rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

Bad CRC32 header #286

Open cryptax opened 2 years ago

cryptax commented 2 years ago

When parsing this sample: https://koodous.com/apks/5e30b1bcfc94bd41c69f33b24329297eda7f65f8b29490d7c3c6e169ecbcf494 I get errors "negative seek value -2", "Bad CRC-32 for file 'tex.header'", "Bad magic number for file header".

Run this: apkid ./5e30b1bcfc94bd41c69f33b24329297eda7f65f8b29490d7c3c6e169ecbcf494.apk

[+] APKiD 2.1.2 :: from RedNaga :: rednaga.io
Exception scanning tex.bytes in None, depth=1: Traceback (most recent call last):
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 156, in _scan_zip
    self._scan_zip_entry(zf, info, results, depth)
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 164, in _scan_zip_entry
    with zf.open(info) as entry:
  File "/usr/lib/python3.8/zipfile.py", line 1530, in open
    fheader = zef_file.read(sizeFileHeader)
  File "/usr/lib/python3.8/zipfile.py", line 763, in read
    self._file.seek(self._pos)
ValueError: negative seek value -2

Exception scanning tex.header in None, depth=1: Traceback (most recent call last):
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 156, in _scan_zip
    self._scan_zip_entry(zf, info, results, depth)
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 166, in _scan_zip_entry
    entry_buffer: IO = io.BytesIO(entry.read(4))
  File "/usr/lib/python3.8/zipfile.py", line 940, in read
    data = self._read1(n)
  File "/usr/lib/python3.8/zipfile.py", line 1030, in _read1
    self._update_crc(data)
  File "/usr/lib/python3.8/zipfile.py", line 958, in _update_crc
    raise BadZipFile("Bad CRC-32 for file %r" % self.name)
zipfile.BadZipFile: Bad CRC-32 for file 'tex.header'

Exception scanning data.bytes in None, depth=1: Traceback (most recent call last):
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 156, in _scan_zip
    self._scan_zip_entry(zf, info, results, depth)
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 164, in _scan_zip_entry
    with zf.open(info) as entry:
  File "/usr/lib/python3.8/zipfile.py", line 1530, in open
    fheader = zef_file.read(sizeFileHeader)
  File "/usr/lib/python3.8/zipfile.py", line 763, in read
    self._file.seek(self._pos)
ValueError: negative seek value -3

Exception scanning tex0.bytes in None, depth=1: Traceback (most recent call last):
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 156, in _scan_zip
    self._scan_zip_entry(zf, info, results, depth)
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 164, in _scan_zip_entry
    with zf.open(info) as entry:
  File "/usr/lib/python3.8/zipfile.py", line 1535, in open
    raise BadZipFile("Bad magic number for file header")
zipfile.BadZipFile: Bad magic number for file header

Exception scanning tex0.header in None, depth=1: Traceback (most recent call last):
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 156, in _scan_zip
    self._scan_zip_entry(zf, info, results, depth)
  File "/home/axelle/softs/APKiD/apkid/apkid.py", line 166, in _scan_zip_entry
    entry_buffer: IO = io.BytesIO(entry.read(4))
  File "/usr/lib/python3.8/zipfile.py", line 940, in read
    data = self._read1(n)
  File "/usr/lib/python3.8/zipfile.py", line 1030, in _read1
    self._update_crc(data)
  File "/usr/lib/python3.8/zipfile.py", line 958, in _update_crc
    raise BadZipFile("Bad CRC-32 for file %r" % self.name)
zipfile.BadZipFile: Bad CRC-32 for file 'tex0.header'

Unzip seems to show nothing special with the APK:

$ unzip -l ~/samples/5e30b1bcfc94bd41c69f33b24329297eda7f65f8b29490d7c3c6e169ecbcf494.apk 
Archive:  /home/axelle/samples/5e30b1bcfc94bd41c69f33b24329297eda7f65f8b29490d7c3c6e169ecbcf494.apk
  Length      Date    Time    Name
---------  ---------- -----   ----
     7097  2020-09-22 17:31   META-INF/MANIFEST.MF
     7150  2020-09-22 17:31   META-INF/CERT.SF
     1714  2020-09-22 17:31   META-INF/CERT.RSA
    53011  2020-09-22 17:31   assets/tt_mime_type.pro
...

The DEX seems okay:

[*] /home/axelle/samples/jsonpacker/5e30b1bcfc94bd41c69f33b24329297eda7f65f8b29490d7c3c6e169ecbcf494.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
 |-> packer : JsonPacker

enovella commented 2 years ago

FYI - I can reproduce it

Yehh22 commented 4 months ago

I found an APK with tons of CRC32 errors. Looks like some sort of anti-extraction.

Can you add an option to ignore exceptions to keep the output clean?

https://mega.nz/file/3ZZ2GSbD#7Swal-MfeVaGBOQJkcWs-xd0UZyr1fJ8e_4bPyF31tQ
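
Added example, not part of the thread and not APKiD's code: one way a scanner can keep walking an archive and report each unreadable entry as a single line instead of a traceback. `triage_zip` and `build_sample` are hypothetical names, and the sample archive is constructed in memory with one entry's stored data altered and one local header signature overwritten.

```python
import io
import zipfile
import zlib

# Exception types raised per entry in the tracebacks above, plus related read failures.
ENTRY_ERRORS = (zipfile.BadZipFile, ValueError, OSError, zlib.error,
                NotImplementedError, RuntimeError)

def triage_zip(data: bytes, probe: int = 4):
    """Read the first `probe` bytes of each entry. Return (ok, failed);
    failed maps entry name -> one-line reason instead of a traceback."""
    ok, failed = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as entry:
                    ok[info.filename] = entry.read(probe)
            except ENTRY_ERRORS as exc:
                failed[info.filename] = f"{type(exc).__name__}: {exc}"
    return ok, failed

def build_sample() -> bytes:
    """Constructed test archive: one clean entry, two damaged ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("tex.header", b"HEADER-DATA")
        zf.writestr("tex0.bytes", b"BYTES-DATA")
        magic_at = zf.getinfo("tex0.bytes").header_offset
    raw = bytearray(buf.getvalue())
    # Stored data no longer matches the CRC recorded in the central directory.
    raw[raw.index(b"HEADER-DATA")] ^= 0xFF
    # Local file header signature (PK\x03\x04) replaced with junk.
    raw[magic_at:magic_at + 4] = b"XXXX"
    return bytes(raw)

if __name__ == "__main__":
    ok, failed = triage_zip(build_sample())
    for name, head in ok.items():
        print(f"[ok]   {name}: {head!r}")
    for name, reason in failed.items():
        print(f"[skip] {name}: {reason}")
```

The central directory is still parsed normally, which is why a listing looks unremarkable while opening individual entries fails.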