siberider / androguard

Automatically exported from code.google.com/p/androguard
Apache License 2.0

string of length 0 found in BadNews Malware sample #171

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
I tried to decompile a malware sample called BadNews, which has strange strings inside its classes.dex.

In [2]: d,dx = AnalyzeDex("/mnt/AndroidOS_Malware_Samples/AndroguardBreakage/BadNews.dex", decompiler="dad")
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
/home/elias/androguard/androlyze.py in <module>()
----> 1 d,dx = AnalyzeDex("/mnt/AndroidOS_Malware_Samples/AndroguardBreakage/BadNews.dex", decompiler="dad")

/home/elias/androguard/androlyze.py in AnalyzeDex(filename, raw, decompiler)
    138     d = None
    139     if raw == False:
--> 140         d = DalvikVMFormat(open(filename, "rb").read())
    141     else:
    142         d = DalvikVMFormat(filename)

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in __init__(self, buff, decompiler, config)
   7247 
   7248         self._preload(buff)
-> 7249         self._load(buff)
   7250 
   7251     def _preload(self, buff):

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in _load(self, buff)
   7258             bytecode.Warning("no map list ...")
   7259         else:
-> 7260             self.map_list = MapList( self.CM, self.__header.map_off, self )
   7261 
   7262             self.classes = self.map_list.get_item_type( "TYPE_CLASS_DEF_ITEM" )

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in __init__(self, cm, off, buff)
   7140             idx = buff.get_idx()
   7141 
-> 7142             mi = MapItem( buff, self.CM )
   7143             self.map_item.append( mi )
   7144 

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in __init__(self, buff, cm)
   6658           self.next_lazy(buff, cm)
   6659         else :
-> 6660           self.next(buff, cm)
   6661 
   6662     def get_off(self) :

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in next(self, buff, cm)
   6715 
   6716         elif TYPE_MAP_ITEM[ self.type ] == "TYPE_STRING_DATA_ITEM" :
-> 6717             self.item = [ StringDataItem( buff, cm ) for i in xrange(0, self.size) ]
   6718 
   6719         elif TYPE_MAP_ITEM[ self.type ] == "TYPE_DEBUG_INFO_ITEM" :

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in __init__(self, buff, cm)
   1751         self.offset = buff.get_idx()
   1752 
-> 1753         self.utf16_size = readuleb128( buff )
   1754         self.data = buff.read( self.utf16_size + 1 )
   1755 

/home/elias/androguard/androguard/core/bytecodes/dvm.pyc in readuleb128(buff)
    175 
    176 def readuleb128(buff) :
--> 177     result = ord( buff.read(1) )
    178     if result > 0x7f :
    179         cur = ord( buff.read(1) )

TypeError: ord() expected a character, but string of length 0 found

What is the expected output? What do you see instead?
I'm expecting to be able to analyze the Malware, but instead I get the error shown above.

What version of the product are you using? On what operating system?
Androguard ver.: 1.9, 
================================
Androlyze ver: 2.0,
(the latest as of 23.07.2014)
=================================
PRETTY_NAME="Kali GNU/Linux 1.0"
NAME="Kali GNU/Linux"
ID=kali
VERSION="1.0"
VERSION_ID="1.0"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"

I attached the classes.dex of the sample to this ticket.
Password: "infected" (without the quotations)

Original issue reported on code.google.com by tibiel...@gmail.com on 10 Dec 2014 at 1:35

Attachments:
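
The traceback above ends in `readuleb128` calling `ord()` on the empty string that `buff.read(1)` returned, meaning no byte was left to read at that position. As an added example (not androguard's code and not part of the original report; written for Python 3, and `TruncatedDexError`, `read_byte`, `read_uleb128` and `read_string_data_item` are hypothetical names), a bounds-checked reader for a DEX string data item that turns truncated or out-of-range input into an explicit parse error:

```python
import io


class TruncatedDexError(ValueError):
    """Read ran past the end of the buffer (hypothetical name)."""


def read_byte(buff):
    b = buff.read(1)
    if len(b) != 1:  # EOF: report it instead of letting ord()/indexing fail
        raise TruncatedDexError("unexpected end of data at offset %d" % buff.tell())
    return b[0]


def read_uleb128(buff):
    """Decode an unsigned LEB128 value; DEX limits it to 5 bytes."""
    result = 0
    for shift in range(0, 35, 7):
        cur = read_byte(buff)
        result |= (cur & 0x7F) << shift
        if not cur & 0x80:  # high bit clear marks the last byte
            return result
    raise ValueError("ULEB128 value longer than 5 bytes")


def read_string_data_item(data, offset):
    """Return (utf16_size, raw MUTF-8 bytes) for the item at `offset`."""
    if not 0 <= offset < len(data):
        raise TruncatedDexError("offset %d outside %d-byte buffer" % (offset, len(data)))
    buff = io.BytesIO(data)
    buff.seek(offset)
    utf16_size = read_uleb128(buff)
    raw = bytearray()
    while True:  # the encoded string ends at the first 0x00 byte
        cur = read_byte(buff)
        if cur == 0:
            return utf16_size, bytes(raw)
        raw.append(cur)


# Constructed sample: one valid item ("abc"), then a ULEB128 cut off mid-value.
SAMPLE = b"\x03abc\x00" + b"\x80"

if __name__ == "__main__":
    print(read_string_data_item(SAMPLE, 0))
    for bad_offset in (5, 64):
        try:
            read_string_data_item(SAMPLE, bad_offset)
        except TruncatedDexError as exc:
            print("rejected:", exc)
```

A loader built this way can log the offending offset and skip or flag the item, so one malformed entry in a sample does not abort the whole analysis with an unrelated `TypeError`.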