Fix permission analysis in the radare2 core for APKs with UTF-8 encod…

…ing (#602)
quark-engine · Jan 20, 2024 · 5e47b0e · 5e47b0e
1 parent 8e4d342
commit 5e47b0e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/quark/core/axmlreader/__init__.py b/quark/core/axmlreader/__init__.py
@@ -165,6 +165,7 @@ def __init__(self, file_path, core_library="rizin", structure_path=None):
             )
 
         self._stringCount = string_pool_header[1]["value"]
+        self._isUtf8Used = (string_pool_header[3]["value"] & (1 << 8)) != 0
         stringStart = string_pool_header[4]["value"]
 
         self._core.cmd(f"f string_pool_header @ 0x8 ")
@@ -284,11 +285,17 @@ def axml_size(self):
     def get_string(self, index):
         if index < 0 or index >= self._stringCount:
             return None
+        if self._isUtf8Used:
+            stringFormat = "z"
+            stringKey = "value"
+        else:
+            stringFormat = "Z"
+            stringKey = "string"
 
         return self._core.cmdj(
-            f"pfj Z @ string_pool_data + `pfv n4 "
+            f"pfj {stringFormat} @ string_pool_data + `pfv n4 "
             f"@ string_pool_index+ {index}*4` + 2"
-        )[0]["string"]
+        )[0][stringKey]
 
     def get_attributes(self, chunk: ResChunkHeader) -> List[ResValue]:
         """Get the attributes of a resource chunk

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -29,6 +29,13 @@
             "/raw/master/malware-samples/Ahmyth.apk"
         ),
         "fileName": "Ahmyth.apk"
+    },
+    {
+        "sourceUrl": (
+            "https://github.com/quark-engine/apk-samples"
+            "/raw/master/vulnerable-samples/pivaa.apk"
+        ),
+        "fileName": "pivaa.apk"
     }
 ]
 
@@ -62,3 +69,8 @@ def SAMPLE_PATH_13667(tmp_path_factory: pytest.TempPathFactory) -> str:
 @pytest.fixture(scope="session")
 def SAMPLE_PATH_Ahmyth(tmp_path_factory: pytest.TempPathFactory) -> str:
     return downloadSample(tmp_path_factory, SAMPLES[2])
+
+
+@pytest.fixture(scope="session")
+def SAMPLE_PATH_pivaa(tmp_path_factory: pytest.TempPathFactory) -> str:
+    return downloadSample(tmp_path_factory, SAMPLES[3])
diff --git a/tests/core/test_axmlreader.py b/tests/core/test_axmlreader.py
@@ -11,7 +11,6 @@
 from quark.core.axmlreader import AxmlReader, ResValue
 
 
-
 @pytest.fixture(
     scope="function",
     params=(("radare2"), ("rizin")),
@@ -35,6 +34,11 @@ def MANIFEST_PATH_14d9f(SAMPLE_PATH_14d9f):
     return extractManifest(SAMPLE_PATH_14d9f)
 
 
+@pytest.fixture(scope="session")
+def MANIFEST_PATH_pivaa(SAMPLE_PATH_pivaa):
+    return extractManifest(SAMPLE_PATH_pivaa)
+
+
 class TestAxmlReader:
     @staticmethod
     def testIter(core_library, MANIFEST_PATH_14d9f) -> None:
@@ -57,10 +61,15 @@ def testAxmlSize(core_library, MANIFEST_PATH_14d9f):
         assert axmlReader.axml_size == 7676
 
     @staticmethod
-    def testGetString(core_library, MANIFEST_PATH_14d9f):
+    def testGetStringFromUtf16Apk(core_library, MANIFEST_PATH_14d9f):
         axmlReader = AxmlReader(MANIFEST_PATH_14d9f, core_library)
         assert axmlReader.get_string(13) == "manifest"
 
+    @staticmethod
+    def testGetStringFromUtf8Apk(core_library, MANIFEST_PATH_pivaa):
+        axmlReader = AxmlReader(MANIFEST_PATH_pivaa, core_library)
+        assert axmlReader.get_string(58) == "manifest"
+
     @staticmethod
     def testGetAttributes(core_library, MANIFEST_PATH_14d9f):
         axmlReader = AxmlReader(MANIFEST_PATH_14d9f, core_library)