trueseeing 2.2.2__tar.gz → 2.2.4__tar.gz

{trueseeing-2.2.2 → trueseeing-2.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: trueseeing
-Version: 2.2.2
+Version: 2.2.4
 Summary: Trueseeing is a non-decompiling Android application vulnerability scanner.
 Keywords: android,security,pentest,hacking
 Author-email: Takahiro Yoshimura <alterakey@protonmail.com>
@@ -16,7 +16,6 @@ Classifier: License :: OSI Approved :: GNU General Public License v3 or later (G
 Requires-Dist: lxml~=5.0
 Requires-Dist: pyyaml~=6.0
 Requires-Dist: jinja2~=3.1
-Requires-Dist: attrs~=23.2
 Requires-Dist: pypubsub~=4.0
 Requires-Dist: termcolor~=2.4
 Requires-Dist: progressbar2~=4.3
@@ -25,6 +24,8 @@ Requires-Dist: asn1crypto~=1.5
 Requires-Dist: zstandard~=0.22
 Requires-Dist: aiohttp~=3.9
 Requires-Dist: lief~=0.14
+Requires-Dist: pyaxmlparser~=0.3
+Requires-Dist: prompt-toolkit~=3.0
 Requires-Dist: mypy~=1.7 ; extra == "dev"
 Requires-Dist: pyproject-flake8~=6.1 ; extra == "dev"
 Requires-Dist: typing_extensions~=4.1 ; extra == "dev"
@@ -83,7 +84,7 @@ Alternatively, you can install our package with pip as follows. This form of ins
 You can interactively scan/analyze/patch/etc. apps -- making it the ideal choice for manual analysis:
 
     $ trueseeing target.apk
-    [+] trueseeing 2.2.2
+    [+] trueseeing 2.2.4
     ts[target.apk]> ?
     ...
     ts[target.apk]> i                      # show generic information

{trueseeing-2.2.2 → trueseeing-2.2.4}/README.md

@@ -50,7 +50,7 @@ Alternatively, you can install our package with pip as follows. This form of ins
 You can interactively scan/analyze/patch/etc. apps -- making it the ideal choice for manual analysis:
 
     $ trueseeing target.apk
-    [+] trueseeing 2.2.2
+    [+] trueseeing 2.2.4
     ts[target.apk]> ?
     ...
     ts[target.apk]> i                      # show generic information

{trueseeing-2.2.2 → trueseeing-2.2.4}/pyproject.toml

@@ -22,7 +22,6 @@ dependencies = [
     "lxml~=5.0",
     "pyyaml~=6.0",
     "jinja2~=3.1",
-    "attrs~=23.2",
     "pypubsub~=4.0",
     "termcolor~=2.4",
     "progressbar2~=4.3",
@@ -31,6 +30,8 @@ dependencies = [
     "zstandard~=0.22",
     "aiohttp~=3.9",
     "lief~=0.14",
+    "pyaxmlparser~=0.3",
+    "prompt-toolkit~=3.0",
 ]
 requires-python = ">=3.9"
 dynamic = ['version', 'description']
@@ -59,6 +60,7 @@ module = [
   "jinja2",
   "pubsub",
   "asn1crypto.*",
+  "pyaxmlparser.*",
 ]
 ignore_missing_imports = true
 

{trueseeing-2.2.2 → trueseeing-2.2.4}/trueseeing/__init__.py

@@ -1,2 +1,2 @@
 """Trueseeing is a non-decompiling Android application vulnerability scanner."""
-__version__ = '2.2.2'
+__version__ = '2.2.4'

{trueseeing-2.2.2 → trueseeing-2.2.4}/trueseeing/api.py

@@ -10,9 +10,12 @@ if TYPE_CHECKING:
   from trueseeing.core.android.context import APKContext
   from trueseeing.core.model.issue import Issue, IssueConfidence
 
