filename="")
at /home/ser/Software/axmldec/main.cpp:125
#5 0x000055555556f616 in main (argc=<optimized out>, argv=<optimized out>)
at /home/ser/Software/axmldec/main.cpp:188
(gdb) list
127 jitana::read_axml(ims, pt);
128 }
129 else if (ifs.peek() == 0x03) {
130 jitana::read_axml(ifs, pt);
131 }
132 else {
133 boost_pt::read_xml(ifs, pt, boost_pt::xml_parser::trim_whitespace);
134 }
135
136 // Write the tree as an XML file.
(gdb)
dyld: Library not loaded: /usr/local/opt/icu4c/lib/libicudata.69.dylib
Referenced from: /usr/local/opt/boost/lib/libboost_locale-mt.dylib
Reason: image not found
[1] 22324 abort axmldec
Got this error trying to run it on macOS. Seems like it needs libicudata
but it's not able to load it?
Hello,
I am currently in need of a way of batch parsing the string.xml file of several thousands of apks.
Since axmldec is able to perform batch processing of manifest files I was wondering if it is possible to modify it in order to parse the string.xml file rather than the manifest.
Ideally, it would be nice to have a command line parameter to specify which file to parse.
I am willing to look into it myself, but it's been ages since I last did some C programming and I could use some pointers on where to start looking.