
Wrong method references in multidex APK

Open haeter525 opened this issue 3 years ago • 0 comments

Hi. I found there may be an issue parsing method references in multidex APKs. Some of the xrefs provided by Rizin are wrong, especially those pointing to external libraries.

Since #2609 describes a bug related to opening multidex APKs, I doubt whether it's the root cause of this issue.

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 22.04 |
| File format of the file you reverse (mandatory) | APK |
| Architecture/bits of the file (mandatory) | Dalvik |
| rizin -v full output, not truncated (mandatory) | rizin 0.5.0 @ linux-x86-64, commit: 782fcd5257f6f16f924162675c2f0f6189f864a4, build: 2022-06-10__06:35:56 |

Expected behavior

Xrefs in multidex APK are linked to the correct methods.

Actual behavior

Some of the xrefs are linked to the incorrect ones.

For example, after opening this sample, I found that the xrefs at two addresses, 0x10096caf0 and 0x100969820, are incorrect.

[0x100966804]> pdq 1 @ 0x10096caf0
0x10096caf0 invoke-virtual {v3, v4}, Lcom/downloader/request/DownloadRequest;->setOnPauseListener(Lcom/downloader/OnPauseListener;)Lcom/dow
[0x100966804]> axf @ 0x10096caf0
C 0x800000041a sym.Landroid_app_job_JobScheduler_.enqueue_Landroid_app_job_JobInfo_Landroid_app_job_JobWorkItem__I ; sym.Landroid_app_job_JobScheduler_.enqueue_Landroid_app_job_JobInfo_Landroid_app_job_JobWorkItem__I
[0x100966804]> 

At 0x10096caf0, the expected callee is Lcom/downloader/request/DownloadRequest; setOnPauseListener(Lcom/downloader/OnPauseListener;)Lcom/dow. But the callee found by Rizin is Landroid/app/job/JobScheduler; enqueue(Landroid/app/job/JobInfo;Landroid/app/job/JobWorkItem;)I.

[0x100966804]> pdq 1 @ 0x100969820
0x100969820   fcn.100969820:
0x100969820 invoke-direct {v1}, Landroidx/databinding/MergedDataBinderMapper;-><init>()V
[0x100966804]> axf @ 0x100969820
C 0x8000000314 sym.Landroid_app_Notification_MediaStyle_._init___V ; sym.Landroid_app_Notification_MediaStyle_._init___V
[0x100966804]>

At 0x100969820, the expected callee is Landroidx/databinding/MergedDataBinderMapper; <init>()V. But the callee found by Rizin is Landroid/app/Notification/MediaStyle; <init>()V.

Steps to reproduce the behavior

  • Open the APK with Rizin. (Password: infected)
  • Run the following commands.
aaa
pdq 1 @ 0x10096caf0; axf @ 0x10096caf0
pdq 1 @ 0x100969820; axf @ 0x100969820

haeter525 avatar Jun 10 '22 14:06 haeter525
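The kind of mismatch shown in the report, as an added illustration that is neither rizin's code nor the reporter's: in the DEX format every file in a multidex APK (classes.dex, classes2.dex, ...) carries its own string_ids, type_ids, proto_ids and method_ids tables, and the method_idx operand of an invoke-* instruction indexes the method_ids table of the DEX that contains the instruction. The script below builds two tiny DEX files in memory from constructed data (the method names are taken from the report; the return type of setOnPauseListener is assumed to be DownloadRequest, since the report truncates it), parses the tables with a small reader, and resolves the same method_idx through both files. Resolving through the sibling DEX names an unrelated framework method, which is what a wrong multidex xref looks like. Whether that is the actual cause of the reported xrefs is not established here; the example only shows why per-DEX resolution is required.

```python
"""Resolve a Dalvik invoke-* method_idx through the DEX that contains the call.
Added example (not rizin's or the reporter's code) on constructed in-memory DEX
files; method_ids indices are local to each DEX, which is the point it shows."""
import struct

HEADER_SIZE = 0x70  # fixed size of header_item


def _read_uleb128(blob, off):
    value, shift = 0, 0
    while True:
        byte, off = blob[off], off + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, off


def build_dex(strings, types, protos, methods):
    """Minimal DEX: header, id tables, data. types = string idx per type, protos =
    (shorty_idx, return_type_idx, [param type idx]), methods = (class, proto, name)."""
    string_ids_off = HEADER_SIZE
    type_ids_off = string_ids_off + 4 * len(strings)
    proto_ids_off = type_ids_off + 4 * len(types)
    method_ids_off = proto_ids_off + 12 * len(protos)
    data_off = method_ids_off + 8 * len(methods)
    data, param_offs, string_offs = bytearray(), [], []
    for _, _, params in protos:  # type_list: u4 size + u2 type_idx each, 4-aligned
        data += b"\x00" * (-len(data) % 4)
        param_offs.append(data_off + len(data) if params else 0)
        if params:
            data += struct.pack("<I%dH" % len(params), len(params), *params)
    for s in strings:  # string_data_item: uleb128 utf16 size (1 byte here), MUTF-8, NUL
        string_offs.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    tables = struct.pack("<%dI" % len(strings), *string_offs)
    tables += struct.pack("<%dI" % len(types), *types)
    for (shorty, ret, _), off in zip(protos, param_offs):
        tables += struct.pack("<III", shorty, ret, off)
    for cls, proto, name in methods:
        tables += struct.pack("<HHI", cls, proto, name)
    header = struct.pack(  # checksum, signature and map_off left zero
        "<8sI20s20I", b"dex\n035\x00", 0, bytes(20),
        data_off + len(data), HEADER_SIZE, 0x12345678, 0, 0, 0,
        len(strings), string_ids_off, len(types), type_ids_off,
        len(protos), proto_ids_off, 0, 0, len(methods), method_ids_off,
        0, 0, len(data), data_off)
    return bytes(header + tables + data)


class Dex:
    def __init__(self, blob):
        assert blob[:4] == b"dex\n", "not a DEX file"
        self.blob = blob
        f = struct.unpack_from("<20I", blob, 32)  # the u4 header fields after the signature
        self.str_off, self.type_off, self.proto_off = f[7], f[9], f[11]
        self.meth_n, self.meth_off = f[14], f[15]

    def string(self, idx):
        off = struct.unpack_from("<I", self.blob, self.str_off + 4 * idx)[0]
        _, off = _read_uleb128(self.blob, off)  # skip utf16 size
        return self.blob[off:self.blob.index(b"\x00", off)].decode("utf-8")

    def type(self, idx):
        return self.string(struct.unpack_from("<I", self.blob, self.type_off + 4 * idx)[0])

    def proto(self, idx):
        _, ret, off = struct.unpack_from("<III", self.blob, self.proto_off + 12 * idx)
        params = ()
        if off:  # parameters_off == 0 means no parameters
            n = struct.unpack_from("<I", self.blob, off)[0]
            params = struct.unpack_from("<%dH" % n, self.blob, off + 4)
        return "(" + "".join(self.type(t) for t in params) + ")" + self.type(ret)

    def method(self, idx):
        """Smali-style descriptor for method_ids[idx] of *this* DEX only."""
        cls, proto, name = struct.unpack_from("<HHI", self.blob, self.meth_off + 8 * idx)
        return "%s->%s%s" % (self.type(cls), self.string(name), self.proto(proto))


def demo():
    """method_idx 0 of an invoke in classes2.dex, resolved through each DEX's tables."""
    classes = Dex(build_dex(  # constructed: the framework method named in the wrong xref
        ["Landroid/app/job/JobScheduler;", "enqueue", "I", "Landroid/app/job/JobInfo;",
         "Landroid/app/job/JobWorkItem;", "ILL"],
        types=[0, 2, 3, 4], protos=[(5, 1, [2, 3])], methods=[(0, 0, 1)]))
    classes2 = Dex(build_dex(  # constructed: the callee the reporter expected
        ["Lcom/downloader/request/DownloadRequest;", "setOnPauseListener",
         "Lcom/downloader/OnPauseListener;", "LL"],
        types=[0, 2], protos=[(3, 0, [1])], methods=[(0, 0, 1)]))
    right = classes2.method(0)  # the DEX the instruction lives in
    wrong = classes.method(0)   # same index, sibling DEX: an unrelated method
    return right, wrong


if __name__ == "__main__":
    print("own DEX:  ", demo()[0])
    print("other DEX:", demo()[1])
```

When checking an xref in a real multidex sample, the same rule applies: take the method_idx from the disassembled invoke-* and look it up in the method_ids table of the DEX section the instruction address falls in, then compare that descriptor with what axf reports.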