Welcome to Androguard’s documentation!

Androguard is a full python tool to play with Android files.

• DEX, ODEX
• APK
• Android’s binary xml
• Android resources
• Disassemble DEX/ODEX bytecodes
• Decompiler for DEX/ODEX files

You can either use the cli or graphical frontend for androguard, or use androguard purely as a library for your own tools and scripts.

Documentation

Introduction

Installation

There are several ways how to install androguard.

Before you start, make sure you are using a supported python version! Although androguard should run with python 2.7.x, we highly recommend a newer version like python 3.6! The python 2.x support might be dropped in the future. For Windows, we recommend using the Anaconda python 3.6.x package.

Note that there is no PyQT5 for python 2.x! If you like to use the GUI, please use a newer version of python!

PIP

The usual way to install a python packages is by using pypi.python.org and it’s package installer pip. Just use

$ pip install -U androguard[magic,graphing,GUI]

to install androguard.

You can also make use of an virtualenv, to separate the installation from your system wide packages:

$ virtualenv venv-androguard
$ . venv-androguard/bin/activate
$ pip install -U androguard[magic,graphing,GUI]

pip should install all required packages too.

Debian / Ubuntu

Debian has androguard in its repository. You can just install it using apt install androguard. All required dependencies are automatically installed.

Install from Source

Use git to fetch the sources, then install it. Please install git and python on your own. Beware, that androguard requires python 2.7 or at least 3.4 to work. Pypy >= 5.9.0 should work as well but is not tested. On Windows, there might be some issues with the magic library. Usually the Anaconda suite works fine!

$ git clone --recursive https://github.com/androguard/androguard.git
$ cd androguard
$ pip install .[magic]

if you like to install the GUI as well, use

$ pip install .[magic,GUI,graphing]

The dependencies, defined in setup.py will be automatically installed.

If you are installing the libraries using pip, make sure you download the correct packages. For example, there are a lot of implemenations of the magic library. Get the one, that is shipped with the file command (See [Fine Free File Command](http://www.darwinsys.com/file/)) or use filemagic, which should work as well.

Getting Started

Using Androguard tools

There are already some tools for specific purposes.

To just decode the AndroidManifest.xml or resources.arsc, there are androaxml.py and androarsc.py. To get information about the certificates use androsign.py.

If you want to create call graphs, use androcg.py, or if you want control flow graphs, you can use androdd.py.

Using Androlyze and the python API

The easiest way to analyze APK files, is by using androlyze.py. It will start a iPython shell and has all modules loaded to get into action.

For analyzing and loading APK or DEX files, some wrapper functions exists. Use AnalyzeAPK(filename) or AnalyzeDEX(filename) to load a file and start analyzing. There are already plenty of APKs in the androguard repo, you can either use one of those, or start your own analysis.

$ androlyze.py
Androguard version 3.1.1 started
In [1]: a, d, dx = AnalyzeAPK("examples/android/abcore/app-prod-debug.apk")
# Depending on the size of the APK, this might take a while...

In [2]:

The three objects you get are a an APK object, d an array of DalvikVMFormat object and dx an Analysis object.

Inside the APK object, you can find all information about the APK, like package name, permissions, the AndroidManifest.xml or its resources.

The DalvikVMFormat corresponds to the DEX file found inside the APK file. You can get classes, methods or strings from the DEX file. But when using multi-DEX APK’s it might be a better idea to get those from another place. The Analysis object should be used instead, as it contains special classes, which link information about the classes.dex and can even handle many DEX files at once.

Getting Information about an APK

If you have sucessfully loaded your APK using AnalyzeAPK, you can now start getting information about the APK.

For example, getting the permissions of the APK:

In [2]: a.get_permissions()
Out[2]:
['android.permission.INTERNET',
 'android.permission.WRITE_EXTERNAL_STORAGE',
 'android.permission.ACCESS_WIFI_STATE',
 'android.permission.ACCESS_NETWORK_STATE']

or getting a list of all activites, which are defined in the AndroidManifest.xml:

In [3]: a.get_activities()
Out[3]:
['com.greenaddress.abcore.MainActivity',
 'com.greenaddress.abcore.BitcoinConfEditActivity',
 'com.greenaddress.abcore.AboutActivity',
 'com.greenaddress.abcore.SettingsActivity',
 'com.greenaddress.abcore.DownloadSettingsActivity',
 'com.greenaddress.abcore.PeerActivity',
 'com.greenaddress.abcore.ProgressActivity',
 'com.greenaddress.abcore.LogActivity',
 'com.greenaddress.abcore.ConsoleActivity',
 'com.greenaddress.abcore.DownloadActivity']

Get the package name, app name and path of the icon:

In [4]: a.get_package()
Out[4]: 'com.greenaddress.abcore'

In [5]: a.get_app_name()
Out[5]: u'ABCore'

In [6]: a.get_app_icon()
Out[6]: u'res/mipmap-xxxhdpi-v4/ic_launcher.png'

Get the numeric version and the version string, and the minimal, maximal, target and effective SDK version:

In [7]: a.get_androidversion_code()
Out[7]: '2162'

In [8]: a.get_androidversion_name()
Out[8]: '0.62'

In [9]: a.get_min_sdk_version()
Out[9]: '21'

In [10]: a.get_max_sdk_version()

In [11]: a.get_target_sdk_version()
Out[11]: '27'

In [12]: a.get_effective_target_sdk_version()
Out[12]: 27

You can even get the decoded XML for the AndroidManifest.xml:

In [15]: a.get_android_manifest_axml().get_xml()
Out[15]: '<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="2162" android:versionName="0.62" package="com.greenaddress.abcore">\n<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27">\n</uses-sdk>\n<uses-permission android:name="android.permission.INTERNET">\n</uses-permission>\n<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE">\n</uses-permission>\n<uses-permission android:name="android.permission.ACCESS_WIFI_STATE">\n</uses-permission>\n<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE">\n</uses-permission>\n<application android:theme="@7F0F0006" android:label="@7F0E001D" android:icon="@7F0D0000" android:debuggable="true" android:allowBackup="false" android:supportsRtl="true">\n<activity android:name="com.greenaddress.abcore.MainActivity">\n<intent-filter>\n<action android:name="android.intent.action.MAIN">\n</action>\n<category android:name="android.intent.category.LAUNCHER">\n</category>\n</intent-filter>\n</activity>\n<service android:name="com.greenaddress.abcore.DownloadInstallCoreIntentService" android:exported="false">\n</service>\n<service android:name="com.greenaddress.abcore.RPCIntentService" android:exported="false">\n</service>\n<service android:name="com.greenaddress.abcore.ABCoreService" android:exported="false">\n</service>\n<activity android:name="com.greenaddress.abcore.BitcoinConfEditActivity">\n<intent-filter>\n<category android:name="android.intent.category.DEFAULT">\n</category>\n<action android:name="com.greenaddress.abcore.BitcoinConfEditActivity">\n</action>\n</intent-filter>\n</activity>\n<activity android:name="com.greenaddress.abcore.AboutActivity">\n</activity>\n<activity android:label="@7F0E0038" android:name="com.greenaddress.abcore.SettingsActivity" android:noHistory="true">\n</activity>\n<activity android:label="@7F0E0035" android:name="com.greenaddress.abcore.DownloadSettingsActivity" android:noHistory="true">\n</activity>\n<activity android:theme="@7F0F0006" android:label="@7F0E0036" android:name="com.greenaddress.abcore.PeerActivity">\n</activity>\n<activity android:theme="@7F0F0006" android:label="@7F0E0037" android:name="com.greenaddress.abcore.ProgressActivity">\n</activity>\n<activity android:name="com.greenaddress.abcore.LogActivity">\n</activity>\n<activity android:name="com.greenaddress.abcore.ConsoleActivity">\n</activity>\n<activity android:name="com.greenaddress.abcore.DownloadActivity">\n</activity>\n<receiver android:name="com.greenaddress.abcore.PowerBroadcastReceiver">\n<intent-filter>\n<action android:name="android.intent.action.ACTION_POWER_CONNECTED">\n</action>\n<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED">\n</action>\n<action android:name="android.intent.action.ACTION_SHUTDOWN">\n</action>\n<action android:name="android.intent.action.ACTION_BATTERY_LOW">\n</action>\n<action android:name="android.net.wifi.STATE_CHANGE">\n</action>\n</intent-filter>\n</receiver>\n</application>\n</manifest>\n'

Or if you like to use the AndroidManifest.xml as an ElementTree object, use the following method:

In [13]: a.get_android_manifest_xml()
Out[13]: <Element manifest at 0x7f9d01587b00>

There are many more methods to explore, just take a look at the API for APK.

Using the Analysis object

The ~androguard.core.analysis.analysis.Analysis object has all information about the classes, methods, fields and strings inside one or multiple DEX files.

Additionally it enables you to get call graphs and crossreferences (XREFs) for each method, class, field and string.

This means you can investigate the application for certain API calls or create graphs to see the dependencies of different classes.

As a first example, we will get all classes from the Analysis:

In [2]: dx.get_classes()
Out[2]:
[<analysis.ClassAnalysis Ljava/io/FileNotFoundException; EXTERNAL>,
 <analysis.ClassAnalysis Landroid/content/SharedPreferences; EXTERNAL>,
 <analysis.ClassAnalysis Landroid/support/v4/widget/FocusStrategy$BoundsAdapter;>,
 <analysis.ClassAnalysis Landroid/support/v4/media/MediaBrowserCompat$MediaBrowserServiceCallbackImpl;>,
 <analysis.ClassAnalysis Landroid/support/transition/WindowIdImpl;>,
 <analysis.ClassAnalysis Landroid/media/MediaMetadataEditor; EXTERNAL>,
 <analysis.ClassAnalysis Landroid/support/v4/app/BundleCompat$BundleCompatBaseImpl;>,
 <analysis.ClassAnalysis Landroid/support/transition/MatrixUtils$1;>,
 <analysis.ClassAnalysis Landroid/support/v7/widget/ShareActionProvider;>,
 ...

As you can see, get_classes() returns a list of ClassAnalysis objects. Some of them are marked as EXTERNAL, which means that the source code of this class is not defined within the DEX files that are loaded inside the Analysis. For example the first class java.io.FileNotFoundException is an API class.

A ClassAnalysis does not contain the actual code but the ClassDefItem can be loaded using the get_vm_class():

In [5]: dx.get_classes()[2].get_vm_class()
Out[5]: <dvm.ClassDefItem Ljava/lang/Object;->Landroid/support/v4/widget/FocusStrategy$BoundsAdapter;>

If the class is EXTERNAL, a ExternalClass is returned instead.

The ClassAnalysis also contains all the information about XREFs, which are explained in more detail in the next section.

XREFs

Consider the following Java source code:

class Foobar {
    public int afield = 23;

    public void somemethod() {
        String astring = "hello world";
    }
}

class Barfoo {
    public void othermethod() {
        Foobar x = new Foobar();

        x.somemethod();

        System.out.println(x.afield);
    }
}

There are two classes and the class Barfoo instanciates the other class Foobar as well as calling methods and reading fields.

XREFs are generated for four things:

• Classes
• Methods
• Fields
• Strings

XREFs work in two directions: xref_from and xref_to. To means, that the current object is calling another object. From means, that the current object is called by another object.

All XREFs can be visualized as an directed graph and if some object A is contained in the xref_to, the called object will contain A in their xref_from.

In the case of our Java example, the string astring is called in Foobar.somethod, therefore it will be contained in the xref_to of Foobar.somethod.

The Field afield will be contained in the xref_to of Barfoo.othermethod as well as the call to Foobar.somethod.

Working with Sessions

If you are working on a larger APK, you might want to save your current work and come back later. Thats the reason for sessions: They allow you to save your work on disk and resume it at any point. Sessions could also be used to store the analysis on disk, for example if you do automated analysis and want to analyse certain files later.

There are several ways to work with sessions. The easiest way is to use AnalyzeAPK() with a session:

from androguard import misc
from androguard import session

# get a default session
sess = misc.get_default_session()

# Use the session
a, d, dx = misc.AnalyzeAPK("examples/android/abcore/app-prod-debug.apk", session=sess)

# Show the current Session information
sess.show()

# Do stuff...

# Save the session to disk
session.Save(sess, "androguard_session.p")

# Load it again
sess = session.Load("androguard_session.p")

The session information will look like this:

APKs in Session: 1
    d5e26acca809e9cdfaece18afd8e63c60a26d7b6d566d70bd9f44d6934d5c433: [<androguard.core.bytecodes.apk.APK object at 0x7fcecf4f3f10>]
DEXs in Session: 2
    8bd7e9f48a6ed29e4c678633364e8bfd4e6ae76ef3e50c43a5ec3c00eb10a5bc: <analysis.Analysis VMs: 2, Classes: 3092, Strings: 3293>
    e2a1e46ecd03b701ce72c31057581e0104279d142fca06cdcdd000dd94a459e0: <analysis.Analysis VMs: 2, Classes: 3092, Strings: 3293>
Analysis in Session: 1
    d5e26acca809e9cdfaece18afd8e63c60a26d7b6d566d70bd9f44d6934d5c433: <analysis.Analysis VMs: 2, Classes: 3092, Strings: 3293>

Note, that the session objects store a lot of data and can get very big! It is recommended not to use sessions in automated environments, where hundrets or thousands of APKs are loaded.

If you want to use sessions but keep the session alive only for one or multiple APKs, you can call the reset() method on a session, to remove all stored analysis data.

from androguard import misc
from androguard import session
import os

# get a default session
sess = misc.get_default_session()

for root, dirs, files in os.walk("examples")
    for f in files:
        if f.endswith(".apk"):
            # Use the session
            a, d, dx = misc.AnalyzeAPK(os.path.join(root, f), session=sess)

            # Do your stuff

            # Maybe save the session to disk...

            # But now reset the session for the next analysis
            sess.reset()

Use JADX as a Decompiler

Instead of using the internal decompiler DAD, you can also use JADX.

Install JADX as described at it’s website. Make sure that the jadx executable is in $PATH. Otherwise you might set the argument when calling DecompilerJADX().

Here is a short demo code, how JADX can be used:

from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes.dvm import DalvikVMFormat
from androguard.core.analysis.analysis import Analysis
from androguard.decompiler.decompiler import DecompilerJADX
from androguard.core.androconf import show_logging
import logging

# Enable log output
show_logging(level=logging.DEBUG)

# Load our example APK
a = APK("examples/android/TestsAndroguard/bin/TestActivity.apk")

# Create DalvikVMFormat Object
d = DalvikVMFormat(a)
# Create Analysis Object
dx = Analysis(d)

# Load the decompiler
# Make sure that the jadx executable is found in $PATH
# or use the argument jadx="/path/to/jadx" to point to the executable
decompiler = DecompilerJADX(d, dx)

# propagate decompiler and analysis back to DalvikVMFormat
d.set_decompiler(decompiler)
d.set_vmanalysis(dx)

# Now you can do stuff like:
for m in d.get_methods()[:10]:
    print(m)
    print(decompiler.get_source_method(m))

Tools

There are several tools, which gives you the option to do certain tasks directly from the commandline. An exception is androlyze, which spawns an IPython shell and let you use the androguard API interactively.

androlyze - Androguard Shell

androlyze is a tool that spawns an IPython shell.

usage: androlyze.py [-h] [--shell] [--debug] [--ddebug] [--no-session]
                    [--version]
                    [apk]

Open a IPython Shell and start reverse engineering

positional arguments:
  apk                   Start the shell with the given APK. a, d, dx are
                        available then. Loading might be slower in this case!

optional arguments:
  -h, --help            show this help message and exit
  --shell, -s           Will do nothing, this argument is just here for your
                        convenience
  --debug, -d, --verbose
                        Print log messages
  --ddebug, -dd, --very-verbose
                        Print log messages (higher verbosity)
  --no-session          Do not start an Androguard session
  --version, -v         Print the Androguard Version and exit

androcg - Create Call Graph from APK

androcg can create files that can be read using graph visualization software, for example gephi.

Synopsis

usage: androcg.py [-h] [--output OUTPUT] [--show] [--verbose]
                  [--classname CLASSNAME] [--methodname METHODNAME]
                  [--descriptor DESCRIPTOR] [--accessflag ACCESSFLAG]
                  [--no-isolated]
                  APK

Create a call graph based on the dataof Analysis and export it into a graph
format.

positional arguments:
  APK                   The APK to analyze

optional arguments:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        Filename of the output file, the extension is used to
                        decide which format to use (default callgraph.gml)
  --show, -s            instead of saving the graph, print it with mathplotlib
                        (you might not see anything!
  --verbose, -v         Print more output
  --classname CLASSNAME
                        Regex to filter by classname
  --methodname METHODNAME
                        Regex to filter by methodname
  --descriptor DESCRIPTOR
                        Regex to filter by descriptor
  --accessflag ACCESSFLAG
                        Regex to filter by accessflags
  --no-isolated         Do not store methods which has no xrefs

Examples

The call graph is constructed from the Analysis object and then converted into a networkx DiGraph. Note that calls between methods are only added once. Thus, if a method calls some other method multiple times, this is not saved.

