Can't decompile Hangouts v26

[PerLycke]

Information

1. 2.3.4-6231ed-SNAPSHOT
2. Mac
3. APK Mirror

Stacktrace/Logcat

I: Using Apktool 2.3.4-6231ed-SNAPSHOT on hangouts_old.apk
I: Loading resource table...
Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:53)
	at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:741)
	at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:67)
	at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:59)
	at brut.androlib.Androlib.getResTable(Androlib.java:68)
	at brut.androlib.ApkDecoder.setTargetSdkVersion(ApkDecoder.java:228)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:118)
	at brut.apktool.Main.cmdDecode(Main.java:164)
	at brut.apktool.Main.main(Main.java:73)
Caused by: java.io.IOException: Expected: 0x00000008, got: 0x00000202
	at brut.util.ExtDataInput.skipCheckShort(ExtDataInput.java:56)
	at brut.androlib.res.decoder.ARSCDecoder.readValue(ARSCDecoder.java:354)
	at brut.androlib.res.decoder.ARSCDecoder.readEntryData(ARSCDecoder.java:276)
	at brut.androlib.res.decoder.ARSCDecoder.readTableType(ARSCDecoder.java:252)
	at brut.androlib.res.decoder.ARSCDecoder.readTableTypeSpec(ARSCDecoder.java:175)
	at brut.androlib.res.decoder.ARSCDecoder.readTablePackage(ARSCDecoder.java:131)
	at brut.androlib.res.decoder.ARSCDecoder.readTableHeader(ARSCDecoder.java:82)
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:48)
	... 8 more

Steps to Reproduce

1. apktool d hangouts.apk

APK

https://www.apkmirror.com/apk/google-inc/hangouts/hangouts-26-0-205315597-release/hangouts-26-0-205315597-11-android-apk-download/

[iBotPeaches]

Confirmed. Crash very early before we can even read the ResPackages

[iBotPeaches]

The crash is occurring reading the ResValue of a spec. The size is always 8, but this is 0x202 or more commonly known as the type for specs. Something is wrong for sure.

[cgarst]

I'm also seeing a similar crash with Binance.

I: Using Apktool 2.3.4 on com.binance.dev-58.apk
I: Loading resource table...
Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:53)
	at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:741)
	at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:67)
	at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:59)
	at brut.androlib.Androlib.getResTable(Androlib.java:68)
	at brut.androlib.ApkDecoder.setTargetSdkVersion(ApkDecoder.java:228)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:118)
	at brut.apktool.Main.cmdDecode(Main.java:164)
	at brut.apktool.Main.main(Main.java:73)
Caused by: java.io.IOException: Expected: 0x00000008, got: 0x00000003
	at brut.util.ExtDataInput.skipCheckShort(ExtDataInput.java:56)
	at brut.androlib.res.decoder.ARSCDecoder.readValue(ARSCDecoder.java:354)
	at brut.androlib.res.decoder.ARSCDecoder.readEntryData(ARSCDecoder.java:276)
	at brut.androlib.res.decoder.ARSCDecoder.readTableType(ARSCDecoder.java:252)
	at brut.androlib.res.decoder.ARSCDecoder.readTableTypeSpec(ARSCDecoder.java:175)
	at brut.androlib.res.decoder.ARSCDecoder.readTablePackage(ARSCDecoder.java:131)
	at brut.androlib.res.decoder.ARSCDecoder.readTableHeader(ARSCDecoder.java:82)
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:48)
	... 8 more

https://play.google.com/store/apps/details?id=com.binance.dev

[iBotPeaches]

Merging duplicates in here. This is basically a non-ordered spec, since 202 is a spec, but we aren't expecting that.

[IzzySoft]

Having a similar issue with this APK and Apktool 2.5.0. Trace looks a bit different, though:

Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:53)
	at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:790)
	at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:67)
	at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:59)
	at brut.androlib.Androlib.getResTable(Androlib.java:66)
	at brut.androlib.ApkDecoder.setTargetSdkVersion(ApkDecoder.java:236)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:118)
	at brut.apktool.Main.cmdDecode(Main.java:179)
	at brut.apktool.Main.main(Main.java:82)
Caused by: java.io.EOFException
	at com.google.common.io.LittleEndianDataInputStream.readAndCheckByte(LittleEndianDataInputStream.java:232)
	at com.google.common.io.LittleEndianDataInputStream.readUnsignedShort(LittleEndianDataInputStream.java:98)
	at com.google.common.io.LittleEndianDataInputStream.readShort(LittleEndianDataInputStream.java:191)
	at brut.util.DataInputDelegate.readShort(DataInputDelegate.java:49)
	at brut.androlib.res.decoder.ARSCDecoder.readEntryData(ARSCDecoder.java:269)
	at brut.androlib.res.decoder.ARSCDecoder.readTableType(ARSCDecoder.java:252)
	at brut.androlib.res.decoder.ARSCDecoder.readTableTypeSpec(ARSCDecoder.java:175)
	at brut.androlib.res.decoder.ARSCDecoder.readTablePackage(ARSCDecoder.java:131)
	at brut.androlib.res.decoder.ARSCDecoder.readTableHeader(ARSCDecoder.java:82)
	at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:48)
	... 8 more

As you collect duplicates here, I decided to not create another one 😉

Hint for those just interested in the smali code: apktool d -r <apkfile> works in this case and doesn't trigger the exception (as it skips the resource file altogether).

[iBotPeaches]

Apologies how this took like 5 years. A few weeks ago I refactored the parser of AXML/ARSC and thus I understood it like 100x better than before.

So I looked at this again and it was something dumb. We never checked if an associated entry had a missing entry (NO_ENTRY). So we read too much and hit the next chunk. Adding a proper skip for what AOSP describes as:

a value of NO_ENTRY means that entry is not defined.

Then we get

➜  1874 apktool d 1874.apk -f
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.8.2-22eb80-SNAPSHOT on 1874.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/ibotpeaches/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
➜  1874 apktool b 1874
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.8.2-22eb80-SNAPSHOT
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/lib)
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk into: 1874/dist/1874.apk
➜  1874 

No issue. Theres a few other applications in here, but to be honest - none of them have the same issue as the Google Hangouts one. So just focusing the original issue here.