FIPS META-INF/HMAC.SHA256 (DEX modifies) ERROR - Android Q&A, Help & Troubleshooting

Hi,
I have a signed jar that cannot be allowed to be modified.
By adding it to the /libs folder in Android Studio, when the app is built into an .apk because of it (the .jar) being included in classes.dex the checksum changes and the jar's classes will crash.
Is there a way to import a jar into a project and ensure it does not get obfuscated/compressed/changed etc or kept outside of classes.dex and able to run the apk without problems?
I would have added it to the developers forum but I have a low post count.
Thanks in advance.

Related

Is it possible to use baksmali on the device

Basically I want to be able to decompile apks. And jar files directly on my phone. Can I do that?
Yes, you can. At least, for the most part. The main constraining factor is the small amount of memory available on the device.
1. run the dx util on baksmali.jar, to produce a classes.dex file
2. add the classes.dex file to a new jar (or you can just add it to baksmali.jar)
3. push the jar containing classes.dex to the device somewhere (let's say /data/local/baksmali.jar)
4. dalvikvm -classpath /data/local/baksmali.jar org.jf.baksmali.baksmali <normal baksmali options>
5. bonus points if you then proceded to run baksmali on baksmali.jar (and then the universe implodes)
note: I just tried this with the latest version of baksmali, and there's some weird issue with the baksmali jar file, where it contains duplicate entries of every class file, which causes dx to choke on it. I'll see if I can get that fixed soon, and get a new build out. In the meantime, you can probably find an older version without that problem.
Sweet, thanks for your input. I was out last night and I had this idea for an edit to make, only to become sad because I didn't have access to a computer.
This will help me out a lot.
JesusFreke said:
Yes, you can. At least, for the most part. The main constraining factor is the small amount of memory available on the device.
1. run the dx util on baksmali.jar, to produce a classes.dex file
2. add the classes.dex file to a new jar (or you can just add it to baksmali.jar)
3. push the jar containing classes.dex to the device somewhere (let's say /data/local/baksmali.jar)
4. dalvikvm -classpath /data/local/baksmali.jar org.jf.baksmali.baksmali <normal baksmali options>
5. bonus points if you then proceded to run baksmali on baksmali.jar (and then the universe implodes)
note: I just tried this with the latest version of baksmali, and there's some weird issue with the baksmali jar file, where it contains duplicate entries of every class file, which causes dx to choke on it. I'll see if I can get that fixed soon, and get a new build out. In the meantime, you can probably find an older version without that problem.
Click to expand...
Click to collapse
The problem seems to be within the buildprocess as the generated classes for baksmali and smali are added twice to the *-dev-jar-with-dependencies.jar. As I'm not familar with maven I didn't fixed the source of the error but I managed to get it working.
I attached a small pythonscript which is able to remove the dublicated files within the jar. Just run it over the file and get a fixed version which is processable by dx.
The script:
Code:
#!/usr/bin/python
import sys
from zipfile import *
if len(sys.argv) != 3:
print("Usage: %s input.jar output.jar" % sys.argv[0]);
sys.exit(-1)
input = ZipFile(sys.argv[1], "r")
output = ZipFile(sys.argv[2], "w")
seen = []
for file in input.namelist():
if file not in seen:
output.writestr(file, input.read(file))
seen.append(file)
else:
print("dub found: %s" % file)
input.close()
output.close()
sorry ...
Wrong place
JesusFreke said:
Yes, you can. At least, for the most part. The main constraining factor is the small amount of memory available on the device.
1. run the dx util on baksmali.jar, to produce a classes.dex file
2. add the classes.dex file to a new jar (or you can just add it to baksmali.jar)
3. push the jar containing classes.dex to the device somewhere (let's say /data/local/baksmali.jar)
4. dalvikvm -classpath /data/local/baksmali.jar org.jf.baksmali.baksmali <normal baksmali options>
5. bonus points if you then proceded to run baksmali on baksmali.jar (and then the universe implodes)
note: I just tried this with the latest version of baksmali, and there's some weird issue with the baksmali jar file, where it contains duplicate entries of every class file, which causes dx to choke on it. I'll see if I can get that fixed soon, and get a new build out. In the meantime, you can probably find an older version without that problem.
Click to expand...
Click to collapse
I realize this is a very old thread, but it is exactly what I am looking for However, it seems there are Java 8 features in smali/baksmali now and dx does not work. Is there a workaround for this or any other way to run smali/baksmali from terminal on Android? Thanks!
The older versions of smali may still work for you. Or what I've done is use Termux and download the jdk for arm64 and used the ndk to compile smali on my device.
Delgoth said:
The older versions of smali may still work for you. Or what I've done is use Termux and download the jdk for arm64 and used the ndk to compile smali on my device.
Click to expand...
Click to collapse
Thanks for the reply
However, I am not trying to compile smali on my device. I am trying to run the latest smali/baksmali on my device in Termux. Unfortunately, the older versions will not work for my needs. If you can help I would really appreciate it
But compiling the latest build of small on the device will allow you to use the latest build of smali.

