Describe the bug

I have a malware sample (acb38742fddfc3dcb511e5b0b2b2a2e4cef3d67cc6188b29aeb4475a717f5f95) that contains the following code:

There is a label statement between the array name and the array initialization. This causes Dexcalibur to fail since it thinks it's in a new BasicBlock while it should be in a DataBlock. The actual error I'm getting is:

TypeError: this.__tmp_block.setDataWidth is not a function
    at SmaliParser.method (/usr/local/lib/node_modules/dexcalibur/src/SmaliParser.js:437:34)
    at SmaliParser.parse (/usr/local/lib/node_modules/dexcalibur/src/SmaliParser.js:736:34)
    at Analyzer.file (/usr/local/lib/node_modules/dexcalibur/src/Analyzer.js:800:30)
    at /usr/local/lib/node_modules/dexcalibur/src/Analyzer.js:839:18
    at Object.forEachFileOf (/usr/local/lib/node_modules/dexcalibur/src/Utils.js:108:21)
    at Object.forEachFileOf (/usr/local/lib/node_modules/dexcalibur/src/Utils.js:105:26)
    at Object.forEachFileOf (/usr/local/lib/node_modules/dexcalibur/src/Utils.js:105:26)
    at Analyzer.path (/usr/local/lib/node_modules/dexcalibur/src/Analyzer.js:838:12)
    at DexcaliburProject.fullscan (/usr/local/lib/node_modules/dexcalibur/src/DexcaliburProject.js:737:26)
    at DexcaliburProject.open (/usr/local/lib/node_modules/dexcalibur/src/DexcaliburProject.js:468:21)

this.__tmp_block is of type BasicBlock and not of type DataBlock.

Expected behavior

Ignore the invalid smali and fix it.

Suggested Fix

This might be difficult to solve correctly without regression bugs... You could check for this specific situation when encountering a goto label, or maybe you can 'look to previous lines' when you encounter an .array-data without a label and add the label manually? Or maybe a preprocessing step that searches for this specific situation and flips the two lines? I don't know if you currently have those...

If you don't want me to open bugs for these edge cases let me know, but malware seems like a very good use case for Dexcalibur so correctly dealing with 'weird smali' would make sense.
I patched SmaliParser to ignore the goto label when the parser has entered an array definition but the data are not yet set, i.e. between :array_XX and .array-data_B.
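To make the failure mode and the fix concrete, here is an added example (not Dexcalibur's SmaliParser, and not code from the reporter or maintainer): a toy smali block scanner with hypothetical BasicBlock/DataBlock classes. A label opens a new block, `.array-data` sets the width on the current block, and, as in the stack trace above, a BasicBlock has no setDataWidth, so a stray label between `:array_XX` and `.array-data` crashes the naive version. With `ignoreStrayLabel` enabled the scanner instead keeps the label as an alias of the pending DataBlock, which is the behaviour the maintainer describes. The smali snippet is constructed for the example, since the original sample's code is not reproduced on this page.

```javascript
// Hypothetical block types, modelled loosely on the names in the stack trace.
class BasicBlock {
  constructor(label) {
    this.type = 'BasicBlock';
    this.labels = [label];
    this.instructions = [];
  }
}

class DataBlock {
  constructor(label) {
    this.type = 'DataBlock';
    this.labels = [label];
    this.width = null;   // unknown until ".array-data N" is seen
    this.values = [];
  }
  setDataWidth(width) { this.width = width; }
}

// Constructed method body: ":goto_0" sits between the array label and
// the .array-data directive, the situation reported in this issue.
const SAMPLE_SMALI = `
    const/4 v0, 0x3
    new-array v0, v0, [I
    fill-array-data v0, :array_0
    return-object v0
    :array_0
    :goto_0
    .array-data 4
        0x1
        0x2
        0x3
    .end array-data
`;

// Scan a method body into blocks. Returns the blocks and the labels that
// were tolerated (ignored as block starts) because they appeared while a
// DataBlock was still waiting for its ".array-data" line.
function scanMethodBody(smali, { ignoreStrayLabel = true } = {}) {
  const entry = new BasicBlock('<entry>');
  const blocks = [entry];
  const ignored = [];
  let current = entry;
  let inArrayData = false;

  for (const raw of smali.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;

    if (inArrayData) {
      // Inside ".array-data ... .end array-data": collect literal values.
      if (line === '.end array-data') inArrayData = false;
      else current.values.push(parseInt(line, 16));
      continue;
    }

    if (line.startsWith(':')) {
      // The fix: a label seen after ":array_XX" but before ".array-data"
      // must not open a new BasicBlock; keep it as an alias instead.
      if (ignoreStrayLabel && current.type === 'DataBlock' && current.width === null) {
        current.labels.push(line);
        ignored.push(line);
        continue;
      }
      current = line.startsWith(':array_') ? new DataBlock(line) : new BasicBlock(line);
      blocks.push(current);
      continue;
    }

    if (line.startsWith('.array-data')) {
      const width = parseInt(line.split(/\s+/)[1], 10);
      // Same failure as the report: a BasicBlock has no setDataWidth.
      if (typeof current.setDataWidth !== 'function') {
        throw new TypeError('current block.setDataWidth is not a function');
      }
      current.setDataWidth(width);
      inArrayData = true;
      continue;
    }

    // Ordinary instruction: belongs to the current basic block.
    if (current.type === 'BasicBlock') current.instructions.push(line);
  }
  return { blocks, ignored };
}
```

Running `scanMethodBody(SAMPLE_SMALI, { ignoreStrayLabel: false })` throws the TypeError; with the default the scan completes, the DataBlock carries both labels and the three values, and `ignored` lists `:goto_0`, which is the information a parser would want to log when it encounters such deliberately unusual smali in a sample.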