+  ModifierEvent = Literal['begin', 'end']
+
   CommandEntrypoint = Callable[[deque[str]], Coroutine[Any, Any, None]]
   CommandlineEntrypoint = Callable[[str], Coroutine[Any, Any, None]]
   CommandPatternEntrypoints = Union[CommandEntrypoint, CommandlineEntrypoint]
+  ModifierListenerEntrypoint = Callable[[ModifierEvent, str], Coroutine[Any, Any, None]]
   SignatureEntrypoint = Callable[[], Coroutine[Any, Any, None]]
   FormatHandlerEntrypoint = Callable[[str], Optional[Context]]
   ConfigGetterEntrypoint = Callable[[], Any]
@@ -34,7 +37,7 @@ if TYPE_CHECKING:
     pass
 
   class ModifierEntry(Entry):
-    pass
+    e: Optional[ModifierListenerEntrypoint]  # type: ignore[misc]
 
   class ConfigEntry(TypedDict):
     g: ConfigGetterEntrypoint

{trueseeing-2.2.2 → trueseeing-2.2.4}/trueseeing/app/cmd/__init__.py

@@ -8,11 +8,10 @@ if TYPE_CHECKING:
 def discover() -> Iterator[Type[Command]]:
   from trueseeing.api import Command
   from importlib import import_module
-  from trueseeing.core.model.cmd import CommandMixin
   from trueseeing.core.tools import get_public_subclasses, get_missing_methods, discover_modules_under
 
   for mod in discover_modules_under('trueseeing.app.cmd'):
     m = import_module(mod)
-    for c in get_public_subclasses(m, Command, [CommandMixin]):  # type:ignore[type-abstract]
+    for c in get_public_subclasses(m, Command, 'CommandMixin'):  # type:ignore[type-abstract]
       assert not get_missing_methods(c)
       yield c

{trueseeing-2.2.2 → trueseeing-2.2.4}/trueseeing/app/cmd/android/asm.py

@@ -47,16 +47,24 @@ class AssembleCommand(CommandMixin):
       ui.fatal('need root path')
 
     import os
+    import re
     import time
     from tempfile import TemporaryDirectory
     from trueseeing.core.android.asm import APKAssembler
     from trueseeing.core.android.tools import move_apk
 
     root = args.popleft()
-    origapk = apk.replace('.apk', '.apk.orig')
+    origapk = re.sub(r'(\.x?apk)$', r'\1.orig', apk)
 
-    if os.path.exists(origapk) and not cmd.endswith('!'):
-      ui.fatal('backup file exists; force (!) to overwrite')
+    stem = re.sub(r'\.x?apk$', '', apk)
+    for typ in ['apk', 'xapk']:
+      print(origapk, f'{stem}.{typ}.orig')
+      if os.path.exists(f'{stem}.{typ}.orig') and not cmd.endswith('!'):
+        ui.fatal('backup file exists; force (!) to overwrite')
+
+    if apk.endswith('.xapk'):
+      ui.warn('assembling xapk is not supported; assembling as merged apk')
+      apk = apk.replace('.xapk', '.apk')
 
     opts = self._helper.get_effective_options(self._helper.get_modifiers(args))
 
@@ -140,7 +148,7 @@ class AssembleCommand(CommandMixin):
     at = time.time()
 
     with TemporaryDirectory() as td:
-      await APKDisassembler.disassemble_to_path(apk, td, nodex=nodex)
+      await APKDisassembler.disassemble_to_path(apk, td, nodex=nodex, merge=apk.endswith('.xapk'))
 
       if not archive:
         with FileTransferProgressReporter('disassemble: writing').scoped() as progress:
@@ -185,7 +193,7 @@ class AssembleCommand(CommandMixin):
 
     at = time.time()
     extracted = 0
-    context = self._helper.get_context().require_type('apk')
+    context = self._helper.get_context()
     q = context.store().query()
 
     if not archive:

trueseeing-2.2.2/trueseeing/app/cmd/android/exploit.py → trueseeing-2.2.4/trueseeing/app/cmd/android/engage.py

@@ -7,45 +7,55 @@ from trueseeing.core.model.cmd import CommandMixin
 from trueseeing.core.ui import ui
 
 if TYPE_CHECKING:
-  from typing import Any, Optional, Dict, Mapping
+  from typing import Any, Optional, Dict, Mapping, List, Iterator, Tuple
   from trueseeing.api import CommandHelper, Command, CommandMap, OptionMap
   from trueseeing.core.android.context import APKContext
+  from trueseeing.core.android.model import XAPKManifest
 