The methods to construct the callgraph from can be filtered. It is highly suggested to do that, as call graphs can get very large:

Of course, you can export the call graph with androguard and filter it later.

Here is an example of an already filtered graph, visualized in gephi. Each node has an attribute to indicate if it is an internal (defined somewhere in the DEXs) or external (might be an API, but definetly not defined in the DEXs) method. In this case all green nodes are internal and all red ones are external. You can see the calls of some SMS Trojan to the API methods to write SMS.

androgui - Androguard GUI

usage: androgui.py [-h] [-d] [-i INPUT_FILE] [-p INPUT_PLUGIN]

Androguard GUI

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug
  -i INPUT_FILE, --input_file INPUT_FILE
  -p INPUT_PLUGIN, --input_plugin INPUT_PLUGIN

androsign - Print Certificate Fingerprints

Get the fingerprints of the signing certificates inside an APK.

usage: androsign.py [-h] [--hash HASH] [--all] [--show] apk [apk ...]

Return the fingerprint(s) of all certificates inside an APK

positional arguments:
  apk          APK(s) to extract the Fingerprint of Certificates from

optional arguments:
  -h, --help   show this help message and exit
  --hash HASH  Fingerprint Hash algorithm, default SHA1
  --all, -a    Print all supported hashes
  --show, -s   Additionally of printing the fingerprints, show more
               certificate information

An example:

$ androsign.py --all files/golden-aligned-v1v2-out.apk
golden-aligned-v1v2-out.apk, package: 'android.appsecurity.cts.tinyapp'
Is signed v1: True
Is signed v2: True
Found 1 unique certificates
md5 e995a5ed7137307661f854e66901ee9e
sha1 0aa07c0f297b4ae834dc85a17eea8c2cf9380ff7
sha512 4da6e6744a4dabef192b198be13b4492b0ce97469f3ce223dd9b7e8df2ee952328e06651e5e65dd3b60ac5e3946e16cf7059b20d4d4a649957c1e3055c2e1fb8
sha256 fb5dbd3c669af9fc236c6991e6387b7f11ff0590997f22d0f5c74ff40e04fca8

androaxml - AndroidManifest.xml parser

Parse the AndroidManifest.xml from an APK and show/save the XML file.

usage: androaxml.py [-h] [--output OUTPUT] [--version] [--input INPUT] [file]

Parses the AndroidManifest.xml eitherdirect or from a given APK and prints in
XML format or saves tofile.This tool can also be used to process any AXML
encoded file, forexample from the layout directory.

positional arguments:
  file                  AndroidManifest.xml or APK to parse

optional arguments:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        filename to save the decoded AndroidManifest.xml to
  --version, -v         Print androguard version and exit
  --input INPUT, -i INPUT
                        AndroidManifest.xml or APK to parse (legacy option)

androarsc - resources.arsc parser

Parse the resources.arsc file from an APK and print human readable XML.

usage: androarsc.py [-h] [--version] [--input INPUT] [--output OUTPUT]
                    [--package PACKAGE] [--locale LOCALE] [--type TYPE]
                    [--list-packages | --list-locales | --list-types]
                    [file]

Decode resources.arsc either directlyfrom a given file or from an APK.

positional arguments:
  file                  resources.arsc or APK to parse

optional arguments:
  -h, --help            show this help message and exit
  --version, -v         Print androguard version and exit
  --input INPUT, -i INPUT
                        resources.arsc or APK to parse (legacy option)
  --output OUTPUT, -o OUTPUT
                        filename to save the decoded resources to
  --package PACKAGE, -p PACKAGE
                        Show only resources for the given package name
                        (default: the first package name found)
  --locale LOCALE, -l LOCALE
                        Show only resources for the given locale (default:
                        '\x00\x00')
  --type TYPE, -t TYPE  Show only resources of the given type (default:
                        public)
  --list-packages       List all package names and exit
  --list-locales        List all locales and exit
  --list-types          List all types and exit

androdd - Decompile APKs and create CFG

androdd is a tool to create a decompiled version of an APK using the available decompilers.

Synopsis

usage: androdd.py [-h] [--version] [--input INPUT] --output OUTPUT
                  [--format FORMAT] [--jar] [--limit LIMIT]
                  [--decompiler DECOMPILER]
                  [file]

Decompile an APK and create Control Flow Graphs

positional arguments:
  file                  resources.arsc or APK to parse

optional arguments:
  -h, --help            show this help message and exit
  --version, -v         Print androguard version and exit
  --input INPUT, -i INPUT
                        resources.arsc or APK to parse (legacy option)
  --output OUTPUT, -o OUTPUT
                        output directory. If the output folder already exsist,
                        it willbe overwritten!
  --format FORMAT, -f FORMAT
                        Additionally write control flow graphs for each
                        method,specify the format for example png, jpg, raw
                        (write dot file), ...
  --jar, -j             Use DEX2JAR to create a JAR file
  --limit LIMIT, -l LIMIT
                        Limit to certain methods only by regex (default: '.*')
  --decompiler DECOMPILER, -d DECOMPILER
                        Use a different decompiler (default: DAD)

It also can generate control flow graphs (CFG) for each method using the graphviz format. The CFGs can be exported as image file directly.

Additionally to the decompiled classes in .java format, each method is given in a SMALI like format (.ag files)

All filenames are sanatized, so they should work on most operating systems and filesystems.

Examples

To get all CFG in png format and limit the processing only to a certain namespace, the following command can be used:

androdd.py -o outputfolder -f png -i someapp.apk --limit "^Lcom/elite/.*"

This will decompile the app someapp.apk into the folder outputfolder and limit the processing to all methods, where the classname starts with com.elite..

A CFG might look like this:

while the .ag file has this content:

# Lcom/elite/MainActivity;->wipeDirectory(Ljava/lang/String;)V [access_flags=private static]
#
# Parameters:
# - local registers: v0...v6
# - v7:java.lang.String
#
# - return:void

wipeDirectory-BB@0x0 : [ wipeDirectory-BB@0x16 wipeDirectory-BB@0x62 ]
    0       (00000000) new-instance         v0, Ljava/io/File;
    1       (00000004) invoke-direct        v0, v7, Ljava/io/File;-><init>(Ljava/lang/String;)V
    2       (0000000a) invoke-virtual       v0, Ljava/io/File;->listFiles()[Ljava/io/File;
    3       (00000010) move-result-object   v2
    4       (00000012) if-eqz               v2, +28
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x16 : [ wipeDirectory-BB@0x1c wipeDirectory-BB@0x62 ]
    5       (00000016) array-length         v4, v2
    6       (00000018) if-lez               v4, +25
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x1c : [ wipeDirectory-BB@0x20 ]
    7       (0000001c) array-length         v5, v2
    8       (0000001e) const/4              v4, 0
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x20 : [ wipeDirectory-BB@0x24 wipeDirectory-BB@0x26 ]
    9       (00000020) if-lt                v4, v5, +3
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x24 :
    10      (00000024) return-void
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x26 : [ wipeDirectory-BB@0x36 wipeDirectory-BB@0x50 ]
    11      (00000026) aget-object          v3, v2, v4
    12      (0000002a) invoke-virtual       v3, Ljava/io/File;->isDirectory()Z
    13      (00000030) move-result          v6
    14      (00000032) if-eqz               v6, +f
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x36 : [ wipeDirectory-BB@0x4a ]
    15      (00000036) invoke-virtual       v3, Ljava/io/File;->toString()Ljava/lang/String;
    16      (0000003c) move-result-object   v6
    17      (0000003e) invoke-static        v6, Lcom/elite/MainActivity;->wipeDirectory(Ljava/lang/String;)V
    18      (00000044) invoke-virtual       v3, Ljava/io/File;->delete()Z
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x4a : [ wipeDirectory-BB@0x20 ]
    19      (0000004a) add-int/lit8         v4, v4, 1
    20      (0000004e) goto                 -17
    0:55
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

wipeDirectory-BB@0x50 : [ wipeDirectory-BB@0x4a ]
    21      (00000050) invoke-virtual       v3, Ljava/io/File;->delete()Z
    22      (00000056) goto                 -6

wipeDirectory-BB@0x58 : [ wipeDirectory-BB@0x24 ]
    23      (00000058) move-exception       v1
    24      (0000005a) invoke-virtual       v1, Ljava/lang/Exception;->printStackTrace()V
    25      (00000060) goto                 -1e

wipeDirectory-BB@0x62 : [ wipeDirectory-BB@0x24 ]
    26      (00000062) invoke-virtual       v0, Ljava/io/File;->delete()Z
    27      (00000068) goto                 -22
    62:67
    (Ljava/lang/Exception; -> 58 wipeDirectory-BB@0x58)

androdis - Disassembler for DEX

androdis is a disassembler for DEX files.

Usage: androdis.py [options]

Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use this filename (DEX/ODEX)
  -o OFFSET, --offset=OFFSET
                        offset to disassemble
  -s SIZE, --size=SIZE  size

androauto - run your own analysis

Go into automated mode using androauto.

Usage: androauto.py [options]

Options:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory=DIRECTORY
                        directory input
  -v, --verbose         add debug

Commonly used APIs

APK parser:androguard.core.bytecodes.apk.APK DEX parser:androguard.core.bytecodes.dvm.DalvikVMFormat AXML parser:androguard.core.bytecodes.axml.AXMLPrinter ARSC parser:androguard.core.bytecodes.axml.ARSCParser Analysis:androguard.core.analysis.analysis.Analysis Session:androguard.session.Session Decompilers:androguard.decompiler.decompiler

Complete Python API

androguard package

Subpackages

androguard.core package

Subpackages

androguard.core.analysis package

The analysis module implements an abstraction layer for androguard.core.bytecodes.dvm.DalvikVMFormat objects. The the help of the androguard.core.analysis.analysis.Analsyis object, you can bundle several DEX files together. This is not only useful for multidex files, but also for a single dex, as Analysis offers many features to investigate DEX files. One of these features is crossreferencing (XREF). It allows you to build a graph of the methods inside the DEX files. You can then create callgraphs or find methods which use a specific API method.

Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm=None)

Bases: object

add(vm)

Add a DalvikVMFormat to this Analysis

Parameters:vm – dvm.DalvikVMFormat to add to this Analysis

create_xref()

Create Class, Method, String and Field crossreferences for all classes in the Analysis.

If you are using multiple DEX files, this function must be called when all DEX files are added. If you call the function after every DEX file, the crossreferences might be wrong!

find_classes(name='.*', no_external=False)

Find classes by name, using regular expression This method will return all ClassAnalysis Object that match the name of the class.

Parameters:

• name – regular expression for class name (default “.*”)
• no_external – Remove external classes from the output (default False)

Return type:

generator of ClassAnalysis

find_fields(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')

find fields by regex

Parameters:

• classname – regular expression of the classname
• fieldname – regular expression of the fieldname
• fieldtype – regular expression of the fieldtype
• accessflags – regular expression of the access flags

Return type:

generator of FieldClassAnalysis

find_methods(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)

Find a method by name using regular expression. This method will return all MethodClassAnalysis objects, which match the classname, methodname, descriptor and accessflags of the method.

Parameters:

• classname – regular expression for the classname
• methodname – regular expression for the method name
• descriptor – regular expression for the descriptor
• accessflags – regular expression for the accessflags
• no_external – Remove external method from the output (default False)

Return type:

generator of MethodClassAnalysis

find_strings(string='.*')

Find strings by regex

Parameters:string – regular expression for the string to search for Return type:generator of StringAnalysis

get_call_graph(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_isolated=False, entry_points=[])

Generate a directed graph based on the methods found by the filters applied. The filters are the same as in find_methods()

A networkx.DiGraph is returned, containing all edges only once! that means, if a method calls some method twice or more often, there will only be a single connection.

Parameters:

• classname – regular expression of the classname (default: “.*”)
• fieldname – regular expression of the fieldname (default: “.*”)
• fieldtype – regular expression of the fieldtype (default: “.*”)
• accessflags – regular expression of the access flags (default: “.*”)
• no_isolated – remove isolated nodes from the graph, e.g. methods which do not call anything (default: False)
• entry_points – A list of classes that are marked as entry point

Return type:

DiGraph

get_class_analysis(class_name)

Returns the ClassAnalysis object for a given classname.

Parameters:class_name – classname like ‘Ljava/lang/Object;’ (including L and ;) Returns:ClassAnalysis

get_classes()

Returns a list of ClassAnalysis objects

Returns both internal and external classes (if any)

Return type:list of ClassAnalysis

get_external_classes()

Returns all external classes, that means all classes that are not defined in the given set of DalvikVMObjects.

Return type:generator of ClassAnalysis

get_field_analysis(field)

Get the FieldAnalysis for a given fieldname

Parameters:field – TODO Returns:FieldClassAnalysis

get_fields()

Returns a list of FieldClassAnalysis objects

get_internal_classes()

Returns all external classes, that means all classes that are defined in the given set of DalvikVMFormat.

Return type:generator of ClassAnalysis

get_method(method)

Get the MethodAnalysis object for a given EncodedMethod. This Analysis object is used to enhance EncodedMethods.

Parameters:method – EncodedMethod to search for Returns:MethodAnalysis object for the given method, or None if method was not found

get_method_analysis(method)

Returns the crossreferencing object for a given Method.

Beware: the similar named function get_method() will return a MethodAnalysis object, while this function returns a MethodClassAnalysis object!

This Method will only work after a run of create_xref()

Parameters:method – EncodedMethod Returns:MethodClassAnalysis for the given method or None, if method was not found

get_method_analysis_by_name(class_name, method_name, method_descriptor)

Returns the crossreferencing object for a given method.

This function is similar to get_method_analysis(), with the difference that you can look up the Method by name

Parameters:

• class_name – name of the class, for example ‘Ljava/lang/Object;’
• method_name – name of the method, for example ‘onCreate’
• method_descriptor – method descriptor, for example ‘(I I)V’

Returns:

MethodClassAnalysis

get_method_by_name(class_name, method_name, method_descriptor)

Search for a EncodedMethod in all classes in this analysis

Parameters:

• class_name – name of the class, for example ‘Ljava/lang/Object;’
• method_name – name of the method, for example ‘onCreate’
• method_descriptor – descriptor, for example ‘(I I Ljava/lang/String)V

Returns:

EncodedMethod or None if method was not found

get_methods()

Returns a list of MethodClassAnalysis objects

get_strings()

Returns a list of StringAnalysis objects

Return type:list of StringAnalysis

get_strings_analysis()

Returns a dictionary of strings and their corresponding StringAnalysis

Returns:a dictionary

is_class_present(class_name)

Checks if a given class name is part of this Analysis.

Parameters:class_name – classname like ‘Ljava/lang/Object;’ (including L and ;) Returns:True if class was found, False otherwise

class androguard.core.analysis.analysis.BasicBlocks(_vm)

Bases: object

This class represents all basic blocks of a method

get()

Return type:return each basic block (DVMBasicBlock object)

get_basic_block(idx)

get_basic_block_pos(idx)

gets()

Return type:a list of basic blocks (DVMBasicBlock objects)

pop(idx)

push(bb)

class androguard.core.analysis.analysis.ClassAnalysis(classobj)

Bases: object

AddFXrefRead(method, classobj, field)

Add a Field Read to this class

Parameters:

• method –
• classobj –
• field –

Returns:

AddFXrefWrite(method, classobj, field)

Add a Field Write to this class

Parameters:

• method –
• classobj –
• field –

Returns:

AddMXrefFrom(method1, classobj, method2, offset)

AddMXrefTo(method1, classobj, method2, offset)

AddXrefFrom(ref_kind, classobj, methodobj, offset)

Creates a crossreference from this class. XrefFrom means, that the current class is called by another class.

Parameters:

• ref_kind –
• classobj – ClassAnalysis object to link
• methodobj –
• offset – Offset in the methods bytecode, where the call happens

Returns:

AddXrefTo(ref_kind, classobj, methodobj, offset)

Creates a crossreference to another class. XrefTo means, that the current class calls another class. The current class should also be contained in the another class’ XrefFrom list.

Parameters:

• ref_kind –
• classobj – ClassAnalysis object to link
• methodobj –
• offset – Offset in the Methods Bytecode, where the call happens

Returns:

get_fake_method(name, descriptor)

Search for the given method name and descriptor and return a fake (ExternalMethod) if required.

Parameters:

• name – name of the method
• descriptor – descriptor of the method, for example ‘(I I I)V’

Returns:

ExternalMethod

get_field_analysis(field)

get_fields()

Return all FieldClassAnalysis objects of this class

get_method_analysis(method)

Return the MethodClassAnalysis object for a given EncodedMethod

Parameters:method – EncodedMethod Returns:MethodClassAnalysis

get_methods()

Return all MethodClassAnalysis objects of this class

get_nb_methods()

Get the number of methods in this class

get_vm_class()

get_xref_from()

get_xref_to()

is_android_api()

Tries to guess if the current class is an Android API class.

