vincentcox / stacoan
StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.

License: MIT License

Python 23.22% Shell 2.09% Batchfile 0.95% HTML 2.36% JavaScript 69.13% CSS 1.95% Dockerfile 0.29%
bugbounty mobile-security security security-tools static-code-analysis


stacoan's Issues

Errors are not reflected in server UI

I've just started the server and added a file for upload. Then I waited 5 minutes without any result. Only after analyzing the file directly did I see there was an issue with the input:

$> ./stacoan -p sample.ipa 
[INFO] Decompiling app...
[ERROR] .ipa files not implemented yet.
$> ./stacoan -p sample.app 
[INFO] Decompiling app...
[ERROR] No mobile app detected, exiting! Hgnnnhh

The web server UI should reflect any errors and notify the user there was an issue with the provided file. Instead it indefinitely shows the 'Uploading…' message.

ERROR: Unknown error: 'test-apk_apk' on Mac executable

When running the Mac release, the following output is shown:

[INFO] jadx return code: 0
[INFO] Decompiling done.
[INFO] Searching trough files
[INFO] Searching done.
[INFO] start generating report
[ERROR] ERROR: Unknown error: 'test-apk_apk'.

ToDo: Disable try catch wrapper on main function to find the root cause. Maybe make a --debug option to disable this try catch wrapper.

Adding more regex to find sensitive data

Consider adding these regular expressions, which are not part of the list:

  1. .([a-zA-Z0-9]-[a-zA-Z0-9]){3,10}. => To find salts, nonce used in code.
  2. ([-]+(BEGIN\sRSA\sPRIVATE\sKEY)[-]+[A-Za-z\s0-9+/.=]{400}) => RSA Private keys
  3. (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) => AWS Secret Keys
  4. [0-9a-f]{32} => FB Secret Keys
  5. ((xoxp)-[0-9]+-[A-Za-z0-9]+) => Slack Tokens

This list can also be extended to Twitter Keys, Tumblr keys.
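As an added example (not code from the StaCoAn project or from the issue author), the script below runs four of the patterns proposed above over a constructed, clearly fake piece of decompiled source and reports each hit with its line number. It also shows the precision problem a reviewer should expect from such patterns: the 40-character AWS pattern and the 32-hex-character "FB secret" pattern are the same shape as a git commit id and an MD5 checksum, so the sample includes one of each look-alike. The `triage` post-filter that flags all-hex AWS matches as probable digests is a heuristic of my own, not part of the proposed list; the salt/nonce pattern is omitted because its leading and trailing `.` match any character.

```python
import re

# Regular expressions quoted from the issue above, keyed by the issue's labels.
PATTERNS = {
    "RSA private key": r"([-]+(BEGIN\sRSA\sPRIVATE\sKEY)[-]+[A-Za-z\s0-9+/.=]{400})",
    "AWS secret key": r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])",
    "FB secret key": r"[0-9a-f]{32}",
    "Slack token": r"((xoxp)-[0-9]+-[A-Za-z0-9]+)",
}
COMPILED = {name: re.compile(p) for name, p in PATTERNS.items()}

# Constructed sample of decompiled source (not from any real app); every
# secret-looking value is a placeholder. Line 4 holds a 40-hex-char commit id
# and line 5 a 32-hex-char MD5 digest: both match the patterns by shape alone.
SAMPLE_SOURCE = "\n".join([
    'String url = "https://example.invalid/api";',
    'String slackToken = "xoxp-1234-abcd-ef56";',
    'String awsSecret = "EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY";',
    "// built from commit " + "deadbeef" * 5,
    'String checksum = "d41d8cd98f00b204e9800998ecf8427e";',
    "-----BEGIN RSA PRIVATE KEY-----",
    "A" * 400,  # stand-in for the base64 body the {400} quantifier expects
    "-----END RSA PRIVATE KEY-----",
])

# Heuristic note (my addition): real AWS secrets are base64-like and almost
# never pure hex, so an all-hex 40-char hit is far more likely a SHA-1.
HEX_NOTE = "all-hex: more likely a SHA-1 digest than an AWS secret"


def line_of(text, pos):
    """1-based line number of character offset `pos` in `text`."""
    return text.count("\n", 0, pos) + 1


def triage(name, value):
    """Post-filter that annotates a match without dropping it."""
    if name == "AWS secret key" and re.fullmatch(r"[0-9a-f]+", value):
        return HEX_NOTE
    return ""


def scan(text):
    """Run every pattern over the whole text (the RSA pattern spans lines).

    Returns (label, line, matched_text, note) tuples sorted by line.
    """
    findings = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(text):
            value = m.group(0)
            findings.append((name, line_of(text, m.start()), value, triage(name, value)))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for name, line, value, note in scan(SAMPLE_SOURCE):
        print(f"line {line:3d}  {name:16s} {value[:24]!r:28s} {note}")
```

Run as-is it lists six hits on the eight-line sample: the Slack token, two "AWS" hits (one genuine placeholder, one commit id flagged by the note), two "FB" hits (the commit id again, plus the MD5), and the private key. The two false positives are the point: a pattern list like this is a triage aid that needs context checks, not a verdict.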

AttributeError: module 'enum' has no attribute 'IntFlag'

Thanks, the old issue is fixed. Any thoughts on the 2 errors below?

367 INFO: checking Analysis
367 INFO: Building Analysis because out00-Analysis.toc is non existent
367 INFO: Initializing module dependency graph...
373 INFO: Initializing module graph hooks...
377 INFO: Analyzing base_library.zip ...
Traceback (most recent call last):
File "", line 41, in
File "", line 13, in walk_packages
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 127, in iter_modules
for name, ispkg in iter_importer_modules(i, prefix):
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 146, in _iter_file_finder_modules
import inspect
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\inspect.py", line 41, in
import linecache
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\linecache.py", line 11, in
import tokenize
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\tokenize.py", line 33, in
import re
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\re.py", line 142, in
class RegexFlag(enum.IntFlag):
AttributeError: module 'enum' has no attribute 'IntFlag'

12236 INFO: Loading module hook "hook-encodings.py"...
Traceback (most recent call last):
File "", line 41, in
File "", line 13, in walk_packages
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 127, in iter_modules
for name, ispkg in iter_importer_modules(i, prefix):
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 146, in _iter_file_finder_modules
import inspect
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\inspect.py", line 41, in
import linecache
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\linecache.py", line 11, in
import tokenize
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\tokenize.py", line 33, in
import re
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\re.py", line 142, in
class RegexFlag(enum.IntFlag):

Unicode issue on report generation

Hi, thank you for your efforts!

I just came across your project and wanted to look into it. However, it seems to have some unicode issues.
When I try to analyze the test-apk.apk, that comes with this repository, it fails:

python3 main.py test-apk.apk 
Decompiling app...
/home/???/dev/StaCoAn/test-apk/jadx_source_code
"/home/???/dev/StaCoAn/jadx/bin/jadx" -d "/home/???/dev/StaCoAn/test-apk/jadx_source_code" test-apk.apk
/bin/sh: 1: /home/???/dev/StaCoAn/jadx/bin/jadx: Permission denied
Decompiling done.
Searching trough files
Searching done.
start generating report
[...]
progress: 97.52%
progress: 98.14%
progress: 98.76%
progress: 99.38%
Traceback (most recent call last):
  File "main.py", line 124, in <module>
    program()
  File "main.py", line 107, in program
    print(Report_html.Tree_builder.tree_js_file(Project.projects[project_path]), file=f)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 149599-149600: ordinal not in range(128)

Some other apk I fed to it also failed, but at a different stage:

[...]
progress: 8.59%
progress: 8.72%
Traceback (most recent call last):
  File "main.py", line 124, in <module>
    program()
  File "main.py", line 72, in program
    print(overview_html.gethtml(), file=f)
UnicodeEncodeError: 'ascii' codec can't encode character '\u0580' in position 5519: ordinal not in range(128)

I briefly peeked into the code but was unsure whether it is an issue with yattag or with this repo here; maybe you know?

Wrong APK like a directory

Hi,

When I run the docker command I get this:

[ERROR] ERROR: Unknown error: [Errno 21] Is a directory: 'myapp.apk'.

I didn't understand why... Did anyone get this too?

pyinstaller: error: argument --add-data: invalid add_data_or_binary value: 'jadx:jadx'

Any idea what I am missing?
Using Windows 7.
C:\Users\XXXXXX\StaCoAn-master\StaCoAn-master>pyinstaller main.py --onefile --add-data jadx:jadx -p jadx --icon icon.ico --name stacoan --clean
usage: pyinstaller [-h] [-v] [-D] [-F] [--specpath DIR] [-n NAME]
[--add-data <SRC;DEST or SRC:DEST>]
[--add-binary <SRC;DEST or SRC:DEST>] [-p DIR]
[--hidden-import MODULENAME]
[--additional-hooks-dir HOOKSPATH]
[--runtime-hook RUNTIME_HOOKS] [--exclude-module EXCLUDES]
[--key KEY] [-d] [-s] [--noupx] [-c] [-w]
[-i <FILE.ico or FILE.exe,ID or FILE.icns>]
[--version-file FILE] [-m ] [-r RESOURCE]
[--uac-admin] [--uac-uiaccess] [--win-private-assemblies]
[--win-no-prefer-redirects]
[--osx-bundle-identifier BUNDLE_IDENTIFIER]
[--runtime-tmpdir PATH] [--distpath DIR]
[--workpath WORKPATH] [-y] [--upx-dir UPX_DIR] [-a]
[--clean] [--log-level LEVEL]
scriptname [scriptname ...]
pyinstaller: error: argument --add-data: invalid add_data_or_binary value: 'jadx:jadx'

Gibberish content in the generated report.

Summary:
See the attached images. The app didn't show any errors.
The generated report contains gibberish data. Tried to rebuild the report 3 times, ended with the same result.

Details:
.apk file: https://play.google.com/store/apps/details?id=com.mkdingo.goran.signlangugage
The file was downloaded via APKPure.
os: Linux mint

Proof of error:
StaCoAn

Jadx:

Additional info:
The app uses Cyrillic characters for resources(ex: R.id.в, R.id.ж).
Could this be the cause of the problem?

Docker

┌─[nils@parrot]─[~/Code/Python/StaCoAn/docker]
└──╼ $sudo docker run -e JAVA_OPTS="-Xms2048m -Xmx2048m" -p 8888:8888 -p 7777:7777 -i -t stacoan
usage: stacoan.py [-h] [-p PATH [PATH ...]] [--disable-browser]
                  [--disable-server]
                  [--log-all | --log-errors | --log-warnings]
stacoan.py: error: unrecognized arguments: --enable-server

Android - Security SSL

We can try to incorporate test cases that can be used to identify issues with SSL/TLS in Android apps. Reference Doc: https://developer.android.com/training/articles/security-ssl

  1. Loading custom certificates into the Android KeyStore.
     This is usually done to accept self-signed certs or certs signed by an unknown CA.
     Regex used: .keyStore.setCertificateEntry.

  2. HostName Verifier.
     Failing to check the hostname for a certificate.
     Regex: *public boolean verify(.String.SSLSession.)

NOTE:
===> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with .return true;.

  3. Overriding SSLCheck in WebViews.
     This is already a part of owasp_static_android.txt.

  4. Overriding SSL Check.
     Android apps can override SSL checks, thus suppressing any SSL validation error.
     Regex: checkServerTrusted.*{}

NOTE:
====> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with an empty string.

  5. SSLSocket.
     According to the official Android doc:

Caution: SSLSocket does not perform hostname verification. It is up to your app to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.

Regex: .*SSLSocket.createSocket(.
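The two NOTEs above say the hostname-verifier and `checkServerTrusted` checks must look at the whole function body, not a single line. The script below is an added example of doing exactly that (my code, not StaCoAn's and not the issue author's): it locates the method header with a regex, chunks out the body by brace matching, strips comments and whitespace, and then compares the body with `return true;` or with the empty string as the NOTEs describe. The `setCertificateEntry` and `SSLSocket ... createSocket(` checks stay line-level, since those only warrant manual review. The Java snippet is constructed for the example and contains one permissive verifier, one correct verifier and one empty trust manager; the header regexes are my own rendering of the patterns in the issue.

```python
import re

# Constructed Java sample (not from a real app): allowAll and trustAll are the
# flaws the issue describes; strict shows the correct delegation to the
# default verifier and must not be reported.
SAMPLE_JAVA = """\
class Net {
    HostnameVerifier allowAll = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;   // accepts any host: the flaw the issue describes
        }
    };
    HostnameVerifier strict = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
        }
    };
    TrustManager trustAll = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            throw new CertificateException("unsupported");
        }
    };
    void connect(KeyStore keyStore, SSLSocketFactory factory, Certificate ca) throws Exception {
        keyStore.setCertificateEntry("ca", ca);
        SSLSocket s = (SSLSocket) factory.createSocket("api.example.invalid", 443);
    }
}
"""

# Method headers whose *body* decides the finding (my rendering of the issue's regexes).
HOSTNAME_VERIFIER = re.compile(
    r"public\s+boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)")
SERVER_TRUSTED = re.compile(r"public\s+void\s+checkServerTrusted\s*\(")

# Line-level patterns: a hit only means "review this", as the issue says.
LINE_PATTERNS = {
    "custom-cert-in-keystore": re.compile(r"keyStore\.setCertificateEntry"),
    "sslsocket-createsocket": re.compile(r"SSLSocket.*createSocket\("),
}


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def extract_function_body(source, start):
    """Text between the braces of the method whose header ends at `start`.

    Simple brace counting; braces inside string literals would confuse it,
    which is acceptable for decompiler output that is reviewed by hand.
    """
    open_idx = source.index("{", start)
    depth = 0
    for i in range(open_idx, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def normalise(body):
    """Drop comments and all whitespace so formatting cannot hide the pattern."""
    body = re.sub(r"//[^\n]*", "", body)
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)
    return re.sub(r"\s+", "", body)


def find_tls_findings(source):
    """Return (finding, line) tuples sorted by line number."""
    findings = []
    for m in HOSTNAME_VERIFIER.finditer(source):
        if normalise(extract_function_body(source, m.end())) == "returntrue;":
            findings.append(("hostname-verifier-returns-true", line_of(source, m.start())))
    for m in SERVER_TRUSTED.finditer(source):
        if normalise(extract_function_body(source, m.end())) == "":
            findings.append(("empty-checkServerTrusted", line_of(source, m.start())))
    for number, line in enumerate(source.splitlines(), start=1):
        for name, rx in LINE_PATTERNS.items():
            if rx.search(line):
                findings.append((name, number))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line in find_tls_findings(SAMPLE_JAVA):
        print(f"line {line:3d}: {name}")
```

On the sample this reports the permissive `verify` (line 3), the empty `checkServerTrusted` (line 13) and the two review-only lines (20 and 21), and stays silent on the `strict` verifier, which a line-only `verify(String, SSLSession)` regex would have flagged just the same.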

Request: Rebranding

StaCoAn is a hard name to remember and pronounce. It could help to rebrand it to something else, for example 'Stacy'.

local variable issue

Hello @vincentcox ,
I am facing this error after supplying the apk
UnboundLocalError: local variable 'sorted_tosort' referenced before assignment
[WARNING] 127.0.0.1 - - [10/Oct/2018 19:35:59] code 404, message File not found

Create a GitHub wiki

You can create a GitHub wiki to describe how to use the tool on the different platforms. This will shorten your repo's README file, which improves it imho (readability, length, ease of access, ...)

Viewing the HTML Report on Firefox/Internet Explorer not supported

The fancy TreeView does not display on FF and IE browsers. The TreeView is invisible and not initializing properly. Also, the upload process seems to sometimes fail silently.

Console IE:

HTML1527: DOCTYPE expected. Consider adding a valid HTML5 doctype: "".
start.html (1,1)

HTML1504: Unexpected end tag. -- repeatedly

jQuery.Deferred exception: Unable to get property 'length' of undefined or null reference TypeError: Unable to get property 'length' of undefined or null reference

SCRIPT5022: Fancytree assertion failed: Need a valid store.

SCRIPT5007: Unable to get property 'length' of undefined or null reference

SCRIPT5007: Unable to get property 'getItem' of undefined or null reference

Console FF:

This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”.

Request to access cookie or storage on “start.html” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.

Uncaught DOMException: The operation is insecure. => jquery.fancytree-all-deps.min.js:1

Uncaught DOMException: The operation is insecure. => jquery.fancytree.persist.js:40

Uncaught Error: Could not apply extension 'persist' (it is not registered, did you forget to include it?) => /report/tree_js_content.js:2, jquery.min.js:2:1979

Uncaught DOMException: The operation is insecure. => report.js:8

Uncaught DOMException: The operation is insecure. => start.html:16

Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: /report/html/jquery.fancytree-all-deps.min.js
Source Map URL: jquery.fancytree-all-deps.min.js.map

sad :-(

No module named 'yattag'

hello,
Trying to use StaCoAn on Windows using bash, I'm having the following error:
No module named 'yattag'
Any clue? Thx

OSX - File not found

On Macs, your download (V.6) is not working. Below is the error. I believe you have hard-coded some paths into the app. My Mac is on Python 2.7.10.

[INFO] serving report server at port: 8080
[INFO] serving dragdrop server at port: 8000
0:38: execution error: File some object wasn’t found. (-43)
^CTraceback (most recent call last):
  File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 264, in <module>
  File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 151, in program
  File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 117, in server
  File "/usr/local/Cellar/python/3.6.4_3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 1056, in join
  File "/usr/local/Cellar/python/3.6.4_3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 1072, in _wait_for_tstate_lock
KeyboardInterrupt

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 264, in <module>
KeyboardInterrupt
[9549] Failed to execute script stacoan
L-75

Suggestions for container size improvements

I did a rewrite of your old Docker container (#47) to reduce the size from 1.44GB to 264MB.
At that time, I did not know Docker well enough and now I think that I can further optimize the container's image size by combining RUN commands.

Maybe some packages that are only needed during build steps can be installed as virtual packages (info). I don't know this for sure since I don't know the Dockerfile that well. (A first look suggests pip3 is one of those packages.)

I'll try this tonight, it will be good to see if there is a noticeable difference.

OutOfMemory on OS X

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.rits.cloning.Cloner (file:/Users/nils/Desktop/deploy/jadx/lib/cloning-1.9.10.jar) to field java.util.TreeSet.m
WARNING: Please consider reporting this to the maintainers of com.rits.cloning.Cloner
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[WARNING] 127.0.0.1 - - [05/Nov/2019 19:19:09] code 404, message File not found

Exception in thread "pool-1-thread-5" java.lang.OutOfMemoryError: Java heap space
	at java.base/java.util.Arrays.copyOf(Arrays.java:3746)
	at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)
	at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538)
	at java.base/java.lang.StringBuilder.append(StringBuilder.java:174)
	at ch.qos.logback.core.pattern.FormattingConverter.write(FormattingConverter.java:39)
	at ch.qos.logback.core.pattern.PatternLayoutBase.writeLoopOnConverters(PatternLayoutBase.java:115)
	at ch.qos.logback.classic.PatternLayout.doLayout(PatternLayout.java:141)
	at ch.qos.logback.classic.PatternLayout.doLayout(PatternLayout.java:39)
	at ch.qos.logback.core.encoder.LayoutWrappingEncoder.encode(LayoutWrappingEncoder.java:115)
	at ch.qos.logback.core.OutputStreamAppender.subAppend(OutputStreamAppender.java:230)
	at ch.qos.logback.core.OutputStreamAppender.append(OutputStreamAppender.java:102)
	at ch.qos.logback.core.UnsynchronizedAppenderBase.doAppend(UnsynchronizedAppenderBase.java:84)Process Process-1:
Traceback (most recent call last):
  File "multiprocessing/process.py", line 297, in _bootstrap
  File "multiprocessing/process.py", line 99, in run
  File "stacoan.py", line 184, in program
  File "project.py", line 143, in app_prepper
  File "logger.py", line 108, in __init__
  File "logger.py", line 99, in log
  File "logger.py", line 82, in cPrint
OSError: [Errno 22] Invalid argument

Docker build failed

Hi, thanks for this app. The Docker build seems to be broken:

Step 3/12 : RUN echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list && echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886 && apt-get update
 ---> Running in 2b8ae552b233
deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.OIwaWMnA25 --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver keyserver.ubuntu.com --recv-keys EEA14886
gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
?: keyserver.ubuntu.com: Connection refused
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
The command '/bin/sh -c echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list && echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886 && apt-get update' returned a non-zero code: 2