-class ExploitCommand(CommandMixin):
+class EngageCommand(CommandMixin):
   def __init__(self, helper: CommandHelper) -> None:
     self._helper = helper
 
   @staticmethod
   def create(helper: CommandHelper) -> Command:
-    return ExploitCommand(helper)
+    return EngageCommand(helper)
 
   def get_commands(self) -> CommandMap:
     return {
-      'xq':dict(e=self._exploit_discard, n='xq', d='exploit: discard changes'),
-      'xx':dict(e=self._exploit_apply, n='xx[!]', d='exploit: apply and rebuild apk'),
-      'xx!':dict(e=self._exploit_apply),
-      'xf':dict(e=self._exploit_inject_frida, n='xf[!] [config]', d='exploit; inject frida gadget'),
-      'xf!':dict(e=self._exploit_inject_frida),
-      'xfs':dict(e=self._exploit_inject_frida_scriptdir, n='xfs[!] [path]', d='exploit; inject frida gadget in script dir mode'),
-      'xfs!':dict(e=self._exploit_inject_frida_scriptdir),
-      'xu':dict(e=self._exploit_disable_pinning, n='xu', d='exploit: disable SSL/TLS pinning'),
-      'xd':dict(e=self._exploit_enable_debug, n='xd', d='exploit: make debuggable'),
-      'xb':dict(e=self._exploit_enable_backup, n='xb', d='exploit: make backupable'),
-      'xt':dict(e=self._exploit_patch_target_api_level, n='xt[!] <api level>', d='exploit: patch target api level'),
-      'xt!':dict(e=self._exploit_patch_target_api_level),
-      'xp':dict(e=self._exploit_device_list_packages, n='xp', d='device: list installed packages'),
-      'xco':dict(e=self._exploit_device_copyout, n='xco[!] package [data.tar]', d='device: copy-out package data'),
-      'xco!':dict(e=self._exploit_device_copyout),
-      'xci':dict(e=self._exploit_device_copyin, n='xci[!] package [data.tar]', d='device: copy-in package data'),
-      'xci!':dict(e=self._exploit_device_copyin),
+      'xtq':dict(e=self._engage_tamper_discard, n='xtq', d='engage: discard changes'),
+      'xtx':dict(e=self._engage_tamper_apply, n='xtx[!]', d='engage: apply and rebuild apk'),
+      'xtx!':dict(e=self._engage_tamper_apply),
+      'xtf':dict(e=self._engage_tamper_inject_frida, n='xtf[!] [config]', d='engage; inject frida gadget'),
+      'xtf!':dict(e=self._engage_tamper_inject_frida),
+      'xtfs':dict(e=self._engage_tamper_inject_frida_scriptdir, n='xtfs[!] [path]', d='engage; inject frida gadget in script dir mode'),
+      'xtfs!':dict(e=self._engage_tamper_inject_frida_scriptdir),
+      'xtn':dict(e=self._engage_tamper_disable_pinning, n='xtn', d='engage: patch NSC to disable SSL/TLS pinning'),
+      'xtd':dict(e=self._engage_tamper_enable_debug, n='xtd', d='engage: make debuggable'),
+      'xtb':dict(e=self._engage_tamper_enable_backup, n='xtb', d='engage: make backupable'),
+      'xtt':dict(e=self._engage_tamper_patch_target_api_level, n='xtt[!] <api level>', d='engage: patch target api level'),
+      'xtt!':dict(e=self._engage_tamper_patch_target_api_level),
+      'xco':dict(e=self._engage_device_copyout, n='xco[!] package [data.tar]', d='engage: copy-out package data'),
+      'xco!':dict(e=self._engage_device_copyout),
+      'xci':dict(e=self._engage_device_copyin, n='xci[!] package [data.tar]', d='engage: copy-in package data'),
+      'xci!':dict(e=self._engage_device_copyin),
+      'xpd':dict(e=self._engage_deploy_package, n='xpd[!]', d='engage: deploy target package'),
+      'xpd!':dict(e=self._engage_deploy_package),
+      'xpu':dict(e=self._engage_undeploy_package, n='xpu', d='engage: remove target package'),
+      'xz':dict(e=self._engage_fuzz_intent, n='xz[!] "am-cmdline-template" [output.txt]', d='engage: fuzz intent'),
+      'xz!':dict(e=self._engage_fuzz_intent),
+      'xzr':dict(e=self._engage_fuzz_command, n='xzr[!] "cmdline-template" [output.txt]', d='engage: fuzz cmdline'),
+      'xzr!':dict(e=self._engage_fuzz_command),
+      'xg':dict(e=self._engage_grab_package, n='xg[!] package [output.apk]', d='engage: grab package'),
+      'xg!':dict(e=self._engage_grab_package),
     }
 
