Description
This is a continuation of the Android Spyware Maybank2u APK post, where I dig deeper specifically into the decompilation failure. Although several solutions were found previously, I did not fully understand the issue, and that is the reason I am doing this research here.
The Issue
The APK could not be decompiled, as shown in the screenshot below.
[screenshot: decompilation error output]
Analysis
To fully understand what happened, I used the apkInspector tool to look at the information behind it.
[screenshot: apkInspector output]
Based on this information, it reported that the "general purpose bit flag" (GPBF) was different. After researching it, I found a good article that discusses the format: https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html.
After reading it, I learned that the "general purpose bit flag" is a field that appears in both the local file header and the central directory file header.
Local file headers (LFH)
Here is how a local file header looks:
Based on the image, the important fields are:
- the signature is at offsets 0x00 to 0x03 and is always \x50\x4b\x03\x04
- the GPBF (a.k.a. flag) is at offsets 0x06 and 0x07
Central Directory file headers (CDFH)
Here is how a central directory file header looks:
- the signature is at offsets 0x00 to 0x03 and is always \x50\x4b\x01\x02
- the GPBF (a.k.a. flag) is at offsets 0x08 and 0x09
Comparison of LFH and CDFH on the APK
To compare the LFH and CDFH, I first need to identify where the information is located. I used both xxd and https://hexed.it/.
[screenshots: xxd and hexed.it views of the LFH and CDFH for AndroidManifest.xml]
Notice that:
- the GPBF for the LFH of AndroidManifest.xml is \x08\x08 at positions 0x06 and 0x07
- the GPBF for the CDFH of AndroidManifest.xml is \x09\x08 at positions 0x08 and 0x09
Based on this, it is confirmed that there is a difference in the GPBF between the two headers. This is the main reason why it cannot be decompiled.
Why a password prompt when using unzip?
A password was requested when trying to unzip the APK file.
This is because of the GPBF. The GPBF is displayed as a hex number, but its meaning lies in the individual bits of the binary value.
\x08\x08 = 00001000 00001000 (little endian)
- bit 3 is set, which is the data descriptor flag
- bit 11 is set, which is language encoding (UTF-8)
\x09\x08 = 00001000 00001001 (little endian)
- bit 0 is set, which is the encrypted file flag
- bit 3 is set, which is the data descriptor flag
- bit 11 is set, which is language encoding (UTF-8)
So because of this minor change, the entry is marked as encrypted in the CDFH while the LFH still says unencrypted, and this inconsistency confuses the ZIP tools.
How to fix it?
Well, this is simple now that I understand it. Just changing the value in the CDFH from \x09\x08 back to the value in the LFH, \x08\x08, does the trick. Other methods include using zip to try to repair the archive, or using the latest jadx version.
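The following script is an added example and not the author's code or the apkInspector tool: it walks the central directory of a ZIP/APK using the header offsets described above (GPBF at 0x06-0x07 in the LFH, at 0x08-0x09 in the CDFH), reports each entry whose two flags disagree, decodes the three GPBF bits the post discusses (0 = encrypted, 3 = data descriptor, 11 = UTF-8), and applies the fix from the last section by copying the LFH flag over the CDFH flag. The sample archive is constructed in memory with Python's zipfile module and then deliberately given the bit-0 mismatch on AndroidManifest.xml; to run it on a real APK, pass the file's bytes to compare_flags and repair_cdfh_flags instead.

```python
import io
import struct
import zipfile

LFH_SIG = b"\x50\x4b\x03\x04"   # local file header signature, "PK\x03\x04"
CDFH_SIG = b"\x50\x4b\x01\x02"  # central directory file header signature, "PK\x01\x02"
EOCD_SIG = b"\x50\x4b\x05\x06"  # end of central directory record signature

# Only the GPBF bits discussed in the post are decoded; others are left as raw bits.
GPBF_BITS = {0: "encrypted", 3: "data descriptor", 11: "UTF-8 names"}


def decode_gpbf(flag):
    """Return the names of the known GPBF bits set in a 16-bit flag value."""
    return [name for bit, name in sorted(GPBF_BITS.items()) if flag & (1 << bit)]


def _central_directory(data):
    """Locate the central directory through the EOCD record; returns (offset, size)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return cd_offset, cd_size


def iter_cdfh(data):
    """Walk every CDFH, yielding its name, position, GPBF and the LFH offset it points to."""
    pos, cd_size = _central_directory(data)
    end = pos + cd_size
    while pos < end:
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError(f"bad CDFH signature at 0x{pos:x}")
        flag = struct.unpack_from("<H", data, pos + 8)[0]          # GPBF at 0x08-0x09
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lfh_offset = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield {"name": name, "cdfh_pos": pos, "cdfh_flag": flag, "lfh_offset": lfh_offset}
        pos += 46 + nlen + elen + clen


def lfh_flag(data, offset):
    """Read the GPBF (offsets 0x06-0x07) from the local file header at ``offset``."""
    if data[offset:offset + 4] != LFH_SIG:
        raise ValueError(f"bad LFH signature at 0x{offset:x}")
    return struct.unpack_from("<H", data, offset + 6)[0]


def compare_flags(data):
    """Return (name, lfh_flag, cdfh_flag, mismatch) for every entry in the archive."""
    rows = []
    for e in iter_cdfh(data):
        lf = lfh_flag(data, e["lfh_offset"])
        rows.append((e["name"], lf, e["cdfh_flag"], lf != e["cdfh_flag"]))
    return rows


def repair_cdfh_flags(data):
    """Copy each LFH GPBF over a mismatching CDFH GPBF; return (new_bytes, fixed_names)."""
    buf = bytearray(data)
    fixed = []
    for e in iter_cdfh(data):
        want = lfh_flag(data, e["lfh_offset"])
        if want != e["cdfh_flag"]:
            struct.pack_into("<H", buf, e["cdfh_pos"] + 8, want)
            fixed.append(e["name"])
    return bytes(buf), fixed


def try_read(data, name):
    """Return the entry's bytes, or None when zipfile refuses it (e.g. it thinks it is encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except (RuntimeError, zipfile.BadZipFile):
        return None


def build_sample():
    """Constructed sample: a tiny APK-like zip whose CDFH for AndroidManifest.xml gets bit 0 set."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"constructed placeholder, not a real dex file")
    buf = bytearray(bio.getvalue())
    for e in iter_cdfh(bytes(buf)):
        if e["name"] == "AndroidManifest.xml":
            struct.pack_into("<H", buf, e["cdfh_pos"] + 8, e["cdfh_flag"] | 0x0001)
    return bytes(buf)


if __name__ == "__main__":
    broken = build_sample()
    for name, lf, cf, bad in compare_flags(broken):
        print(f"{name}: LFH=0x{lf:04x} {decode_gpbf(lf)}  CDFH=0x{cf:04x} {decode_gpbf(cf)}"
              + ("  <-- MISMATCH" if bad else ""))
    print("readable before fix:", try_read(broken, "AndroidManifest.xml") is not None)
    repaired, names = repair_cdfh_flags(broken)
    print("repaired entries:", names)
    print("readable after fix:", try_read(repaired, "AndroidManifest.xml") is not None)
```

The LFH is treated as the source of truth, matching the fix in the post; on a real sample it is worth checking both headers first with compare_flags, since a tampered archive could just as well have the modified flag in the LFH.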