Could not decode arsc file #964

Closed
srasthofer opened this Issue May 29, 2015 · 8 comments

srasthofer commented May 29, 2015

During the decompilation of a malicious apk, I get the following exception:

    java -jar apktool_2.0.0rc5.jar d -o /OUTPUT/ /HippoSMS/5c70988fc9751f283b2f2b5733f9e7f2a54afa69.apk
    I: Using Apktool 2.0.0 on 5c70988fc9751f283b2f2b5733f9e7f2a54afa69.apk
    I: Loading resource table...
    Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
        at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:52)
        at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:538)
        at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:63)
        at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:55)
        at brut.androlib.Androlib.getResTable(Androlib.java:64)
        at brut.androlib.ApkDecoder.setTargetSdkVersion(ApkDecoder.java:209)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:92)
        at brut.apktool.Main.cmdDecode(Main.java:165)
        at brut.apktool.Main.main(Main.java:81)
    Caused by: java.io.IOException: Expected: 0x00000008, got: 0x00000002
        at brut.util.ExtDataInput.skipCheckShort(ExtDataInput.java:56)
        at brut.androlib.res.decoder.ARSCDecoder.readValue(ARSCDecoder.java:238)
        at brut.androlib.res.decoder.ARSCDecoder.readEntry(ARSCDecoder.java:201)
        at brut.androlib.res.decoder.ARSCDecoder.readConfig(ARSCDecoder.java:189)
        at brut.androlib.res.decoder.ARSCDecoder.readType(ARSCDecoder.java:157)
        at brut.androlib.res.decoder.ARSCDecoder.readPackage(ARSCDecoder.java:114)
        at brut.androlib.res.decoder.ARSCDecoder.readTable(ARSCDecoder.java:78)
        at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:47)
        ... 8 more

Here would be the malicious apk: https://drive.google.com/file/d/0B7mw1J0o156uMS1nNFNiSnY5LUU/view?usp=sharing
PW: infected

Thanks in advance.

Owner

iBotPeaches commented Jun 3, 2015

I duplicate. Must be some good trickery to break apktool that early in the decode.

gizmaniac commented Jun 16, 2015

This also breaks with the latest version of K-9 Mail in the Play Store (5.006), which one would hope is not malicious.

Contributor

minsko commented Jun 19, 2015

The same issue occurs when attempting to decode any apk created with SDK Build Tools v23.0.0-rc2. Here is a simple "Hello World" created with 22.0.1 and 23.0.0-rc2. https://drive.google.com/file/d/0B5BNATXQ2jdIbWJGWjNRYVZMR28/view?usp=sharing

Owner

iBotPeaches commented Jun 22, 2015

Thanks. I will build the exact same application using different build tools and figure out what is changing and why.

Contributor

minsko commented Jun 22, 2015

FYI, RC4 does not have this issue with apk's created by the new tools.

Owner

iBotPeaches commented Jul 1, 2015

Hmmm.

I tried

    buildToolsVersion "23.0.0-rc2"

and

    buildToolsVersion "22.0.1"

The built apks could be decompiled without error. Now the original APK still breaks, but not having much luck building a test apk to duplicate this issue.

Contributor

minsko commented Jul 1, 2015

I just built from source (commit d5f3b3f) and could NOT reproduce the issue (regarding the build tools) anymore. I had previously reproduced it with the 2.0.0 release and had assumed it was related to the original issue listed concerning the Malware.apk (which still fails with this latest build.) Sorry for any confusion. Thanks.

Owner

iBotPeaches commented Dec 15, 2015

I believe this is fixed now as of - eabb7d8

It had the same problem as #1031 if anyone is curious of the cause.