   def get_options(self) -> OptionMap:
     return {
-      'vers':dict(n='vers=X.Y.Z', d='specify frida-gadget version to use [xf,xfs]')
+      'vers':dict(n='vers=X.Y.Z', d='specify frida-gadget version to use [xf,xfs]'),
+      'w':dict(n='wNAME=FN', d='wordlist, use as {NAME} [xz]'),
     }
 
-  async def _exploit_discard(self, args: deque[str]) -> None:
+  async def _engage_tamper_discard(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     _ = args.popleft()
@@ -63,7 +73,7 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_apply(self, args: deque[str]) -> None:
+  async def _engage_tamper_apply(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     cmd = args.popleft()
@@ -107,7 +117,7 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_disable_pinning(self, args: deque[str]) -> None:
+  async def _engage_tamper_disable_pinning(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     _ = args.popleft()
@@ -157,7 +167,7 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_enable_debug(self, args: deque[str]) -> None:
+  async def _engage_tamper_enable_debug(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     _ = args.popleft()
@@ -179,7 +189,7 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_enable_backup(self, args: deque[str]) -> None:
+  async def _engage_tamper_enable_backup(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     _ = args.popleft()
@@ -203,7 +213,7 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_patch_target_api_level(self, args: deque[str]) -> None:
+  async def _engage_tamper_patch_target_api_level(self, args: deque[str]) -> None:
     apk = self._helper.require_target()
 
     cmd = args.popleft()
@@ -239,7 +249,7 @@ class ExploitCommand(CommandMixin):
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
   # XXX: long and ugly
-  async def _exploit_inject_frida(self, args: deque[str], script_dir_mode: bool = False) -> None:
+  async def _engage_tamper_inject_frida(self, args: deque[str], script_dir_mode: bool = False) -> None:
     configfn: Optional[str] = None
     config_override: Optional[str] = None
     dev_frida_dir: Optional[str] = None
@@ -419,8 +429,8 @@ class ExploitCommand(CommandMixin):
 
     ui.success('done ({t:.02f} sec.)'.format(t=(time.time() - at)))
 
-  async def _exploit_inject_frida_scriptdir(self, args: deque[str]) -> None:
-    await self._exploit_inject_frida(args, script_dir_mode=True)
+  async def _engage_tamper_inject_frida_scriptdir(self, args: deque[str]) -> None:
+    await self._engage_tamper_inject_frida(args, script_dir_mode=True)
 
   def _as_dalvik_classname(self, jn: str) -> str:
     return 'L{};'.format(jn.replace('.', '/'))
@@ -475,24 +485,7 @@ class ExploitCommand(CommandMixin):
       except ClientConnectionError:
         raise InvalidResponseError()
 
-  async def _exploit_device_list_packages(self, args: deque[str]) -> None:
-    _ = args.popleft()
-
-    ui.info('listing packages')
-
-    import time
-    import re
-    from trueseeing.core.android.device import AndroidDevice
-
-    at = time.time()
-    nr = 0
-    for m in re.finditer(r'^package:(.*)', await AndroidDevice().invoke_adb('shell pm list package'), re.MULTILINE):
-      p = m.group(1)
-      ui.info(p)
-      nr += 1
-    ui.success('done, {nr} packages found ({t:.02f} sec.)'.format(nr=nr, t=(time.time() - at)))
-
-  async def _exploit_device_copyout(self, args: deque[str]) -> None:
+  async def _engage_device_copyout(self, args: deque[str]) -> None:
     success: bool = False
 
     cmd = args.popleft()
@@ -585,7 +578,7 @@ class ExploitCommand(CommandMixin):
     else:
       ui.failure('copyout failed')
 
-  async def _exploit_device_copyin(self, args: deque[str]) -> None:
+  async def _engage_device_copyin(self, args: deque[str]) -> None:
     success: bool = False
 
