fix: decode system attributes before looking in string pool

delvinru · delvinru · commit 714fe06dc8b7 · 2026-02-19T12:03:31.000+03:00
diff --git a/crates/axml/src/structs/res_string_pool.rs b/crates/axml/src/structs/res_string_pool.rs
@@ -247,26 +247,31 @@ impl StringPool {
         self.strings.get(idx as usize)
     }
 
+    /// Get string from string pool
+    ///
+    /// Some malware defines its own strings in the manifest in a peculiar way, therefore,
+    /// for correct unpacking, we must first look at the system attributes.
+    ///
+    /// Examples:
+    ///     - 58442d3e3a49eb41986b1099e298c78afe6726edb93b75d0b8b7b38ecd41a4a0
+    ///     - 4057a9b12248b345e5c8dccf473e3df44e3663b342d48f4a63c8694e9d07c153
     #[inline]
     pub fn get_with_resources<'a>(
         &'a self,
         idx: u32,
         xml_resource: &'a XMLResourceMap,
         is_attribute_name: bool,
     ) -> Option<&'a str> {
-        self.strings
-            .get(idx as usize)
-            .map(|x| x.as_str())
-            .filter(|s| !s.is_empty())
-            .or_else(|| {
-                xml_resource.get_attr(idx).map(|x| {
-                    // need remove prefix if looked up in system attributes
-                    if is_attribute_name {
-                        x.strip_prefix("android:attr/").unwrap_or(x)
-                    } else {
-                        x
-                    }
-                })
+        xml_resource
+            .get_attr(idx)
+            .map(|x| {
+                // need remove prefix if looked up in system attributes
+                if is_attribute_name {
+                    x.strip_prefix("android:attr/").unwrap_or(x)
+                } else {
+                    x
+                }
             })
+            .or_else(|| self.strings.get(idx as usize).map(|x| x.as_str()))
     }
 }
