Source

APKinspector / androguard / demos / geinimi_analysis.py

The default branch has multiple heads

Full commit
#!/usr/bin/env python

import sys
import hashlib

import pyDes

PATH_INSTALL = "./"
sys.path.append(PATH_INSTALL + "./")
sys.path.append(PATH_INSTALL + "/core")
sys.path.append(PATH_INSTALL + "/core/bytecodes")
sys.path.append(PATH_INSTALL + "/core/analysis")

from androguard import *
import analysis

TEST = "./geinimi/geinimi.apk"

_a = AndroguardS( TEST )
_x = analysis.VMAnalysis( _a.get_vm() )

#print _a.get_strings()

KEY = "\x01\x02\x03\x04\x05\x06\x07\x08"
_des = pyDes.des( KEY )

#_x.tainted_packages.export_call_graph("toto.dot", "Lcom/swampy/sexpos/pos")

tainted_string = _x.tainted_variables.get_string( "DES" )
if tainted_string != None :
    print "\t -->", tainted_string.get_info()
    for path in tainted_string.get_paths() :
        print "\t\t =>", path.get_access_flag(), path.get_method().get_class_name(), path.get_method().get_name(), path.get_method().get_descriptor(), path.get_bb().get_name(), "%x" % ( path.get_bb().start + path.get_idx() )

tainted_field = _x.tainted_variables.get_field( "Lcom/swampy/sexpos/pos/e/k;", "b", "[B" )
if tainted_field != None :
    print "\t -->", tainted_field.get_info()
    for path in tainted_field.get_paths() :
        print "\t\t =>", path.get_access_flag(), path.get_method().get_class_name(), path.get_method().get_name(), path.get_method().get_descriptor(), path.get_bb().get_name(), "%x" % (path.get_bb().start + path.get_idx() )


tainted_field = _x.tainted_variables.get_field( "Lcom/swampy/sexpos/pos/e/p;", "a", "[[B" )
if tainted_field != None :
    print "\t -->", tainted_field.get_info()
    for path in tainted_field.get_paths() :
        print "\t\t =>", path.get_access_flag(), path.get_method().get_class_name(), path.get_method().get_name(), path.get_method().get_descriptor(), path.get_bb().get_name(), "%x" % (path.get_bb().start + path.get_idx() )
        if path.get_access_flag() == "W" :
            b = ""
            for ins in path.get_method().get_code().get_bc().get() :
                if ins.get_name() == "FILL-ARRAY-DATA" :
                    b += ins.get_data()

            print repr( _des.decrypt( b ) )

tainted_field = _x.tainted_variables.get_field( "Lcom/swampy/sexpos/pos/a;", "g", "Ljava/lang/String;" )
if tainted_field != None :
    print "\t -->", tainted_field.get_info()
    for path in tainted_field.get_paths() :
        print "\t\t =>", path.get_access_flag(), path.get_method().get_class_name(), path.get_method().get_name(), path.get_method().get_descriptor(), path.get_bb().get_name(), "%x" % (path.get_bb().start + path.get_idx() )

tainted_method = _x.tainted_packages.get_method( "Lcom/swampy/sexpos/pos/e/q;", "a", "(Ljava/lang/String;)Ljava/lang/String;" )
for path in tainted_method :
    print path.get_access_flag(), path.get_method().get_class_name(), path.get_method().get_name(), path.get_method().get_descriptor(), path.get_bb().get_name(), "%x" % (path.get_bb().start + path.get_idx() )