Closed ohyeah521 closed 1 week ago
jpstotz
commented
5 months ago It is a known problem that ZIP implementation of Java does not support archives with unknown compression methods. As you can see from the stack trace this happens when creating the ZipFile instance, thus there is no way to ignore or skip this error.
The only way to solve this problem would be using a completely different ZIP implementation.
ohyeah521
commented
5 months ago You are right. Maybe we can analyze the source code by referring to the zip of the source code and ignore some of the verification fields that throw exceptions.
jpstotz
commented
5 months ago To my knowledge there is no option or other possibility to skip this check. initCEN is always executed when opening a new ZIP file
ohyeah521
commented
5 months ago It is true that Java is very difficult to implement. Perhaps introducing an external decompression tool is a better choice. Instead of calling the system library directly, it can be made into a configuration option. When encountering confusion, users can choose the decompression tool themselves. In this way, decompilation can continue. I think this implementation is better than exiting directly.
jpstotz
commented
5 months ago You have the sample file. Feel free to test other libraries but to my knowledge there are not many like ZIP libraries that have an own implementation. Just two candidates come to my mind: apache-commons-compress and zip4j.
skylot
commented
5 months ago @jpstotz I tried zip4j, but it also not support fake compression method :cry:
Caused by: net.lingala.zip4j.exception.ZipException: Unknown compression method
at net.lingala.zip4j.model.enums.CompressionMethod.getCompressionMethodFromCode(CompressionMethod.java:52)
at net.lingala.zip4j.headers.HeaderReader.readLocalFileHeader(HeaderReader.java:543)
at net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry(ZipInputStream.java:115)
at net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry(ZipInputStream.java:105)
at jadx.api.plugins.utils.ZipSecurity.visitZipEntries(ZipSecurity.java:135)Will try other lib :confused:
skylot
commented
5 months ago Apache Commons Compress also doesn't support fake compression method:
Caused by: org.apache.commons.compress.archivers.zip.UnsupportedZipFeatureException: Unsupported feature compression method used in entry AndroidManifest.xml
at org.apache.commons.compress.archivers.zip.ZipUtil.checkRequestedFeatures(ZipUtil.java:145)
at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.read(ZipArchiveInputStream.java:915)Looks like the only way to fight such tampering is to write own zip reader implementation :rofl:
jackwpa
commented
5 months ago Looks like the only way to fight such tampering is to write own zip reader implementation
It must be what JEB has done (link to JEB API). It's working fine for me with JEB 5.12:
skylot
commented
5 months ago I actually implemented my own zip parser, and it is working fine :rofl: But looks like this sample use some tricks to prevent parsing AndroidManifest.xml (maybe related to #2182), so I will keep working on this issue.
skylot
commented
1 week ago Fixed in PR #2298 by @qfalconer :tada:
ohyeah521
commented
1 week ago Well done, I provide another idea: I first check whether the apk file has modified the zip file format through a third-party tool. If so, use it to decompress, and then use jadx to analyze the dex file. Since this implementation requires the use of third-party tools, I did not provide a PR
Issue details
The malware exploits the Android system's failure to verify zip flag tampering, causing an exception to be thrown when parsing the apk.
Relevant log output or stacktrace
Provide sample and class/method full name
test.zip
Jadx version
1.5.0