Android soot.SootMethodRefImpl$ClassResolutionFailedException under soot 3.3.0

[anonymousgroundhog]

I have come across a soot error that indicates it is a method reflection implementation class resolution failure under soot 3.3.0 when trying to analyze an android APK that utilizes Googles Admob library.

Error Messages Displayed:

• Error Message 1:

• Error Message 2:

Operating System Information:

• Ubuntu 19.10
• Processor is Intel® Core™ i7-6500U CPU @ 2.50GHz × 4
• 64-bit Operating System

The android APK utilizes the following requirements:

• compileSdkVersion 28
• buildToolsVersion "28.0.3"
• targetSdkVersion 28
• versionCode 1
• sourceCompatibility/targetCompatibility = 1.8

Dependencies used are:

• implementation 'androidx.appcompat:appcompat:1.0.2'
• implementation 'com.google.android.gms:play-services-ads:18.3.0'

SOOT Description:

• Soot Version: 3.3.0

I have been using eclipse and have imported through maven the soot framework. The code I used for analyzing the soot comes from the documentation android example. Below is the example code:

import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.Local;
import soot.PackManager;
import soot.PatchingChain;
import soot.RefType;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Transform;
import soot.Unit;
import soot.jimple.AbstractStmtSwitch;
import soot.jimple.InvokeExpr;
import soot.jimple.InvokeStmt;
import soot.jimple.Jimple;
import soot.jimple.StringConstant;
import soot.options.Options;

public class Main {

    public static void main(String[] args) {
        System.out.println("ENTERING MAIN!!!!!!!!!!");
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().process_multiple_dex();
        Options.v().set_android_api_version(17);
        Options.v().allow_phantom_refs();   
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_output_format(Options.output_format_dex);
//      Options.v().set_android_jars("/home/sean/Android/Sdk/platforms");
        Options.v().set_android_jars("/home/sean/Projects/Advertisement/Android-Jars/");
        ArrayList<String> al=new ArrayList<String>();  
        al.add("/home/sean/Projects/Advertisement/AndroidAPK/SimpleBanner.apk");
        Options.v().set_process_dir(al);
        // resolve the PrintStream and System soot-classes
        Scene.v().addBasicClass("java.io.PrintStream",SootClass.SIGNATURES);
        Scene.v().addBasicClass("java.lang.System",SootClass.SIGNATURES);

        PackManager.v().getPack("jtp").add(new Transform("jtp.myInstrumenter", new BodyTransformer() {
            @Override
            protected void internalTransform(final Body b, String phaseName, @SuppressWarnings("rawtypes") Map options) {
                final PatchingChain<Unit> units = b.getUnits();

                //important to use snapshotIterator here
                for(Iterator<Unit> iter = units.snapshotIterator(); iter.hasNext();) {
                    final Unit u = iter.next();
                    u.apply(new AbstractStmtSwitch() {

                        public void caseInvokeStmt(InvokeStmt stmt) {
                            InvokeExpr invokeExpr = stmt.getInvokeExpr();
                            System.out.println("Invoke Expression: " + invokeExpr);
//                          System.out.println("Invoke Expression: " + stmt.getInvokeExprBox());
                            if(invokeExpr.getMethod().getName().equals("println")) {

                                Local tmpRef = addTmpRef(b);
                                Local tmpString = addTmpString(b);

                                  // insert "tmpRef = java.lang.System.out;" 
                                units.insertBefore(Jimple.v().newAssignStmt( 
                                              tmpRef, Jimple.v().newStaticFieldRef( 
                                              Scene.v().getField("<java.lang.System: java.io.PrintStream out>").makeRef())), u);

                                // insert "tmpLong = 'HELLO';" 
                                units.insertBefore(Jimple.v().newAssignStmt(tmpString, 
                                              StringConstant.v("HELLO")), u);

                                // insert "tmpRef.println(tmpString);" 
                                SootMethod toCall = Scene.v().getSootClass("java.io.PrintStream").getMethod("void println(java.lang.String)");                    
                                units.insertBefore(Jimple.v().newInvokeStmt(
                                              Jimple.v().newVirtualInvokeExpr(tmpRef, toCall.makeRef(), tmpString)), u);

                                //check that we did not mess up the Jimple
                                b.validate();
                            }
                        }

                    });
                }
            }

        }));

        soot.Main.main(args);
    }

    private static Local addTmpRef(Body body)
    {
        Local tmpRef = Jimple.v().newLocal("tmpRef", RefType.v("java.io.PrintStream"));
        body.getLocals().add(tmpRef);
        return tmpRef;
    }

    private static Local addTmpString(Body body)
    {
        Local tmpString = Jimple.v().newLocal("tmpString", RefType.v("java.lang.String")); 
        body.getLocals().add(tmpString);
        return tmpString;
    }
}

Android File: BannerExample.zip

Any help with this issue would be much appreciated.

Don't hesitate to post any other questions you might have, but I think I have mentioned enough information.

Thanks.

[dec0mrad3]

I had the same issue. [API-LEVEL]: 7 soot.SootMethodRefImpl$ClassResolutionFailedException: Class android.view.MenuItem doesn't have method setActionProvider([android.view.ActionProvider]) : android.view.MenuItem; failed to resolve in superclasses and interfacesLooking in android.view.MenuItem which has methods [<android.view.MenuItem: int getItemId()>, <android.view.MenuItem: int getGroupId()>

I jadx-ed the app I tried to analyse and the actual code is MenuItemCompat.setActionProvider where MenuItemCompat is added in API version 22.1.

So the problems are: first soot failed to fetch the correct SDK for the analysis. What's worth to mention is the app I tried to analyse does not specify which android api level it uses in its MANIFEST.. Second is that soot identified MenuItemCompat as MenuItem.

Also I observed some abnormals in some android malwares - where this errors occurs in some customized funtions soot.SootMethodRefImpl$ClassResolutionFailedException: Class org.c.b doesn't have method warn([java.lang.String, java.lang.Object, java.lang.Object]) : void; failed to resolve in superclasses and interfacesLooking