I think it was less than a week after I announced my little Android Manifest auditor tool, Manitree, that Anthony Desnos, the developer of Androguard, sent me a message in the tone of “hey, why didn’t you use Androguard for that?” If nothing else, why didn’t I use Androguard’s native AXML converter?
Androguard is this immense Android app analysis project. If you take a look at the first page, you may get overwhelmed pretty quickly. I hope Anthony doesn’t take this the wrong way, because it’s an impressive tool when I’ve seen it working, and it’s great for all kinds of things besides malware analysis. For instance, it can analyze APKs, diff binary apps, and visualize the flow of an app between classes; fun stuff. For my dinky project, though, most of the work was focused on the AndroidManifest.xml file, and the simplest feature was the one that impressed me most: a native Python converter for the Android binary XML file format. As of writing this, I’ve not seen anyone else do this publicly.
Mandatory technical background: the AndroidManifest.xml file is stored in a format called the Android XML format, or AXML. This is an optimized binary format and not a lot of fun to look through, so tools like AXMLPrinter, AXMLPrinter2, aapt, and apktool convert these files back to the standard XML format they were originally written in. The binary format was created so the manifest can link to the resources.arsc file without duplicating data: instead of repeating a string value over and over in a Manifest, the manifest points at resources.arsc, so what you actually see in the binary is the location of the value in that file.
For the reason above, this weekend a few of us started extracting Androguard’s AXML code into a separate project that aims to be a native Python library for parsing AXML files. It’s up on GitHub and still in progress, but the goal is that it can be useful as a standalone Python module without having to import all of Androguard. https://github.com/antitree/AxmlParserPY
Here’s a quick example that takes in an AndroidManifest.xml in binary format and spits it out as plain XML:
import axmlprinter
from xml.dom import minidom

if __name__ == "__main__":
    # Read the binary (AXML) manifest, decode it, and print it as text XML
    ap = axmlprinter.AXMLPrinter(open('AndroidManifest.xml', 'rb').read())
    buff = minidom.parseString(ap.getBuff()).toxml()
    print(buff)
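To show what the converter above actually has to do, here is an added example that is not code from this post, from AxmlParserPY or from Androguard: a self-contained Python walk through the AXML chunk stream. It decodes the UTF-16 string pool (the kind aapt writes for manifests; a UTF-8 pool is refused rather than misread), resolves namespace prefixes and attribute values (strings, decimal ints, and references that point into resources.arsc), emits plain XML, and finishes with a Manitree-style summary of package, versionCode and requested permissions. The sample manifest bytes are constructed inside the block by a small builder; the two framework attribute ids it places in the resource-id map (0x0101021b and 0x01010003) are the real ids of android:versionCode and android:name. Styles and text nodes are left aside.

```python
import struct
from xml.dom import minidom
from xml.sax.saxutils import quoteattr

# Chunk types of the binary XML (ResXMLTree) layout, and the Res_value types this example decodes
AXML_MAGIC, NO_INDEX = 0x00080003, 0xFFFFFFFF
CHUNK_STRING_POOL, CHUNK_RESOURCE_IDS = 0x0001, 0x0180
CHUNK_START_NS, CHUNK_END_NS, CHUNK_START_TAG, CHUNK_END_TAG = 0x0100, 0x0101, 0x0102, 0x0103
TYPE_REFERENCE, TYPE_STRING, TYPE_INT_DEC = 0x01, 0x03, 0x10

def parse_string_pool(data, off):
    """Decode the ResStringPool chunk at `off` into a list (UTF-16 pools, which is what aapt writes for manifests)."""
    _, hdr_size, _, count, _, flags, strings_start, _ = struct.unpack_from('<HHIIIIII', data, off)
    if flags & 0x100:
        raise ValueError('UTF-8 string pool: not handled by this example')
    strings = []
    for so in struct.unpack_from('<%dI' % count, data, off + hdr_size):
        p = off + strings_start + so                  # entry: uint16 char count, UTF-16LE chars, NUL
        (n,) = struct.unpack_from('<H', data, p)
        strings.append(data[p + 2:p + 2 + 2 * n].decode('utf-16-le'))
    return strings

def format_value(strings, vtype, vdata):
    """Render an attribute's Res_value roughly the way aapt's XML dump does."""
    if vtype == TYPE_STRING:
        return strings[vdata]
    if vtype == TYPE_INT_DEC:
        return str(struct.unpack('<i', struct.pack('<I', vdata))[0])
    return ('@0x%08x' if vtype == TYPE_REFERENCE else '0x%x') % vdata  # @ref points into resources.arsc

def axml_to_xml(data):
    """Walk the chunk stream of a binary AndroidManifest.xml and emit plain XML text."""
    magic = struct.unpack_from('<I', data, 0)[0]
    if magic != AXML_MAGIC:
        raise ValueError('not an AXML file (magic 0x%08x)' % magic)
    strings, prefixes, pending_ns, depth, off = [], {}, [], 0, 8
    out = ['<?xml version="1.0" encoding="utf-8"?>']

    def qname(ns_idx, name_idx):                      # prefix:name when the tag or attribute is namespaced
        prefix = prefixes.get(strings[ns_idx]) if ns_idx != NO_INDEX else None
        return (prefix + ':' if prefix else '') + strings[name_idx]
    while off < len(data):
        ctype, _, size = struct.unpack_from('<HHI', data, off)
        if size < 8:                                  # a zero or short size would loop forever on corrupt input
            raise ValueError('corrupt chunk at offset %d' % off)
        if ctype == CHUNK_STRING_POOL:
            strings = parse_string_pool(data, off)
        elif ctype == CHUNK_START_NS:                 # node header is 16 bytes: type, size, line, comment
            prefix, uri = struct.unpack_from('<II', data, off + 16)
            prefixes[strings[uri]] = strings[prefix]
            pending_ns.append('xmlns:%s=%s' % (strings[prefix], quoteattr(strings[uri])))
        elif ctype == CHUNK_START_TAG:
            ns, name, attr_start, attr_size, attr_count = struct.unpack_from('<IIHHH', data, off + 16)
            attrs, p, pending_ns = list(pending_ns), off + 16 + attr_start, []
            for _ in range(attr_count):               # attribute: ns, name, raw string, Res_value(size, 0, type, data)
                a_ns, a_name, _, _, _, vtype, vdata = struct.unpack_from('<IIIHBBI', data, p)
                attrs.append('%s=%s' % (qname(a_ns, a_name), quoteattr(format_value(strings, vtype, vdata))))
                p += attr_size
            out.append('  ' * depth + '<' + ' '.join([qname(ns, name)] + attrs) + '>')
            depth += 1
        elif ctype == CHUNK_END_TAG:
            ns, name = struct.unpack_from('<II', data, off + 16)
            depth -= 1
            out.append('  ' * depth + '</%s>' % qname(ns, name))
        off += size                                   # resource-id map and end-namespace chunks: nothing to print
    return '\n'.join(out)

def manifest_summary(data):
    """What a manifest auditor wants first: package, versionCode and the requested permissions."""
    doc = minidom.parseString(axml_to_xml(data)).documentElement
    return {'package': doc.getAttribute('package'), 'versionCode': doc.getAttribute('android:versionCode'),
            'permissions': [e.getAttribute('android:name') for e in doc.getElementsByTagName('uses-permission')]}

def build_sample_axml():
    """Assemble a constructed (not real-world) binary manifest so the parser can run offline."""
    S = ['versionCode', 'name', 'package', 'manifest', 'uses-permission', 'android',
         'http://schemas.android.com/apk/res/android', 'com.example.app', 'android.permission.INTERNET']
    i = {s: n for n, s in enumerate(S)}
    ns = i['http://schemas.android.com/apk/res/android']
    node = lambda ctype, ext: struct.pack('<HHIII', ctype, 16, 16 + len(ext), 1, NO_INDEX) + ext
    attr = lambda a_ns, a_name, vtype, v: struct.pack('<IIIHBBI', a_ns, a_name, v if vtype == TYPE_STRING else NO_INDEX, 8, 0, vtype, v)
    start = lambda name, attrs: node(CHUNK_START_TAG, struct.pack('<IIHHHHHH', NO_INDEX, i[name], 20, 20, len(attrs), 0, 0, 0) + b''.join(attrs))
    end = lambda name: node(CHUNK_END_TAG, struct.pack('<II', NO_INDEX, i[name]))
    blob, offsets = b'', []
    for s in S:                                       # UTF-16 pool entries, padded to a 4-byte boundary
        offsets.append(len(blob))
        blob += struct.pack('<H', len(s)) + s.encode('utf-16-le') + b'\x00\x00'
    blob += b'\x00' * (-len(blob) % 4)
    strings_start = 28 + 4 * len(S)
    pool = (struct.pack('<HHIIIIII', CHUNK_STRING_POOL, 28, strings_start + len(blob), len(S), 0, 0, strings_start, 0)
            + struct.pack('<%dI' % len(S), *offsets) + blob)
    res_ids = struct.pack('<HHIII', CHUNK_RESOURCE_IDS, 8, 16, 0x0101021b, 0x01010003)  # ids of android:versionCode, android:name
    body = (pool + res_ids + node(CHUNK_START_NS, struct.pack('<II', i['android'], ns))
            + start('manifest', [attr(NO_INDEX, i['package'], TYPE_STRING, i['com.example.app']),
                                 attr(ns, i['versionCode'], TYPE_INT_DEC, 7)])
            + start('uses-permission', [attr(ns, i['name'], TYPE_STRING, i['android.permission.INTERNET'])])
            + end('uses-permission') + end('manifest') + node(CHUNK_END_NS, struct.pack('<II', i['android'], ns)))
    return struct.pack('<II', AXML_MAGIC, 8 + len(body)) + body
```

Running axml_to_xml(build_sample_axml()) prints a manifest with the xmlns:android declaration, package and android:versionCode on the root and one uses-permission child; on a real file you would pass open('AndroidManifest.xml', 'rb').read() instead. The chunk walk advances by each chunk's own size field, which is why unknown chunk types can simply be skipped, and why the size sanity check matters: a hand-crafted manifest with a zero-length chunk would otherwise spin the parser forever.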
Every month we do the 2600 meetings. Lately I send out this ridiculous email to my circles and social networks explaining a theme of the meeting. It looks something like the one I did for January:
Only 12 months away from the end of days where the Earth’s polarity will completely flip causing server faults to erupt with hot Java and spew volcanic bash. Sudonomies will destroy cities and cause packet storms. 2012 will mark the return of the Carriage causing lines to break all over the world.
This month’s pre-apocalypse meeting will cover topics completely unrelated to your apocalyptic survival. In fact, the skills learned will most likely be completely useless in the face of actual danger. These are the presentations that are happening this month. The titles do not represent any of the subject matter nor the presenters’ names.
0) Antitree: Things I Learned By Not Attending 28c3
1) Algorythm: Why My SSLScan is Better Than yours
2) Punkrokk: Would You Like To Ride My Pwnie (Pwnie Plug talk)
3) SecCaoBoi: Mopping The Network With a WPAD Attack
4) JewNinja: XSS Attacks: Finding A Hole In a Brick Wall
Doors open to the public at 7pm.
The 2600 meeting is a copyright of Emmanuel Goldstein and his band of merry hackers. All usage of the 2600 name and logo is directly prohibited without the direct written consent of Captain Crunch. The world may not end in 2012 but it is up to the user to kiss his or her own ass goodbye prior to any apocalyptic event. Ass kissing assistance will not be provided in any case. Members are prohibited from attending meetings. Requests for membership can only be made if you are an existing member and in good standing with Heidi Potter and a resident of the great state of Alaska.
First of all, I recognize how this is very frightening to most. I’ve seen responses like “Where do you get your drugs” or “who the eff is this guy?” Punkrokk showed this to Heidi Potter (the organizer of Shmoocon) and I’m sure it raised an eyebrow. So, to explain why I do it, here it goes: I don’t know – it makes me giggly.
The random emails have had a consistent reference to how members of 2600 were not invited and you had to not be a member to get in. This came from the fact that whenever someone asked me about 2600, they would say “How do you become a member” or “How many members do you have.” To me this was a sign that they had never been to a 2600 meeting and, as Zach Fasel said to me at my first 2600 meeting ever: “Newb.” Of course I’m supposed to say there’s nothing wrong with that, blah blah blah, but it was another opportunity to have an inside joke with people that had been to the meetings. So all the references to “Non-members only” were my joke to myself (albeit not even that funny), mostly to entertain myself when only 4 people came to meetings.
What’s also funny is that people at the hackerspace, where we hold the meetings, took “non-members only” to mean that Interlock members were not invited to the meetings, which made me laugh as well.
So look at me and my hilariousness. Aren’t I so funny! I’ve created inside jokes that have grown out of control. There. Done.