Case study: an APK file disguised as ZIP64 format

Source: Internet
Author: User

Software Sample: http://files.cnblogs.com/files/mmmmar/FMRMemoryCleaner.apk

On a forum I saw a user asking for help removing the ads from a small app. I downloaded it and found it was a memory cleaner. At first I was going to tell him to just revoke its network access permission, but on reflection I decided to help modify it.

However, when the app was loaded into Android Killer (not JEB) for decompilation, it reported an error, shown below:

    I: Using ShakaApktool 2.0.0-20150914
    >Exception in thread "main" b.a.d: b.d.f: java.util.zip.ZipException: invalid CEN header (bad signature)
    >    at b.a.e.g(Unknown Source)
    >    at b.a.e.a(Unknown Source)
    >    at b.b.a.a(Unknown Source)
    >    at b.b.a.a(Unknown Source)
    >    at com.rover12421.shaka.cli.Main.main(Unknown Source)
    >Caused by: b.d.f: java.util.zip.ZipException: invalid CEN header (bad signature)
    >    at b.d.j.<init>(Unknown Source)
    >    at b.d.j.<init>(Unknown Source)
    >    at b.a.d.c.a.a(Unknown Source)
    >    ... 5 more
    >Caused by: java.util.zip.ZipException: invalid CEN header (bad signature)
    >    at java.util.zip.ZipFile.open(Native Method)
    >    at java.util.zip.ZipFile.<init>(ZipFile.java: -)
    >    at java.util.zip.ZipFile.<init>(ZipFile.java: Max)
    >    at java.util.zip.ZipFile.<init>(ZipFile.java:164)
    >    ... 8 more
    APK decompilation failed; cannot continue to the next step, source decompilation!

According to the error message, the problem occurs when unpacking the APK, yet when I tried opening it with HaoZip it opened normally.

I then tried unzipping it with HaoZip, repacking it, and loading it into Android Killer.

But what is the principle behind this defensive approach?

First, a search for the error message "invalid CEN header" showed that this error is related to ZIP64: the ZipFile class in Java 1.6 does not support the ZIP64 format. I also found this on the wiki.

Android 6.0 supports the ZIP64 format, so my guess is that this is not really a ZIP64 file but an ordinary ZIP file that the software author has disguised as ZIP64. The Android system does not check for this at install time, but it crashes the decompiler.

Since the file is disguised as ZIP64, some of its flag fields must have been changed.

The original ZIP format is limited to 4 GB; the ZIP64 format breaks this limit.

It uses a "normal" central directory entry for a file, followed by an optional "ZIP64" directory entry, which has the larger fields.

Next, I looked up the data structure of a ZIP archive.

A ZIP file consists of the following sections:

[Local file header]
[Encryption header]
[File data]
[Data descriptor]
[Archive decryption header]
[Archive extra data record]
[Central directory header]
[Central directory header]
[Zip64 end of central directory record]
[Zip64 end of central directory locator]
[End of central directory record]

Each section has some fixed fields that describe the section itself.

For example, the data descriptor:

Offset Bytes Description
0 4 Optional Data Descriptor signature = 0x08074b50
4 4 CRC-32
8 4 Compressed size
12 4 Uncompressed size

Each section starts with a 4-byte signature that serves as its start marker.

The ZIP64-related sections are the Zip64 end of central directory record and the Zip64 end of central directory locator; their signatures are 0x06064b50 and 0x07064b50, respectively.

Then we search the sample file for these two signatures.

Both can be found.

Now look at the file repacked with HaoZip.

At the end of that file, only the signature of the end of central directory record is found; there is no ZIP64-related signature.

Therefore, I deleted the section 4 b - 4 B from the sample file and loaded the result into Android Killer.

You can see that the decompilation completes.

From this we can conclude:

The software author relies on the fact that decompilation tools do not support the ZIP64 format, while the Android system does not check the APK file in this respect when installing an app, and adds ZIP64 signatures to the APK file to prevent third parties from modifying it.

Of course, the simplest method is to use compression software (such as HaoZip) to unpack and repackage.

I do not fully understand the data structure, so my reasoning may not be quite right; corrections are welcome.
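The signature check and the deletion described above, as an added Python example that is not part of the original post. The function names are hypothetical, the input is a constructed in-memory ZIP rather than the sample APK, and it assumes that nothing is prepended to the archive and that the archive comment does not contain the end of central directory signature.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # 0x06054b50 end of central directory record
Z64_REC_SIG = b"PK\x06\x06"   # 0x06064b50 Zip64 end of central directory record
Z64_LOC_SIG = b"PK\x06\x07"   # 0x07064b50 Zip64 end of central directory locator


def inspect_zip64(data: bytes) -> dict:
    """Locate ZIP64 end-of-archive records and decide whether the EOCD needs them."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("no end of central directory record")
    # EOCD fields at +8: entries on disk, entries total, CD size, CD offset.
    n_disk, n_total, cd_size, cd_off = struct.unpack_from("<2H2I", data, eocd + 8)
    # A genuine ZIP64 archive marks overflowing fields with all-ones values.
    needed = 0xFFFF in (n_disk, n_total) or 0xFFFFFFFF in (cd_size, cd_off)
    # Assumption: offsets are file-relative (nothing prepended to the archive).
    cd_end = None if needed else cd_off + cd_size
    loc = eocd >= 20 and data[eocd - 20:eocd - 16] == Z64_LOC_SIG
    rec = not needed and data[cd_end:eocd].startswith(Z64_REC_SIG)
    return {"eocd": eocd, "cd_end": cd_end, "zip64_needed": needed,
            "zip64_present": loc or rec, "disguised": (loc or rec) and not needed}


def strip_disguise(data: bytes) -> bytes:
    """Drop the bytes between the central directory and the EOCD if disguised."""
    info = inspect_zip64(data)
    if not info["disguised"] or info["cd_end"] >= info["eocd"]:
        return data
    return data[:info["cd_end"]] + data[info["eocd"]:]


def make_sample(disguise: bool) -> bytes:
    """Constructed test input: a one-entry ZIP, optionally with ZIP64 records."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        entry = zipfile.ZipInfo("classes.dex", (2016, 1, 1, 0, 0, 0))
        zf.writestr(entry, b"constructed sample, not a real dex")
    data = buf.getvalue()
    if not disguise:
        return data
    eocd = data.rfind(EOCD_SIG)
    n, cd_size, cd_off = struct.unpack_from("<H2I", data, eocd + 10)
    rec = struct.pack("<4sQ2H2I4Q", Z64_REC_SIG, 44, 45, 45, 0, 0,
                      n, n, cd_size, cd_off)
    loc = struct.pack("<4sIQI", Z64_LOC_SIG, 0, eocd, 1)
    return data[:eocd] + rec + loc + data[eocd:]
```

An archive is reported as disguised only when ZIP64 records are present while every end of central directory field still fits its 16-bit or 32-bit slot, so a genuinely large ZIP64 archive is left untouched.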

Related information

https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT

https://en.wikipedia.org/wiki/Zip_%28file_format%29#cite_note-29