This might be not very precise unless an apilist is given, with classes that are in fact known APIs. Such a list might be generated by using the android.jar files.

Returns:boolean

is_external()

Tests wheather this class is an external class

Returns:True if the Class is external, False otherwise

class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)

Bases: object

A simple basic block of a dalvik method

add_note(note)

clear_notes()

get_end()

get_exception_analysis()

get_instructions()

Get all instructions from a basic block.

Return type:Return all instructions in the current basic block

get_last()

get_last_length()

get_method()

get_name()

get_nb_instructions()

get_next()

Get next basic blocks

Return type:a list of the next basic blocks

get_notes()

get_prev()

Get previous basic blocks

Return type:a list of the previous basic blocks

get_special_ins(idx)

Return the associated instruction to a specific instruction (for example a packed/sparse switch)

Parameters:idx – the index of the instruction Return type:None or an Instruction

get_start()

push(i)

set_childs(values)

set_exception_analysis(exception_analysis)

set_fathers(f)

set_notes(value)

show()

class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)

Bases: object

get()

show_buff()

class androguard.core.analysis.analysis.Exceptions(_vm)

Bases: object

add(exceptions, basic_blocks)

get()

get_exception(addr_start, addr_end)

gets()

class androguard.core.analysis.analysis.ExternalClass(name)

Bases: object

GetMethod(name, descriptor)

get_method(name, descriptor)

Get the method by name and descriptor, or create a new one if the requested method does not exists.

Parameters:

• name – method name
• descriptor – method descriptor, for example ‘(I)V’

Returns:

ExternalMethod

get_methods()

Return the stored methods for this external class :return:

get_name()

Returns the name of the ExternalClass object

class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)

Bases: object

get_access_flags_string()

get_class_name()

get_descriptor()

get_name()

class androguard.core.analysis.analysis.FieldClassAnalysis(field)

Bases: object

AddXrefRead(classobj, methodobj)

AddXrefWrite(classobj, methodobj)

get_field()

get_xref_read()

get_xref_write()

class androguard.core.analysis.analysis.MethodAnalysis(vm, method)

Bases: object

get_basic_blocks()

Return type:a BasicBlocks object

get_length()

Return type:an integer which is the length of the code

get_method()

get_vm()

show()

Prints the content of this method to stdout.

This will print the method signature and the decompiled code.

class androguard.core.analysis.analysis.MethodClassAnalysis(method)

Bases: object

AddXrefFrom(classobj, methodobj, offset)

Add a crossrefernece from another method (this method is called by another method)

Parameters:

• classobj – ClassAnalysis
• methodobj – EncodedMethod
• offset – integer where in the method the call happens

AddXrefTo(classobj, methodobj, offset)

Add a crossreference to another method (this method calls another method)

Parameters:

• classobj – ClassAnalysis
• methodobj – EncodedMethod
• offset – integer where in the method the call happens

get_method()

Return the EncodedMethod object that relates to this object :return: dvm.EncodedMethod

get_xref_from()

Returns a list of three tuples cotaining the class, method and offset of the call, from where this object was called.

The list of tuples has the form: (ClassAnalysis, EncodedMethod or ExternalMethod, int)

get_xref_to()

Returns a list of three tuples cotaining the class, method and offset of the call, which are called by this method.

The list of tuples has the form: (ClassAnalysis, EncodedMethod or ExternalMethod, int)

is_android_api()

Returns True if the method seems to be an Android API method.

This method might be not very precise unless an list of known API methods is given.

Returns:boolean

is_external()

Return True if the underlying methd is external

Return type:boolean

class androguard.core.analysis.analysis.StringAnalysis(value)

Bases: object

AddXrefFrom(classobj, methodobj)

get_orig_value()

get_value()

get_xref_from()

set_value(value)

androguard.core.analysis.analysis.is_ascii_obfuscation(vm)

Tests if any class inside a DalvikVMObject uses ASCII Obfuscation (e.g. UTF-8 Chars in Classnames)

Parameters:vm – DalvikVMObject Returns:True if ascii obfuscation otherwise False

androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)

Bases: object

The main class which analyse automatically android apps by calling methods from a specific object :param settings: the settings of the analysis :type settings: dict

dump()

Dump the analysis

dump_file(filename)

Dump the analysis in a filename

go()

Launch the analysis

class androguard.core.analysis.auto.DefaultAndroAnalysis

Bases: object

This class can be used as a template in order to analyse apps

analysis_adex(log, adexobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• adexobj – a VMAnalysis object

Return type:

a boolean

analysis_apk(log, apkobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• apkobj – a APK object

Return type:

a boolean

analysis_app(log, apkobj, dexobj, adexobj)

This method is called if you wish to analyse the final app

Parameters:

• log – an object which corresponds to a unique app
• apkobj – a APK object
• dexobj – a DalvikVMFormat object
• adexobj – a VMAnalysis object

analysis_arsc(log, arscobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• arscobj – a ARSCParser object

Return type:

a boolean

analysis_axml(log, axmlobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• axmlobj – a AXMLPrinter object

Return type:

a boolean

analysis_dex(log, dexobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• dexobj – a DalvikVMFormat object

Return type:

a boolean

analysis_dey(log, deyobj)

This method is called in order to know if the analysis must continue

Parameters:

• log – an object which corresponds to a unique app
• deyobj – a DalvikOdexVMFormat object

Return type:

a boolean

crash(log, why)

This method is called if a crash appends

Parameters:

• log – an object which corresponds to a unique app
• why – the string exception

create_adex(log, dexobj)

This method is called in order to create a VMAnalysis object

Parameters:

• log – an object which corresponds to a unique app
• dexobj – a DalvikVMFormat object

Rytpe:

a Analysis object

create_apk(log, fileraw)

This method is called in order to create a new APK object

Parameters:

• log – an object which corresponds to a unique app
• fileraw – the raw apk (a string)

Return type:

an APK object

create_arsc(log, fileraw)

This method is called in order to create a new ARSC object

Parameters:

• log – an object which corresponds to a unique app
• fileraw – the raw arsc (a string)

Return type:

an APK object

create_axml(log, fileraw)

This method is called in order to create a new AXML object

Parameters:

• log – an object which corresponds to a unique app
• fileraw – the raw axml (a string)

Return type:

an APK object

create_dex(log, dexraw)

This method is called in order to create a DalvikVMFormat object

Parameters:

• log – an object which corresponds to a unique app
• dexraw – the raw classes.dex (a string)

Return type:

a DalvikVMFormat object

create_dey(log, dexraw)

This method is called in order to create a DalvikOdexVMFormat object

Parameters:

• log – an object which corresponds to a unique app
• dexraw – the raw odex file (a string)

Return type:

a DalvikOdexVMFormat object

dump()

This method is called to dump the result

dump_file(filename)

This method is called to dump the result in a file

Parameters:filename – the filename to dump the result

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

Parameters:q – the Queue to put new app

filter_file(log, fileraw)

This method is called in order to filer a specific app

Parameters:

• log – an object which corresponds to a unique app
• fileraw – the raw app (a string)

Return type:

a set with 2 elements, the return value (boolean) if it is necessary to continue the analysis and the file type

finish(log)

This method is called before the end of the analysis

Parameters:log – an object which corresponds to a unique app

class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)

Bases: androguard.core.analysis.auto.DefaultAndroAnalysis

A simple class example to analyse a directory

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

Parameters:q – the Queue to put new app

Module contents

androguard.core.api_specific_resources package

Module contents

exception androguard.core.api_specific_resources.APILevelNotFoundError

Bases: Exception

androguard.core.api_specific_resources.load_permission_mappings(apilevel)

Load the API/Permission mapping for the requested API level. If the requetsed level was not found, None is returned.

Parameters:apilevel – integer value of the API level, i.e. 24 for Android 7.0 Returns:a dictionary of {MethodSignature: [List of Permissions]}

androguard.core.api_specific_resources.load_permissions(apilevel)

Load the Permissions for the given apilevel

Parameters:apilevel – integer value of the API level Returns:a dictionary of {Permission Name: {Permission info}

androguard.core.bytecodes package

The bytecodes modules are one very important core feature of Androguard. They contain parsers for APK, AXML, DEX, ODEX and DEY files as well for formats used inside these formats. These might be MUTF-8 for string encoding in DEX files as well as the widely used LEB128 encoding for numbers.

The most important modules might be androguard.core.bytecodes.apk.APK and androguard.core.bytecodes.dvm.DalvikVMFormat.

Submodules

androguard.core.bytecodes.apk module

class androguard.core.bytecodes.apk.APK(filename, raw=False, magic_file=None, skip_analysis=False, testzip=False)

Bases: object

files

Returns a dictionary of filenames and detected magic type

Returns:dictionary of files and their mime type

get_activities()

Return the android:name attribute of all activities

Return type:a list of str

get_all_dex()

Return the raw data of all classes dex files

Return type:a generator of bytes

get_android_manifest_axml()

Return the AXMLPrinter object which corresponds to the AndroidManifest.xml file

Return type:AXMLPrinter

get_android_manifest_xml()

Return the parsed xml object which corresponds to the AndroidManifest.xml file

Return type:Element

get_android_resources()

Return the ARSCParser object which corresponds to the resources.arsc file

Return type:ARSCParser

get_androidversion_code()

Return the android version code

This information is read from the AndroidManifest.xml

Return type:str

get_androidversion_name()

Return the android version name

This information is read from the AndroidManifest.xml

Return type:str

get_app_icon(max_dpi=65536)

Return the first icon file name, which density is not greater than max_dpi, unless exact icon resolution is set in the manifest, in which case return the exact file.

This information is read from the AndroidManifest.xml

From https://developer.android.com/guide/practices/screens_support.html and https://developer.android.com/ndk/reference/group___configuration.html

• DEFAULT 0dpi
• ldpi (low) 120dpi
• mdpi (medium) 160dpi
• TV 213dpi
• hdpi (high) 240dpi
• xhdpi (extra-high) 320dpi
• xxhdpi (extra-extra-high) 480dpi
• xxxhdpi (extra-extra-extra-high) 640dpi
• anydpi 65534dpi (0xFFFE)
• nodpi 65535dpi (0xFFFF)

There is a difference between nodpi and anydpi: nodpi will be used if no other density is specified. Or the density does not match. nodpi is the fallback for everything else. If there is a resource that matches the DPI, this is used. anydpi is also valid for all densities but in this case, anydpi will overrule all other files! Therefore anydpi is usually used with vector graphics and with constraints on the API level. For example adaptive icons are usually marked as anydpi.

When it comes now to selecting an icon, there is the following flow: 1) is there an anydpi icon? 2) is there an icon for the dpi of the device? 3) is there a nodpi icon? 4) (only on very old devices) is there a icon with dpi 0 (the default)

For more information read here: https://stackoverflow.com/a/34370735/446140

Return type:str

get_app_name()

Return the appname of the APK

This name is read from the AndroidManifest.xml

Return type:str

get_certificate(filename)

Return a X.509 certificate object by giving the name in the apk file

Parameters:filename – filename of the signature file in the APK Returns:a Certificate certificate

get_certificate_der(filename)

Return the DER coded X.509 certificate from the signature file.

Parameters:filename – Signature filename in APK Returns:DER coded X.509 certificate as binary

get_certificates_der_v2()

Return a list of DER coded X.509 certificates from the v2 signature

get_certificates_v2()

Return a list of asn1crypto.x509.Certificate which are found in the v2 signing block. Note that we simply extract all certificates regardless of the signer. Therefore this is just a list of all certificates found in all signers.

get_declared_permissions()

Returns list of the declared permissions.

Return type:list of strings

get_declared_permissions_details()

Returns declared permissions with the details.

Return type:dict

get_details_permissions()

Return permissions with details

Return type:dict of {permission: [protectionLevel, label, description]}

get_dex()

Return the raw data of the classes dex file

This will give you the data of the file called classes.dex inside the APK. If the APK has multiple DEX files, you need to use get_all_dex().

Return type:bytes

get_dex_names()

Return the names of all DEX files found in the APK. This method only accounts for “offical” dex files, i.e. all files in the root directory of the APK named classes.dex or classes[0-9]+.dex

Return type:a list of str

get_effective_target_sdk_version()

Return the effective targetSdkVersion, always returns int > 0.

If the targetSdkVersion is not set, it defaults to 1. This is set based on defaults as defined in: https://developer.android.com/guide/topics/manifest/uses-sdk-element.html

Return type:int

get_element(tag_name, attribute, **attribute_filter)

Return element in xml files which match with the tag name and the specific attribute

Parameters:

• tag_name (string) – specify the tag name
• attribute (string) – specify the attribute

Return type:

string

get_elements(tag_name, attribute, with_namespace=True)

Return elements in xml files which match with the tag name and the specific attribute

Parameters:

• tag_name – a string which specify the tag name
• attribute – a string which specify the attribute

get_features()

Return a list of all android:names found for the tag uses-feature in the AndroidManifest.xml

Returns:list

get_file(filename)

Return the raw data of the specified filename inside the APK

Return type:bytes

get_filename()

Return the filename of the APK

Return type:str

get_files()

Return the file names inside the APK.

Return type:a list of str

get_files_crc32()

Calculates and returns a dictionary of filenames and CRC32

Returns:dict of filename: CRC32

get_files_information()

Return the files inside the APK with their associated types and crc32

Return type:str, str, int

get_files_types()

Return the files inside the APK with their associated types (by using python-magic)

Return type:a dictionnary

get_intent_filters(itemtype, name)

Find intent filters for a given item and name.

Intent filter are attached to activities, services or receivers. You can search for the intent filters of such items and get a dictionary of all attached actions and intent categories.

Parameters:

• itemtype – the type of parent item to look for, e.g. activity, service or receiver
• name – the android:name of the parent item, e.g. activity name

Returns:

a dictionary with the keys action and category containing the android:name of those items

get_libraries()

Return the android:name attributes for libraries

Return type:list

get_main_activity()

Return the name of the main activity

This value is read from the AndroidManifest.xml

Return type:str

get_max_sdk_version()

Return the android:maxSdkVersion attribute

Return type:string

get_min_sdk_version()

Return the android:minSdkVersion attribute

Return type:string

get_package()

Return the name of the package

This information is read from the AndroidManifest.xml

Return type:str

get_permissions()

Return permissions

Return type:list of str

get_providers()

Return the android:name attribute of all providers

Return type:a list of string

get_raw()

Return raw bytes of the APK

Return type:bytes

get_receivers()

Return the android:name attribute of all receivers

Return type:a list of string

get_requested_aosp_permissions()

Returns requested permissions declared within AOSP project.

This includes several other permissions as well, which are in the platform apps.

Return type:list of str

get_requested_aosp_permissions_details()

Returns requested aosp permissions with details.

Return type:dictionary

get_requested_permissions = DeprecationWarning(<function APK.get_requested_permissions>,)

get_requested_third_party_permissions()

Returns list of requested permissions not declared within AOSP project.

Return type:list of strings

get_services()

Return the android:name attribute of all services

Return type:a list of str

get_signature()

Return the data of the first signature file found (v1 Signature / JAR Signature)

Return type:First signature name or None if not signed

get_signature_name()

Return the name of the first signature file found.

get_signature_names()

Return a list of the signature file names (v1 Signature / JAR Signature)

Return type:List of filenames matching a Signature

get_signatures()

Return a list of the data of the signature files. Only v1 / JAR Signing.

Return type:list of bytes

get_target_sdk_version()

Return the android:targetSdkVersion attribute

Return type:string

get_uses_implied_permission_list()

Return all permissions implied by the target SDK or other permissions.

Return type:list of string

is_androidtv()

Checks if this application does not require a touchscreen, as this is the rule to get into the TV section of the Play Store See: https://developer.android.com/training/tv/start/start.html for more information.

Returns:True if ‘android.hardware.touchscreen’ is not required, False otherwise

is_leanback()

Checks if this application is build for TV (Leanback support) by checkin if it uses the feature ‘android.software.leanback’

Returns:True if leanback feature is used, false otherwise

is_multidex()

Test if the APK has multiple DEX files

Returns:True if multiple dex found, otherwise False

is_signed()

Returns true if either a v1 or v2 (or both) signature was found.

is_signed_v1()

Returns true if a v1 / JAR signature was found.

Returning True does not mean that the file is properly signed! It just says that there is a signature file which needs to be validated.

is_signed_v2()

Returns true of a v2 / APK signature was found.

Returning True does not mean that the file is properly signed! It just says that there is a signature file which needs to be validated.

is_valid_APK()

Return true if the APK is valid, false otherwise. An APK is seen as valid, if the AndroidManifest.xml could be successful parsed. This does not mean that the APK has a valid signature nor that the APK can be installed on an Android system.

Return type:boolean

is_wearable()

Checks if this application is build for wearables by checking if it uses the feature ‘android.hardware.type.watch’ See: https://developer.android.com/training/wearables/apps/creating.html for more information.

Not every app is setting this feature (not even the example Google provides), so it might be wise to not 100% rely on this feature.