[Q] APK modding Deskclock - Please Help

So i have this Deskclock.apk and i want to add this.
No Problem with the ".xml" Files. I can edit them easily after i decompile the apk with the "apkTool". But where will i find the ".java" Files? After decompiling the apk i only see ".smali".
So i found out that the ".java" files are in "classes.dex" from the apk.
I use "dex2jar" to get a ".jar" File.
Then i use "jd-gui" to get ".java" Files.
So i can edit it and put the needed Strings in the .java files.
But how to put them back to a "classes.dex" File which i can put back to the apk??
I hope i get a bit help here.
You can use APKTool. It will automaticly extract all the classes (.dex), resources (.asrc), then it will convert binary XML to human-readable XML, and it will also dissassemble the classes for you.
Just tell APKTool to decode the APK into a directory, then modify what you want, and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to read it, and even edit it if you're familiar with jasmin. If you want Java source, please go over the Manual way.
Sent from my VS910 4G using XDA
Thx...I know how to use APKTool but i need to put the ".java" Files back into the "classes.dex". Thats my Problem.
There's info on the process here: http://stackoverflow.com/questions/10261147/converting-java-back-to-classes-dex
Essentially it looks like you need to compile the .java to .class files with javac and then create classes.dex with dx. Hope this link is helpful.

[Q] DexMerger not working?

I've always searched for a way to dex jar libraries once and then simply merge them when building the Android app.
Now the current version of dx (from the Android SDK 4.1.1) contains a DexMerger class.
You can call it directly with java -cp com.android.merge.DexMerger to merge 2 .dex files together.
dx itself uses this class when you dex a directory with .class files and there are archives (.zip, .jar, .apk) containing a classes.dex file. These classes.dex files are then merged with the dex file to be built from the .class files.
The problem is that dex files created with DexMerger do not work. APKs built this way are not installed.
Does anyone know how to make this work?
Where could I contact the Android SDK developers to ask them directly?
Tom

[Q] Is APK signature verification extra fields bug patched in older API versions?

Hi guys,
Sorry in advance if I posted this to the wrong place as I am not allowed to post into Android devs-only forum.
I am currently investigating the extra fields flaw in apk signature verification discovered in juli 2013 by trying to replicate it on the AVD.
First of all...this is research only as I am trying to understand my system's internals and especially permissions handling.
What i try to achieve is to root the AVD by using the elevated permissions of a apk signed with the platform key.
1. I have an apk signed with the platform key from my cyanogenmod 10.2 device and a classes.dex with size under 65k that will try to install SuperSU on my AVD
2. When creating a new apk I put the original classes.dex into the extras field of the corresponding ZIP entry and pad it to have a size of 65533
3. The rooting classes.dex goes into the data field of the ZIP entry and extra lengh is set to 65533 or -3 as seen by the buggy verifier. This classes.dex is also padded to have the exact size of the original classes.dex
4. My MainActivity tries to install the just assembled apk
Expected result: As the verifier is validating the original classes by jumping 3 backwards instead of 65533 forward the apk should be installed having elevated system privileges.
Actual result: AVD refuses installation of the apk with error code -103 as the "digest of classes.dex does not match those in the apk".
My thoughts on what may cause this:
A) I know that google merged the fix for this bug into HEAD but it still should work on AVD 2.3 and 4.1.
Or are all versions of AVD patched agains extras field expliotation? As I update my APIs everyday the fix is likely to be in my AVD.
Correct me if i am wrong.
B) As I use a cyanogenmod 10.2 apk as the base the platform keys may not match those of the AVD.
If so the error should be different to -103 but something like "system user signature does not match"
Please would someone point me into the right direction?

Re-compiling AndroidManifest.xml only

Is there a way to compile just AndroidManifest.xml?
I'm de-compiling an apk using --force-manifest flag in apktool and can't seem to be able to re-compile the manifest, so i'm unable to use the app. (I signed the apk after building)
Guyishay said:
Is there a way to compile just AndroidManifest.xml?
I'm de-compiling an apk using --force-manifest flag in apktool and can't seem to be able to re-compile the manifest, so i'm unable to use the app. (I signed the apk after building)
Click to expand...
Click to collapse
Hmm... I don't think that's possible, but you may get something similar, according to APKTOOL Documentation using these options:
Code:
--no-assets
Prevents decoding/copying of unknown asset files.
Code:
--no-res
This will prevent the decompile of resources. This keeps the resources.arsc intact without any decode. If only editing Java (smali) then this is the recommended action for faster decompile & rebuild
Code:
--no-src
This will prevent the disassembly of the dex file(s). This keeps the apk dex file(s) and simply moves it during build. If you are only editing the resources. This is the recommended action for faster disassemble & assemble

Categories

Resources