These two apks are crashing after a simple unpack/repack with Soot

[louison]

Hi there, I'm trying to instrument APKs in order to hook some of their methods. For the two following APKs, I'm able to unpack-repack-align-sign them successfully but when I'm starting to run them on an Emulator, they both crash for the same reason :

• le_monde.apk :

  07-24 13:46:28.512 22875 22875 E AndroidRuntime: java.lang.ExceptionInInitializerError
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.google.firebase.appindexing.internal.zzs.<init>(Unknown Source:0)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.google.firebase.appindexing.internal.zzq.<init>(Unknown Source:5)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.google.firebase.appindexing.FirebaseUserActions.a(Unknown Source:21)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.lemonde.androidapp.java.analytic.GoogleElementIndexer.a(Unknown Source:299)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.lemonde.androidapp.java.manager.ElementTrackingManager.a(Unknown Source:120)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.lemonde.androidapp.java.manager.ElementTrackingManager.onElementAvailableEvent(Unknown Source:47)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.squareup.otto.EventHandler.a(Unknown Source:43)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.squareup.otto.Bus.b(Unknown Source:0)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.squareup.otto.Bus.a(Unknown Source:70)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.squareup.otto.Bus.c(Unknown Source:92)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.lemonde.androidapp.java.fragment.AbstractElementFragment$ElementResponseListener.a(Unknown Source:47)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.lemonde.androidapp.java.manager.element.ElementManager$ResponseRunnable.run(Unknown Source:4)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at android.os.Handler.handleCallback(Handler.java:790)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:99)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:164)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:6494)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime: Caused by: java.lang.ClassCastException: com.google.android.gms.internal.zzatp cannot be cast to com.google.android.gms.internal.zzath
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    at com.google.android.gms.internal.zzasn.<clinit>(Unknown Source:33)
  07-24 13:46:28.512 22875 22875 E AndroidRuntime:    ... 20 more

• leboncoin.apk :

  07-24 13:56:40.207 24047 24047 E AndroidRuntime: java.lang.ExceptionInInitializerError
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at com.google.android.gms.appindexing.AppIndex.<clinit>(Unknown Source:0)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.manager.GoogleApiClientManager.<init>(Unknown Source:42)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.dagger.module.UtilsModule.provideGoogleApiClientManager(Unknown Source:7)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.dagger.module.UtilsModule_ProvideGoogleApiClientManagerFactory.get(Unknown Source:12)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.dagger.module.UtilsModule_ProvideGoogleApiClientManagerFactory.get(Unknown Source:0)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at dagger.internal.DoubleCheck.get(Unknown Source:15)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.feature.home.HomeFragment_MembersInjector.injectMembers(Unknown Source:98)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.feature.home.HomeFragment_MembersInjector.injectMembers(Unknown Source:4)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.dagger.component.DaggerAppComponent$HomeComponentImpl.resolveDependencies(Unknown Source:2)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.feature.home.HomeFragment.onCreate(Unknown Source:15)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.Fragment.performCreate(Unknown Source:15)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.moveToState(Unknown Source:760)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentTransition.addToFirstInLastOut(Unknown Source:255)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentTransition.calculateFragments(Unknown Source:20)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentTransition.startTransitions(Unknown Source:53)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.executeOpsTogether(Unknown Source:148)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.removeRedundantOperationsAndExecute(Unknown Source:97)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.execPendingActions(Unknown Source:22)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.executePendingTransactions(Unknown Source:0)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.ui.navigation.AbstractNavigationController.setFragment(Unknown Source:92)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.ui.navigation.AbstractNavigationController.onNavigate(Unknown Source:1003)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at fr.leboncoin.ui.activities.MainActivity.onCreate(Unknown Source:310)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.Activity.performCreate(Activity.java:7009)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.Activity.performCreate(Activity.java:7000)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1214)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2731)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2856)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.ActivityThread.-wrap11(Unknown Source:0)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1589)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:164)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:6494)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime: Caused by: java.lang.ClassCastException: com.google.android.gms.internal.zzauz cannot be cast to com.google.android.gms.internal.zzaur
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    at com.google.android.gms.internal.zzatv.<clinit>(Unknown Source:33)
  07-24 13:56:40.207 24047 24047 E AndroidRuntime:    ... 35 more

I order to debug that, I did not instrumented the applications and only unpacked and repackaged them. I also tried to do the same with apktool and it appears that it works fine with it. (No crash for both of the apps).

Does someone know how soot handles the repackaging of an apk after loading it ?