Returns:True if wearable, False otherwise

new_zip(filename, deleted_files=None, new_files={})

Create a new zip file

Parameters:

• filename (string) – the output filename of the zip
• deleted_files (None or a string) – a regex pattern to remove specific file
• new_files (a dictionnary (key:filename, value:content of the file)) – a dictionnary of new files

show()

exception androguard.core.bytecodes.apk.BrokenAPKError

Bases: androguard.core.bytecodes.apk.Error

exception androguard.core.bytecodes.apk.Error

Bases: Exception

Base class for exceptions in this module.

exception androguard.core.bytecodes.apk.FileNotPresent

Bases: androguard.core.bytecodes.apk.Error

androguard.core.bytecodes.apk.parse_lxml_dom(tree)

androguard.core.bytecodes.apk.show_Certificate(cert, short=False)

Print Fingerprints, Issuer and Subject of an X509 Certificate.

Parameters:

• cert (asn1crypto.x509.Certificate) – X509 Certificate to print
• short (Boolean) – Print in shortform for DN (Default: False)

androguard.core.bytecodes.dvm module

class androguard.core.bytecodes.dvm.AnnotationElement(buff, cm)

Bases: object

This class can parse an annotation_element of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_element
• cm (ClassManager) – a ClassManager object

get_length()

get_name_idx()

Return the element name, represented as an index into the string_ids section

Return type:int

get_obj()

get_raw()

get_value()

Return the element value (EncodedValue)

Return type:a EncodedValue object

show()

class androguard.core.bytecodes.dvm.AnnotationItem(buff, cm)

Bases: object

This class can parse an annotation_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_item
• cm (ClassManager) – a ClassManager object

get_annotation()

Return the encoded annotation contents

Return type:a EncodedAnnotation object

get_length()

get_obj()

get_off()

get_raw()

get_visibility()

Return the intended visibility of this annotation

Return type:int

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.AnnotationOffItem(buff, cm)

Bases: object

This class can parse an annotation_off_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_off_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_raw()

show()

class androguard.core.bytecodes.dvm.AnnotationSetItem(buff, cm)

Bases: object

This class can parse an annotation_set_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_set_item
• cm (ClassManager) – a ClassManager object

get_annotation_off_item()

Return the offset from the start of the file to an annotation

Return type:a list of AnnotationOffItem

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.AnnotationSetRefItem(buff, cm)

Bases: object

This class can parse an annotation_set_ref_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_set_ref_item
• cm (ClassManager) – a ClassManager object

get_annotations_off()

Return the offset from the start of the file to the referenced annotation set or 0 if there are no annotations for this element.

Return type:int

get_obj()

get_raw()

show()

class androguard.core.bytecodes.dvm.AnnotationSetRefList(buff, cm)

Bases: object

This class can parse an annotation_set_ref_list_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotation_set_ref_list_item
• cm (ClassManager) – a ClassManager object

get_length()

get_list()

Return elements of the list

Return type:AnnotationSetRefItem

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.AnnotationsDirectoryItem(buff, cm)

Bases: object

This class can parse an annotations_directory_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the annotations_directory_item
• cm (ClassManager) – a ClassManager object

get_annotated_fields_size()

Return the count of fields annotated by this item

Return type:int

get_annotated_methods_size()

Return the count of methods annotated by this item

Return type:int

get_annotated_parameters_size()

Return the count of method parameter lists annotated by this item

Return type:int

get_class_annotations_off()

Return the offset from the start of the file to the annotations made directly on the class, or 0 if the class has no direct annotations

Return type:int

get_field_annotations()

Return the list of associated field annotations

Return type:a list of FieldAnnotation

get_length()

get_method_annotations()

Return the list of associated method annotations

Return type:a list of MethodAnnotation

get_obj()

get_off()

get_parameter_annotations()

Return the list of associated method parameter annotations

Return type:a list of ParameterAnnotation

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.ClassDataItem(buff, cm)

Bases: object

This class can parse a class_data_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the class_data_item
• cm (ClassManager) – a ClassManager object

get_direct_methods()

Return the defined direct (any of static, private, or constructor) methods, represented as a sequence of encoded elements

Return type:a list of EncodedMethod objects

get_direct_methods_size()

Return the number of direct methods defined in this item

Return type:int

get_fields()

Return static and instance fields

Return type:a list of EncodedField objects

get_instance_fields()

Return the defined instance fields, represented as a sequence of encoded elements

Return type:a list of EncodedField objects

get_instance_fields_size()

Return the number of instance fields defined in this item

Return type:int

get_length()

get_methods()

Return direct and virtual methods

Return type:a list of EncodedMethod objects

get_obj()

get_off()

get_raw()

get_static_fields()

Return the defined static fields, represented as a sequence of encoded elements

Return type:a list of EncodedField objects

get_static_fields_size()

Return the number of static fields defined in this item

Return type:int

get_virtual_methods()

Return the defined virtual (none of static, private, or constructor) methods, represented as a sequence of encoded elements

Return type:a list of EncodedMethod objects

get_virtual_methods_size()

Return the number of virtual methods defined in this item

Return type:int

reload()

set_off(off)

set_static_fields(value)

show()

class androguard.core.bytecodes.dvm.ClassDefItem(buff, cm)

Bases: object

This class can parse a class_def_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the class_def_item
• cm (ClassManager) – a ClassManager object

get_access_flags()

Return the access flags for the class (public, final, etc.)

Return type:int

get_access_flags_string()

Return the access flags string of the class

Return type:string

get_annotations_off()

Return the offset from the start of the file to the annotations structure for this class, or 0 if there are no annotations on this class.

Return type:int

get_ast()

get_class_data()

Return the associated class_data_item

Return type:a ClassDataItem object

get_class_data_off()

Return the offset from the start of the file to the associated class data for this item, or 0 if there is no class data for this class

Return type:int

get_class_idx()

Return the index into the type_ids list for this class

Return type:int

get_fields()

Return all fields of this class

Return type:a list of EncodedField objects

get_interfaces()

Return the name of the interface

Return type:string

get_interfaces_off()

Return the offset from the start of the file to the list of interfaces, or 0 if there are none

Return type:int

get_length()

get_methods()

Return all methods of this class

Return type:a list of EncodedMethod objects

get_name()

Return the name of this class

Return type:int

get_obj()

get_raw()

get_source()

get_source_ext()

get_source_file_idx()

Return the index into the string_ids list for the name of the file containing the original source for (at least most of) this class, or the special value NO_INDEX to represent a lack of this information

Return type:int

get_static_values_off()

Return the offset from the start of the file to the list of initial values for static fields, or 0 if there are none (and all static fields are to be initialized with 0 or null)

Return type:int

get_superclass_idx()

Return the index into the type_ids list for the superclass

Return type:int

get_superclassname()

Return the name of the super class

Return type:string

reload()

set_name(value)

show()

source()

Return the source code of the entire class

Return type:string

class androguard.core.bytecodes.dvm.ClassHDefItem(size, buff, cm)

Bases: object

This class can parse a list of class_def_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the list of class_def_item
• cm (ClassManager) – a ClassManager object

get_class_idx(idx)

get_length()

get_method(name_class, name_method)

get_names()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.ClassManager(vm, config)

Bases: object

This class is used to access to all elements (strings, type, proto …) of the dex format

add_type_item(type_item, c_item, item)

get_all_engine()

get_ascii_string(s)

get_class_data_item(off)

get_code(idx)

get_debug_off(off)

get_encoded_array_item(off)

get_engine()

get_field(idx)

get_field_ref(idx)

get_item_by_offset(offset)

get_lazy_analysis()

get_method(idx)

get_method_ref(idx)

get_next_offset_item(idx)

get_obj_by_offset(offset)

get_odex_format()

get_proto(idx)

get_raw_string(idx)

get_string(idx)

get_string_by_offset(offset)

get_type(idx)

get_type_list(off)

get_type_ref(idx)

set_decompiler(decompiler)

set_hook_class_name(class_def, value)

set_hook_field_name(encoded_field, value)

set_hook_method_name(encoded_method, value)

set_hook_string(idx, value)

class androguard.core.bytecodes.dvm.CodeItem(size, buff, cm)

Bases: object

get_code(off)

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.ConstString(orig_ins, value)

Bases: androguard.core.bytecodes.dvm.Instruction21c

Simulate a const-string instruction.

get_operands(idx=-1)

Return all operands

Return type:list

get_raw_string()

class androguard.core.bytecodes.dvm.DBGBytecode(cm, op_value)

Bases: object

add(value, ttype)

get_obj()

get_op_value()

get_raw()

get_value()

show()

class androguard.core.bytecodes.dvm.DCode(class_manager, offset, size, buff)

Bases: object

This class represents the instructions of a method

Parameters:

• class_manager (ClassManager object) – the ClassManager
• offset (int) – the offset of the buffer
• size (int) – the total size of the buffer
• buff (string) – a raw buffer where are the instructions

add_inote(msg, idx, off=None)

Add a message to a specific instruction by using (default) the index of the address if specified

Parameters:

• msg (string) – the message
• idx (int) – index of the instruction (the position in the list of the instruction)
• off (int) – address of the instruction

get_ins_off(off)

Get a particular instruction by using the address

Parameters:off (int) – address of the instruction Return type:an Instruction object

get_insn()

Get the insn buffer

Return type:string

get_instruction(idx, off=None)

Get a particular instruction by using (default) the index of the address if specified

Parameters:

• idx (int) – index of the instruction (the position in the list of the instruction)
• off (int) – address of the instruction

Return type:

an Instruction object

get_instructions()

Get the instructions

Return type:a generator of each Instruction (or a cached list of instructions if you have setup instructions)

get_length()

Return the length of this object

Return type:int

get_raw()

Return the raw buffer of this object

Return type:bytearray

is_cached_instructions()

off_to_pos(off)

Get the position of an instruction by using the address

Parameters:off (int) – address of the instruction Return type:int

reload()

set_idx(idx)

Set the start address of the buffer

Parameters:idx (int) – the index

set_insn(insn)

Set a new raw buffer to disassemble

Parameters:insn (string) – the buffer

set_instructions(instructions)

Set the instructions

Parameters:instructions (a list of Instruction) – the list of instructions

show()

Display (with a pretty print) this object

class androguard.core.bytecodes.dvm.DalvikCode(buff, cm)

Bases: object

This class represents the instructions of a method

Parameters:

• buff (string) – a raw buffer where are the instructions
• cm (ClassManager object) – the ClassManager

add_inote(msg, idx, off=None)

Add a message to a specific instruction by using (default) the index of the address if specified

Parameters:

• msg (string) – the message
• idx (int) – index of the instruction (the position in the list of the instruction)
• off (int) – address of the instruction

get_bc()

Return the associated code object

Return type:DCode

get_debug()

Return the associated debug object

Return type:DebugInfoItem

get_debug_info_off()

Get the offset from the start of the file to the debug info (line numbers + local variable info) sequence for this code, or 0 if there simply is no information

Return type:int

get_handlers()

Get the bytes representing a list of lists of catch types and associated handler addresses.

Return type:EncodedCatchHandlerList

get_ins_size()

Get the number of words of incoming arguments to the method that this code is for

Return type:int

get_insns_size()

Get the size of the instructions list, in 16-bit code units

Return type:int

get_instruction(idx, off=None)

get_length()

get_obj()

get_off()

get_outs_size()

Get the number of words of outgoing argument space required by this code for method invocation

Return type:int

get_raw()

Get the reconstructed code as bytearray

Return type:bytearray

get_registers_size()

Get the number of registers used by this code

Return type:int

get_size()

get_tries()

Get the array indicating where in the code exceptions are caught and how to handle them

Return type:a list of TryItem objects

get_tries_size()

Get the number of TryItem for this instance

Return type:int

reload()

set_idx(idx)

set_off(off)

show()

class androguard.core.bytecodes.dvm.DalvikOdexVMFormat(buff, decompiler=None, config=None, using_api=None)

Bases: androguard.core.bytecodes.dvm.DalvikVMFormat

This class can parse an odex file

Parameters:

• buff (string) – a string which represents the odex file
• decompiler (object) – associate a decompiler object to display the java source code

Example:

DalvikOdexVMFormat( read(“classes.odex”) )

get_buff()

get_dependencies()

Return the odex dependencies object

Return type:an OdexDependencies object

get_format_type()

Return the type

Return type:a string

save()

Do not use !

class androguard.core.bytecodes.dvm.DalvikVMFormat(buff, decompiler=None, config=None, using_api=None)

Bases: androguard.core.bytecode._Bytecode

This class can parse a classes.dex file of an Android application (APK).

Parameters:

• buff (string) – a string which represents the classes.dex file
• decompiler (object) – associate a decompiler object to display the java source code

Example:

DalvikVMFormat( read(“classes.dex”) )

colorize_operands(operands, colors)

create_python_export()

Export classes/methods/fields’ names in the python namespace

disassemble(offset, size)

Disassembles a given offset in the DEX file

Parameters:

• offset (int) – offset to disassemble in the file (from the beginning of the file)
• size –

fix_checksums(buff)

Fix a dex format buffer by setting all checksums

Return type:string

get_BRANCH_DVM_OPCODES()

get_all_fields()

Return a list of field items

Return type:a list of FieldIdItem objects

get_api_version()

This method returns api version that should be used for loading api specific resources.

Return type:int

get_class(name)

Return a specific class

Parameters:name – the name of the class Return type:a ClassDefItem object

get_class_manager()

This function returns a ClassManager object which allow you to get access to all index references (strings, methods, fields, ….)

Return type:ClassManager object

get_classes()

Return all classes

Return type:a list of ClassDefItem objects

get_classes_def_item()

This function returns the class def item

Return type:ClassHDefItem object

get_classes_names(update=False)

Return the names of classes

Parameters:update – True indicates to recompute the list. Maybe needed after using a MyClass.set_name(). Return type:a list of string

get_cm_field(idx)

Get a specific field by using an index

Parameters:idx (int) – index of the field

get_cm_method(idx)

Get a specific method by using an index

Parameters:idx (int) – index of the method

get_cm_string(idx)

Get a specific string by using an index

Parameters:idx (int) – index of the string

get_cm_type(idx)

Get a specific type by using an index

Parameters:idx (int) – index of the type

get_codes_item()

This function returns the code item

Return type:CodeItem object

get_debug_info_item()

This function returns the debug info item

Return type:DebugInfoItem object

get_determineException()

get_determineNext()

get_field(name)

Return a list all fields which corresponds to the regexp

Parameters:name – the name of the field (a python regexp) Return type:a list with all EncodedField objects

get_field_descriptor(class_name, field_name, descriptor)

Return the specific field

Parameters:

• class_name (string) – the class name of the field
• field_name (string) – the name of the field
• descriptor (string) – the descriptor of the field

Return type:

None or a EncodedField object

get_fields()

Return all field objects

Return type:a list of EncodedField objects

get_fields_class(class_name)

Return all fields of a specific class

Parameters:class_name (string) – the class name Return type:a list with EncodedField objects

get_fields_id_item()

This function returns the field id item

Return type:FieldHIdItem object

get_format()

get_format_type()

Return the type

Return type:a string

get_header_item()

This function returns the header item

Return type:HeaderItem object

get_len_methods()

Return the number of methods

Return type:int

get_method(name)

Return a list all methods which corresponds to the regexp

Parameters:name – the name of the method (a python regexp) Return type:a list with all EncodedMethod objects

get_method_by_idx(idx)

Return a specific method by using an index :param idx: the index of the method :type idx: int

Return type:None or an EncodedMethod object

get_method_descriptor(class_name, method_name, descriptor)

Return the specific method

Parameters:

• class_name (string) – the class name of the method
• method_name (string) – the name of the method
• descriptor (string) – the descriptor of the method

Return type:

None or a EncodedMethod object

get_methods()

Return all method objects

Return type:a list of EncodedMethod objects

get_methods_class(class_name)

Return all methods of a specific class

Parameters:class_name (string) – the class name Return type:a list with EncodedMethod objects

get_methods_descriptor(class_name, method_name)

Return the specific methods of the class

Parameters:

• class_name (string) – the class name of the method
• method_name (string) – the name of the method

Return type:

None or a EncodedMethod object

get_methods_id_item()

This function returns the method id item

Return type:MethodHIdItem object

get_operand_html(operand, registers_colors, colors, escape_fct, wrap_fct)

get_regex_strings(regular_expressions)

Return all target strings matched the regex

Parameters:regular_expressions (string) – the python regex Return type:a list of strings matching the regex expression

get_string_data_item()

This function returns the string data item

Return type:StringDataItem object

get_strings()

Return all strings

The strings will have escaped surrogates, if only a single high or low surrogate is found. Complete surrogates are put together into the representing 32bit character.

Return type:a list with all strings used in the format (types, names …)

get_strings_unicode()

Return all strings

This method will return pure UTF-16 strings. This is the “exact” same string as used in Java. Those strings can be problematic for python, as they can contain surrogates as well as “broken” surrogate pairs, ie single high or low surrogates. Such a string can for example not be printed. To avoid such problems, there is an escape mechanism to detect such lonely surrogates and escape them in the string. Of course, this results in a different string than in the Java Source!

