bug in dvm.py [line 2364]

[GoogleCodeExporter]

What steps will reproduce the problem?
1.one sample with its dex file header's data link section had non-zero value
2.use androguard to scan this sample
3.It raised an exception (details below)

What is the expected output? What do you see instead?
I traced the exception. I found the "current_pos" was equal to the length of 
"insn". so the "insn[current_pos:current_pos+2]" would return an empty list. 
then "unpack" method raised an exception.

What version of the product are you using? On what operating system?
CentOS 5.6 i386

Please provide any additional information below.

Traceback (most recent call last):
  File "./DiffScan/scanner.py", line 128, in <module>
    print ds.scan(sys.argv[2])+"\r\n"
  File "./DiffScan/scanner.py", line 65, in scan
    ag = androguard.AndroguardS(sFileName)
  File "./Androguard/androguard.py", line 447, in __init__
    self.__orig_a = Androguard( [ filename ], raw )
  File "./Androguard/androguard.py", line 239, in __init__
    self._analyze()
  File "./Androguard/androguard.py", line 258, in _analyze
    bc = dvm.DalvikVMFormat( self.__orig_raw[ i ] )
  File "./Androguard/core/bytecodes/dvm.py", line 3093, in __init__
    self.map_list = MapList( self.CM, self.__header.get_value().map_off, self )
  File "./Androguard/core/bytecodes/dvm.py", line 3051, in __init__
    mi = MapItem( buff, self.CM )
  File "./Androguard/core/bytecodes/dvm.py", line 2788, in __init__
    self.item = CodeItem( general_format.size, buff, cm )
  File "./Androguard/core/bytecodes/dvm.py", line 2745, in __init__
    x = DalvikCode( buff, cm )
  File "./Androguard/core/bytecodes/dvm.py", line 2662, in __init__
    self._code = DCode( self.__CM, self.insns_size.get_value(), buff.read( self.insns_size.get_value() * ushort ) )
  File "./Androguard/core/bytecodes/dvm.py", line 2546, in __init__
    operands, special = self._analyze_mnemonic( op_value, DALVIK_OPCODES[ op_value ])
  File "./Androguard/core/bytecodes/dvm.py", line 2571, in _analyze_mnemonic
    r = self._extract_values(i)
  File "./Androguard/core/bytecodes/dvm.py", line 2562, in _extract_values
    return MAP_EXTRACT_VALUES[i]( self.__insn, self.__current_pos )
  File "./Androguard/core/bytecodes/dvm.py", line 2336, in op_AA_OP
    i16 = unpack("=H", insn[current_pos:current_pos+2])[0]
struct.error: unpack requires a string argument of length 2
p
[ÑíJ
20
18
p
[ÑíJ
20
20

Original issue reported on code.google.com by jackad...@gmail.com on 21 Dec 2011 at 7:58

[GoogleCodeExporter]

Hi,

is it possible to have a sample ?

Original comment by anthony....@gmail.com on 21 Dec 2011 at 8:29

[GoogleCodeExporter]

sure. attachment file was my test sample with non-zero data link section 

Original comment by jackad...@gmail.com on 22 Dec 2011 at 9:01

Attachments:

• 8449C5DD0CAA083E0311DBB0DC68DDFF3A02B98B_WrsAndroid.apk

[GoogleCodeExporter]

Ok.

I fixed a part in the latest mercurial version.

But in fact it's odex (and ICS) instructions. I will add all others 
instructions in the next version.

Is it ok for this sample ?

Original comment by anthony....@gmail.com on 23 Dec 2011 at 8:54

• Changed state: Accepted

[GoogleCodeExporter]

Original comment by anthony....@gmail.com on 23 Dec 2011 at 8:59

• Added labels: Priority-High
• Removed labels: Priority-Medium

[GoogleCodeExporter]

Hi, anthony. Thanks for your work. Would you like to tell me the detail of this 
problem if you had free time？
Thank you very much.

Original comment by jackad...@gmail.com on 26 Dec 2011 at 10:53

[GoogleCodeExporter]

and what does the data link section mean? What is it used for?
Why it existed in this sample? what does it want to do?
Is it malware?
Thank you very much.

Original comment by jackad...@gmail.com on 26 Dec 2011 at 11:14

[GoogleCodeExporter]

Original comment by anthony....@gmail.com on 23 Feb 2012 at 11:09

• Changed state: Fixed