refactor: Improve renaming/injection of resources in stripped APKs #4041
Conversation
* Strict entry spec naming ensures that invalid entry names (incl. attempts of directory traversal) are replaced.
* Inject generic entries for missing resources to ensure that stripped APKs can be recompiled without any changes. Normally missing attributes or missing ID resources for enum/flag attribute items.
* Default resolve mode changed to KEEP (instead of REMOVE), otherwise stripped APKs can't be recompiled. DUMMY mode can still be used to include unused dummy resources (rarely useful). REMOVE mode can still be used to ignore missing resources altogether (rarely useful). Output for non-stripped APKs is already identical between all of the modes.
* The rest is just style and micro-optimization.
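The first bullet above is about the names taken from the resource table ending up in output paths. The following is an added illustration of that check, not Apktool's own code: the allowed character set, the `APKTOOL_DUMMY_0x...` placeholder format and the sample entries are assumptions made for the example.

```python
import os
import re

# Added example, not Apktool's code: models the "strict entry spec naming" rule
# from the PR description. An entry name read from resources.arsc becomes part of
# an output path (e.g. res/drawable/<name>.png), so a crafted name such as
# "../../evil" must never reach the filesystem. The allowed character set and
# the placeholder scheme below are assumptions, not Apktool's actual rules.

# Letters, digits, underscore and dot only: no '/', '\\', ':' or control characters.
STRICT_ENTRY_NAME = re.compile(r"[A-Za-z0-9_.]+")


def is_valid_entry_name(name):
    """True only for a plain token; fullmatch() so a trailing newline cannot slip past."""
    if not STRICT_ENTRY_NAME.fullmatch(name):
        return False
    return name.strip(".") != ""  # reject '.', '..', '...'


def safe_entry_name(name, res_id):
    """Return the name unchanged when valid, else a generated placeholder."""
    if is_valid_entry_name(name):
        return name
    return "APKTOOL_DUMMY_0x%08x" % res_id  # placeholder format is assumed


def output_path(res_dir, type_name, name, res_id, ext):
    """Build the on-disk path for an entry and prove it stays inside res_dir."""
    root = os.path.abspath(res_dir)
    path = os.path.abspath(os.path.join(root, type_name, safe_entry_name(name, res_id) + ext))
    # Defence in depth: even a valid-looking name must resolve under the root.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("entry escapes output directory: %r" % name)
    return os.path.relpath(path, root).replace(os.sep, "/")


# Constructed sample: (resource id, type, name) triples as an obfuscator might emit them.
SAMPLE_ENTRIES = [
    (0x7F080001, "drawable", "ic_launcher"),
    (0x7F080002, "drawable", "../../../../tmp/evil"),
    (0x7F080003, "drawable", ".."),
]


def decode_entries(res_dir="res"):
    """Map every sample entry to a safe relative output path."""
    return [output_path(res_dir, t, n, rid, ".png") for rid, t, n in SAMPLE_ENTRIES]
```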
Brother, okay, I was right, there was a problem. Actually, I have limited resources because I don't have a PC, and I had to repeatedly build and recheck the jar on my phone. That's why you were able to do it in 1-2 days, but it took me 7-8 days, and I don't know how many builds I did. At one point, I thought of giving up, but then I thought I should at least send you what I've done so you get an idea of the problem, because nowadays most APKs are obfuscated, so this change was important. By the way, you could have created an independent aapt tool like ARSCLib, but it's good to see that you're still based on Google's official AOSP aapt. 😎 I have a humble request: could you please add "aapt2" for Android as well? Source: https://github.com/Maximoff/binaries/blob/main/bin/arm64-v8a/sdk35/aapt2
https://github.com/TechnoIndian/aapt2/releases/download/main/aapt2-arm64-v8a
@iBotPeaches manages the aapt2 binaries separately. Can't help with that.
iBotPeaches
left a comment
Before we cut v3, I want to test out the CVE apks I got from the traversal problems to be sure that's still good.
Haha, I tried forking your repo, and it's mostly working on all those obfuscated APKs where attributes were missing. But did you forget to include the missing format (or rather, the format that was forcefully added to the resource files) in the already existing attributes? PACKAGE NAME - APK LINK - Whatsapp (Decompile Logs, Recompile Logs)
I didn't forget anything. I tested with the 3 APKs you mentioned:
The only proper hack would be to make
Android doesn't verify that a value encoded in a binary XML was encoded with a format that's supported by the attribute. The attr's "format" attribute is only enforced by aapt2 during build-time, so some obfuscators manipulate it in a way that doesn't match with actual usage. Let the binary XML decoder add missing formats whenever necessary. No change in output for APKs that weren't obfuscated in this specific way.
@TechnoIndian555 try the latest commit.
Nice, now it's working successfully 🤗
Bro, can you check this app too? As you said it's working, but with the latest commit it's still missing format; check resource APKTOOL_DUMMY_0x7f040880 and see attrs.xml for it.
I use keep res mode but used dummy just to show here, to reach exactly the point I was asking for.
In all multi-format cases, a value's type is determined automatically by a predetermined order of priority:
Understood now, thanks mate for always pointing out and explaining stuff ;)
1 more question: I recompiled that app and rechecked the resource type, it still says ANY, not float. Does aapt2 pick up the above stuff when it reads the resource at runtime, or compile it to a predetermined resource type?
The attr's type/format is
Technically integer format for enum/flags is allowed, but rarely used.
We have to handle this scenario properly. An example from framework-res.apk:
<attr name="numColumns" format="integer" min="0">
    <enum name="auto_fit" value="-1" />
</attr>
We solve this by checking if an attribute value has any matching symbols via nameAttr.hasSymbolsForValue(value).
This commit also improves caching for ResEnum/ResFlags symbols to avoid conversion of raw integer values to symbols more than once.
The caching is done lazily to avoid unnecessary overheads in case certain defined attributes were never used (i.e. never formatted a value).
This commit changes nothing in any known APK, just handles a theoretical edge case.
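The two commit messages above describe a decoder that widens an attr's declared format from the value types actually seen in binary XML, and that only renders an integer as an enum/flag symbol when the attr has symbols for that value. The following added example models both behaviours; it is not Apktool's code, and the `Attr` class, its method names and the sample attributes are assumptions (the format flags and `Res_value` data-type codes are the ones from Android's ResourceTypes.h).

```python
# Added example, not Apktool's code: Android does not check that a binary-XML
# value's data type is allowed by the attr's declared format, so a decoder must
# add any format it sees in use; and an enum/flags attr may also declare
# format="integer", so a raw value is only shown as a symbol when the attr
# really has symbols for it. Flag and data-type constants follow ResourceTypes.h.

TYPE_REFERENCE, TYPE_STRING, TYPE_INTEGER, TYPE_BOOLEAN = 1 << 0, 1 << 1, 1 << 2, 1 << 3
TYPE_COLOR, TYPE_FLOAT, TYPE_DIMENSION, TYPE_FRACTION = 1 << 4, 1 << 5, 1 << 6, 1 << 7
TYPE_ANY, TYPE_ENUM, TYPE_FLAGS = 0xFFFF, 1 << 16, 1 << 17

FORMAT_NAMES = [(TYPE_REFERENCE, "reference"), (TYPE_STRING, "string"),
                (TYPE_INTEGER, "integer"), (TYPE_BOOLEAN, "boolean"),
                (TYPE_COLOR, "color"), (TYPE_FLOAT, "float"),
                (TYPE_DIMENSION, "dimension"), (TYPE_FRACTION, "fraction")]

# Res_value.dataType -> the attr format flag that would have accepted it at build time
DATA_TYPE_FORMAT = {0x01: TYPE_REFERENCE, 0x02: TYPE_REFERENCE, 0x03: TYPE_STRING,
                    0x04: TYPE_FLOAT, 0x05: TYPE_DIMENSION, 0x06: TYPE_FRACTION,
                    0x10: TYPE_INTEGER, 0x11: TYPE_INTEGER, 0x12: TYPE_BOOLEAN,
                    0x1C: TYPE_COLOR, 0x1D: TYPE_COLOR, 0x1E: TYPE_COLOR, 0x1F: TYPE_COLOR}


class Attr:  # hypothetical model of a decoded <attr>
    def __init__(self, name, formats, symbols=None):
        self.name, self.formats = name, formats
        self.symbols = symbols or {}  # raw int value -> enum/flag symbol name

    def has_symbols_for_value(self, value):
        """Enum: exact symbol exists. Flags: every set bit is covered by a symbol."""
        if self.formats & TYPE_ENUM:
            return value in self.symbols
        if self.formats & TYPE_FLAGS:
            covered = 0
            for sym in self.symbols:
                if sym and value & sym == sym:
                    covered |= sym
            return value != 0 and covered == value
        return False

    def note_usage(self, data_type):
        """Widen the declared format by an observed value type; True if changed."""
        needed = DATA_TYPE_FORMAT.get(data_type)
        if needed is None or self.formats & needed:
            return False
        self.formats |= needed
        return True

    def format_string(self):
        """The format="..." text for attrs.xml ('' for a pure enum/flags attr)."""
        if self.formats & TYPE_ANY == TYPE_ANY:
            return "any"
        return "|".join(n for f, n in FORMAT_NAMES if self.formats & f)

    def format_value(self, data_type, value):
        """Render an integer as symbol(s) only when the attr has them, else raw."""
        if data_type in (0x10, 0x11) and self.has_symbols_for_value(value):
            if self.formats & TYPE_ENUM:
                return self.symbols[value]
            return "|".join(n for v, n in self.symbols.items() if v and value & v == v)
        return str(value)
```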
I think I covered all cases now. Tested on large scale, everything as designed.