Use get_strings() as a general purpose and get_strings_unicode() if you require the exact string from the Java Source. You can always escape the string from get_strings_unicode() using the function androguard.core.bytecodes.mutf8.patch_string()

Return type:a list with all strings used in the format (types, names …)

get_vmanalysis()

The Analysis Object should contain all the information required, inclduing the DalvikVMFormats.

list_classes_hierarchy()

print_classes_hierarchy()

save()

Return the dex (with the modifications) into raw format (fix checksums) (beta: do not use !)

Return type:string

set_decompiler(decompiler)

set_vmanalysis(analysis)

The Analysis Object should contain all the information required, inclduing the DalvikVMFormats.

show()

Show the all information in the object

class androguard.core.bytecodes.dvm.DebugInfoItem(buff, cm)

Bases: object

get_bytecodes()

get_line_start()

get_off()

get_parameter_names()

get_parameters_size()

get_raw()

get_translated_parameter_names()

reload()

show()

class androguard.core.bytecodes.dvm.DebugInfoItemEmpty(buff, cm)

Bases: object

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.EncodedAnnotation(buff, cm)

Bases: object

This class can parse an encoded_annotation of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_annotation
• cm (ClassManager) – a ClassManager object

get_elements()

Return the elements of the annotation, represented directly in-line (not as offsets)

Return type:a list of AnnotationElement objects

get_length()

get_obj()

get_raw()

get_size()

Return the number of name-value mappings in this annotation

:rtype:int

get_type_idx()

Return the type of the annotation. This must be a class (not array or primitive) type

Return type:int

show()

class androguard.core.bytecodes.dvm.EncodedArray(buff, cm)

Bases: object

This class can parse an encoded_array of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_array
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_raw()

get_size()

Return the number of elements in the array

Return type:int

get_values()

Return a series of size encoded_value byte sequences in the format specified by this section, concatenated sequentially

Return type:a list of EncodedValue objects

show()

class androguard.core.bytecodes.dvm.EncodedArrayItem(buff, cm)

Bases: object

This class can parse an encoded_array_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_array_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_off()

get_raw()

get_value()

Return the bytes representing the encoded array value

Return type:a EncodedArray object

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.EncodedCatchHandler(buff, cm)

Bases: object

This class can parse an encoded_catch_handler of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_catch_handler
• cm (ClassManager) – a ClassManager object

get_catch_all_addr()

Return the bytecode address of the catch-all handler. This element is only present if size is non-positive.

Return type:int

get_handlers()

Return the stream of abs(size) encoded items, one for each caught type, in the order that the types should be tested.

Return type:a list of EncodedTypeAddrPair objects

get_length()

get_off()

get_raw()

Return type:bytearray

get_size()

Return the number of catch types in this list

Return type:int

set_off(off)

show()

class androguard.core.bytecodes.dvm.EncodedCatchHandlerList(buff, cm)

Bases: object

This class can parse an encoded_catch_handler_list of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_catch_handler_list
• cm (ClassManager) – a ClassManager object

get_length()

get_list()

Return the actual list of handler lists, represented directly (not as offsets), and concatenated sequentially

Return type:a list of EncodedCatchHandler objects

get_obj()

get_off()

get_raw()

Return type:bytearray

get_size()

Return the size of this list, in entries

Return type:int

set_off(off)

show()

class androguard.core.bytecodes.dvm.EncodedField(buff, cm)

Bases: object

This class can parse an encoded_field of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded field
• cm (ClassManager) – a ClassManager object

adjust_idx(val)

get_access_flags()

Return the access flags of the field

Return type:int

get_access_flags_string()

Return the access flags string of the field

Return type:string

get_class_name()

Return the class name of the field

Return type:string

get_descriptor()

Return the descriptor of the field

The descriptor of a field is the type of the field.

Return type:string

get_field_idx()

Return the real index of the method

Return type:int

get_field_idx_diff()

Return the index into the field_ids list for the identity of this field (includes the name and descriptor), represented as a difference from the index of previous element in the list

Return type:int

get_init_value()

Return the init value object of the field

Return type:EncodedValue

get_name()

Return the name of the field

Return type:string

get_obj()

get_raw()

get_size()

load()

reload()

set_init_value(value)

Setup the init value object of the field

Parameters:value (EncodedValue) – the init value

set_name(value)

show()

Display the information (with a pretty print) about the field

class androguard.core.bytecodes.dvm.EncodedMethod(buff, cm)

Bases: object

This class can parse an encoded_method of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_method
• cm (ClassManager) – a ClassManager object

access_flags = None

access flags of the method

add_inote(msg, idx, off=None)

Add a message to a specific instruction by using (default) the index of the address if specified

Parameters:

• msg (string) – the message
• idx (int) – index of the instruction (the position in the list of the instruction)
• off (int) – address of the instruction

add_note(msg)

Add a message to this method

Parameters:msg (string) – the message

adjust_idx(val)

code_off = None

offset of the code section

each_params_by_register(nb, proto)

From the Dalvik Bytecode documentation:

> The N arguments to a method land in the last N registers > of the method’s invocation frame, in order. > Wide arguments consume two registers. > Instance methods are passed a this reference as their first argument.

This method will print a description of the register usage to stdout.

Parameters:

• nb – number of registers
• proto – descriptor of method

get_access_flags()

Return the access flags of the method

Return type:int

get_access_flags_string()

Return the access flags string of the method

A description of all access flags can be found here: https://source.android.com/devices/tech/dalvik/dex-format#access-flags

Return type:string

get_address()

Return the offset from the start of the file to the code structure for this method, or 0 if this method is either abstract or native

Return type:int

get_class_name()

Return the class name of the method

Return type:string

get_code()

Return the code object associated to the method

Return type:DalvikCode object or None if no Code

get_code_off()

Return the offset from the start of the file to the code structure for this method, or 0 if this method is either abstract or native

Return type:int

get_debug()

Return the debug object associated to this method

Return type:DebugInfoItem

get_descriptor()

Return the descriptor of the method A method descriptor will have the form (A A A …)R Where A are the arguments to the method and R is the return type. Basic types will have the short form, i.e. I for integer, V for void and class types will be named like a classname, e.g. Ljava/lang/String;.

Typical descriptors will look like this: ` (I)I   // one integer argument, integer return (C)Z   // one char argument, boolean as return (Ljava/lang/CharSequence; I)I   // CharSequence and integer as argyument, integer as return (C)Ljava/lang/String;  // char as argument, String as return. `

More information about type descriptors are found here: https://source.android.com/devices/tech/dalvik/dex-format#typedescriptor

Return type:string

get_information()

get_instruction(idx, off=None)

Get a particular instruction by using (default) the index of the address if specified

Parameters:

• idx (int) – index of the instruction (the position in the list of the instruction)
• off (int) – address of the instruction

Return type:

an Instruction object

get_instructions()

Get the instructions

Return type:a generator of each Instruction (or a cached list of instructions if you have setup instructions)

get_length()

Return the length of the associated code of the method

Return type:int

get_locals()

get_method_idx()

Return the real index of the method

Return type:int

get_method_idx_diff()

Return index into the method_ids list for the identity of this method (includes the name and descriptor), represented as a difference from the index of previous element in the lis

Return type:int

get_name()

Return the name of the method

Return type:string

get_raw()

get_short_string()

Return a shorter formatted String which encodes this method. The returned name has the form: <classname> <methodname> ([arguments …])<returntype>

• All Class names are condensed to the actual name (no package).
• Access flags are not returned.
• <init> and <clinit> are NOT replaced by the classname!

This name might not be unique!

Returns:str

get_size()

get_source()

get_triple()

is_cached_instructions()

load()

method_idx_diff = None

method index diff in the corresponding section

reload()

set_code_idx(idx)

Set the start address of the buffer to disassemble

Parameters:idx (int) – the index

set_instructions(instructions)

Set the instructions

Parameters:instructions (a list of Instruction) – the list of instructions

set_name(value)

show()

Display the information (with a pretty print) about the method

show_info()

Display the basic information about the method

show_notes()

Display the notes about the method

source()

Return the source code of this method

Return type:string

class androguard.core.bytecodes.dvm.EncodedTypeAddrPair(buff)

Bases: object

This class can parse an encoded_type_addr_pair of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_type_addr_pair
• cm (ClassManager) – a ClassManager object

get_addr()

Return the bytecode address of the associated exception handler

Return type:int

get_length()

get_obj()

get_raw()

get_type_idx()

Return the index into the type_ids list for the type of the exception to catch

Return type:int

show()

class androguard.core.bytecodes.dvm.EncodedValue(buff, cm)

Bases: object

This class can parse an encoded_value of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the encoded_value
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_raw()

get_value()

Return the bytes representing the value, variable in length and interpreted differently for different value_type bytes, though always little-endian

Return type:an object representing the value

get_value_arg()

get_value_type()

show()

exception androguard.core.bytecodes.dvm.Error

Bases: Exception

Base class for exceptions in this module.

class androguard.core.bytecodes.dvm.ExportObject

Bases: object

class androguard.core.bytecodes.dvm.FakeNop(length)

Bases: androguard.core.bytecodes.dvm.Instruction10x

Simulate a nop instruction.

get_length()

Return the length of the instruction

Return type:int

class androguard.core.bytecodes.dvm.FieldAnnotation(buff, cm)

Bases: object

This class can parse a field_annotation of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the field_annotation
• cm (ClassManager) – a ClassManager object

get_annotations_off()

Return the offset from the start of the file to the list of annotations for the field

Return type:int

get_field_idx()

Return the index into the field_ids list for the identity of the field being annotated

Return type:int

get_length()

get_obj()

get_off()

get_raw()

set_off(off)

show()

class androguard.core.bytecodes.dvm.FieldHIdItem(size, buff, cm)

Bases: object

This class can parse a list of field_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the list of field_id_item
• cm (ClassManager) – a ClassManager object

get(idx)

get_length()

get_obj()

get_off()

get_raw()

gets()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.FieldIdItem(buff, cm)

Bases: object

This class can parse a field_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the field_id_item
• cm (ClassManager) – a ClassManager object

get_class_idx()

Return the index into the type_ids list for the definer of this field

Return type:int

get_class_name()

Return the class name of the field

Return type:string

get_descriptor()

Return the descriptor of the field

Return type:string

get_length()

get_list()

get_name()

Return the name of the field

Return type:string

get_name_idx()

Return the index into the string_ids list for the name of this field

Return type:int

get_obj()

get_raw()

get_type()

Return the type of the field

Return type:string

get_type_idx()

Return the index into the type_ids list for the type of this field

Return type:int

reload()

show()

class androguard.core.bytecodes.dvm.FieldIdItemInvalid

Bases: object

get_class_name()

get_descriptor()

get_list()

get_name()

get_type()

show()

class androguard.core.bytecodes.dvm.FillArrayData(buff)

Bases: object

This class can parse a FillArrayData instruction

Parameters:buff – a Buff object which represents a buffer where the instruction is stored

add_note(msg)

Add a note to this instruction

Parameters:msg (objects (string)) – the message

get_data()

Return the data of this instruction (the payload)

Return type:string

get_formatted_operands()

get_hex()

get_length()

Return the length of the instruction

Return type:int

get_name()

Return the name of the instruction

Return type:string

get_notes()

Get all notes from this instruction

Return type:a list of objects

get_op_value()

Get the value of the opcode

Return type:int

get_operands(idx=-1)

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

show(pos)

Print the instruction

show_buff(pos)

Return the display of the instruction

Return type:string

class androguard.core.bytecodes.dvm.HeaderItem(size, buff, cm)

Bases: object

This class can parse an header_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the header_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.Instruction

Bases: object

This class represents a dalvik instruction

get_formatted_operands()

get_hex()

get_kind()

Return the ‘kind’ argument of the instruction

Return type:int

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_name()

Return the name of the instruction

Return type:string

get_op_value()

Return the value of the opcode

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

get_translated_kind()

Return the translated value of the ‘kind’ argument

Return type:string

show(idx)

Print the instruction

show_buff(idx)

Return the display of the instruction

Return type:string

class androguard.core.bytecodes.dvm.Instruction10t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 10t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction10x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 10x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction11n(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 11n format

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction11x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 11x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction12x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 12x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction20bc(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 20bc format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction20t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 20t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction21c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 21c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_raw_string()

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

get_string()

class androguard.core.bytecodes.dvm.Instruction21h(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 21h format

get_formatted_operands()

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction21s(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 21s format

get_formatted_operands()

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction21t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 21t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction22b(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22b format

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction22c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction22cs(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22cs format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction22s(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22s format

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction22t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction22x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 22x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction23x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 23x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction30t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 30t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction31c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 31c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_raw_string()

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

get_string()

Return the string associated to the ‘kind’ argument

Return type:string

class androguard.core.bytecodes.dvm.Instruction31i(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 3li format

get_formatted_operands()

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction31t(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 31t format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_off()

class androguard.core.bytecodes.dvm.Instruction32x(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 32x format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction35c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 35c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction35mi(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 35mi format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction35ms(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 35ms format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction3rc(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 3rc format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction3rmi(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 3rmi format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction3rms(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 3rms format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction40sc(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 40sc format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction41c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 41c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction51l(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 51l format

get_formatted_operands()

get_length()

Return the length of the instruction

Return type:int

get_literals()

Return the associated literals

Return type:list of int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

class androguard.core.bytecodes.dvm.Instruction52c(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 52c format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.Instruction5rc(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents all instructions which have the 5rc format

get_length()

Return the length of the instruction

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

get_ref_kind()

Return the value of the ‘kind’ argument

Return type:value

class androguard.core.bytecodes.dvm.InstructionInvalid(cm, buff)

Bases: androguard.core.bytecodes.dvm.Instruction

This class represents an invalid instruction

get_length()

Return the length of the instruction

Return type:int

get_name()

Return the name of the instruction

Return type:string

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

exception androguard.core.bytecodes.dvm.InvalidInstruction

Bases: androguard.core.bytecodes.dvm.Error

class androguard.core.bytecodes.dvm.LinearSweepAlgorithm

Bases: object

This class is used to disassemble a method. The algorithm used by this class is linear sweep.

get_instructions(cm, size, insn, idx)

Parameters:

• cm (ClassManager object) – a ClassManager object
• size (int) – the total size of the buffer
• insn (string) – a raw buffer where are the instructions
• idx (int) – a start address in the buffer

Return type:

a generator of Instruction objects

class androguard.core.bytecodes.dvm.MapItem(buff, cm)

Bases: object

get_item()

get_length()

get_obj()

get_off()

get_offset()

get_raw()

get_size()

get_type()

parse()

reload()

set_item(item)

show()

class androguard.core.bytecodes.dvm.MapList(cm, off, buff)

Bases: object

This class can parse the “map_list” of the dex format

https://source.android.com/devices/tech/dalvik/dex-format#map-list

get_class_manager()

get_item_type(ttype)

Get a particular item type

Parameters:ttype – a string which represents the desired type Return type:None or the item object

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

Print with a pretty display the MapList object

class androguard.core.bytecodes.dvm.MethodAnnotation(buff, cm)

Bases: object

This class can parse a method_annotation of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the method_annotation
• cm (ClassManager) – a ClassManager object

get_annotations_off()

Return the offset from the start of the file to the list of annotations for the method

Return type:int

get_length()

get_method_idx()

Return the index into the method_ids list for the identity of the method being annotated

Return type:int

get_obj()

get_off()

get_raw()

set_off(off)

show()

class androguard.core.bytecodes.dvm.MethodHIdItem(size, buff, cm)

Bases: object

This class can parse a list of method_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the list of method_id_item
• cm (ClassManager) – a ClassManager object

get(idx)

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.MethodIdItem(buff, cm)

Bases: object

This class can parse a method_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the method_id_item
• cm (ClassManager) – a ClassManager object

get_class_idx()

Return the index into the type_ids list for the definer of this method

Return type:int

get_class_name()

Return the class name of the method

Return type:string

get_descriptor()

Return the descriptor

Return type:string

get_length()

get_list()

get_name()

Return the name of the method

Return type:string

get_name_idx()

Return the index into the string_ids list for the name of this method

Return type:int

get_obj()

get_proto()

Return the prototype of the method

Return type:string

get_proto_idx()

Return the index into the proto_ids list for the prototype of this method

Return type:int

get_raw()

get_real_descriptor()

Return the real descriptor (i.e. without extra spaces)

Return type:string

get_triple()

reload()

show()

class androguard.core.bytecodes.dvm.MethodIdItemInvalid

Bases: object

get_class_name()

get_descriptor()

get_list()

get_name()

get_proto()

show()

class androguard.core.bytecodes.dvm.OdexDependencies(buff)

Bases: object

This class can parse the odex dependencies

Parameters:buff – a Buff object string which represents the odex dependencies

get_dependencies()

Return the list of dependencies

Return type:a list of strings

get_raw()

class androguard.core.bytecodes.dvm.OdexHeaderItem(buff)