     _ = args.popleft()
@@ -677,6 +670,272 @@ class ExploitCommand(CommandMixin):
     else:
       ui.failure('copyin failed')
 
+  async def _engage_fuzz_command(self, args: deque[str], am: bool = False) -> None:
+    outfn: Optional[str] = None
+
+    cmd = args.popleft()
+
+    if not args:
+      if am:
+        ui.fatal('an "am" command line pattern required; try giving whatever you would to "adb shell am" (e.g. {} "start-activity .." ..)'.format(cmd))
+      else:
+        ui.fatal('command line pattern required; try giving you would to "adb shell"')
+
+    pat = args.popleft()
+    if am:
+      pat = f'am {pat}'
+
+    if args and not args[0].startswith('@'):
+      import os
+      outfn = args.popleft()
+      if os.path.exists(outfn) and not cmd.endswith('!'):
+        ui.fatal('outfile exists; force (!) to overwrite')
+
+    wordlist: Dict[str, List[str]] = dict()
+    for name, fn in self._helper.get_effective_options(self._helper.get_modifiers(args)).items():
+      if name.startswith('w'):
+        name = name[1:]
+        try:
+          with open(fn, 'r') as f:
+            wordlist[name] = [x.rstrip() for x in f]
+        except OSError as e:
+          ui.fatal(f'cannot open wordlist: {e}')
+
+    if not wordlist:
+      ui.fatal('need a wordlist (try @o:wNAME=FN)')
+
+    ui.info('wordlist built: {} words in {} keys ({})'.format(sum([len(v) for v in wordlist.values()]), len(wordlist), ','.join(wordlist.keys())))
+
+    def _expand(pat: str, wordlist: Mapping[str, List[str]]) -> Iterator[Tuple[int, int, str]]:
+      tries = min(len(v) for v in wordlist.values())
+      for nr in range(tries):
+        d = {k:v[nr] for k,v in wordlist.items()}
+        try:
+          yield nr, tries, pat.format(*[], **d)
+        except KeyError as e:
+          ui.fatal(f'unknown wordlist specified: {e}')
+
+    ui.info('starting fuzzing, opening log system-wide{}'.format(' [{}]'.format(outfn) if outfn else ''))
+
+    from trueseeing.core.android.device import AndroidDevice
+
+    dev = AndroidDevice()
+
+    async def _log(outfn: Optional[str]) -> None:
+      import sys
+      nr = 0
+
+      if not outfn:
+        f = sys.stdout.buffer
+      else:
+        f = open(outfn, 'wb')
+
+      try:
+        async for l in dev.invoke_adb_streaming('logcat -T1'):
+          f.write(l)
+          nr += 1
+          if outfn and nr % 256 == 0:
+            ui.info(' ... captured: {}')
+      finally:
+        if outfn:
+          f.close()
+
+    async def _fuzz(pat: str, wordlist: Mapping[str, List[str]]) -> None:
+      from asyncio import sleep
+      from subprocess import CalledProcessError
+      for nr, tries, t in _expand(pat, wordlist):
+        await sleep(.05)
+        prog = dict(nr=nr+1, max=tries, cmd=t)
+        try:
+          await dev.invoke_adb(f'shell {t}')
+          ui.info('[{nr}/{max}] {cmd}'.format(**prog))
+        except CalledProcessError as e:
+          ui.failure('[{nr}/{max}] {cmd}: failed: {code}'.format(code=e.returncode, **prog))
+
+    from asyncio import create_task, wait, FIRST_COMPLETED, ALL_COMPLETED
+    task_log = create_task(_log(outfn))
+    task_fuzz = create_task(_fuzz(pat, wordlist))
+
+    done, pending = await wait([task_log, task_fuzz], return_when=FIRST_COMPLETED)
+    for t in pending:
+      t.cancel()
+    done, _ = await wait([task_log, task_fuzz], return_when=ALL_COMPLETED)
+    for t in done:
+      exc = t.exception()
+      if exc:
+        ui.error('unhandled exception', exc=exc)
+
+  async def _engage_fuzz_intent(self, args: deque[str]) -> None:
+    await self._engage_fuzz_command(args, am=True)
+
+  async def _engage_deploy_package(self, args: deque[str]) -> None:
+    cmd = args.popleft()
+
+    context: APKContext = self._helper.get_context().require_type('apk')
+    apk = context.target
+
+    from time import time
+    from pubsub import pub
+    from trueseeing.core.ui import AndroidInstallProgressReporter
+    from trueseeing.core.android.device import AndroidDevice
+    from subprocess import CalledProcessError
+
+    dev = AndroidDevice()
+    at = time()
+    pkg = context.get_package_name()
+
+    ui.info(f'deploying package: {pkg}')
+
+    if cmd.endswith('!'):
+      try:
+        async for l in dev.invoke_adb_streaming(f'uninstall {pkg}', redir_stderr=True):
+          pub.sendMessage('progress.android.adb.update')
+          if b'success' in l.lower():
+            ui.warn('removing existing package')
+      except CalledProcessError as e:
+        ui.fatal('uninstall failed: {}'.format(e.stdout.decode().rstrip()))
+
+    with AndroidInstallProgressReporter().scoped():
+      pub.sendMessage('progress.android.adb.begin', what='installing ... ')
+      try:
+        async for l in dev.invoke_adb_streaming(f'install --no-streaming {apk}', redir_stderr=True):
+          pub.sendMessage('progress.android.adb.update')
+          if b'failure' in l.lower():
