androguard's People

Contributors

cryptax, jlarimer, lircyn, zombiecraig

androguard's Issues

dvm modify get_string

modify get_string method to return string matching a specific criteria (e.g. a 
substring)


Original issue reported on code.google.com by [email protected] on 12 Jan 2012 at 2:46

androguard fails to load jar files

What steps will reproduce the problem?
a = androguard.AndroGuardS("attached jar file")
a.show
What is the expected output? What do you see instead?
should print information about the jar file, instead it dies accessing outside 
of a list - this actually helps with all jar files (classes) that I tried to 
load, except very simple ones.

Traceback (most recent call last):
  File "./bla.py", line 13, in <module>
    a = androguard.AndroguardS(sys.argv[1])
  File "/home/spjsschl/androguard/androguard.py", line 448, in __init__
    self.__orig_a = Androguard( [ filename ], raw )
  File "/home/spjsschl/androguard/androguard.py", line 240, in __init__
    self._analyze()
  File "/home/spjsschl/androguard/androguard.py", line 275, in _analyze
    self.__bc.append( (j[0], BC( jvm.JVMFormat(j[1]) ) ) )
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 2893, in __init__
    self._load_class()
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 2964, in _load_class
    mi = MethodInfo( self.__CM, self )
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 789, in __init__
    ai = AttributeInfo( self.__CM, buff )
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 2527, in __init__
    self._info = ATTRIBUTE_INFO_DESCR[ self.__name ](self.__CM, buff)
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 1545, in __init__
    self.__code = JavaCode( class_manager, buff.read( self.low_struct.get_value().code_length ) )
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 1202, in __init__
    r_function, v_function, r_buff, r_format, f_function = EXTRACT_INFORMATION_SIMPLE( op_value )
  File "/home/spjsschl/androguard//core/bytecodes/jvm.py", line 427, in EXTRACT_INFORMATION_SIMPLE
    r_function = JAVA_OPCODES[ op_value ][2]
IndexError: list index out of range

What version of the product are you using? On what operating system?
I am using the current mercurial version on ubuntu oneiric.


Original issue reported on code.google.com by [email protected] on 22 Nov 2011 at 12:40

make error on OSX 10.7.3

What steps will reproduce the problem?
1. Grab source from mercurial, or 0.9 or 1.0RC1
2. Edit *.h files to point to correct location of hash_map

#ifdef __APPLE__
#include <ext/hash_map>
#else
#include <ext/hash_map>

3. Install all prerequisites

4. type 'make'

What is the expected output? What do you see instead?

Expected output: all sources should be compiled

What I get:

Undefined symbols for architecture x86_64:
  "_PyType_GenericNew", referenced from:
      _initdvmnative in dvm.o
  "_PyType_Ready", referenced from:
      _initdvmnative in dvm.o
  "_Py_InitModule4_64", referenced from:
      _initdvmnative in dvm.o
  "_PyModule_AddObject", referenced from:
      _initdvmnative in dvm.o
  "_Py_BuildValue", referenced from:
      DCode_get_nb_bytecodes(dvm_DCodeObject*, _object*)      in dvm.o
      DBC_get_opvalue(dvm_DBCObject*, _object*)     in dvm.o
      DBC_get_length(dvm_DBCObject*, _object*)     in dvm.o
      DBC_get_type_ins(dvm_DBCObject*, _object*)     in dvm.o
      DBCSpe_get_opvalue(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_length(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_type_ins(dvm_DBCSpeObject*, _object*)     in dvm.o
      ...
  "_PyList_New", referenced from:
      DCode_get_bytecodes(dvm_DCodeObject*, _object*)      in dvm.o
      DCode_get_bytecodes_spe(dvm_DCodeObject*, _object*)      in dvm.o
      DBC_get_operands(dvm_DBCObject*, _object*)     in dvm.o
      DBCSpe_get_operands(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_targets(dvm_DBCSpeObject*, _object*)     in dvm.o
  "_PyList_Append", referenced from:
      DCode_get_bytecodes(dvm_DCodeObject*, _object*)      in dvm.o
      DCode_get_bytecodes_spe(dvm_DCodeObject*, _object*)      in dvm.o
      DBC_get_operands(dvm_DBCObject*, _object*)     in dvm.o
      DBCSpe_get_operands(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_targets(dvm_DBCSpeObject*, _object*)     in dvm.o
  "_PyArg_ParseTuple", referenced from:
      DCode_init(dvm_DCodeObject*, _object*, _object*)in dvm.o
  "_PyString_FromString", referenced from:
      DBC_get_name(dvm_DBCObject*, _object*)     in dvm.o
      DBC_get_operands(dvm_DBCObject*, _object*)     in dvm.o
      DBCSpe_get_name(dvm_DBCSpeObject*, _object*)     in dvm.o
  "_PyInt_FromLong", referenced from:
      DBC_get_operands(dvm_DBCObject*, _object*)     in dvm.o
      DBCSpe_get_operands(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_targets(dvm_DBCSpeObject*, _object*)     in dvm.o
  "_PyString_FromStringAndSize", referenced from:
      DBCSpe_get_operands(dvm_DBCSpeObject*, _object*)     in dvm.o
  "__Py_NoneStruct", referenced from:
      DBCSpe_get_operands(dvm_DBCSpeObject*, _object*)     in dvm.o
      DBCSpe_get_targets(dvm_DBCSpeObject*, _object*)     in dvm.o
ld: symbol(s) not found for architecture x86_64
collect2: ld returned 1 exit status
make: *** [LIBDVM] Error 1

What version of the product are you using? On what operating system?

Androguard from mercurial, 0.9 or 1.0RC1
OSX 10.7.2
Python 2.7.1 (standard Python package that was shipped with OSX)

Please provide any additional information below.

g++ was installed from Command Line Tools for Xcode:

Using built-in specs.
Target: i686-apple-darwin11
Configured with: /private/var/tmp/llvmgcc42/llvmgcc42-2336.9~22/src/configure 
--disable-checking --enable-werror 
--prefix=/Applications/Xcode.app/Contents/Developer/usr/llvm-gcc-4.2 
--mandir=/share/man --enable-languages=c,objc,c++,obj-c++ 
--program-prefix=llvm- --program-transform-name=/^[cg][^.-]*$/s/$/-4.2/ 
--with-slibdir=/usr/lib --build=i686-apple-darwin11 
--enable-llvm=/private/var/tmp/llvmgcc42/llvmgcc42-2336.9~22/dst-llvmCore/Developer/usr/local 
--program-prefix=i686-apple-darwin11- 
--host=x86_64-apple-darwin11 --target=i686-apple-darwin11 
--with-gxx-include-dir=/usr/include/c++/4.2.1
Thread model: posix
gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00)

Original issue reported on code.google.com by [email protected] on 6 Mar 2012 at 6:18

Extending Androguard

Hi guys,

Thank you for this awesome tool. I'm planning to extend Androguard to support 
the following:

Modify byte codes (add, remove, ...) , 
Modify fields , 
Modify methods, 
Add/Remove field 
and Add/Remove method. 

I'm wondering if you could provide me with some details / documentation links, 
that would help me to understand the code.

Thanks,



Original issue reported on code.google.com by [email protected] on 17 May 2012 at 9:35

Folder xz doesn't exist

When I try to execute the makefile, the xz folder doesn't exist

The output is:
androguard$ make
 CC z.o
 CC bz2.o
 CC smaz.o
cd: 1: can't cd to xz
make[1]: *** [ZIP] Error 2
make: *** [LIBS] Error 2

Using androguard hg version changeset: 223:00989b5fe3ac
over Linux debian 2.6.32-5-686 #1 SMP i686 GNU/Linux

Original issue reported on code.google.com by [email protected] on 9 Sep 2011 at 4:30

Running more apk analysis

Running apk analysis while iterating over apks from a directory doesn't work 
properly.
After some iterations, the script freezes and doesn't go on....
If I restart the script, it begins from the file on which the analysis was 
blocked! So I think it's not a problem related to the file, but to the sw.
Below is the source code extracted from my script:
def analyze(infile) :
    score = 0
    permissions = {}
    data = []
    risk_detailed = {}
    if androconf.is_android(infile) == "APK" :
        try:   
            allstrings, score, risk_detailed, list_details_permissions = AnalyzeAPK(infile)
            if (str(list_details_permissions).find('_SMS') != -1 or 
                str(list_details_permissions).find('CALL') != -1) :
                for cur in allstrings :
                    if re.search('^\d{4,20}$', cur) :
                        data.append(cur)
            if str(list_details_permissions).find('INTERNET') != -1 :
                for cur in allstrings :
                    if re.search('^http://', cur) :
                        data.append(cur)
            for i in list_details_permissions :
                permission = i
                if permission.find(".") != -1 :
                    permission = permission.split(".")[-1]
                    risk_type = GENERAL_PERMISSIONS_RISK[ list_details_permissions[ i ][0]]
                    permissions[permission] = RISK_VALUES [ risk_type ]
        except Exception, e:
            print "Exception reason " + str(e)
    return score, permissions, data, risk_detailed
........ other function containing the iterations .......
        for row in rows :
            try:
                filename = row[0]
                filename = download_path + "/" + filename
                appid = row[1]
                flag = 1
                print 'analyze: ', filename, '\n'
                total_risk, permissions, data, risk_detailed=analyze(filename)




Original issue reported on code.google.com by [email protected] on 2 Dec 2011 at 4:43

Unable to create gexf file on ubuntu 10.04 with full requirements

..../androguard-0.9$ ./androgexf.py -i '.../xxx.apk' -o ./xxx.gexf
/usr/lib/pymodules/python2.6/matplotlib/numerix/__init__.py:18: 
DeprecationWarning: 
**********************************************************
matplotlib.numerix and all its subpackages are deprecated.
They will be removed soon.  Please use numpy instead.
**********************************************************

  warnings.warn(msg, DeprecationWarning)
/usr/lib/pymodules/python2.6/networkx/generators/hybrid.py:16: 
DeprecationWarning: the sets module is deprecated
  import sets
Traceback (most recent call last):
  File "./androgexf.py", line 71, in <module>
    main(options, arguments)    
  File "./androgexf.py", line 57, in main
    gvmx = ganalysis.GVMAnalysis( vmx, a )
  File ".//core/analysis/ganalysis.py", line 69, in __init__
    self.vm = self.vmx.get_vm()
AttributeError: VMAnalysis instance has no attribute 'get_vm'

Original issue reported on code.google.com by [email protected] on 28 Oct 2011 at 6:41

androsign is not working probably

What steps will reproduce the problem?
1. use androsign as written in the wiki:
./androsign.py -i ../test.apk -b signatures/dbandroguard -c signatures/dbconfig 
-v

What do you see instead?

signatures/dbandroguard signatures/dbconfig True
DIST = e
METHOD = m
ADD WEIGHT 0 -> 2.000000
ADD WEIGHT 1 -> 1.200000
ADD WEIGHT 2 -> 0.500000
ADD WEIGHT 3 -> 0.100000
ADD WEIGHT 4 -> 0.600000
SIM METHOD = 0
THRESHOLD LOW = 0.300000
THRESHOLD HIGH = 0.400000
CREATE SUB SIGN 4402
terminate called after throwing an instance of 'mu::ParserError'
[1]    3054 abort (core dumped)  ./androsign.py -i ../test.apk -b 
signatures/dbandroguard -c  -v



What version of the product are you using? On what operating system?
 * Ubuntu 11.10
 * make was run to build the libs http://pastebin.com/LQmqjvDz
 * last hg version

Original issue reported on code.google.com by [email protected] on 3 Apr 2012 at 8:57

Some lzma files don't exist

In the androguard/classification/libsimilarity/lzma folder there is only the lzma.c 
file, but the Makefile looks for:
SRC     =       Alloc.c LzFind.c LzmaDec.c LzmaEnc.c LzmaLib.c lzma.c

Steps to reproduce:
androguard$ make
make[2]: *** No rule to make target `Alloc.o', needed by `all'.  Stop.
make[1]: *** [ZIP] Error 2
make: *** [LIBS] Error 2

Using androguard hg version changeset: 224:d2a33d41ebbf
over Linux debian 2.6.32-5-686 #1 SMP i686 GNU/Linux

Original issue reported on code.google.com by [email protected] on 10 Sep 2011 at 2:59

bug in dvm.py [line 2364]

What steps will reproduce the problem?
1. One sample whose dex file header's data link section had a non-zero value
2. Use androguard to scan this sample
3. It raised an exception (details below)

What is the expected output? What do you see instead?
I traced the exception. I found that "current_pos" was equal to the length of 
"insn", so "insn[current_pos:current_pos+2]" would return an empty list. 
Then the "unpack" method raised an exception.

What version of the product are you using? On what operating system?
CentOS 5.6 i386

Please provide any additional information below.

Traceback (most recent call last):
  File "./DiffScan/scanner.py", line 128, in <module>
    print ds.scan(sys.argv[2])+"\r\n"
  File "./DiffScan/scanner.py", line 65, in scan
    ag = androguard.AndroguardS(sFileName)
  File "./Androguard/androguard.py", line 447, in __init__
    self.__orig_a = Androguard( [ filename ], raw )
  File "./Androguard/androguard.py", line 239, in __init__
    self._analyze()
  File "./Androguard/androguard.py", line 258, in _analyze
    bc = dvm.DalvikVMFormat( self.__orig_raw[ i ] )
  File "./Androguard/core/bytecodes/dvm.py", line 3093, in __init__
    self.map_list = MapList( self.CM, self.__header.get_value().map_off, self )
  File "./Androguard/core/bytecodes/dvm.py", line 3051, in __init__
    mi = MapItem( buff, self.CM )
  File "./Androguard/core/bytecodes/dvm.py", line 2788, in __init__
    self.item = CodeItem( general_format.size, buff, cm )
  File "./Androguard/core/bytecodes/dvm.py", line 2745, in __init__
    x = DalvikCode( buff, cm )
  File "./Androguard/core/bytecodes/dvm.py", line 2662, in __init__
    self._code = DCode( self.__CM, self.insns_size.get_value(), buff.read( self.insns_size.get_value() * ushort ) )
  File "./Androguard/core/bytecodes/dvm.py", line 2546, in __init__
    operands, special = self._analyze_mnemonic( op_value, DALVIK_OPCODES[ op_value ])
  File "./Androguard/core/bytecodes/dvm.py", line 2571, in _analyze_mnemonic
    r = self._extract_values(i)
  File "./Androguard/core/bytecodes/dvm.py", line 2562, in _extract_values
    return MAP_EXTRACT_VALUES[i]( self.__insn, self.__current_pos )
  File "./Androguard/core/bytecodes/dvm.py", line 2336, in op_AA_OP
    i16 = unpack("=H", insn[current_pos:current_pos+2])[0]
struct.error: unpack requires a string argument of length 2
p
[ÑíJ
20
18
p
[ÑíJ
20
20

Original issue reported on code.google.com by [email protected] on 21 Dec 2011 at 7:58
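
Both this report and the earlier jar-loading report end in an unchecked read while decoding untrusted bytecode: a slice past the end of `insn` here, an opcode table index out of range there. The sketch below is an added example, not androguard's code; it uses a small constructed subset of Dalvik opcodes and hypothetical names (`MalformedBytecode`, `decode`, `decode_methods`) to show both checks and how one malformed method can be contained.

```python
import struct


class MalformedBytecode(ValueError):
    """One typed error for every decoding failure, so callers can contain it."""


# opcode -> (mnemonic, length in 16-bit code units, struct format of the operand)
# Constructed subset of the Dalvik instruction set, not androguard's own table.
OPCODES = {
    0x00: ("nop", 1, None),
    0x0E: ("return-void", 1, None),
    0x13: ("const/16", 2, "<h"),      # vAA, #+BBBB
    0x14: ("const", 3, "<i"),         # vAA, #+BBBBBBBB
    0x1A: ("const-string", 2, "<H"),  # vAA, string@BBBB
}


def decode(insns):
    """Decode instruction bytes, validating length and opcode before each read."""
    if len(insns) % 2:
        raise MalformedBytecode("stream is not a whole number of 16-bit code units")
    decoded, pos = [], 0
    while pos < len(insns):
        # Safe: pos is even and len(insns) is even, so pos + 1 is in range.
        op, reg = insns[pos], insns[pos + 1]
        entry = OPCODES.get(op)  # table lookup that cannot raise IndexError
        if entry is None:
            raise MalformedBytecode("unknown opcode 0x%02x at offset %d" % (op, pos))
        name, units, fmt = entry
        end = pos + 2 * units
        if end > len(insns):
            # The failing case from the report: the operand would start at or
            # past the end of the buffer, so unpack would get a short slice.
            raise MalformedBytecode(
                "%s at offset %d needs %d bytes, %d left"
                % (name, pos, 2 * units, len(insns) - pos)
            )
        operand = struct.unpack_from(fmt, insns, pos + 2)[0] if fmt else None
        decoded.append((pos, name, reg, operand))
        pos = end
    return decoded


def decode_methods(methods):
    """Decode each method on its own; a malformed one is recorded, not fatal."""
    ok, failed = {}, {}
    for name, insns in methods.items():
        try:
            ok[name] = decode(insns)
        except MalformedBytecode as exc:
            failed[name] = str(exc)
    return ok, failed


# Constructed sample input: one valid method and two malformed ones.
SAMPLE_METHODS = {
    "good": bytes([0x13, 0x00, 0x2A, 0x00, 0x1A, 0x01, 0x05, 0x01, 0x0E, 0x00]),
    "truncated": bytes([0x0E, 0x00, 0x13, 0x00]),  # const/16 missing its operand
    "unknown_opcode": bytes([0xFF, 0x00]),         # not in the table above
}

if __name__ == "__main__":
    ok, failed = decode_methods(SAMPLE_METHODS)
    for name, instructions in ok.items():
        print(name, instructions)
    for name, reason in failed.items():
        print(name, "rejected:", reason)
```
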

ImportError: No module named ipapi

What steps will reproduce the problem?
1. Download either androguard from source, 1.0RC1 or 0.9
2. Install all prerequisites
3. Run ./androlyze -s

What is the expected output? What do you see instead?

Expected output: IPython shell. 
What I get: 

Traceback (most recent call last):
  File "./androlyze.py", line 29, in <module>
    import IPython.ipapi
ImportError: No module named ipapi

What version of the product are you using? On what operating system?

IPython 0.12. Androguard from source, 1.0RC1 and 0.9. Ubuntu 11.10

Please provide any additional information below.

ipapi is deprecated in IPython 0.12 which is the latest stable version.

http://ipython.org/ipython-doc/stable/api/generated/IPython.core.ipapi.html

The following fix seems to work:

from IPython.frontend.terminal.embed import InteractiveShellEmbed
from IPython.config.loader import Config

cfg = Config()
ipshell = InteractiveShellEmbed(config=cfg, banner1="Androlyze version %s" % 
androconf.ANDROGUARD_VERSION)
ipshell()

Original issue reported on code.google.com by [email protected] on 6 Mar 2012 at 4:48

testing the demos from ARE

What steps will reproduce the problem?
run 
./dalvikvm_format_1.py 

What is the expected output? What do you see instead?
Traceback (most recent call last):
  File "./dalvikvm_format_1.py", line 7, in <module>
    from androguard.core.bytecodes import dvm
ImportError: No module named androguard.core.bytecodes

What version of the product are you using? On what operating system?

ARE from virtualbox

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 28 Mar 2012 at 8:57

still have a problem with get_raw in dvm

What steps will reproduce the problem?
1. Run dalvikvm_format_2.py with the sample facebook apk file
2. get_raw() raised an exception 


What is the expected output? What do you see instead?
Traceback (most recent call last):
  File "./demos/dalvikvm_format_2.py", line 46, in <module>
    fd.write( j.save() )
  File ".//core/bytecodes/dvm.py", line 3513, in save
    return self._get_raw()
  File ".//core/bytecodes/dvm.py", line 3541, in _get_raw
    l = self.map_list.get_raw()
  File ".//core/bytecodes/dvm.py", line 3449, in get_raw
    [ x.get_raw() for x in self.map_item ]
  File ".//core/bytecodes/dvm.py", line 3193, in get_raw
    return [ bytecode.Buff( self.__offset.off, self.format.get_value_buff() ) ] + [ i.get_raw() for i in self.item ]
  File ".//core/bytecodes/dvm.py", line 1369, in get_raw
    return [ bytecode.Buff(self.__offset.off, self.visibility.get_value_buff()) ] + self.annotation.get_raw()
  File ".//core/bytecodes/dvm.py", line 1338, in get_raw
    [ i.get_raw() for i in self.elements ]
  File ".//core/bytecodes/dvm.py", line 1310, in get_raw
    return [ bytecode.Buff(self.__offset.off, writeuleb128(self.name_idx) + self.value.get_raw()) ]
  File ".//core/bytecodes/dvm.py", line 1290, in get_raw
    return self.val.get_value_buff() + object_to_str( self.value )
TypeError: cannot concatenate 'str' and 'list' objects


What version of the product are you using? On what operating system?
Ubuntu 11.04

Please provide any additional information below.
I looked into the error. It seemed that in EncodedValue, when the type is 
EncodedAnnotation, get_raw() returned a list instead of a string; therefore 
'return self.val.get_value_buff() + object_to_str( self.value )' threw a 
TypeError exception. 

Original issue reported on code.google.com by [email protected] on 20 Feb 2012 at 8:26

Problem in androlyze.py ~" undefined symbol: vcblocksortCompress "

What steps will reproduce the problem?
1. Complete the "make" step, I try to execute "python androlyze.py" in ARE.
2. I try to install androguard-1.0-rc1
3.

What is the expected output? What do you see instead?
Expected output is to enter IPython. 
I see the following message:

Traceback (most recent call last):
   File "androlyze.py", line 33, in <module>
      from msign import *
   File ".//core/analysis/msign.py", line 25, in <module>
      import libsign
ImportError: .//core/analysis/libsign/libsign.so: undefined symbol: 
vcblocksortCompress

What version of the product are you using? On what operating system?
androguard-1.0-rc1

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 29 Mar 2012 at 3:56

I have used your main tool to analyze an application using "androlyze.py" and I have found a lot of dependencies and also resolved all of them, but at the end I found the error mentioned in the description.

What steps will reproduce the problem?
1.androguard# ./androlyze.py -s
2.
3.

What is the expected output? What do you see instead?

Expected :Androlyze version 1.0

In [1]:
Instead:
 warnings.warn(msg, DeprecationWarning)
/usr/lib/pymodules/python2.6/networkx/generators/hybrid.py:16: 
DeprecationWarning: the sets module is deprecated
  import sets
WARNING: cannot import to_c_helper, skipping
Traceback (most recent call last):
  File "./androlyze.py", line 41, in <module>
    from IPython.frontend.terminal.embed import InteractiveShellEmbed
ImportError: No module named terminal.embed

What version of the product are you using? On what operating system?
I don't know, because I downloaded it with "hg clone 
https://androguard.googlecode.com/hg/ androguard" 

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 26 Apr 2012 at 1:03

problem of get_raw in dvm

What steps will reproduce the problem?
1. When I run ./demos/dalvikvm_format_2.py, it throws errors.


What is the expected output? What do you see instead?
The expected output should encode the decoded dex file correctly. But I saw:
Traceback (most recent call last):
  File "./demos/dalvikvm_format_2.py", line 25, in <module>
    fd.write( j.save() )
  File ".//core/bytecodes/dvm.py", line 3183, in save
    return self._get_raw()
  File ".//core/bytecodes/dvm.py", line 3211, in _get_raw
    l = self.map_list.get_raw()
  File ".//core/bytecodes/dvm.py", line 3150, in get_raw
    [ x.get_raw() for x in self.map_item ]
  File ".//core/bytecodes/dvm.py", line 2959, in get_raw
    return [ bytecode.Buff( self.__offset.off, self.format.get_value_buff() ) ] + [ i.get_raw() for i in self.item ]
  File ".//core/bytecodes/dvm.py", line 1333, in get_raw
    return [ bytecode.Buff(self.__offset.off, self.visibility.get_value_buff()) ] + self.annotation.get_raw()
  File ".//core/bytecodes/dvm.py", line 1312, in get_raw
    [ i.get_raw() for i in self.elements ]
  File ".//core/bytecodes/dvm.py", line 1287, in get_raw
    return [ bytecode.Buff(self.__offset.off, writeuleb128(self.name_idx) + self.value.get_raw()) ]
  File ".//core/bytecodes/dvm.py", line 1269, in get_raw
    return self.val.get_value_buff() + self.value.get_raw()

What version of the product are you using? On what operating system?
I am using androguard 0.9. on Ubuntu 11.04

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 3 Feb 2012 at 9:23

Permissions taken into consideration for risk score computation

What steps will reproduce the problem?
1. _a = AndroguardS(inputfile.apk)
   perm_set_1 = _a.get_analysis().get_permissions([]) 
2. a = apk.APK(inputfile.apk, raw)
   perm_set_2 = a.get_details_permissions()

perm_set_1 != perm_set_2 !

From my experience with malware apks, the first set is the one that is 
effectively used by the code, or am I wrong? 

But the risk module takes into consideration the 2nd set while computing the 
risk score (or am I wrong again?)


I'm using:

androrisk.py --version
Androrisk version 1.0

on Linux version 3.3.5-2.fc16.i686.PAE ([email protected])


Of course Anthony, I realize that this might be the behaviour that you desire 
for androguard, I just wanted to be sure that you're aware... :)

Best Regards,
Madalina

Original issue reported on code.google.com by [email protected] on 4 Jun 2012 at 9:48

building sign.cc: cannot convert ‘unsigned int*’ to ‘size_t*

When executing "make" on the latest version from the repository under Ubuntu 
11.10 64bit I get the following errors:

sign.cc: In member function ‘float Msign::sign_ncd(std::string, std::string, 
int)’:
sign.cc:681:25: error: cannot convert ‘unsigned int*’ to ‘size_t* {aka 
long unsigned int*}’ in assignment
sign.cc:682:24: error: cannot convert ‘unsigned int*’ to ‘size_t* {aka 
long unsigned int*}’ in assignment

Original issue reported on code.google.com by [email protected] on 7 Feb 2012 at 6:25

get_fields() does not work

Thanks for taking care of my previous issue so quickly. Unfortunately the next 
two steps I tried also produce unexpected errors:

What steps will reproduce the problem?
Run
a = androguard.AndroguardS("attached jar file")

for i in a.get_fields() :
    print i.get_access(), i.get_name(), i.get_descriptor()

What is the expected output? What do you see instead?

Traceback (most recent call last):
  File "./bla.py", line 19, in <module>
    for i in a.get_fields() :
  File "/home/spjsschl/androguard/androguard.py", line 474, in __getattr__
    return getattr(self.__a, value)
AttributeError: 'NoneType' object has no attribute 'get_fields'

What version of the product are you using? On what operating system?
Current mercury androguard on ubuntu oneiric

Johannes

Original issue reported on code.google.com by [email protected] on 29 Nov 2011 at 11:55

The problem of usage

Hi,

I have just begun to use androguard, but have found a usage problem. If I input a 
command like "./androlyze.py -i ~/Downloads/Mms.apk -m . -p" in the androguard 
directory, it always gives an error like 
"Traceback (most recent call last):
  File "./androlyze.py", line 34, in <module>
    from decompiler import *
  File ".//decompiler/decompiler.py", line 23, in <module>
    from pygments.filter import Filter
ImportError: No module named pygments.filter".

But "./demos/dalvikvm_format_1.py" is OK, so I don't know the reason. I use 
androguard in the ARE Virtual Machine and always update androguard.

Really appreciate your help.

Thank you!

Original issue reported on code.google.com by [email protected] on 10 Feb 2012 at 8:41

Problem in androsign.py for android malware detection

What steps will reproduce the problem?
1. In detection part, that is, "androsign.py"
2.
3.

What is the expected output? What do you see instead?
Expected output is the result of malware detection.
Instead, I saw following message,

./androsign.py -i Malware/  -b signatures/dbandroguard -c signatures/dbconfig

signatures/dbandroguard signatures/dbconfig True

terminate called after throwing an instance of 'mu::ParserError'
Aborted


What version of the product are you using? On what operating system?
1.0 Ubuntu 11.4

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 31 Mar 2012 at 8:42

class DecompilerDed create tmp id not exists

In decompiler.py check if /tmp/ dir exists; if not then create it:

class DecompilerDed  :
    def __init__(self, vm, path_dex2jar = "./decompiler/dex2jar/", bin_dex2jar = "dex2jar.sh", path_jad="./decompiler/jad/", bin_jad="jad") :
        self.classes = {}
        self.classes_failed = []

        pathtmp = os.getcwd() + "/tmp/"
        if not os.path.exists(pathtmp):  # added check
            os.makedirs(pathtmp)         # added directory creation




Original issue reported on code.google.com by [email protected] on 19 Apr 2012 at 3:12

Androdd fails to produce png

I try to generate a png for an APK:
$ ./androdd.py -i com.ppxiu.apk -o ppxiu.png -d -f png

The output is:
"getSmilType-BB@0x5e" [color="lightgray", label="5e new-instance v2 , [type@ 
344 Ljava/lang/StringBuilder;]\l62 const-string v3 , [string@ 261 '<img 
src="']\l66 invoke-direct v2 , v3 , [meth@ 2711 Ljava/lang/StringBuilder; 
(Ljava/lang/String;) V <init>]\l6c iget-object v3 , v4 , [field@ 105 
LDaemon/Service/MmsSender; Ljava/lang/String; Annex_name]\l70 invoke-virtual v2 
, v3 , [meth@ 2715 Ljava/lang/StringBuilder; (Ljava/lang/String;) 
Ljava/lang/StringBuilder; append]\l76 move-result-object v2\l78 const-string v3 
, [string@ 39 '" region="Image"/>']\l7c invoke-virtual v2 , v3 , [meth@ 2715 
Ljava/lang/StringBuilder; (Ljava/lang/String;) Ljava/lang/StringBuilder; 
append]\l82 move-result-object v2\l84 invoke-virtual v2 , [meth@ 2717 
Ljava/lang/StringBuilder; () Ljava/lang/String; toString]\l8a 
move-result-object v1\l"]
                      ^
Expected "}" (at char 2213), (line:20, col:23)
Traceback (most recent call last):
  File "./androdd.py", line 111, in <module>
    main(options, arguments)
  File "./androdd.py", line 97, in main
    export_apps_to_format( a, options.output, options.dot, options.format )
  File "./androdd.py", line 88, in export_apps_to_format
    method2format( filename + "." + _format, _format, raw = buff )
  File "/home/axelle/softs/androguard/core/bytecode.py", line 282, in method2format
    getattr(d, "write_" + _format)( output )
AttributeError: 'NoneType' object has no attribute 'write_png'


I use AndroGuard version from the repository (June 14th) on Debian.

Original issue reported on code.google.com by [email protected] on 14 Jun 2011 at 2:18

Ambiguous core/misc.py file

There are several "misc.py" instances in a default Python installation on 
Ubuntu 10.04

$ locate misc.py
(...)/androguard/core/misc.py
/usr/lib/python2.5/compiler/misc.py
/usr/lib/python2.6/compiler/misc.py
/usr/lib/python2.6/dist-packages/numpy/oldnumeric/misc.py
/usr/lib/python2.6/dist-packages/usbcreator/misc.py
/usr/share/pyshared/numpy/oldnumeric/misc.py
/usr/share/pyshared/usbcreator/misc.py

Therefore "import misc" will *not* import "core/misc.py" by default, as it is 
the latest in search order path.

Suggested fix:
1/ Rename "core/misc.py" to something more meaningful.
2/ Use sys.path.insert(1, ...) instead of sys.path.append(...)

Original issue reported on code.google.com by [email protected] on 5 Jun 2011 at 1:30
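
The search-order behaviour this report describes can be checked without importing anything. The sketch below is an added example, not androguard's code: it builds constructed directories (`script`, `system`, `core`) and a constructed second module `bytecode.py`, then compares `sys.path.append`-style and `sys.path.insert(1, ...)`-style ordering with a hypothetical audit helper, `shadowed_modules`, that lists project modules another path entry would win.

```python
import importlib.machinery
import os
import tempfile


def resolve(name, search_path):
    """Return the file that 'import name' would load for this search path."""
    spec = importlib.machinery.PathFinder.find_spec(name, list(search_path))
    return spec.origin if spec else None


def shadowed_modules(project_dir, search_path):
    """Map each top-level module in project_dir that resolves elsewhere
    (or nowhere) to the file that wins instead."""
    shadowed = {}
    for filename in sorted(os.listdir(project_dir)):
        if not filename.endswith(".py"):
            continue
        name = filename[:-3]
        wanted = os.path.join(project_dir, filename)
        origin = resolve(name, search_path)
        if origin is None or not os.path.samefile(origin, wanted):
            shadowed[name] = origin
    return shadowed


def demo():
    """Build a constructed layout and audit it under both orderings."""
    with tempfile.TemporaryDirectory(prefix="pathdemo-") as root:
        dirs = {}
        for label in ("script", "system", "core"):
            dirs[label] = os.path.join(root, label)
            os.mkdir(dirs[label])
        # An unrelated misc.py installed system-wide, as in the locate output.
        with open(os.path.join(dirs["system"], "misc.py"), "w") as fh:
            fh.write("ORIGIN = 'system'\n")
        # The project's own modules.
        for module in ("misc.py", "bytecode.py"):
            with open(os.path.join(dirs["core"], module), "w") as fh:
                fh.write("ORIGIN = 'core'\n")

        base = [dirs["script"], dirs["system"]]
        appended = base + [dirs["core"]]                # sys.path.append(core)
        inserted = base[:1] + [dirs["core"]] + base[1:]  # sys.path.insert(1, core)

        def label_of(path):
            # Report the winning directory by its label, not its temp path.
            return os.path.basename(os.path.dirname(path)) if path else None

        return {
            "append": {n: label_of(p)
                       for n, p in shadowed_modules(dirs["core"], appended).items()},
            "insert": {n: label_of(p)
                       for n, p in shadowed_modules(dirs["core"], inserted).items()},
        }


if __name__ == "__main__":
    print(demo())
```

With `insert(1, ...)` the entry at index 0 (the script's own directory) still takes precedence, so a `misc.py` placed there would shadow the project module under either ordering.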

No "elsim" folder in the root androguard Directory

What steps will reproduce the problem?
1. python ./androsign.py -h


What is the expected output? What do you see instead?
Help description

What version of the product are you using? On what operating system?
1.0 on ubuntu

Please provide any additional information below.
When running androsign.py, it says 

Traceback (most recent call last):
  File "androsign.py", line 29, in <module>
    from elsim.elsign import dalvik_elsign
  File "./elsim/elsim/elsign/dalvik_elsign.py", line 29, in <module>
    from libelsign.libelsign import Elsign, entropy
ImportError: No module named libelsign

===> and i have checked your hg url, there is no elsim directory. THANK YOU.

Original issue reported on code.google.com by [email protected] on 6 Apr 2012 at 9:11

Andromercury -l does not filter

The following command is expected to display information regarding a given 
package, isn't it? It displays all packages.

$ ./andromercury.py --list=mypackage


Package name: com.android.soundrecorder
Process name: com.android.soundrecorder
Version: 2.2
Data directory: /data/data/com.android.soundrecorder
APK path: /system/app/SoundRecorder.apk
UID: 10022
GID: 3003; 1015; 
Permissions: android.permission.RECORD_AUDIO; android.permission.INTERNET; 
android.permission.WAKE_LOCK; android.permission.WRITE_EXTERNAL_STORAGE; 

Package name: com.android.alarmclock
Process name: com.android.alarmclock

Using Mercury 1.0 on an Android Emulator.

Original issue reported on code.google.com by [email protected] on 30 May 2012 at 12:48

Signature does not work (coredump / zero division)

What steps will reproduce the problem?
1. Created a signature that will look for AirPush Services:
[ { "SAMPLE" : "myairpushapp" }, { "BASE" : "AndroidOS", "NAME" : "AirPush", 
        "SIGNATURE" : 
        [   
            { "TYPE" : "CLASSSIM", "CN" : "Lcom/airpush/android/PushAds;" },  
            { "TYPE" : "CLASSSIM", "CN" : "Lcom/airpush/android/UserDetailsReceiver;" },                                                                                                      
            { "TYPE" : "CLASSSIM", "CN" : "Lcom/airpush/android/MessageReceiver;" } , 
            { "TYPE" : "CLASSSIM", "CN" : "Lcom/airpush/android/DeliveryReceiver;" }
        ],  
        "BF" : "a || b || c || d"  
    }   
]

2. run androcsign:
./androcsign.py -i ../androsign/airpush.sign -o signatures/testdb
3. run androsign on the same sample to verify:
./androsign.py -i myairpushapp -b signatures/testdb -c signatures/dbconfig -v

What is the expected output? What do you see instead?
Got the following output:

[...]
ADD ELEMENT 71
ADD ELEMENT 1542
ADD ELEMENT 126
ADD ELEMENT 297
ADD ELEMENT 4
ADD ELEMENT 4
ADD ELEMENT 145
 CMClustering init rows
 [SIGN:0 CLUSTERS:0 CMP_CLUSTERS:0 ELEMENTS:984 CMP_ELEMENTS:0 ERROR float division by zero



What version of the product are you using? On what operating system?
latest hg.

The Sample is also attached (pw infected)


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 21 May 2012 at 9:37

Segmentation fault when using androsign


When executing androsign I get the following errors: (Linux Debian 64bit)


# ./androsign.py -i 2.apk -b signatures/dbandroguard -c signatures/dbconfig -v

FIX MINIMUM SIGNATURE 110.5
FIX MINIMUM SIGNATURE 188.0
2.apk : loading apk.. loading dex..Segmentation fault

Original issue reported on code.google.com by [email protected] on 8 Feb 2012 at 7:13

needs setup.py [patch]

Without a setup.py, Androguard can't be used with pip, virtualenv, and other 
python packaging tools. I made a clone with a setup.py and slightly revised 
directory structure to support it. I verified that androaxml.py works with 
minor changes (also included in the clone). As androaxml is all I need, I have 
not tested other functionality.

https://code.google.com/r/dan-androguard-setup

Original issue reported on code.google.com by [email protected] on 14 Feb 2012 at 12:50

apkviewer.py - KeyError: 'META-INF/MANIFEST.MF'

This error spawns while parsing the Manifest.xml file.

android@honeynet:~/tools/androguard$ python apkviewer.py -i 
/home/android/PFE/APKS/Brighteriffic_1.0.3.apk -o 
/home/android/PFE/APKS/Brighter
Traceback (most recent call last):
  File "apkviewer.py", line 97, in <module>
    main(options, arguments)    
  File "apkviewer.py", line 75, in main
    dd = data.Data(vm, vmx, gvmx, a)
  File "/home/android/tools/androguard/androguard/core/data/data.py", line 80, in __init__
    self.apk_data = ApkViewer( self.a )
  File "/home/android/tools/androguard/androguard/core/data/data.py", line 325, in __init__
    for x, y, z in self.a.get_files_information() :
  File "/home/android/tools/androguard/androguard/core/bytecodes/apk.py", line 224, in get_files_information
    yield i, self.files[ i ], self.files_crc32[ i ]
KeyError: 'META-INF/MANIFEST.MF'

Original issue reported on code.google.com by [email protected] on 7 May 2012 at 4:08

make failed: 'undefined reference to `mu::ParserBase::Eval() const'

What steps will reproduce the problem?
1. at the make step

What is the expected output? What do you see instead?
complete the make process

I see following message...
android@honeynet:~/tools/backup/androguard$ make
In file included from /usr/include/c++/4.4/ext/hash_map:60,
                 from formula.h:35,
                 from test.cc:1:
/usr/include/c++/4.4/backward/backward_warning.h:28:2: warning: #warning This 
file includes at least one deprecated or antiquated header which may be removed 
without further notice at a future date. Please use a non-deprecated interface 
with equivalent functionality instead. For a listing of replacement headers and 
interfaces, consult the file backward_warning.h. To disable this warning use 
-Wno-deprecated.
formula.o: In function `Formula::eval()':
formula.cc:(.text+0x49f): undefined reference to `mu::ParserBase::Eval() const'
collect2: ld returned 1 exit status
make[3]: *** [TEST] Error 1
make[2]: *** [LIBS] Error 2
make[1]: *** [LIBS] Error 2
make: *** [LIBS] Error 2


What version of the product are you using? On what operating system?
the latest one from 
hg clone https://androguard.googlecode.com/hg/ androguard 

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 24 Apr 2012 at 10:50

Androdd on DroidKungFu malware reports plenty of issues

1. Download com.rovio.new.ads-LeNa.c.apk from Contagio's mobile minidump
2. Run ./androdd.py -i com.rovio.new.ads-LeNa.c.apk -o ./fu -f png

Androdd reports multiple warnings (see below).
Either those are warnings, and I expect an option to remove them (e.g --quiet), 
or those are errors, and then something ought to be fixed.

Expected "}" (at char 674), (line:10, col:33)
"_matchToken-BB@0x44" [color="lightgray", label="44 invoke-virtual v7 , v5 , v8 
, [ meth@ 8086 Ljava/lang/String; substring ['(I I)', 'Ljava/lang/String;'] 
]\l4a move-result-object v3\l4c const-string v4 , [ string@ 471 \"'null', 
'true', 'false' or NaN\" ]\l50 invoke-virtual v6 , v3 , v4 , [ meth@ 9625 
Lorg/codehaus/jackson/impl/Utf8StreamParser; _reportInvalidToken 
['(Ljava/lang/String; Ljava/lang/String;)', 'V'] ]\l"]
                      ^
Expected "}" (at char 1988), (line:18, col:23)
"_parseApostropheFieldName-BB@0x1e" [color="lightgray", label="1e const-string 
v8 , [ string@ 868 \": was expecting closing ''' for name\" ]\l22 
invoke-virtual v13 , v8 , [ meth@ 9620 
Lorg/codehaus/jackson/impl/Utf8StreamParser; _reportInvalidEOF 
['(Ljava/lang/String;)', 'V'] ]\l"]


I am using Androdd version 1.2 on a Linux box.

Original issue reported on code.google.com by [email protected] on 25 May 2012 at 12:28

How to modify a method/field of Dalvik bytecode?

Hi,

Firstly thank you so much for the great work on Androguard! I followed the 
instructions in the wiki page to de-compile and modify .dex bytecode. But I 
have some difficulties in doing this and it will be great if you would like to 
give me some hints.

The instructions I followed are as follows:  
http://code.google.com/p/androguard/wiki/Usage#patch_bytecodes_of_a_method_?

FILE = "./HelloAndroid.dex"
a = androguard.AndroguardS(FILE)
code = a.get_vm().get_methods()[0].get_code()
code.remove_at(0)

AttributeError: DalvikCode instance has no attribute 'remove_at'


When I use the same statements to remove a specific instruction, I was told 
that there is no such method. I further checked the source code and made sure 
that there is no such method in dvm. But in the wiki, it is written that "# 
supposed vm is a JVMFormat or DalvikVMFormat", so I am wondering maybe the 
modification API for DalvikVMFormat is not released yet? If so, I am very glad 
to help on this since I need the Dalvik bytecode editor as a basis for our 
research. 


Another thing is, given that we can use Androguard to modify Java bytecode, is 
there a way for us to generate an updated .class file after modification?

Thanks,

Zhiqiu

Original issue reported on code.google.com by breaddawson on 21 Oct 2011 at 9:12

dex2jar output

dex2jar output is located in the same directory as the running process,
so decompiler.py fails to locate the jar file created.
Probably this code should be added:
        # dex2jar writes <name>_dex2jar.jar into the current working directory
        tmpfilename = os.path.basename(fdname) + "_dex2jar.jar"
        import shutil
        try :
            if os.path.exists(tmpfilename) :
                # move the jar into the tmp dir so the later unzip finds it
                shutil.move(tmpfilename, pathtmp)
        except Exception as e :
            print("Failed to move file %s. Exception %s" % (tmpfilename, e))
            os.remove(tmpfilename)

The idea is: if jar file exists, then mv into tmp dir, so the unzip works 
correctly.

Original issue reported on code.google.com by [email protected] on 17 Apr 2012 at 3:27

TaintedVariable missing method

    def get_fields_by_bb(self, bb) :
        l = []
        for i in self.__vars[ TAINTED_FIELD ] :
            for j in self.__vars[ TAINTED_FIELD ][i].gets() : <-- Missing method!
            for j in self.__vars[ TAINTED_FIELD ][i] :
                if j.get_bb() == bb :
                    l.append( (i.get_name(), j.get_access_flag()) )                
        return l


Original issue reported on code.google.com by [email protected] on 17 Apr 2012 at 9:03

TypeError: pretty_show() takes exactly 1 argument (2 given)

Hi, I am trying to make androguard (latest version retrieved via hg) run on 
Ubuntu 11.10 (Python 2.7.2) but I get the following error:

ubuntu@ubuntu: ./androlyze.py -i my.apk -m . -p
Traceback (most recent call last):
  File "./androlyze.py", line 231, in <module>
    main(options, arguments)
  File "./androlyze.py", line 201, in main
    method.pretty_show( _a.get_analysis() )
TypeError: pretty_show() takes exactly 1 argument (2 given)

Original issue reported on code.google.com by [email protected] on 3 Feb 2012 at 8:33

diff module was not found

What steps will reproduce the problem?
1. import androlyze.py 
2. run the Python program

What is the expected output? What do you see instead?
the program should just run, instead an error is thrown

What version of the product are you using? On what operating system?
ubuntu 11.04, newest hg checkout


Please provide any additional information below.

Traceback (most recent call last):
  File "myscript.py", line 6, in <module>
    from androlyze import AAnalyzeAPK
  File "/foo/bar/bla/androguard/androlyze.py", line 36, in <module>
    from androguard.core.analysis.diff import *
ImportError: No module named diff

ll androguard/androguard/core/analysis
ls: unrecognized prefix: hl
ls: unparsable value for LS_COLORS environment variable
total 308
-rw-rw-r-- 1 android android 78620 2012-04-02 12:05 analysis.py
-rw-rw-r-- 1 android android 84849 2012-04-02 12:08 analysis.pyc
-rw-rw-r-- 1 android android 20678 2012-04-02 12:05 ganalysis.py
-rw-rw-r-- 1 android android 14943 2012-04-02 12:08 ganalysis.pyc
-rw-rw-r-- 1 android android     0 2012-04-02 12:05 __init__.py
-rw-rw-r-- 1 android android   136 2012-04-02 12:08 __init__.pyc
-rw-rw-r-- 1 android android 44477 2012-04-02 12:05 risk.py
-rw-rw-r-- 1 android android 27319 2012-04-02 12:08 risk.pyc
-rw-rw-r-- 1 android android 12837 2012-04-02 12:05 sign.py
-rw-rw-r-- 1 android android 10625 2012-04-02 12:08 sign.pyc



Original issue reported on code.google.com by [email protected] on 2 Apr 2012 at 10:16

Compiling Elsim requires adding paths of muParser and python to CFLAGS

- Take code straight from the repository
- sudo apt-get install libmuparser-dev
- ./elsim
- make

Fails to compile. The makefile can't find muParser.h and Python.h which are 
located (on my system) in:
/usr/include/muParser
/usr/include/python2.6

Adding those paths to the CFLAGS:
in elsim/elsign/formula/Makefile, add:
CFLAGS += -I/usr/include/muParser

in elsim/elsign/libelsign/Makefile, add:
CFLAGS += -I/usr/include/muParser -I/usr/include/python2.6

and it compiles.

on Linux/debian.

Original issue reported on code.google.com by [email protected] on 25 May 2012 at 1:33

decompiler.py missing tmp creation

In tdecompiler.py check if /tmp/ dir exists; if not then create it:

class DecompilerDex2Jad :
    def __init__(self, vm, path_dex2jar = "./decompiler/dex2jar/", bin_dex2jar = "dex2jar.sh", path_jad="./decompiler/jad/", bin_jad="jad") :
        self.classes = {}
        self.classes_failed = []

        pathtmp = os.getcwd() + "/tmp/"
        if not os.path.exists(pathtmp) :  # added check
            os.makedirs(pathtmp)          # added directory creation

Original issue reported on code.google.com by [email protected] on 17 Apr 2012 at 2:49

Error in running androlyze.py

Upon executing:

./androlyze.py -i /home/ubuntu/android.apk -m . -p

I got following error:

Traceback (most recent call last):
  File "./androlyze.py", line 42, in <module>
    from IPython.frontend.terminal.embed import InteractiveShellEmbed
ImportError: No module named IPython.frontend.terminal.embed


I am using ubuntu 10.04 64-bit and androguard 0.9

Any ideas to get through.

Thanks
-Sam


Original issue reported on code.google.com by [email protected] on 13 Mar 2012 at 10:49

Warnings in building under OSX

What steps will reproduce the problem?
1. using the patch for porting androguard to OSX
2. make it

What is the expected output? What do you see instead?

claud:~/code/androguard$ make
 CCP dvm.o
 CCP buff.o
 CC z.o
z.c:20:17: warning: assigning to 'Bytef *' (aka 'unsigned char *') from 'const 
unsigned char *' discards qualifiers [-Wincompatible-pointer-types]
   strm.next_in = data;
                ^ ~~~~
z.c:47:17: warning: assigning to 'Bytef *' (aka 'unsigned char *') from 'const 
unsigned char *' discards qualifiers [-Wincompatible-pointer-types]
   strm.next_in = data;
                ^ ~~~~
2 warnings generated.
 CC bz2.o
bz2.c:19:17: warning: assigning to 'char *' from 'const unsigned char *' 
discards qualifiers [-Wincompatible-pointer-types]
   strm.next_in = data;
                ^ ~~~~
bz2.c:20:18: warning: assigning to 'char *' from 'unsigned char *' converts 
between pointers to integer types with different sign [-Wpointer-sign]
   strm.next_out = odata;
                 ^ ~~~~~
2 warnings generated.
 CC smaz.o
smaz.c:139:24: warning: comparison of unsigned expression < 0 is always false 
[-Wtautological-compare]
            if (outlen < 0) return _outlen+1;
                ~~~~~~ ^ ~
1 warning generated.
 CC xz.o
 CC Alloc.o
 CC LzFind.o
 CC LzmaDec.o
 CC LzmaEnc.o
LzmaEnc.c:2081:6: warning: explicitly assigning a variable of type 
'CLzmaEncHandle' (aka 'void *') to itself [-Wself-assign]
  pp = pp;
  ~~ ^ ~~
1 warning generated.
 CC LzmaLib.o
LzmaLib.c:11:48: warning: explicitly assigning a variable of type 'void *' to 
itself [-Wself-assign]
static void *SzAlloc(void *p, size_t size) { p = p; return MyAlloc(size); }
                                             ~ ^ ~
LzmaLib.c:12:48: warning: explicitly assigning a variable of type 'void *' to 
itself [-Wself-assign]
static void SzFree(void *p, void *address) { p = p; MyFree(address); }
                                             ~ ^ ~
2 warnings generated.
 CC lzma.o
 CC snappy.o
 CC vcblocksort.o
 CC similarity.o
similarity.c:114:13: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
    if (ret < 0) {
        ~~~ ^ ~
similarity.c:147:17: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
        if (ret < 0) {
            ~~~ ^ ~
similarity.c:161:17: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
        if (ret < 0) {
            ~~~ ^ ~
similarity.c:184:13: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
    if (ret < 0) {
        ~~~ ^ ~
similarity.c:234:17: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
        if (ret < 0) {
            ~~~ ^ ~
similarity.c:247:17: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
        if (ret < 0) {
            ~~~ ^ ~
similarity.c:269:13: warning: comparison of unsigned expression < 0 is always 
false [-Wtautological-compare]
    if (ret < 0) {
        ~~~ ^ ~
7 warnings generated.
 CC formula.o
 CC elsign.o

What version of the product are you using? On what operating system?
Mac OS X 10.7.3, Xcode 4.3.1, g++ 4.2.1

Please provide any additional information below.
I think these warnings are not introduced by my patch. 

Original issue reported on code.google.com by [email protected] on 21 Mar 2012 at 3:40

could not find the "muParser.h"~~in make step

What steps will reproduce the problem?
1. at the make step

What is the expected output? What do you see instead?
complete the make process

I see following message...
 CC formula.o
In file included from formula.cc:21:
formula.h:26:22: error: muParser.h: No such file or directory
In file included from /usr/include/c++/4.4/ext/hash_map:60,
                 from formula.h:35,
                 from formula.cc:21:
/usr/include/c++/4.4/backward/backward_warning.h:28:2: warning: #warning This 
file includes at least one deprecated or antiquated header which may be removed 
without further notice at a future date. Please use a non-deprecated interface 
with equivalent functionality instead. For a listing of replacement headers and 
interfaces, consult the file backward_warning.h. To disable this warning use 
-Wno-deprecated.
In file included from formula.cc:21:
formula.h:42: error: ‘mu’ is not a namespace-name
formula.h:42: error: expected namespace-name before ‘;’ token
formula.h:53: error: ‘Parser’ does not name a type
formula.cc: In constructor ‘Formula::Formula(std::string, int)’:
formula.cc:36: error: ‘class Formula’ has no member named ‘p’
formula.cc: In member function ‘int Formula::eval()’:
formula.cc:58: error: ‘p’ was not declared in this scope
formula.cc:61: error: expected type-specifier before ‘Parser’
formula.cc:61: error: expected ‘)’ before ‘::’ token
formula.cc:61: error: expected ‘{’ before ‘::’ token
formula.cc:61: error: ‘::exception_type’ has not been declared
formula.cc:61: error: ‘e’ was not declared in this scope
formula.cc:61: error: expected ‘;’ before ‘)’ token
make[3]: *** [formula.o] Error 1
make[2]: *** [LIBS] Error 2
make[1]: *** [LIBS] Error 2
make: *** [LIBS] Error 2



What version of the product are you using? On what operating system?
the latest one from 
hg clone https://androguard.googlecode.com/hg/ androguard 

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 30 Mar 2012 at 6:17

Can't produce gexf file on ubuntu 10.04 even when requirements are fulfilled.

/androguard-0.9$ ./androgexf.py -i 
'/home/suresh/Bureaublad/AndroidCracking/vddebug.apk' -o ./xxxxx.gexf
/usr/lib/pymodules/python2.6/matplotlib/numerix/__init__.py:18: 
DeprecationWarning: 
**********************************************************
matplotlib.numerix and all its subpackages are deprecated.
They will be removed soon.  Please use numpy instead.
**********************************************************

  warnings.warn(msg, DeprecationWarning)
/usr/lib/pymodules/python2.6/networkx/generators/hybrid.py:16: 
DeprecationWarning: the sets module is deprecated
  import sets
Traceback (most recent call last):
  File "./androgexf.py", line 28, in <module>
    import androguard, apk, dvm, analysis, ganalysis, androconf 
  File ".//core/analysis/ganalysis.py", line 23, in <module>
    import libsign
ImportError: liblzma.so.5: cannot open shared object file: No such file or 
directory

Original issue reported on code.google.com by [email protected] on 28 Oct 2011 at 6:05

Patch file for OSX porting

There are three problems when compiling androguard under OSX
1. Python binding should manually link with -lpython
2. an inline assembly code with condition micro
3. hash_map header file's path changed in g++ of Xcode

I've patched these problems and attached the patch file here.

My environment is OSX Lion 10.7.3, Xcode 4.3.1, g++ 4.2.1

Original issue reported on code.google.com by [email protected] on 21 Mar 2012 at 3:37

add method to get source

1. Add a method to get source in ClassItem

    def display_source(self) :
        self.__CM.decompiler_ob.display_all( self.get_name() )

    def get_source(self) :
        return self.__CM.decompiler_ob.get_all( self.get_name() )


2. Add a method to get source in EncodedMethod
    def source(self) :
        return self.__CM.decompiler_ob.get_source( self.get_class_name(), self.get_name() )

    def display_source(self) :
        self.__CM.decompiler_ob.display_source( self.get_class_name(), self.get_name() )

3. Remove  get_descriptor() because unused in source(self, class_name, 
method_name)  of dvm.py

4. rename source in display_source or show_source in dvm.py


Original issue reported on code.google.com by [email protected] on 18 Apr 2012 at 1:58

ImportError: No module named libelsign

Upon executing:
android@honeynet:~/androguard$ ./androsign.py -h

I got following error:
Traceback (most recent call last):
  File "./androsign.py", line 29, in <module>
    from elsim.elsign import dalvik_elsign
  File "./elsim/elsim/elsign/dalvik_elsign.py", line 29, in <module>
    from libelsign.libelsign import Elsign, entropy
ImportError: No module named libelsign

I am using ARE(Android Reverse Engineering) Virtual Machine

>Any ideas to get through.
thank you.

Original issue reported on code.google.com by [email protected] on 27 Mar 2012 at 10:20

XML xmlns

backtrace: 

Traceback (most recent call last):
  File "./androlyze.py", line 243, in <module>
    main(options, arguments)
  File "./androlyze.py", line 197, in main
    _a = AndroguardS( options.input )
  File "/media/truecrypt1/androguard/androguard/core/androgen.py", line 238, in __init__
    self.__orig_a = Androguard( [ filename ], raw )
  File "/media/truecrypt1/androguard/androguard/core/androgen.py", line 91, in __init__
    self._analyze()
  File "/media/truecrypt1/androguard/androguard/core/androgen.py", line 112, in _analyze
    x = apk.APK( i )
  File "/media/truecrypt1/androguard/androguard/core/bytecodes/apk.py", line 108, in __init__
    self.xml[i] = minidom.parseString( AXMLPrinter( self.zip.read( i ) ).getBuff() )
  File "/usr/lib/python2.7/xml/dom/minidom.py", line 1924, in parseString
    return expatbuilder.parseString(string)
  File "/usr/lib/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/usr/lib/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
xml.parsers.expat.ExpatError: unbound prefix: line 9, column 0


support multiple xmlns

Original issue reported on code.google.com by [email protected] on 20 Mar 2012 at 11:20
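
The "unbound prefix" ExpatError in the traceback above is what expat raises when a name uses a namespace prefix that has no xmlns declaration in scope. The following is an added example, not Androguard code and not from the original report: it reproduces the error on a constructed text manifest, lists the prefixes that are used but never declared, and parses again after binding them. MANIFEST, scan_prefixes, parse_manifest and the urn:undeclared: URIs are hypothetical names chosen for the example, and UTF-8 input is assumed.

```python
from xml.dom import minidom
from xml.parsers import expat

# Constructed sample (not from the reported APK): "android" is declared,
# "custom" is used on <activity> but never bound with xmlns:custom.
MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Sample">
    <activity android:name=".Main" custom:flag="1"/>
  </application>
</manifest>
"""


def scan_prefixes(xml_bytes):
    """Return (missing_prefixes, root_name, root_offset) for a UTF-8 document.

    Uses expat without namespace processing, so unbound prefixes do not
    raise and every qualified name is seen exactly as written.
    """
    missing = set()
    scopes = [{"xml"}]      # the "xml" prefix is always bound
    root = []               # filled once with (name, byte offset of "<")
    parser = expat.ParserCreate()

    def start(name, attrs):
        if not root:
            root.append((name, parser.CurrentByteIndex))
        # Declarations on this element extend the inherited scope.
        declared = set(scopes[-1])
        declared.update(a[6:] for a in attrs if a.startswith("xmlns:"))
        scopes.append(declared)
        used = [name] + [a for a in attrs
                         if a != "xmlns" and not a.startswith("xmlns:")]
        for qname in used:
            prefix, sep, _ = qname.partition(":")
            if sep and prefix not in declared:
                missing.add(prefix)

    def end(_name):
        scopes.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return sorted(missing), root[0][0], root[0][1]


def parse_manifest(xml_bytes):
    """Parse with minidom; on 'unbound prefix', bind the missing prefixes
    to placeholder URIs on the root element and parse again.

    Returns (document, repaired_prefixes) so the caller can report the
    anomaly instead of silently hiding it.
    """
    unbound = expat.errors.codes[expat.errors.XML_ERROR_UNBOUND_PREFIX]
    try:
        return minidom.parseString(xml_bytes), []
    except expat.ExpatError as err:
        if err.code != unbound:
            raise  # any other well-formedness error is not handled here
    missing, root_name, offset = scan_prefixes(xml_bytes)
    # Insert the declarations right after "<rootname".
    cut = offset + 1 + len(root_name.encode("utf-8"))
    decls = "".join(' xmlns:%s="urn:undeclared:%s"' % (p, p) for p in missing)
    patched = xml_bytes[:cut] + decls.encode("utf-8") + xml_bytes[cut:]
    return minidom.parseString(patched), missing


if __name__ == "__main__":
    doc, repaired = parse_manifest(MANIFEST)
    print("prefixes bound to placeholders:", repaired)
```

Returning the repaired prefixes lets an analysis tool record that the manifest was malformed instead of discarding the sample.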