Bases: object

This class can parse the odex header

Parameters:buff – a Buff object string which represents the odex dependencies

get_raw()

show()

class androguard.core.bytecodes.dvm.OffObj(o)

Bases: object

class androguard.core.bytecodes.dvm.PackedSwitch(buff)

Bases: object

This class can parse a PackedSwitch instruction

Parameters:buff – a Buff object which represents a buffer where the instruction is stored

add_note(msg)

Add a note to this instruction

Parameters:msg (objects (string)) – the message

get_formatted_operands()

get_hex()

get_keys()

Return the keys of the instruction

Return type:a list of long

get_length()

get_name()

Return the name of the instruction

Return type:string

get_notes()

Get all notes from this instruction

Return type:a list of objects

get_op_value()

Get the value of the opcode

Return type:int

get_operands(idx=-1)

Return an additional output of the instruction

Return type:string

get_output(idx=-1)

Return an additional output of the instruction

rtype:string

get_raw()

get_targets()

Return the targets (address) of the instruction

Return type:a list of long

get_values()

show(pos)

Print the instruction

show_buff(pos)

Return the display of the instruction

Return type:string

class androguard.core.bytecodes.dvm.ParameterAnnotation(buff, cm)

Bases: object

This class can parse a parameter_annotation of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the parameter_annotation
• cm (ClassManager) – a ClassManager object

get_annotations_off()

Return the offset from the start of the file to the list of annotations for the method parameters

Return type:int

get_length()

get_method_idx()

Return the index into the method_ids list for the identity of the method whose parameters are being annotated

Return type:int

get_obj()

get_off()

get_raw()

set_off(off)

show()

class androguard.core.bytecodes.dvm.ProtoHIdItem(size, buff, cm)

Bases: object

This class can parse a list of proto_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the list of proto_id_item
• cm (ClassManager) – a ClassManager object

get(idx)

get_length()

get_obj()

get_off()

get_raw()

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.ProtoIdItem(buff, cm)

Bases: object

This class can parse a proto_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the proto_id_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_parameters_off()

Return the offset from the start of the file to the list of parameter types for this prototype, or 0 if this prototype has no parameters

Return type:int

get_parameters_off_value()

Return the string associated to the parameters_off

Return type:string

get_raw()

get_return_type_idx()

Return the index into the type_ids list for the return type of this prototype

Return type:int

get_return_type_idx_value()

Return the string associated to the return_type_idx

Return type:string

get_shorty_idx()

Return the index into the string_ids list for the short-form descriptor string of this prototype

Return type:int

get_shorty_idx_value()

Return the string associated to the shorty_idx

Return type:string

reload()

show()

class androguard.core.bytecodes.dvm.ProtoIdItemInvalid

Bases: object

get_params()

get_return_type()

get_shorty()

show()

class androguard.core.bytecodes.dvm.SparseSwitch(buff)

Bases: object

This class can parse a SparseSwitch instruction

Parameters:buff – a Buff object which represents a buffer where the instruction is stored

add_note(msg)

Add a note to this instruction

Parameters:msg (objects (string)) – the message

get_formatted_operands()

get_hex()

get_keys()

Return the keys of the instruction

Return type:a list of long

get_length()

get_name()

Return the name of the instruction

Return type:string

get_notes()

Get all notes from this instruction

Return type:a list of objects

get_op_value()

Get the value of the opcode

Return type:int

get_operands(idx=-1)

Return an additional output of the instruction

Return type:string

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

get_targets()

Return the targets (address) of the instruction

Return type:a list of long

get_values()

show(pos)

Print the instruction

show_buff(pos)

Return the display of the instruction

Return type:string

class androguard.core.bytecodes.dvm.StringDataItem(buff, cm)

Bases: object

This class can parse a string_data_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the string_data_item
• cm (ClassManager) – a ClassManager object

get()

Returns a printable string. In this case, all lonely surrogates are escaped, thus are represented in the string as 6 characters: ud853 Valid surrogates are encoded as 32bit values, ie. 𤽜.

get_data()

Return a series of MUTF-8 code units (a.k.a. octets, a.k.a. bytes) followed by a byte of value 0

Return type:string

get_length()

Get the length of the raw string including the ULEB128 coded length and the null byte terminator

Returns:int

get_obj()

get_off()

get_raw()

Returns the raw string including the ULEB128 coded length and null byte string terminator

Returns:bytes

get_unicode()

Returns an Unicode String This is the actual string. Beware that some strings might be not decodeable with usual UTF-16 decoder, as they use surrogates that are not supported by python.

get_utf16_size()

Return the size of this string, in UTF-16 code units

:rtype:int

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.StringIdItem(buff, cm)

Bases: object

This class can parse a string_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the string_id_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_off()

get_raw()

get_string_data_off()

Return the offset from the start of the file to the string data for this item

Return type:int

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.TryItem(buff, cm)

Bases: object

This class represents the try_item format

Parameters:

• buff (string) – a raw buffer where are the try_item format
• cm (ClassManager object) – the ClassManager

get_handler_off()

Get the offset in bytes from the start of the associated EncodedCatchHandlerList to the EncodedCatchHandler for this entry.

Return type:int

get_insn_count()

Get the number of 16-bit code units covered by this entry

Return type:int

get_length()

get_off()

get_raw()

get_start_addr()

Get the start address of the block of code covered by this entry. The address is a count of 16-bit code units to the start of the first covered instruction.

Return type:int

set_off(off)

class androguard.core.bytecodes.dvm.TypeHIdItem(size, buff, cm)

Bases: object

This class can parse a list of type_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the list of type_id_item
• cm (ClassManager) – a ClassManager object

get(idx)

get_length()

get_obj()

get_off()

get_raw()

get_type()

Return the list of type_id_item

Return type:a list of TypeIdItem objects

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.TypeIdItem(buff, cm)

Bases: object

This class can parse a type_id_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the type_id_item
• cm (ClassManager) – a ClassManager object

get_descriptor_idx()

Return the index into the string_ids list for the descriptor string of this type

Return type:int

get_descriptor_idx_value()

Return the string associated to the descriptor

Return type:string

get_length()

get_obj()

get_raw()

reload()

show()

class androguard.core.bytecodes.dvm.TypeItem(buff, cm)

Bases: object

This class can parse a type_item of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the type_item
• cm (ClassManager) – a ClassManager object

get_length()

get_obj()

get_raw()

get_string()

Return the type string

Return type:string

get_type_idx()

Return the index into the type_ids list

Return type:int

show()

class androguard.core.bytecodes.dvm.TypeList(buff, cm)

Bases: object

This class can parse a type_list of a dex file

Parameters:

• buff (Buff object) – a string which represents a Buff object of the type_list
• cm (ClassManager) – a ClassManager object

get_length()

get_list()

Return the list of TypeItem

Return type:a list of TypeItem objects

get_obj()

get_off()

get_pad()

Return the alignment string

Return type:string

get_raw()

get_size()

Return the size of the list, in entries

Return type:int

get_string()

Return the concatenation of all strings

Return type:string

get_type_list_off()

Return the offset of the item

Return type:int

reload()

set_off(off)

show()

class androguard.core.bytecodes.dvm.Unresolved(cm, data)

Bases: androguard.core.bytecodes.dvm.Instruction

get_length()

Return the length of the instruction

Return type:int

get_name()

Return the name of the instruction

Return type:string

get_op_value()

Return the value of the opcode

Return type:int

get_operands(idx=-1)

Return all operands

Return type:list

get_output(idx=-1)

Return an additional output of the instruction

Return type:string

get_raw()

Return the object in a raw format

Return type:string

androguard.core.bytecodes.dvm.clean_name_instruction(instruction)

androguard.core.bytecodes.dvm.determineException(vm, m)

androguard.core.bytecodes.dvm.determineNext(i, end, m)

androguard.core.bytecodes.dvm.get_access_flags_string(value)

Transform an access flag field to the corresponding string

Parameters:value (int) – the value of the access flags Return type:string

androguard.core.bytecodes.dvm.get_byte(buff)

androguard.core.bytecodes.dvm.get_bytecodes_method(dex_object, ana_object, method)

androguard.core.bytecodes.dvm.get_bytecodes_methodx(method, mx)

androguard.core.bytecodes.dvm.get_extented_instruction(cm, op_value, buff)

androguard.core.bytecodes.dvm.get_instruction(cm, op_value, buff, odex=False)

androguard.core.bytecodes.dvm.get_instruction_payload(op_value, buff)

androguard.core.bytecodes.dvm.get_kind(cm, kind, value)

Return the value of the ‘kind’ argument

Parameters:

• cm (ClassManager) – a ClassManager object
• kind (int) – the type of the ‘kind’ argument
• value (int) – the value of the ‘kind’ argument

Return type:

string

androguard.core.bytecodes.dvm.get_optimized_instruction(cm, op_value, buff)

androguard.core.bytecodes.dvm.get_params_info(nb, proto)

androguard.core.bytecodes.dvm.get_sbyte(buff)

androguard.core.bytecodes.dvm.get_type(atype, size=None)

Retrieve the type of a descriptor (e.g : I)

androguard.core.bytecodes.dvm.read_null_terminated_string(f)

Read a null terminated string from a file-like object.

Parameters:f – file-like object Return type:bytearray

androguard.core.bytecodes.dvm.readsleb128(buff)

androguard.core.bytecodes.dvm.readuleb128(buff)

androguard.core.bytecodes.dvm.readuleb128p1(buff)

androguard.core.bytecodes.dvm.readusleb128(buff)

androguard.core.bytecodes.dvm.static_operand_instruction(instruction)

androguard.core.bytecodes.dvm.writesleb128(value)

androguard.core.bytecodes.dvm.writeuleb128(value)

androguard.core.bytecodes.axml module

class androguard.core.bytecodes.axml.ARSCComplex(buff, parent=None)

Bases: object

class androguard.core.bytecodes.axml.ARSCHeader(buff)

Bases: object

SIZE = 8

class androguard.core.bytecodes.axml.ARSCParser(raw_buff)

Bases: object

Parser for resource.arsc files

class ResourceResolver(android_resources, config=None)

Bases: object

put_ate_value(result, ate, config)

put_item_value(result, item, config, complex_)

resolve(res_id)

get_bool_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘bool’.

Read more about bool resources: https://developer.android.com/guide/topics/resources/more-resources.html#Bool

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_color_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘color’.

Read more about color resources: https://developer.android.com/guide/topics/resources/more-resources.html#Color

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_dimen_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘dimen’.

Read more about Dimension resources: https://developer.android.com/guide/topics/resources/more-resources.html#Dimension

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_id(package_name, rid, locale='\x00\x00')

get_id_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘id’.

Read more about ID resources: https://developer.android.com/guide/topics/resources/more-resources.html#Id

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_integer_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘integer’.

Read more about integer resources: https://developer.android.com/guide/topics/resources/more-resources.html#Integer

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_items(package_name)

get_locales(package_name)

Retrieve a list of all available locales in a given packagename.

Parameters:package_name – the package name to get locales of

get_packages_names()

Retrieve a list of all package names, which are available in the given resources.arsc.

get_public_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘public’.

The public resources table contains the IDs for each item.

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_res_configs(rid, config=None, fallback=True)

Return the resources found with the ID rid and select the right one based on the configuration, or return all if no configuration was set.

But we try to be generous here and at least try to resolve something: This method uses a fallback to return at least one resource (the first one in the list) if more than one items are found and the default config is used and no default entry could be found.

This is usually a bad sign (i.e. the developer did not follow the android documentation: https://developer.android.com/guide/topics/resources/localization.html#failing2) In practise an app might just be designed to run on a single locale and thus only has those locales set.

You can disable this fallback behaviour, to just return exactly the given result.

Parameters:

• rid – resource id as int
• config – a config to resolve from, or None to get all results
• fallback – Enable the fallback for resolving default configuration (default: True)

Returns:

a list of ARSCResTableConfig: ARSCResTableEntry

get_res_id_by_key(package_name, resource_type, key)

get_resolved_res_configs(rid, config=None)

get_resolved_strings()

get_resource_bool(ate)

get_resource_color(ate)

get_resource_dimen(ate)

get_resource_id(ate)

get_resource_integer(ate)

get_resource_string(ate)

get_resource_style(ate)

get_string(package_name, name, locale='\x00\x00')

get_string_resources(package_name, locale='\x00\x00')

Get the XML (as string) of all resources of type ‘string’.

Read more about string resources: https://developer.android.com/guide/topics/resources/string-resource.html

Parameters:

• package_name – the package name to get the resources for
• locale – the locale to get the resources for (default: ‘’)

get_strings_resources()

Get the XML (as string) of all resources of type ‘string’. This is a combined variant, which has all locales and all package names stored.

get_type_configs(package_name, type_name=None)

get_types(package_name, locale='\x00\x00')

Retrieve a list of all types which are available in the given package and locale.

Parameters:

• package_name – the package name to get types of
• locale – the locale to get types of (default: ‘’)

class androguard.core.bytecodes.axml.ARSCResStringPoolRef(buff, parent=None)

Bases: object

format_value()

get_data()

get_data_type()

get_data_type_string()

get_data_value()

is_reference()

class androguard.core.bytecodes.axml.ARSCResTableConfig(buff=None, **kwargs)

Bases: object

classmethod default_config()

get_config_name_friendly()

get_country()

get_density()

get_language()

get_language_and_region()

class androguard.core.bytecodes.axml.ARSCResTableEntry(buff, mResId, parent=None)

Bases: object

See https://github.com/LineageOS/android_frameworks_base/blob/df2898d9ce306bb2fe922d3beaa34a9cf6873d27/include/androidfw/ResourceTypes.h#L1370

FLAG_COMPLEX = 1

FLAG_PUBLIC = 2

FLAG_WEAK = 4

get_index()

get_key_data()

get_value()

is_complex()

is_public()

is_weak()

class androguard.core.bytecodes.axml.ARSCResTablePackage(buff, header)

Bases: object

get_name()

class androguard.core.bytecodes.axml.ARSCResType(buff, parent=None)

Bases: object

get_package_name()

get_type()

class androguard.core.bytecodes.axml.ARSCResTypeSpec(buff, parent=None)

Bases: object

class androguard.core.bytecodes.axml.AXMLParser(raw_buff)

Bases: object

doNext()

getAttributeCount()

getAttributeName(index)

getAttributeOffset(index)

getAttributePrefix(index)

getAttributeValue(index)

This function is only used to look up strings All other work is made by format_value # FIXME should unite those functions :param index: :return:

getAttributeValueData(index)

getAttributeValueType(index)

getName()

getNamespaceCount(pos)

getNamespacePrefix(pos)

getNamespaceUri(pos)

getPrefix()

getPrefixByUri(uri)

getText()

getXMLNS()

is_valid()

reset()

class androguard.core.bytecodes.axml.AXMLPrinter(raw_buff)

Bases: object

Converter for AXML Files into a XML string

getAttributeValue(index)

Wrapper function for format_value to resolve the actual value of an attribute in a tag :param index: :return:

getPrefix(prefix)

get_buff()

get_xml()

Get the XML as an UTF-8 string

Returns:str

get_xml_obj()

Get the XML as an ElementTree object

Returns:Element

is_packed()

Return True if we believe that the AXML file is packed If it is, we can not be sure that the AXML file can be read by a XML Parser

Returns:boolean

class androguard.core.bytecodes.axml.PackageContext(current_package, stringpool_main, mTableStrings, mKeyStrings)

Bases: object

get_mResId()

get_package_name()

set_mResId(mResId)

class androguard.core.bytecodes.axml.StringBlock(buff, header)

Bases: object

StringBlock is a CHUNK inside an AXML File It contains all strings, which are used by referecing to ID’s

TODO might migrate this block into the ARSCParser, as it it not a “special” block but a normal tag.

decode16(offset)

decode8(offset)

decodeLength(offset, sizeof_char)

decode_bytes(data, encoding, str_len)

getString(idx)

getStyle(idx)

show()

androguard.core.bytecodes.axml.complexToFloat(xcomplex)

androguard.core.bytecodes.axml.format_value(_type, _data, lookup_string=<function <lambda>>)

androguard.core.bytecodes.axml.getPackage(i)

androguard.core.bytecodes.axml.get_arsc_info(arscobj)

Return a string containing all resources packages ordered by packagename, locale and type.

Parameters:arscobj – ARSCParser Returns:a string

androguard.core.bytecodes.axml.long2int(l)

androguard.core.bytecodes.mutf8 module

class androguard.core.bytecodes.mutf8.PeekIterator(s)

Bases: object

A quick’n’dirty variant of an Iterator that has a special function peek, which will return the next object but not consume it.

idx = 0

next()

peek()

androguard.core.bytecodes.mutf8.chr(val)

Patched Version of builtins.chr, to work with narrow python builds In those versions, the function unichr does not work with inputs >0x10000

This seems to be a problem usually on older windows builds.