+            ui.stderr('')
+            if not cmd.endswith('!'):
+              ui.fatal('install failed; force (!) to replace ({})'.format(l.decode('UTF-8')))
+            else:
+              ui.fatal('install failed ({})'.format(l.decode('UTF-8')))
+
+        pub.sendMessage('progress.android.adb.done')
+      except CalledProcessError as e:
+        ui.fatal('install failed: {}'.format(e.stdout.decode().rstrip()))
+
+      ui.success('done ({t:.02f} sec){trailer}'.format(t=time() - at, trailer=' '*8))
+
+  async def _engage_undeploy_package(self, args: deque[str]) -> None:
+    _ = args.popleft()
+
+    context: APKContext = self._helper.get_context().require_type('apk')
+
+    from time import time
+    from pubsub import pub
+    from trueseeing.core.android.device import AndroidDevice
+    from subprocess import CalledProcessError
+
+    dev = AndroidDevice()
+    at = time()
+    pkg = context.get_package_name()
+
+    ui.info(f'removing package: {pkg}')
+
+    try:
+      async for l in dev.invoke_adb_streaming(f'uninstall {pkg}', redir_stderr=True):
+        pub.sendMessage('progress.android.adb.update')
+        if b'failure' in l.lower():
+          import re
+          packages = await dev.invoke_adb('shell pm list packages', redir_stderr=True)
+          if not re.match(f'{pkg}$', packages, re.MULTILINE):
+            ui.fatal('package not found')
+          else:
+            ui.fatal('uninstall failed ({})'.format(l.decode()))
+    except CalledProcessError as e:
+      ui.fatal('uninstall failed: {}'.format(e.stdout.decode().rstrip()))
+
+    ui.success('done ({t:.02f} sec)'.format(t=time() - at))
+
+  async def _engage_grab_package(self, args: deque[str]) -> None:
+    cmd = args.popleft()
+
+    import os
+    if not args:
+      ui.fatal('need the package name')
+
+    pkg = args.popleft()
+
+    if args:
+      outfn = args.popleft()
+    else:
+      outfn = f'{pkg}.apk'
+
+    if os.path.exists(outfn):
+      if not cmd.endswith('!'):
+        ui.fatal('output file exists; force (!) to overwrite')
+      else:
+        os.remove(outfn)
+
+    import re
+    from time import time
+    from tempfile import TemporaryDirectory
+    from pubsub import pub
+    from trueseeing.core.android.device import AndroidDevice
+
+    dev = AndroidDevice()
+    at = time()
+    outfn = os.path.realpath(outfn)
+
+    ui.info(f'grabbing package: {pkg} -> {outfn}')
+
+    basepath: Optional[bytes] = None
+    splits: List[bytes] = []
+
+    async for l in dev.invoke_adb_streaming(f'shell pm dump {pkg}', redir_stderr=True):
+      pub.sendMessage('progress.android.adb.update')
+      if f'unable to find package: {pkg}'.encode() in l.lower():
+        ui.fatal(f'package not found: {pkg}')
+
+      m = re.search(rb'codePath=(/.+)', l)
+      if m:
+        basepath = m.group(1)
+      m = re.search(rb'splits=\[(.+)\]', l)
+      if m:
+        splits = re.split(rb', *', m.group(1))
+
+    assert basepath
+    assert splits
+
+    with TemporaryDirectory() as td:
+      from os import chdir, getcwd
+      from shlex import quote
+      from zipfile import ZipFile, ZIP_STORED
+      cd = getcwd()
+      try:
+        chdir(td)
+        slicemap = dict()
+        if len(splits) == 1:
+          if outfn.endswith('.xapk'):
+            ui.warn('target has only one slice; using apk format')
+            outfn = outfn.replace('.xapk', '.apk')
+          ui.info('getting {nr} slice'.format(nr=len(splits)))
+          await dev.invoke_adb('pull {path}/base.apk {outfn}'.format(path=quote(basepath.decode()), outfn=outfn))
+        else:
+          if outfn.endswith('.apk'):
+            ui.warn('target has multiple slices; using xapk format')
+            outfn = outfn.replace('.apk', '.xapk')
+          ui.info('getting {nr} slices'.format(nr=len(splits)))
+          for s in splits:
+            slice = s.decode()
+            if slice == 'base':
+              fn = f'{pkg}.apk'
+            else:
+              fn = f'{slice}.apk'
+            await dev.invoke_adb('pull {path}/{typ}{slice}.apk {fn}'.format(
+              path=quote(basepath.decode()),
+              typ='' if slice == 'base' else 'split_',
+              slice=slice,
+              fn=fn,
+            ))
+            slicemap[slice] = fn
+          XAPKManifestGenerator(slicemap).generate()
+          with ZipFile(outfn, 'w', ZIP_STORED) as zf:
+            from glob import glob
+            for n in glob('*'):
+              with open(n, 'rb') as g:
+                zf.writestr(n, g.read())
+      finally:
+        chdir(cd)
+    ui.success('done ({t:.02f} sec)'.format(t=time() - at))
+
   def _generate_tempfilename_for_device(self, dir: Optional[str] = None) -> str:
     import random
     return (f'{dir}/' if dir is not None else '/data/local/tmp/') + ''.join(random.choices('abcdefghijklmnopqrstuvwxyz0123456789', k=16))
@@ -692,3 +951,50 @@ class ExploitCommand(CommandMixin):
 
