View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000658 | file | General | public | 2025-05-15 16:52 | 2025-05-15 16:52 |
Reporter | adepasquale | Assigned To | | | |
---|---|---|---|---|---|
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | | |
Product Version | 5.46 | | | | |
Summary | 0000658: Update magic for JAR and APK | | | | |
Tags | No tags attached. | | | | |

Description

I found a valid JAR file that contains the folder "META-INF/" as the first ZIP record (instead of the more common "META-INF/MANIFEST.MF" file as the first ZIP record). Before/after the patch:

    722bb1ea9755703003316854a32e49721e209f97de9e9260f64ad5b5a14f6e87: Zip archive data, at least v2.0 to extract, compression method=deflate
    722bb1ea9755703003316854a32e49721e209f97de9e9260f64ad5b5a14f6e87: Java archive data (JAR)

The sample is malicious, but if needed I can provide a harmless one for testing.
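The identification logic the report relies on (name length of the first local file header at offset 26 and the name at offset 30, APK markers searched in the last 512 bytes, the EOCD record at -22 and the APK Signing Block magic 16 bytes before the central-directory offset read at -6) reproduced in Python as an added example; this is not code from the report or from file's own magic, and every archive it classifies is constructed in memory, including a synthetic empty APK Signing Block in place of a real signed APK.

```python
import io
import struct
import zipfile

# Markers the magic searches for in the last 512 bytes (where the central directory usually sits).
APK_MARKERS = (b"resources.arsc", b"classes.dex", b"lib/armeabi", b"res/drawable")
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def has_apk_signing_block(data: bytes) -> bool:
    """Mirror of the '-22 string PK\\005\\006' and '(-6.l-16) string APK Sig Block 42' tests:
    a comment-less EOCD record is 22 bytes, so the 4-byte central-directory offset is at -6,
    and the signing block's 16-byte magic immediately precedes the central directory."""
    if len(data) < 22 or data[-22:-18] != b"PK\x05\x06":
        return False
    cd_offset = struct.unpack_from("<I", data, len(data) - 6)[0]
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def classify(data: bytes) -> str:
    """Classify like the patched magic: the first local header must name META-INF/MANIFEST.MF
    (length 20) or the META-INF/ folder (length 9); then APK markers near the end decide
    between APK and plain JAR."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return "not a zip"
    name_len = struct.unpack_from("<H", data, 26)[0]  # uleshort at offset 26
    first_name = data[30:30 + name_len]               # string at offset 30
    if first_name not in (b"META-INF/MANIFEST.MF", b"META-INF/"):
        return "Zip archive data"
    if any(marker in data[-512:] for marker in APK_MARKERS):
        sig = ", with APK Signing Block" if has_apk_signing_block(data) else ""
        return "Android package (APK)" + sig
    return "Java archive data (JAR)"


def build_zip(entries) -> bytes:
    """Constructed sample archive; entries is an ordered list of (name, payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def add_fake_signing_block(data: bytes) -> bytes:
    """Constructed: splice an empty APK Signing Block (size, size, magic) in front of the
    central directory and bump the EOCD offset so the (-6.l-16) check can find the magic."""
    cd_offset = struct.unpack_from("<I", data, len(data) - 6)[0]
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    patched = data[:cd_offset] + block + data[cd_offset:]
    return patched[:-6] + struct.pack("<I", cd_offset + len(block)) + patched[-2:]
```

Running classify() over a JAR built with the META-INF/ folder first shows the case the report describes, while the same archive with only a MANIFEST.MF entry and no APK markers is also reported as a JAR.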
jar_magic.patch (4,030 bytes)
diff --git a/magic/Magdir/archive b/magic/Magdir/archive index 89f46d11..95851d5b 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1808,6 +1808,40 @@ >8 use zipcompression >0x161 string WINZIP \b, WinZIP self-extracting +# Zip archives that can be either APK or JAR. Checks for resources.arsc, classes.dex, etc. +0 name apk_or_jar +# Contains resources.arsc (near the end, in the central directory) +>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar + 0 string PK\003\004 !:strength +1 # IOS/IPadOS IPA file (Zip archive) 
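Review bot: the messages inside the new `apk_or_jar` block still read "with MANIFEST.MF and resources.arsc" (and the same for classes.dex, armeabi lib and drawables), but the block is written to be shared and will also be reached when the first record is the META-INF/ folder rather than MANIFEST.MF, so that wording becomes wrong for the second caller; drop "with MANIFEST.MF" from the shared messages (e.g. `Android package (APK), with resources.arsc`) or have each caller print its own prefix before `use apk_or_jar`. The final `default x Java archive data (JAR)` also relies on the caller having already matched a META-INF entry, since the block itself never checks one; a line in the block's header comment stating that precondition would keep a future `use apk_or_jar` from some other ZIP branch from labelling arbitrary archives as JARs.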
@@ -1843,40 +1877,14 @@ >>>-22 string PK\005\006 >>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block # Starts with META-INF/MANIFEST.MF (file name length = 20) -# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files >26 uleshort 20 >>30 string META-INF/MANIFEST.MF -# Contains resources.arsc (near the end, in the central directory) ->>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc -!:mime application/vnd.android.package-archive -!:ext apk ->>>>-22 string PK\005\006 ->>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>-512 default x -# Contains classes.dex (near the end, in the central directory) ->>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>-22 string PK\005\006 ->>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>-512 default x -# Contains lib/armeabi (near the end, in the central directory) ->>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>-22 string PK\005\006 ->>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>>-512 default x -# Contains drawables (near the end, in the central directory) ->>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>>-22 string PK\005\006 ->>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block -# It may or may not be an APK file, but it's definitely a Java JAR file ->>>>>>-512 default x Java archive data (JAR) -!:mime application/java-archive -!:ext jar +>>0 use apk_or_jar +# Starts with META-INF/ folder (file name length = 9) +>26 uleshort 9 +>>30 string META-INF/ +>>0 use apk_or_jar + # Starts with zipflinger virtual entry (28 + 104 = 
132 bytes) # See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 >4 string \x00\x00\x00\x00\x00\x00 |
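Review bot: the new `>26 uleshort 9` / `>>30 string META-INF/` branch lands without a sample covering it, and the description says a harmless JAR with the META-INF/ folder first can be provided; attach that file so the new branch, and the MANIFEST.MF branch now routed through `>>0 use apk_or_jar`, are both exercised by a test before merging. The removed comment "NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files" was the only place explaining why the APK branch looks beyond the first entry; the new "Starts with META-INF/ folder (file name length = 9)" comment could carry a short pointer to the `apk_or_jar` block so a reader of this section does not have to go looking for that rationale.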
Date Modified | Username | Field | Change |
---|---|---|---|
2025-05-15 16:52 | adepasquale | New Issue | |
2025-05-15 16:52 | adepasquale | File Added: jar_magic.patch | |