Parameters:val – integer value of character Returns:character

androguard.core.bytecodes.mutf8.decode(b)

Decode bytes as MUTF-8 See https://docs.oracle.com/javase/6/docs/api/java/io/DataInput.html#modified-utf-8 for more information

Surrogates will be returned as two 16 bit characters.

Parameters:b – bytes to decode Return type:unicode (py2), str (py3) of 16bit chars

androguard.core.bytecodes.mutf8.patch_string(s)

Reorganize a String in such a way that surrogates are printable and lonely surrogates are escaped.

Parameters:s – input string Returns:string with escaped lonely surrogates and 32bit surrogates

Module contents

androguard.core.resources package

Submodules

androguard.core.resources.public module

Module contents

Submodules

androguard.core.androconf module

class androguard.core.androconf.Color

Bases: object

Black = '\x1b[30m'

Blue = '\x1b[34m'

Bold = '\x1b[1m'

Cyan = '\x1b[36m'

Green = '\x1b[32m'

Grey = '\x1b[37m'

Normal = '\x1b[0m'

Purple = '\x1b[35m'

Red = '\x1b[31m'

Yellow = '\x1b[33m'

class androguard.core.androconf.Configuration

Bases: object

instance = {'BIN_DED': 'ded.sh', 'BIN_DEX2JAR': 'dex2jar.sh', 'BIN_FERNFLOWER': 'fernflower.jar', 'BIN_JAD': 'jad', 'BIN_JADX': 'jadx', 'BIN_JARSIGNER': 'jarsigner', 'BIN_WINEJAD': 'jad.exe', 'COLORS': {'BRANCH_FALSE': '\x1b[31m', 'OUTPUT': {'normal': '\x1b[0m', 'meth': '\x1b[36m', 'field': '\x1b[32m', 'string': '\x1b[31m', 'offset': '\x1b[35m', 'literal': '\x1b[32m', 'raw': '\x1b[31m', 'type': '\x1b[34m', 'registers': '\x1b[0m'}, 'NORMAL': '\x1b[0m', 'BRANCH': '\x1b[34m', 'BB': '\x1b[35m', 'INSTRUCTION_NAME': '\x1b[33m', 'EXCEPTION': '\x1b[36m', 'OFFSET_ADDR': '\x1b[32m', 'NOTE': '\x1b[31m', 'OFFSET': '\x1b[33m', 'BRANCH_TRUE': '\x1b[32m'}, 'DEFAULT_API': 16, 'DEOBFUSCATED_STRING': True, 'ENGINE': 'python', 'LAZY_ANALYSIS': False, 'MAGIC_PATH_FILE': None, 'OPTIONS_FERNFLOWER': {'dgs': '1', 'asc': '1'}, 'PRETTY_SHOW': 1, 'PRINT_FCT': <built-in method write of _io.TextIOWrapper object at 0x7f65b147f630>, 'RECODE_ASCII_STRING': False, 'RECODE_ASCII_STRING_METH': None, 'SESSION': None, 'TMP_DIRECTORY': '/tmp'}

exception androguard.core.androconf.InvalidResourceError

Bases: Exception

Invalid Resource Erorr is thrown by load_api_specific_resource_module

androguard.core.androconf.color_range(startcolor, goalcolor, steps)

wrapper for interpolate_tuple that accepts colors as html (“#CCCCC” and such)

androguard.core.androconf.default_colors(obj)

androguard.core.androconf.disable_colors()

Disable colors from the output (color = normal)

androguard.core.androconf.enable_colors(colors)

androguard.core.androconf.interpolate_tuple(startcolor, goalcolor, steps)

Take two RGB color sets and mix them over a specified number of steps. Return the list

androguard.core.androconf.is_android(filename)

Return the type of the file

@param filename : the filename @rtype : “APK”, “DEX”, None

androguard.core.androconf.is_android_raw(raw)

Returns a string that describes the type of file, for common Android specific formats

androguard.core.androconf.is_ascii_problem(s)

Test if a string contains other chars than ASCII

Parameters:s – a string to test Returns:True if string contains other chars than ASCII, False otherwise

androguard.core.androconf.load_api_specific_resource_module(resource_name, api=None)

Load the module from the JSON files and return a dict, which might be empty if the resource could not be loaded.

If no api version is given, the default one from the CONF dict is used.

Parameters:

• resource_name – Name of the resource to load
• api – API version

Returns:

dict

androguard.core.androconf.make_color_tuple(color)

turn something like “#000000” into 0,0,0 or “#FFFFFF into “255,255,255”

androguard.core.androconf.remove_colors()

Remove colors from the output (no escape sequences)

androguard.core.androconf.rrmdir(directory)

Recursivly delete a directory

Parameters:directory – directory to remove

androguard.core.androconf.save_colors()

androguard.core.androconf.set_options(key, value)

androguard.core.androconf.show_logging(level=20)

enable log messages on stdout

We will catch all messages here! From all loggers…

androguard.core.bytecode module

class androguard.core.bytecode.Buff(offset, buff)

Bases: object

class androguard.core.bytecode.BuffHandle(buff)

Bases: object

end()

get_idx()

read(size)

readNullString(size)

read_at(offset, size)

read_b(size)

set_idx(idx)

size()

androguard.core.bytecode.Exit(msg)

androguard.core.bytecode.FormatClassToJava(i)

Transform a typical xml format class into java format

Parameters:i – the input class name Return type:string

androguard.core.bytecode.FormatClassToPython(i)

androguard.core.bytecode.FormatDescriptorToPython(i)

androguard.core.bytecode.FormatNameToPython(i)

class androguard.core.bytecode.MethodBC

Bases: object

show(value)

class androguard.core.bytecode.Node(n, s)

Bases: object

androguard.core.bytecode.PrettyShow(m_a, basic_blocks, notes={})

androguard.core.bytecode.PrettyShowEx(exceptions)

class androguard.core.bytecode.SV(size, buff)

Bases: object

get_value()

get_value_buff()

set_value(attr)

class androguard.core.bytecode.SVs(size, ntuple, buff)

Bases: object

get_value()

get_value_buff()

set_value(attr)

class androguard.core.bytecode.TmpBlock(name)

Bases: object

get_name()

androguard.core.bytecode.disable_print_colors()

androguard.core.bytecode.enable_print_colors(colors)

androguard.core.bytecode.method2dot(mx, colors=None)

Export analysis method to dot format

Parameters:

• mx – MethodAnalysis
• colors – dict of colors to use, if colors is None the default colors are used

Returns:

a string which contains the dot graph

androguard.core.bytecode.method2format(output, _format='png', mx=None, raw=None)

Export method to a specific file format

@param output : output filename @param _format : format type (png, jpg …) (default : png) @param mx : specify the MethodAnalysis object @param raw : use directly a dot raw buffer if None

androguard.core.bytecode.method2jpg(output, mx, raw=False)

Export method to a jpg file format

Parameters:

• output (string) – output filename
• mx (MethodAnalysis object) – specify the MethodAnalysis object
• raw (string) – use directly a dot raw buffer (optional)

androguard.core.bytecode.method2json(mx, directed_graph=False)

Create directed or undirected graph in the json format.

Parameters:

• mx – MethodAnalysis
• directed_graph – True if a directed graph should be created (default: False)

Returns:

androguard.core.bytecode.method2json_direct(mx)

Parameters:mx – MethodAnalysis Returns:

androguard.core.bytecode.method2json_undirect(mx)

Parameters:mx – MethodAnalysis Returns:

androguard.core.bytecode.method2png(output, mx, raw=False)

Export method to a png file format

Parameters:

• output (string) – output filename
• mx (MethodAnalysis object) – specify the MethodAnalysis object
• raw (string) – use directly a dot raw buffer

androguard.core.bytecode.object_to_bytes(obj)

Convert a object to a bytearray or call get_raw() of the object if no useful type was found.

androguard.core.bytecode.vm2json(vm)

Get a JSON representation of a DEX file

Parameters:vm – DalvikVMFormat Returns:

Module contents

androguard.decompiler package

Subpackages

androguard.decompiler.dad package

Submodules

androguard.decompiler.dad.ast module

This file is a simplified version of writer.py that outputs an AST instead of source code.

class androguard.decompiler.dad.ast.JSONWriter(graph, method)

Bases: object

add(val)

get_ast()

get_cond(node)

visit_cond_node(cond)

visit_ins(op)

visit_loop_node(loop)

visit_node(node)

visit_return_node(ret)

visit_statement_node(stmt)

visit_switch_node(switch)

visit_throw_node(throw)

visit_try_node(try_node)

androguard.decompiler.dad.ast.array_access(arr, ind)

androguard.decompiler.dad.ast.array_creation(tn, params, dim)

androguard.decompiler.dad.ast.array_initializer(params, tn=None)

androguard.decompiler.dad.ast.assignment(lhs, rhs, op='')

androguard.decompiler.dad.ast.binary_infix(op, left, right)

androguard.decompiler.dad.ast.cast(tn, arg)

androguard.decompiler.dad.ast.dummy(*args)

androguard.decompiler.dad.ast.expression_stmt(expr)

androguard.decompiler.dad.ast.field_access(triple, left)

androguard.decompiler.dad.ast.if_stmt(cond_expr, scopes)

androguard.decompiler.dad.ast.jump_stmt(keyword)

androguard.decompiler.dad.ast.literal(result, tt)

androguard.decompiler.dad.ast.literal_bool(b)

androguard.decompiler.dad.ast.literal_class(desc)

androguard.decompiler.dad.ast.literal_double(f)

androguard.decompiler.dad.ast.literal_float(f)

androguard.decompiler.dad.ast.literal_hex_int(b)

androguard.decompiler.dad.ast.literal_int(b)

androguard.decompiler.dad.ast.literal_long(b)

androguard.decompiler.dad.ast.literal_null()

androguard.decompiler.dad.ast.literal_string(s)

androguard.decompiler.dad.ast.local(name)

androguard.decompiler.dad.ast.local_decl_stmt(expr, decl)

androguard.decompiler.dad.ast.loop_stmt(isdo, cond_expr, body)

androguard.decompiler.dad.ast.method_invocation(triple, name, base, params)

androguard.decompiler.dad.ast.parenthesis(expr)

androguard.decompiler.dad.ast.parse_descriptor(desc)

androguard.decompiler.dad.ast.return_stmt(expr)

androguard.decompiler.dad.ast.statement_block()

androguard.decompiler.dad.ast.switch_stmt(cond_expr, ksv_pairs)

androguard.decompiler.dad.ast.throw_stmt(expr)

androguard.decompiler.dad.ast.try_stmt(tryb, pairs)

androguard.decompiler.dad.ast.typen(baset, dim)

androguard.decompiler.dad.ast.unary_postfix(left, op)

androguard.decompiler.dad.ast.unary_prefix(op, left)

androguard.decompiler.dad.ast.var_decl(typen, var)

androguard.decompiler.dad.ast.visit_arr_data(value)

androguard.decompiler.dad.ast.visit_decl(var, init_expr=None)

androguard.decompiler.dad.ast.visit_expr(op)

androguard.decompiler.dad.ast.visit_ins(op, isCtor=False)

androguard.decompiler.dad.ast.write_inplace_if_possible(lhs, rhs)

androguard.decompiler.dad.basic_blocks module

class androguard.decompiler.dad.basic_blocks.BasicBlock(name, block_ins)

Bases: androguard.decompiler.dad.node.Node

add_ins(new_ins_list)

add_variable_declaration(variable)

get_ins()

get_loc_with_ins()

number_ins(num)

remove_ins(loc, ins)

set_catch_type(_type)

class androguard.decompiler.dad.basic_blocks.CatchBlock(node)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

visit(visitor)

visit_exception(visitor)

class androguard.decompiler.dad.basic_blocks.CondBlock(name, block_ins)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

neg()

update_attribute_with(n_map)

visit(visitor)

visit_cond(visitor)

class androguard.decompiler.dad.basic_blocks.Condition(cond1, cond2, isand, isnot)

Bases: object

get_ins()

get_loc_with_ins()

neg()

visit(visitor)

class androguard.decompiler.dad.basic_blocks.LoopBlock(name, cond)

Bases: androguard.decompiler.dad.basic_blocks.CondBlock

get_ins()

get_loc_with_ins()

neg()

update_attribute_with(n_map)

visit(visitor)

visit_cond(visitor)

class androguard.decompiler.dad.basic_blocks.ReturnBlock(name, block_ins)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

visit(visitor)

class androguard.decompiler.dad.basic_blocks.ShortCircuitBlock(name, cond)

Bases: androguard.decompiler.dad.basic_blocks.CondBlock

get_ins()

get_loc_with_ins()

neg()

visit_cond(visitor)

class androguard.decompiler.dad.basic_blocks.StatementBlock(name, block_ins)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

visit(visitor)

class androguard.decompiler.dad.basic_blocks.SwitchBlock(name, switch, block_ins)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

add_case(case)

copy_from(node)

order_cases()

update_attribute_with(n_map)

visit(visitor)

class androguard.decompiler.dad.basic_blocks.ThrowBlock(name, block_ins)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

visit(visitor)

class androguard.decompiler.dad.basic_blocks.TryBlock(node)

Bases: androguard.decompiler.dad.basic_blocks.BasicBlock

add_catch_node(node)

num

visit(visitor)

androguard.decompiler.dad.basic_blocks.build_node_from_block(block, vmap, gen_ret, exception_type=None)

androguard.decompiler.dad.control_flow module

androguard.decompiler.dad.control_flow.catch_struct(graph, idoms)

androguard.decompiler.dad.control_flow.derived_sequence(graph)

Compute the derived sequence of the graph G The intervals of G are collapsed into nodes, intervals of these nodes are built, and the process is repeated iteratively until we obtain a single node (if the graph is not irreducible)

androguard.decompiler.dad.control_flow.identify_structures(graph, idoms)

androguard.decompiler.dad.control_flow.if_struct(graph, idoms)

androguard.decompiler.dad.control_flow.intervals(graph)

Compute the intervals of the graph Returns interval_graph: a graph of the intervals of G interv_heads: a dict of (header node, interval)

androguard.decompiler.dad.control_flow.loop_follow(start, end, nodes_in_loop)

androguard.decompiler.dad.control_flow.loop_struct(graphs_list, intervals_list)

androguard.decompiler.dad.control_flow.loop_type(start, end, nodes_in_loop)

androguard.decompiler.dad.control_flow.mark_loop(graph, start, end, interval)

androguard.decompiler.dad.control_flow.mark_loop_rec(graph, node, s_num, e_num, interval, nodes_in_loop)

androguard.decompiler.dad.control_flow.short_circuit_struct(graph, idom, node_map)

androguard.decompiler.dad.control_flow.switch_struct(graph, idoms)

androguard.decompiler.dad.control_flow.update_dom(idoms, node_map)

androguard.decompiler.dad.control_flow.while_block_struct(graph, node_map)

androguard.decompiler.dad.dataflow module

class androguard.decompiler.dad.dataflow.BasicReachDef(graph, params)

Bases: object

run()

class androguard.decompiler.dad.dataflow.DummyNode(name)

Bases: androguard.decompiler.dad.node.Node

get_loc_with_ins()

androguard.decompiler.dad.dataflow.build_def_use(graph, lparams)

Builds the Def-Use and Use-Def (DU/UD) chains of the variables of the method.

androguard.decompiler.dad.dataflow.clear_path(graph, reg, loc1, loc2)

Check that the path from loc1 to loc2 is clear. We have to check that there is no side effect between the two location points. We also have to check that the variable reg is not redefined along one of the possible pathes from loc1 to loc2.

androguard.decompiler.dad.dataflow.clear_path_node(graph, reg, loc1, loc2)

androguard.decompiler.dad.dataflow.dead_code_elimination(graph, du, ud)

Run a dead code elimination pass. Instructions are checked to be dead. If it is the case, we remove them and we update the DU & UD chains of its variables to check for further dead instructions.

androguard.decompiler.dad.dataflow.group_variables(lvars, DU, UD)

androguard.decompiler.dad.dataflow.place_declarations(graph, dvars, du, ud)

androguard.decompiler.dad.dataflow.reach_def_analysis(graph, lparams)

androguard.decompiler.dad.dataflow.register_propagation(graph, du, ud)

Propagate the temporary registers between instructions and remove them if necessary. We process the nodes of the graph in reverse post order. For each instruction in the node, we look at the variables that it uses. For each of these variables we look where it is defined and if we can replace it with its definition. We have to be careful to the side effects some instructions may have. To do the propagation, we use the computed DU and UD chains.

androguard.decompiler.dad.dataflow.split_variables(graph, lvars, DU, UD)

androguard.decompiler.dad.dataflow.update_chain(graph, loc, du, ud)

Updates the DU chain of the instruction located at loc such that there is no more reference to it so that we can remove it. When an instruction is found to be dead (i.e it has no side effect, and the register defined is not used) we have to update the DU chain of all the variables that may me used by the dead instruction.

androguard.decompiler.dad.decompile module

class androguard.decompiler.dad.decompile.DvClass(dvclass, vma)