Here are the two apks : • le_monde.apk: https://transfer.sh/XbUq9/le_monde.apk • leboncoin.apk: https://transfer.sh/VRcW6/leboncoin.apk

In order to reproduce the bug you must :

1. Init soot with the following options :

   Options.v().set_allow_phantom_refs(true);
   Options.v().set_validate(true);
   Options.v().set_src_prec(Options.src_prec_apk);
   Options.v().set_android_jars(PATH_TO_ANDROID_JARS);
   Options.v().set_process_dir(Collections.singletonList(apk.getAbsolutePath()));
   Options.v().set_process_multiple_dex(true);
   Options.v().set_whole_program(true);
   Options.v().set_output_dir(outputDirectory);
   Options.v().set_output_format(Options.output_format_dex);
   Options.v().set_force_overwrite(true);
   Scene.v().loadNecessaryClasses();

2. Repackage the application using :

   PackManager.v().writeOutput();

3. zipalignand sign the output apk
4. Install and run the apk in an emulator.
   • For le_monde.apk the app will not crash until you try to navigate on an article (it's a newspaper app)
   • For leboncoin.apkthe app will crash as soon as it will try to load the Main activity.

Thank you in advance for your help, Best,

Louison

[mbenz89]

I order to debug that, I did not instrumented the applications and only unpacked and repackaged them. I guess this also led to the exception you state?

Generally, it is hard to say what went wrong here. I also stumbled across some apps which Soot was not able to correctly reassemble. I'm afraid you will have to track down the problem yourself. Maybe you could start with comparing the SootClasses that are read in and written out with the original classes and see if there are obvious things missing/incorrect which would have an impact on the cast stated in the exception.

Are these class names obfuscated?

[louison]

Hi @mbenz89, I bypassed the problem for a while by only using apktool. But now I encounter the problem again and I feel bad for not having answered to your previous answer. Sorry for that.

The classes names are obfuscated and it seems that it is always linked to classes belonging to com.google.android.gms.internal

Where and how would you advise me to start my investigation to compare read in and written out SootClasses ?

Thank you in advance

[louison]

So I investigated this bug a bit closer by translating dex to java source code and I found the following :

// leboncoin.apk original (not repackaged by Soot) --> source code

@Hide
public final class zzatv
{
  @Hide
  private static Api.zzf<zzaux> zzefb = new Api.zzf();
  private static final Api.zza<zzaux, Api.ApiOptions.NoOptions> zzefc = new zzatw();
  public static final Api<Api.ApiOptions.NoOptions> zzefd = new Api("AppDataSearch.LIGHTWEIGHT_API", zzefc, zzefb);
  private static zzaur zzefe = new zzauz();
}

// leboncoin.apk repackaged by Soot  --> source code

@Hide
public final class zzatv
{
  @Hide
  private static Api.zzf<zzaux> zzefb = new Api.zzf();
  private static final Api.zza<zzaux, Api.ApiOptions.NoOptions> zzefc = new zzatw();
  public static final Api<Api.ApiOptions.NoOptions> zzefd = new Api("AppDataSearch.LIGHTWEIGHT_API", zzefc, zzefb);
  private static zzaur zzefe = (zzaur)new zzauz();
}

It looks like Soot had wrongly interpreted a part of the byte code. Does someone know where I can investigate further to find out where did Soot make this wrong ?

Thank you

[StevenArzt]

The casts are normally introduced by the type assigner. In the last line of your code snippet, the declared type of the variable is "zzaur", which is apparently correct, since it is the same type as in the original APK file. The right side also constructs an instance of the same class, i.e., "zzauz". The question now is: What is the relationship between "zzaur" and "zzauz"? The original code can only work if "zzaur" is a (transitrive) superclass of "zzauz" (or an interface that some class along the hierarchy implements). Is this the case? If not, the original code is already buggy.

If the class hierarchy is correct in the original APK, you need to check it in the Soot-generated APK as well. Is "zzaur" still a superclass of "zzauz" there or is it still an interface implemented by some class along the way? If not, that's your bug and Soot messes up the hierarchy.

If the hierarchy is still correct, we're facing something weird and need to talk again.

[mbenz89]

I'm witnessing the same issue with another app:

04-10 13:08:36.888  5508  5578 E AndroidRuntime: FATAL EXCEPTION: pool-10-thread-1
04-10 13:08:36.888  5508  5578 E AndroidRuntime: Process: com.mal.saul.coinmarketcap, PID: 5508
04-10 13:08:36.888  5508  5578 E AndroidRuntime: java.lang.ExceptionInInitializerError
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.d.b.a(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.internal.b.gr.<clinit>(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.b.a.a(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.internal.d.fd.b(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.internal.d.fd.a(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.internal.d.fe.run(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at java.lang.Thread.run(Thread.java:761)
04-10 13:08:36.888  5508  5578 E AndroidRuntime: Caused by: java.lang.ClassCastException: com.google.android.gms.internal.j.d cannot be cast to com.google.android.gms.d.i
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    at com.google.android.gms.d.b.<clinit>(dalvik_source_com.mal.saul.coinmarketcap-51.apk)
04-10 13:08:36.888  5508  5578 E AndroidRuntime:    ... 9 more

App: com.mal.saul.coinmarketcap-51.apk