Subject: Improve APK detection (FC Stegerman) Origin: FILE5_44-22-g6d565d82 Upstream-Author: Christos Zoulas Date: Sat Jan 14 19:43:33 2023 +0000 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1531,7 +1531,7 @@ !:mime application/vnd.android.package-archive !:ext apk # Starts with META-INF/MANIFEST.MF (file name length = 20) -# NB: checks for resources.arsc or drawables as well to avoid matching JAR files +# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files >26 uleshort 20 >>30 string META-INF/MANIFEST.MF # Contains resources.arsc (near the end, in the central directory) @@ -1540,13 +1540,27 @@ >>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block !:mime application/vnd.android.package-archive !:ext apk ->>>-512 default x -# Contains drawables (near the end, in the central directory) ->>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex >>>>>-22 string PK\005\006 >>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block !:mime application/vnd.android.package-archive !:ext apk +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk # Starts with zipflinger virtual entry (28 + 104 = 132 bytes) # See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 >4 string \x00\x00\x00\x00\x00\x00