
Error When Decoding Manifest

Open iAlexAR opened this issue 6 years ago • 3 comments

Information

  1. Apktool Version (apktool -version) - 2.4.0
  2. Operating System (Mac, Linux, Windows) - Windows
  3. APK From? (Playstore, ROM, Other) - PlayStore & APKPure

Stacktrace/Logcat

F:\Workplace>apktool d DEC.apk
I: Using Apktool 2.4.0 on DEC.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Users\alepe\AppData\Local\apktool\framework\1.apk
Exception in thread "main" brut.androlib.err.RawXmlEncounteredException: Could not decode XML
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:148)
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decodeManifest(XmlPullStreamDecoder.java:154)
        at brut.androlib.res.decoder.ResFileDecoder.decodeManifest(ResFileDecoder.java:161)
        at brut.androlib.res.AndrolibResources.decodeManifestWithResources(AndrolibResources.java:204)
        at brut.androlib.Androlib.decodeManifestWithResources(Androlib.java:136)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:122)
        at brut.apktool.Main.cmdDecode(Main.java:167)
        at brut.apktool.Main.main(Main.java:76)
Caused by: java.io.EOFException
        at com.google.common.io.LittleEndianDataInputStream.readAndCheckByte(LittleEndianDataInputStream.java:226)
        at com.google.common.io.LittleEndianDataInputStream.readInt(LittleEndianDataInputStream.java:116)
        at brut.util.DataInputDelegate.readInt(DataInputDelegate.java:61)
        at brut.androlib.res.decoder.AXmlResourceParser.doNext(AXmlResourceParser.java:890)
        at brut.androlib.res.decoder.AXmlResourceParser.next(AXmlResourceParser.java:102)
        at brut.androlib.res.decoder.AXmlResourceParser.nextToken(AXmlResourceParser.java:112)
        at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.nextToken(XmlPullParserDelegate.java:105)
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:141)
        ... 7 more

Steps to Reproduce

  1. apktool d APKName.apk

Frameworks

If this APK is from an OEM ROM (Samsung, HTC, LG). Please attach framework files (.apks that live in /system/framework or /system/priv-app) - using the usual framework apk

APK

If this APK can be freely shared, please upload/attach a link to it.

  • PlayStore - https://play.google.com/store/apps/details?id=com.klab.yuhaku_maji_battle
  • APKPure - https://apkpure.com/%E5%B9%BD%E9%81%8A%E7%99%BD%E6%9B%B8-100-%E6%9C%AC%E6%B0%97-%E3%83%9E%E3%82%B8-%E3%83%90%E3%83%88%E3%83%AB/com.klab.yuhaku_maji_battle

Questions to ask before submission

  1. Have you tried apktool d, apktool b without changing anything?
  • YES, -d won't work and I need to decode the manifest (only -r will work but is useless in my case)
  2. If you are trying to install a modified apk, did you resign it?
  • not related to my issue
  3. Are you using the latest apktool version?
  • yes, v2.4.0

iAlexAR avatar Apr 28 '19 19:04 iAlexAR

This looks similar to the https://github.com/iBotPeaches/Apktool/issues/1131 issues...

~Ibuprophen

Ibuprophen avatar Apr 28 '19 21:04 Ibuprophen

Confirmed.

iBotPeaches avatar Jun 02 '19 21:06 iBotPeaches

I'm not sure about a fix for this because the manifest seems incorrect, but Android Studio / aapt are able to parse and present the file correctly. Anyway, here's what I found:

  • APKTool seems to be able to decode most of AndroidManifest.xml - the file created in the output folder after the failure contains the end of the expected file (the closing 'manifest' tag)
  • The AndroidManifest.xml in the APKs contains 2 namespaces:
    <manifest
      xmlns:amazon="http://schemas.amazon.com/apk/res/android"
      xmlns:android="http://schemas.android.com/apk/res/android" 
      ...
    
  • The decoding fails when 2 namespace-end chunks are expected, but only one is found.
  • According to this post, the chunk header for namespace start looks like: 00 01 10 00 18 and for namespace end it looks like 01 01 10 00 18.
  • In the old version of the APK, the binary format of the AndroidManifest does include only a single namespace-end chunk, even though it has 2 namespace-start chunks.
  • The end of the manifest from the new version:
000056e0  00 00 ff ff ff ff ff ff  ff ff 46 00 00 00 03 01  |..........F.....|
000056f0  10 00 18 00 00 00 02 00  00 00 ff ff ff ff ff ff  |................|
00005700  ff ff 8f 00 00 00 01 01  10 00 18 00 00 00 02 00  |................|
00005710  00 00 ff ff ff ff 2e 00  00 00 8c 00 00 00 01 01  |................|
00005720  10 00 18 00 00 00 02 00  00 00 ff ff ff ff 2d 00  |..............-.|
00005730  00 00 8b 00 00 00                                 |......|
00005736
  • And from the old version:
00004900  00 00 00 ff ff ff ff 08  00 00 12 ff ff ff ff 03  |................|
00004910  01 10 00 18 00 00 00 2a  01 00 00 ff ff ff ff ff  |.......*........|
00004920  ff ff ff 7d 00 00 00 03  01 10 00 18 00 00 00 4a  |...}...........J|
00004930  00 00 00 ff ff ff ff ff  ff ff ff 3d 00 00 00 03  |...........=....|
00004940  01 10 00 18 00 00 00 02  00 00 00 ff ff ff ff ff  |................|
00004950  ff ff ff 7a 00 00 00 01  01 10 00 18 00 00 00 02  |...z............|
00004960  00 00 00 ff ff ff ff 28  00 00 00 77 00 00 00     |.......(...w...|
0000496f 

In newer versions of the application the issue can no longer be reproduced, so I'm attaching a zip with thinner versions of the APKs and old/new manifest files.

2070-error-decoding-manifest.zip

The zip contains:

  • v5.7.5_apkpure.com.withoutAssetsAndLibs.apk and v4.0.1_apkpure.com.withoutAssetsAndLibs.apk - a smaller version of the APK mentioned in the issue description. The v5.7.5 one can be decompiled successfully.
  • AndroidManifest.works.xml (from v5.7.5) and AndroidManifest.fails.xml (from v4.0.1) extracted from the APKs.

Comnir avatar Apr 17 '21 16:04 Comnir

Thanks for the detailed research @Comnir. With the recent refactors and my increased knowledge of arsc/axml from those refactors this was easily patchable from your research.

It looks like either a complete mistake or some inner knowledge of AOSP not reading past EOF, so I do the same when reading axml chunks.

➜  2070 apktool d 2070.apk -f
I: Using Apktool 2.8.2-22eb80-SNAPSHOT on 2070.apk
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: /home/ibotpeaches/.local/share/apktool/framework/1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
W: AXML hit unexpected end of file at byte: 0x48F8
I: Regular manifest package...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
➜  2070 apktool b 2070 --use-aapt2
I: Using Apktool 2.8.2-22eb80-SNAPSHOT
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk into: 2070/dist/2070.apk
➜  2070 

Will close when above PR is merged and sorry for the many year delay.

iBotPeaches avatar Jul 26 '23 11:07 iBotPeaches
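
Added example, not code from Apktool or from the commenters: a chunk walker for the binary XML layout discussed in Comnir's comment that counts namespace-start and namespace-end chunks and, like the behaviour iBotPeaches describes, stops at the end of the data with a warning instead of raising. The sample bytes are constructed (string pool and resource map omitted), and the function names `node`, `build_sample`, `walk` and `namespace_report` are hypothetical.

```python
import struct

# Chunk type ids as defined in AOSP ResourceTypes.h (stored little-endian).
RES_XML_TYPE, START_NS, END_NS, START_ELEM, END_ELEM = 0x0003, 0x0100, 0x0101, 0x0102, 0x0103


def node(ctype, body, line=2):
    """One XML tree node: 16-byte header (type, headerSize, size, line, comment) + body."""
    return struct.pack("<HHIII", ctype, 0x10, 0x10 + len(body), line, 0xFFFFFFFF) + body


def build_sample(end_ns_count):
    """Constructed manifest skeleton: two namespace starts, `end_ns_count` namespace ends."""
    ns_a, ns_b = struct.pack("<II", 0x2D, 0x8B), struct.pack("<II", 0x2E, 0x8C)
    elem_start = struct.pack("<IIHHHHHH", 0xFFFFFFFF, 0x46, 0x14, 0x14, 0, 0, 0, 0)
    elem_end = struct.pack("<II", 0xFFFFFFFF, 0x46)
    nodes = [node(START_NS, ns_a), node(START_NS, ns_b),
             node(START_ELEM, elem_start), node(END_ELEM, elem_end)]
    nodes += [node(END_NS, ns) for ns in (ns_b, ns_a)[:end_ns_count]]
    payload = b"".join(nodes)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(payload)) + payload


def walk(data):
    """Return (chunks, warning); stop at end of data instead of raising EOFError."""
    if len(data) < 8 or struct.unpack_from("<H", data, 0)[0] != RES_XML_TYPE:
        return [], "not a binary XML file"
    chunks, off = [], struct.unpack_from("<H", data, 2)[0]
    while off < len(data):
        if off + 8 > len(data):
            return chunks, f"unexpected end of file at byte: 0x{off:X}"
        ctype, hdr, size = struct.unpack_from("<HHI", data, off)
        if hdr < 8 or size < hdr or off + size > len(data):
            return chunks, f"bad or truncated chunk at byte: 0x{off:X}"
        chunks.append((off, ctype, size))
        off += size
    return chunks, None


def namespace_report(data):
    """Count namespace start/end chunks; `unclosed` > 0 is the condition from the thread."""
    chunks, warning = walk(data)
    starts = sum(1 for _, t, _ in chunks if t == START_NS)
    ends = sum(1 for _, t, _ in chunks if t == END_NS)
    return {"starts": starts, "ends": ends, "unclosed": starts - ends, "warning": warning}
```

Running `namespace_report` on a real `AndroidManifest.xml` extracted from an APK works the same way, since the walker skips the string pool and resource map by their declared chunk sizes.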