 class InvalidResponseError(Exception):
   pass
+
+class XAPKManifestGenerator:
+  def __init__(self, slicemap: Dict[str, str]) -> None:
+    self._slicemap = slicemap
+
+  def generate(self) -> None:
+    from os import stat
+    from pyaxmlparser import APK
+    manif: XAPKManifest = dict(
+      xapk_version='2',
+      total_size=0,
+      locales_name=dict(),
+      split_apks=[],
+    )
+
+    for slice, fn in self._slicemap.items():
+      conf = slice.split('.')[-1]
+      manif['total_size'] += stat(fn).st_size
+      manif['split_apks'].append(dict(id=slice, file=fn))
+      if slice == 'base':
+        apk = APK(fn)
+        manif.update(dict(
+          name=apk.get_app_name(),
+          icon='icon.png',
+          package_name=apk.get_package(),
+          version_code=apk.version_code,
+          version_name=apk.version_name,
+          min_sdk_version=apk.get_min_sdk_version(),
+          target_sdk_version=apk.get_target_sdk_version(),
+          permissions=apk.get_permissions(),
+        ))
+        with open('icon.png', 'wb') as f:
+          f.write(apk.icon_data)
+      elif len(conf) == 2:
+        apk = APK(fn)
+        country_code = conf
+        manif['locales_name'].update({
+          country_code:apk.get_app_name(),
+        })
+      if manif['locales_name']:
+        ln: Dict[str, str] = manif['locales_name']
+        for k in ln.keys():
+          if not ln[k]:
+            ln[k] = manif['name']
+    with open('manifest.json', 'w') as g:
+      from json import dumps
+      g.write(dumps(manif, separators=(',', ':')))