JesusFreke / smali

smali/baksmali

Invalid Smali Code generated from Meitu APK #842

Closed fmresearchnovak closed 2 years ago

fmresearchnovak commented 2 years ago

I use apktool to more easily obtain smali code. I noticed that the smali code generated for this particular APK seems to be invalid. Please see the bug I filed on the apktool project. (https://github.com/iBotPeaches/Apktool/issues/2721) The author suggested that the bug is not in apktool, but is actually here in the smali project. For your convenience I have re-written the details of that bug report below.

Information

  1. Apktool Version (apktool -version) - $ apktool --version 2.6.0

  2. Operating System (Mac, Linux, Windows) - $ cat /etc/issue Ubuntu 18.04.6 LTS \n \l

  3. APK From? (Playstore, ROM, Other) - Meitu Photo Editor obtained from APKMirror (a copy is NOT attached since GitHub won't allow .apk files) https://www.apkmirror.com/apk/meitu/meitu-beauty-camera-selfie-drawing-photo-editor/meitu-beauty-camera-selfie-drawing-photo-editor-9-3-6-8-release/

Stacktrace/Logcat

No relevant stacktrace

Steps to Reproduce

  1. apktool d meitu.apk

  2. open ./meitu/smali_classes4/com/meitu/library/mtmediakit/widget/GestureScissorView.smali

  3. Observe the method .method private d(FF)Landroid/graphics/PointF; (line 1121)

  4. Observe the first few instructions which instantiate two 32-bit constants and then attempt to execute an invalid aget-object using them.

    .locals 12

    const/4 v6, 0x0

    const/4 v7, 0x0

    .line 372
    aget-object v1, v6, v7

    const/4 v8, 0x1

It seems to me that this short sequence of instructions cannot be valid. Am I missing something?

Frameworks

N/A I believe

APK

If this APK can be freely shared, please upload/attach a link to it. https://www.apkmirror.com/apk/meitu/meitu-beauty-camera-selfie-drawing-photo-editor/meitu-beauty-camera-selfie-drawing-photo-editor-9-3-6-8-release/

Version 9.3.6.8. I found this bug with the APK; I didn't test the bundle.

Questions to ask before submission

  1. Have you tried apktool d, apktool b without changing anything? Yes
  2. If you are trying to install a modified apk, did you resign it? Not relevant, but yes I can/do re-sign it
  3. Are you using the latest apktool version? I believe so, yes.

JesusFreke commented 2 years ago

baksmali just disassembles what's there.

Using the "dump" functionality, here is an annotated dump of the bytecode you mentioned:

158ae8: 1206               |    const/4 v6, 0
158aea: 1207               |    const/4 v7, 0
158aec: 4601 0607          |    aget-object v1, v6, v7
158af0: 1218               |    const/4 v8, 1

So yes, that is the bytecode for that method. It looks "valid" at the bytecode level. It would be roughly equivalent to:

Object[] array = null;
Object value = array[0];

So it would just result in an NPE if it were ever actually run.
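To make the dump above concrete, here is a small added decoder (example code, not part of smali/baksmali or of this thread) for the three Dalvik instruction formats it uses, plus a check for the "aget through a register just set to constant 0" pattern described above. The sample bytes are constructed from the four code units in the dump; `SAMPLE`, `BASE`, and the function names are my own.

```python
import struct

# Dalvik code is a stream of little-endian 16-bit units. Formats used here:
#   11n: B|A|op        one unit;  A = low nibble (register), B = signed 4-bit literal
#   21s: AA|op BBBB    two units; vAA register, BBBB signed 16-bit literal
#   23x: AA|op CC|BB   two units; vAA = vBB[vCC]
OPCODES = {0x12: ("const/4", "11n"), 0x13: ("const/16", "21s"),
           0x44: ("aget", "23x"), 0x45: ("aget-wide", "23x"),
           0x46: ("aget-object", "23x"), 0x47: ("aget-boolean", "23x"),
           0x48: ("aget-byte", "23x"), 0x49: ("aget-char", "23x"),
           0x4a: ("aget-short", "23x")}

def decode(code, base):
    """Yield (offset, size, mnemonic, registers, literal) per instruction."""
    off = 0
    while off < len(code):
        name, fmt = OPCODES[code[off]]
        if fmt == "11n":
            lit = code[off + 1] >> 4                    # sign-extend the 4-bit literal
            yield base + off, 2, name, [code[off + 1] & 0xF], (lit - 16 if lit & 8 else lit)
            off += 2
        elif fmt == "21s":
            yield base + off, 4, name, [code[off + 1]], struct.unpack_from("<h", code, off + 2)[0]
            off += 4
        else:                                           # 23x: dest, array, index
            yield base + off, 4, name, list(code[off + 1:off + 4]), None
            off += 4

def disassemble(code, base):
    """Render 'offset: raw units | mnemonic operands', like the dump above."""
    lines = []
    for off, size, name, regs, lit in decode(code, base):
        i = off - base
        units = " ".join(f"{code[j]:02x}{code[j + 1]:02x}" for j in range(i, i + size, 2))
        ops = ", ".join(f"v{r}" for r in regs) + ("" if lit is None else f", {lit}")
        lines.append(f"{off:x}: {units:<16}| {name} {ops}")
    return lines

def null_array_reads(code, base):
    """Offsets of aget* whose array register currently holds constant 0 (null)."""
    known, hits = {}, []
    for off, _, name, regs, lit in decode(code, base):
        if lit is not None:                 # const/4, const/16: remember the literal
            known[regs[0]] = lit
        else:                               # aget*: regs = [dest, array, index]
            if known.get(regs[1]) == 0:
                hits.append(off)
            known.pop(regs[0], None)        # dest now holds an unknown value
    return hits

# Constructed from the four code units quoted in the dump above.
SAMPLE = bytes.fromhex("1206" "1207" "46010607" "1218")
BASE = 0x158AE8
```

Running `disassemble(SAMPLE, BASE)` reproduces the four dump lines, and `null_array_reads(SAMPLE, BASE)` returns `[0x158aec]`, the aget-object that can only throw.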

fmresearchnovak commented 2 years ago

Interesting! I guess the original Java code of the app is probably also invalid (maybe the original Java code is exactly what you suggested). I wonder if it could be "dead code" that is never executed. That would explain why the Meitu developers haven't removed it.

Anyway, thank you!