rovellipaolo / NinjaDroid

Ninja Reverse Engineering on Android APK packages
GNU General Public License v3.0

-e/--extract option not working correctly with snap #20

Open rovellipaolo opened 3 years ago

rovellipaolo commented 3 years ago

Using the snap version, the -e/--extract option does not work correctly. In particular, the APK is parsed and its entries extracted correctly, dex2jar seems to be executed without issues, but apktool execution is failing. It would seem to be a (sandbox) permission-related issue.

➜  ~ /snap/bin/ninjadroid MyApk.apk --all --extract output/ --verbose
  >> NinjaDroid: [DEBUG] Reading MyApk.apk...
  >> NinjaDroid: [DEBUG] Parsing APK file: filepath="MyApk.apk"
  >> NinjaDroid: [DEBUG] Reading file: filepath="MyApk.apk"
  >> NinjaDroid: [DEBUG] Extracting APK resource AndroidManifest.xml to /tmp/tmp6s19_4g3.ninjadroid/AndroidManifest.xml
  >> NinjaDroid: [DEBUG] AndroidManifest.xml looks like an AndroidManifest.xml file
  >> NinjaDroid: [DEBUG] Parsing AndroidManifest.xml file: filepath="/tmp/tmp6s19_4g3.ninjadroid/AndroidManifest.xml"
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/AndroidManifest.xml"
  >> NinjaDroid: [DEBUG] Parsing AndroidManifest.xml from DOM...
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-hdpi-v4/ic_launcher.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-hdpi-v4/ic_launcher.png
  >> NinjaDroid: [DEBUG] res/drawable-hdpi-v4/ic_launcher.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-hdpi-v4/ic_launcher.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-hdpi-v4/ic_launcher_logo.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-hdpi-v4/ic_launcher_logo.png
  >> NinjaDroid: [DEBUG] res/drawable-hdpi-v4/ic_launcher_logo.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-hdpi-v4/ic_launcher_logo.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-ldpi-v4/ic_launcher.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-ldpi-v4/ic_launcher.png
  >> NinjaDroid: [DEBUG] res/drawable-ldpi-v4/ic_launcher.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-ldpi-v4/ic_launcher.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-ldpi-v4/ic_launcher_logo.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-ldpi-v4/ic_launcher_logo.png
  >> NinjaDroid: [DEBUG] res/drawable-ldpi-v4/ic_launcher_logo.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-ldpi-v4/ic_launcher_logo.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-mdpi-v4/ic_launcher.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-mdpi-v4/ic_launcher.png
  >> NinjaDroid: [DEBUG] res/drawable-mdpi-v4/ic_launcher.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-mdpi-v4/ic_launcher.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-mdpi-v4/ic_launcher_logo.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-mdpi-v4/ic_launcher_logo.png
  >> NinjaDroid: [DEBUG] res/drawable-mdpi-v4/ic_launcher_logo.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-mdpi-v4/ic_launcher_logo.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-xhdpi-v4/ic_launcher.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-xhdpi-v4/ic_launcher.png
  >> NinjaDroid: [DEBUG] res/drawable-xhdpi-v4/ic_launcher.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-xhdpi-v4/ic_launcher.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/drawable-xhdpi-v4/ic_launcher_logo.png to /tmp/tmp6s19_4g3.ninjadroid/res/drawable-xhdpi-v4/ic_launcher_logo.png
  >> NinjaDroid: [DEBUG] res/drawable-xhdpi-v4/ic_launcher_logo.png looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/drawable-xhdpi-v4/ic_launcher_logo.png"
  >> NinjaDroid: [DEBUG] Extracting APK resource res/layout/main.xml to /tmp/tmp6s19_4g3.ninjadroid/res/layout/main.xml
  >> NinjaDroid: [DEBUG] res/layout/main.xml looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/res/layout/main.xml"
  >> NinjaDroid: [DEBUG] Extracting APK resource resources.arsc to /tmp/tmp6s19_4g3.ninjadroid/resources.arsc
  >> NinjaDroid: [DEBUG] resources.arsc looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/resources.arsc"
  >> NinjaDroid: [DEBUG] Extracting APK resource classes.dex to /tmp/tmp6s19_4g3.ninjadroid/classes.dex
  >> NinjaDroid: [DEBUG] classes.dex looks like a dex file
  >> NinjaDroid: [DEBUG] Parsing dex file: filepath="/tmp/tmp6s19_4g3.ninjadroid/classes.dex", filename="classes.dex"
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/classes.dex"
  >> NinjaDroid: [DEBUG] Extracting strings...
  >> NinjaDroid: [DEBUG] Strings extracted: 21
  >> NinjaDroid: [DEBUG] Extracting URLs...
  >> NinjaDroid: [DEBUG] URLs extracted: 0 
  >> NinjaDroid: [DEBUG] Extracting shell commands...
  >> NinjaDroid: [DEBUG] Shell commands extracted: 1
  >> NinjaDroid: [DEBUG] Extracting APK resource META-INF/MANIFEST.MF to /tmp/tmp6s19_4g3.ninjadroid/META-INF/MANIFEST.MF
  >> NinjaDroid: [DEBUG] META-INF/MANIFEST.MF looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/META-INF/MANIFEST.MF"
  >> NinjaDroid: [DEBUG] Extracting APK resource META-INF/CERT.SF to /tmp/tmp6s19_4g3.ninjadroid/META-INF/CERT.SF
  >> NinjaDroid: [DEBUG] META-INF/CERT.SF looks like a generic file
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/META-INF/CERT.SF"
  >> NinjaDroid: [DEBUG] Extracting APK resource META-INF/CERT.RSA to /tmp/tmp6s19_4g3.ninjadroid/META-INF/CERT.RSA
  >> NinjaDroid: [DEBUG] META-INF/CERT.RSA looks like a CERT file
  >> NinjaDroid: [DEBUG] Parsing CERT file: filepath="/tmp/tmp6s19_4g3.ninjadroid/META-INF/CERT.RSA", filename="META-INF/CERT.RSA"
  >> NinjaDroid: [DEBUG] Reading file: filepath="/tmp/tmp6s19_4g3.ninjadroid/META-INF/CERT.RSA"

Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
  >> NinjaDroid: [INFO] Creating output/...
  >> NinjaDroid: [DEBUG] apktool path: /snap/ninjadroid/3/bin/ninjadroid/use_cases/../apktool/apktool.jar
  >> NinjaDroid: [INFO] Executing apktool...
  >> NinjaDroid: [INFO] Creating output/smali/...
  >> NinjaDroid: [INFO] Creating output/AndroidManifest.xml...
  >> NinjaDroid: [INFO] Creating output/res/...
  >> NinjaDroid: [INFO] Creating output/assets/...
  >> NinjaDroid: [DEBUG] apktool command: `java -jar /snap/ninjadroid/3/bin/ninjadroid/use_cases/../apktool/apktool.jar -q decode -f MyApk.apk -o output`
Exception in thread "main" brut.androlib.AndrolibException: Could not load resources.arsc from file: ~/.local/share/apktool/framework/1.apk
    at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:797)
    at brut.androlib.res.AndrolibResources.loadFrameworkPkg(AndrolibResources.java:123)
    at brut.androlib.res.data.ResTable.getPackage(ResTable.java:84)
    at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:67)
    at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:63)
    at brut.androlib.res.decoder.ResAttrDecoder.decode(ResAttrDecoder.java:39)
    at brut.androlib.res.decoder.AXmlResourceParser.getAttributeValue(AXmlResourceParser.java:388)
    at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.getAttributeValue(XmlPullParserDelegate.java:69)
    at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.writeStartTag(StaticXmlSerializerWrapper.java:267)
    at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.event(StaticXmlSerializerWrapper.java:211)
    at brut.androlib.res.decoder.XmlPullStreamDecoder$1.event(XmlPullStreamDecoder.java:84)
    at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:143)
    at brut.androlib.res.decoder.ResStreamDecoderContainer.decode(ResStreamDecoderContainer.java:33)
    at brut.androlib.res.decoder.ResFileDecoder.decode(ResFileDecoder.java:141)
    at brut.androlib.res.decoder.ResFileDecoder.decode(ResFileDecoder.java:121)
    at brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:258)
    at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:129)
    at brut.androlib.ApkDecoder.decode(ApkDecoder.java:124)
    at brut.apktool.Main.cmdDecode(Main.java:179)
    at brut.apktool.Main.main(Main.java:82)
Caused by: brut.directory.DirectoryException: java.io.FileNotFoundException: ~/.local/share/apktool/framework/1.apk (Permission denied)
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
    at brut.directory.ExtFile.getDirectory(ExtFile.java:52)
    at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:787)
    ... 19 more
Caused by: java.io.FileNotFoundException: ~/.local/share/apktool/framework/1.apk (Permission denied)
    at java.base/java.io.RandomAccessFile.open0(Native Method)
    at java.base/java.io.RandomAccessFile.open(RandomAccessFile.java:345)
    at java.base/java.io.RandomAccessFile.<init>(RandomAccessFile.java:259)
    at java.base/java.io.RandomAccessFile.<init>(RandomAccessFile.java:214)
    at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1285)
    at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:1251)
    at java.base/java.util.zip.ZipFile$CleanableResource.<init>(ZipFile.java:732)
    at java.base/java.util.zip.ZipFile$CleanableResource.get(ZipFile.java:849)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:247)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:177)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:191)
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
    ... 22 more
  >> NinjaDroid: [DEBUG] dex2jar path: /snap/ninjadroid/3/bin/ninjadroid/use_cases/../dex2jar/d2j-dex2jar.sh
  >> NinjaDroid: [INFO] Executing dex2jar...
  >> NinjaDroid: [INFO] Creating output/MyApk.jar...
  >> NinjaDroid: [DEBUG] dex2jar command: `/snap/ninjadroid/3/bin/ninjadroid/use_cases/../dex2jar/d2j-dex2jar.sh -f MyApk.apk -o output/MyApk.jar`
dex2jar MyApk.apk -> output/MyApk.jar
  >> NinjaDroid: [INFO] Extracting certificate file...
  >> NinjaDroid: [INFO] Creating output/META-INF/CERT.RSA...
  >> NinjaDroid: [INFO] Extracting DEX files...
  >> NinjaDroid: [INFO] Creating output/classes.dex...
  >> NinjaDroid: [INFO] Generating JSON report file...
  >> NinjaDroid: [INFO] Creating output/report-MyApk.json...

rovellipaolo commented 3 years ago

A temporary workaround (while investigating and fixing this) is to install the snap in devmode:

$ snap install ninjadroid --devmode --channel=beta

Indeed, since in devmode the snap has full access to system resources, the -e/--extract option is working as expected.
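
An added example, not part of the issue or of NinjaDroid's code: it pulls the denied path out of a Java trace like the one above and builds the same apktool decode command with the framework directory moved inside the snap's own per-user data area, so strict confinement can stay on. It assumes apktool's `--frame-path` decode option and the `SNAP_USER_DATA` variable set by snapd; `apktool-framework` is a hypothetical directory name, and the page does not confirm that this resolves the issue.

```python
import os
import re
from pathlib import Path

# Two root-cause lines copied from the trace in this issue, used as sample input.
SAMPLE_TRACE = """\
Caused by: brut.directory.DirectoryException: java.io.FileNotFoundException: ~/.local/share/apktool/framework/1.apk (Permission denied)
Caused by: java.io.FileNotFoundException: ~/.local/share/apktool/framework/1.apk (Permission denied)
"""

# Matches "java.io.FileNotFoundException: <path> (Permission denied)".
DENIED_RE = re.compile(r"FileNotFoundException: (?P<path>.+?) \(Permission denied\)")


def denied_paths(trace):
    """Return the distinct paths the JVM was refused, in order of appearance."""
    seen = []
    for match in DENIED_RE.finditer(trace):
        path = match.group("path")
        if path not in seen:
            seen.append(path)
    return seen


def apktool_decode_cmd(apktool_jar, apk, out_dir, env=None):
    """Build the decode command shown in the debug log.

    When running inside a snap (SNAP_USER_DATA is set), point apktool at a
    framework directory the sandbox may write to instead of the user's home.
    The caller is expected to create that directory before running the command.
    """
    env = os.environ if env is None else env
    cmd = ["java", "-jar", str(apktool_jar), "-q", "decode",
           "-f", str(apk), "-o", str(out_dir)]
    snap_data = env.get("SNAP_USER_DATA")
    if snap_data:
        # Hypothetical directory name, chosen for this example.
        frame_dir = Path(snap_data) / "apktool-framework"
        cmd += ["--frame-path", str(frame_dir)]
    return cmd


if __name__ == "__main__":
    print(denied_paths(SAMPLE_TRACE))
    print(apktool_decode_cmd("apktool.jar", "MyApk.apk", "output"))
```
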