Bases: object

get_ast()

get_methods()

get_source()

get_source_ext()

process(doAST=False)

process_method(num, doAST=False)

show_source()

class androguard.decompiler.dad.decompile.DvMachine(name)

Bases: object

get_class(class_name)

get_classes()

process()

process_and_show()

show_source()

class androguard.decompiler.dad.decompile.DvMethod(methanalysis)

Bases: object

get_ast()

get_source()

get_source_ext()

process(doAST=False)

show_source()

androguard.decompiler.dad.decompile.auto_vm(filename)

androguard.decompiler.dad.decompile.get_field_ast(field)

androguard.decompiler.dad.decompile.main()

androguard.decompiler.dad.graph module

class androguard.decompiler.dad.graph.GenInvokeRetName

Bases: object

last()

new()

set_to(ret)

class androguard.decompiler.dad.graph.Graph

Bases: object

add_catch_edge(e1, e2)

add_edge(e1, e2)

add_node(node)

all_preds(node)

all_sucs(node)

compute_rpo()

Number the nodes in reverse post order. An RPO traversal visit as many predecessors of a node as possible before visiting the node itself.

draw(name, dname, draw_branches=True)

get_ins_from_loc(loc)

get_node_from_loc(loc)

immediate_dominators()

number_ins()

post_order()

Return the nodes of the graph in post-order i.e we visit all the children of a node before visiting the node itself.

preds(node)

remove_ins(loc)

remove_node(node)

sucs(node)

androguard.decompiler.dad.graph.bfs(start)

androguard.decompiler.dad.graph.construct(start_block, vmap, exceptions)

androguard.decompiler.dad.graph.dom_lt(graph)

Dominator algorithm from Lengaeur-Tarjan

androguard.decompiler.dad.graph.make_node(graph, block, block_to_node, vmap, gen_ret)

androguard.decompiler.dad.graph.simplify(graph)

Simplify the CFG by merging/deleting statement nodes when possible: If statement B follows statement A and if B has no other predecessor besides A, then we can merge A and B into a new statement node. We also remove nodes which do nothing except redirecting the control flow (nodes which only contains a goto).

androguard.decompiler.dad.graph.split_if_nodes(graph)

Split IfNodes in two nodes, the first node is the header node, the second one is only composed of the jump condition.

androguard.decompiler.dad.instruction module

class androguard.decompiler.dad.instruction.ArrayExpression

Bases: androguard.decompiler.dad.instruction.IRForm

class androguard.decompiler.dad.instruction.ArrayLengthExpression(array)

Bases: androguard.decompiler.dad.instruction.ArrayExpression

get_type()

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.ArrayLoadExpression(arg, index, _type)

Bases: androguard.decompiler.dad.instruction.ArrayExpression

get_type()

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.ArrayStoreInstruction(rhs, array, index, _type)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

has_side_effect()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.AssignExpression(lhs, rhs)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_rhs()

get_used_vars()

has_side_effect()

is_call()

is_propagable()

remove_defined_var()

replace(old, new)

replace_lhs(new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.BaseClass(name, descriptor=None)

Bases: androguard.decompiler.dad.instruction.IRForm

is_const()

visit(visitor)

class androguard.decompiler.dad.instruction.BinaryCompExpression(op, arg1, arg2, _type)

Bases: androguard.decompiler.dad.instruction.BinaryExpression

visit(visitor)

class androguard.decompiler.dad.instruction.BinaryExpression(op, arg1, arg2, _type)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

has_side_effect()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.BinaryExpression2Addr(op, dest, arg, _type)

Bases: androguard.decompiler.dad.instruction.BinaryExpression

class androguard.decompiler.dad.instruction.BinaryExpressionLit(op, arg1, arg2)

Bases: androguard.decompiler.dad.instruction.BinaryExpression

class androguard.decompiler.dad.instruction.CastExpression(op, atype, arg)

Bases: androguard.decompiler.dad.instruction.UnaryExpression

get_type()

get_used_vars()

is_const()

visit(visitor)

class androguard.decompiler.dad.instruction.CheckCastExpression(arg, _type, descriptor=None)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

is_const()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.ConditionalExpression(op, arg1, arg2)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

is_cond()

neg()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.ConditionalZExpression(op, arg)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

is_cond()

neg()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.Constant(value, atype, int_value=None, descriptor=None)

Bases: androguard.decompiler.dad.instruction.IRForm

get_int_value()

get_type()

get_used_vars()

is_const()

visit(visitor)

class androguard.decompiler.dad.instruction.FillArrayExpression(reg, value)

Bases: androguard.decompiler.dad.instruction.ArrayExpression

get_rhs()

get_used_vars()

is_propagable()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.FilledArrayExpression(asize, atype, args)

Bases: androguard.decompiler.dad.instruction.ArrayExpression

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.IRForm

Bases: object

get_lhs()

get_rhs()

get_type()

get_used_vars()

has_side_effect()

is_call()

is_cond()

is_const()

is_ident()

is_propagable()

remove_defined_var()

replace(old, new)

replace_lhs(new)

replace_var(old, new)

set_type(_type)

visit(visitor)

class androguard.decompiler.dad.instruction.InstanceExpression(arg, klass, ftype, name)

Bases: androguard.decompiler.dad.instruction.IRForm

get_type()

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.InstanceInstruction(rhs, lhs, klass, atype, name)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

has_side_effect()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.InvokeDirectInstruction(clsname, name, base, rtype, ptype, args, triple)

Bases: androguard.decompiler.dad.instruction.InvokeInstruction

class androguard.decompiler.dad.instruction.InvokeInstruction(clsname, name, base, rtype, ptype, args, triple)

Bases: androguard.decompiler.dad.instruction.IRForm

get_type()

get_used_vars()

has_side_effect()

is_call()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.InvokeRangeInstruction(clsname, name, rtype, ptype, args, triple)

Bases: androguard.decompiler.dad.instruction.InvokeInstruction

class androguard.decompiler.dad.instruction.InvokeStaticInstruction(clsname, name, base, rtype, ptype, args, triple)

Bases: androguard.decompiler.dad.instruction.InvokeInstruction

get_used_vars()

class androguard.decompiler.dad.instruction.MonitorEnterExpression(ref)

Bases: androguard.decompiler.dad.instruction.RefExpression

visit(visitor)

class androguard.decompiler.dad.instruction.MonitorExitExpression(ref)

Bases: androguard.decompiler.dad.instruction.RefExpression

visit(visitor)

class androguard.decompiler.dad.instruction.MoveExceptionExpression(ref, _type)

Bases: androguard.decompiler.dad.instruction.RefExpression

get_lhs()

get_used_vars()

has_side_effect()

replace_lhs(new)

visit(visitor)

class androguard.decompiler.dad.instruction.MoveExpression(lhs, rhs)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_rhs()

get_used_vars()

has_side_effect()

is_call()

replace(old, new)

replace_lhs(new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.MoveResultExpression(lhs, rhs)

Bases: androguard.decompiler.dad.instruction.MoveExpression

has_side_effect()

is_propagable()

visit(visitor)

class androguard.decompiler.dad.instruction.NewArrayExpression(asize, atype)

Bases: androguard.decompiler.dad.instruction.ArrayExpression

get_used_vars()

is_propagable()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.NewInstance(ins_type)

Bases: androguard.decompiler.dad.instruction.IRForm

get_type()

get_used_vars()

replace(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.NopExpression

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

visit(visitor)

class androguard.decompiler.dad.instruction.Param(value, atype)

Bases: androguard.decompiler.dad.instruction.Variable

is_const()

visit(visitor)

class androguard.decompiler.dad.instruction.RefExpression(ref)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

is_propagable()

replace(old, new)

replace_var(old, new)

class androguard.decompiler.dad.instruction.ReturnInstruction(arg)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.StaticExpression(cls_name, field_type, field_name)

Bases: androguard.decompiler.dad.instruction.IRForm

get_type()

replace(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.StaticInstruction(rhs, klass, ftype, name)

Bases: androguard.decompiler.dad.instruction.IRForm

get_lhs()

get_used_vars()

has_side_effect()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.SwitchExpression(src, branch)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.ThisParam(value, atype)

Bases: androguard.decompiler.dad.instruction.Param

visit(visitor)

class androguard.decompiler.dad.instruction.ThrowExpression(ref)

Bases: androguard.decompiler.dad.instruction.RefExpression

visit(visitor)

class androguard.decompiler.dad.instruction.UnaryExpression(op, arg, _type)

Bases: androguard.decompiler.dad.instruction.IRForm

get_type()

get_used_vars()

replace(old, new)

replace_var(old, new)

visit(visitor)

class androguard.decompiler.dad.instruction.Variable(value)

Bases: androguard.decompiler.dad.instruction.IRForm

get_used_vars()

is_ident()

value()

visit(visitor)

visit_decl(visitor)

androguard.decompiler.dad.node module

class androguard.decompiler.dad.node.Interval(head)

Bases: object

add_node(node)

compute_end(graph)

get_end()

get_head()

class androguard.decompiler.dad.node.LoopType

Bases: object

copy()

is_endless

is_posttest

is_pretest

class androguard.decompiler.dad.node.MakeProperties(name, bases, dct)

Bases: type

class androguard.decompiler.dad.node.Node(name)

Bases: object

copy_from(node)

get_end()

get_head()

update_attribute_with(n_map)

class androguard.decompiler.dad.node.NodeType

Bases: object

copy()

is_cond

is_return

is_stmt

is_switch

is_throw

androguard.decompiler.dad.opcode_ins module

class androguard.decompiler.dad.opcode_ins.Op

Bases: object

ADD = '+'

AND = '&'

CMP = 'cmp'

DIV = '/'

EQUAL = '=='

GEQUAL = '>='

GREATER = '>'

INTSHL = '<<'

INTSHR = '>>'

LEQUAL = '<='

LONGSHL = '<<'

LONGSHR = '>>'

LOWER = '<'

MOD = '%'

MUL = '*'

NEG = '-'

NEQUAL = '!='

NOT = '~'

OR = '|'

SUB = '-'

XOR = '^'

androguard.decompiler.dad.opcode_ins.adddouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.adddouble2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.addfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.addfloat2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.addint(ins, vmap)

androguard.decompiler.dad.opcode_ins.addint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.addintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.addintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.addlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.addlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.aget(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.agetwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.andint(ins, vmap)

androguard.decompiler.dad.opcode_ins.andint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.andintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.andintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.andlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.andlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.aput(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.aputwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.arraylength(ins, vmap)

androguard.decompiler.dad.opcode_ins.assign_binary_2addr_exp(ins, val_op, op_type, vmap)

androguard.decompiler.dad.opcode_ins.assign_binary_exp(ins, val_op, op_type, vmap)

androguard.decompiler.dad.opcode_ins.assign_cast_exp(val_a, val_b, val_op, op_type, vmap)

androguard.decompiler.dad.opcode_ins.assign_cmp(val_a, val_b, val_c, cmp_type, vmap)

androguard.decompiler.dad.opcode_ins.assign_const(dest_reg, cst, vmap)

androguard.decompiler.dad.opcode_ins.assign_lit(op_type, val_cst, val_a, val_b, vmap)

androguard.decompiler.dad.opcode_ins.checkcast(ins, vmap)

androguard.decompiler.dad.opcode_ins.cmpgdouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.cmpgfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.cmpldouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.cmplfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.cmplong(ins, vmap)

androguard.decompiler.dad.opcode_ins.const(ins, vmap)

androguard.decompiler.dad.opcode_ins.const16(ins, vmap)

androguard.decompiler.dad.opcode_ins.const4(ins, vmap)

androguard.decompiler.dad.opcode_ins.constclass(ins, vmap)

androguard.decompiler.dad.opcode_ins.consthigh16(ins, vmap)

androguard.decompiler.dad.opcode_ins.conststring(ins, vmap)

androguard.decompiler.dad.opcode_ins.conststringjumbo(ins, vmap)

androguard.decompiler.dad.opcode_ins.constwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.constwide16(ins, vmap)

androguard.decompiler.dad.opcode_ins.constwide32(ins, vmap)

androguard.decompiler.dad.opcode_ins.constwidehigh16(ins, vmap)

androguard.decompiler.dad.opcode_ins.divdouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.divdouble2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.divfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.divfloat2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.divint(ins, vmap)

androguard.decompiler.dad.opcode_ins.divint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.divintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.divintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.divlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.divlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.doubletofloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.doubletoint(ins, vmap)

androguard.decompiler.dad.opcode_ins.doubletolong(ins, vmap)

androguard.decompiler.dad.opcode_ins.fillarraydata(ins, vmap, value)

androguard.decompiler.dad.opcode_ins.fillarraydatapayload(ins, vmap)

androguard.decompiler.dad.opcode_ins.fillednewarray(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.fillednewarrayrange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.floattodouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.floattoint(ins, vmap)

androguard.decompiler.dad.opcode_ins.floattolong(ins, vmap)

androguard.decompiler.dad.opcode_ins.get_args(vmap, param_type, largs)

androguard.decompiler.dad.opcode_ins.get_variables(vmap, *variables)

androguard.decompiler.dad.opcode_ins.goto(ins, vmap)

androguard.decompiler.dad.opcode_ins.goto16(ins, vmap)

androguard.decompiler.dad.opcode_ins.goto32(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifeq(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifeqz(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifge(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifgez(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifgt(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifgtz(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifle(ins, vmap)

androguard.decompiler.dad.opcode_ins.iflez(ins, vmap)

androguard.decompiler.dad.opcode_ins.iflt(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifltz(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifne(ins, vmap)

androguard.decompiler.dad.opcode_ins.ifnez(ins, vmap)

androguard.decompiler.dad.opcode_ins.iget(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.igetwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.instanceof(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttobyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttochar(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttodouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttofloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttolong(ins, vmap)

androguard.decompiler.dad.opcode_ins.inttoshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.invokedirect(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokedirectrange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokeinterface(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokeinterfacerange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokestatic(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokestaticrange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokesuper(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokesuperrange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokevirtual(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.invokevirtualrange(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.iput(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.iputwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.load_array_exp(val_a, val_b, val_c, ar_type, vmap)

androguard.decompiler.dad.opcode_ins.longtodouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.longtofloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.longtoint(ins, vmap)

androguard.decompiler.dad.opcode_ins.monitorenter(ins, vmap)

androguard.decompiler.dad.opcode_ins.monitorexit(ins, vmap)

androguard.decompiler.dad.opcode_ins.move(ins, vmap)

androguard.decompiler.dad.opcode_ins.move16(ins, vmap)

androguard.decompiler.dad.opcode_ins.moveexception(ins, vmap, _type)

androguard.decompiler.dad.opcode_ins.movefrom16(ins, vmap)

androguard.decompiler.dad.opcode_ins.moveobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.moveobject16(ins, vmap)

androguard.decompiler.dad.opcode_ins.moveobjectfrom16(ins, vmap)

androguard.decompiler.dad.opcode_ins.moveresult(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.moveresultobject(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.moveresultwide(ins, vmap, ret)

androguard.decompiler.dad.opcode_ins.movewide(ins, vmap)

androguard.decompiler.dad.opcode_ins.movewide16(ins, vmap)

androguard.decompiler.dad.opcode_ins.movewidefrom16(ins, vmap)

androguard.decompiler.dad.opcode_ins.muldouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.muldouble2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulfloat2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulint(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.mulintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.mullong(ins, vmap)

androguard.decompiler.dad.opcode_ins.mullong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.negdouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.negfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.negint(ins, vmap)

androguard.decompiler.dad.opcode_ins.neglong(ins, vmap)

androguard.decompiler.dad.opcode_ins.newarray(ins, vmap)

androguard.decompiler.dad.opcode_ins.newinstance(ins, vmap)

androguard.decompiler.dad.opcode_ins.nop(ins, vmap)

androguard.decompiler.dad.opcode_ins.notint(ins, vmap)

androguard.decompiler.dad.opcode_ins.notlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.orint(ins, vmap)

androguard.decompiler.dad.opcode_ins.orint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.orintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.orintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.orlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.orlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.packedswitch(ins, vmap)

androguard.decompiler.dad.opcode_ins.remdouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.remdouble2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.remfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.remfloat2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.remint(ins, vmap)

androguard.decompiler.dad.opcode_ins.remint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.remintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.remintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.remlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.remlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.return_reg(ins, vmap)

androguard.decompiler.dad.opcode_ins.returnobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.returnvoid(ins, vmap)

androguard.decompiler.dad.opcode_ins.returnwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.rsubint(ins, vmap)

androguard.decompiler.dad.opcode_ins.rsubintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.sget(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.sgetwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.shlint(ins, vmap)

androguard.decompiler.dad.opcode_ins.shlint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.shlintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.shllong(ins, vmap)

androguard.decompiler.dad.opcode_ins.shllong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.shrint(ins, vmap)

androguard.decompiler.dad.opcode_ins.shrint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.shrintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.shrlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.shrlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.sparseswitch(ins, vmap)

androguard.decompiler.dad.opcode_ins.sput(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputboolean(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputbyte(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputchar(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputobject(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputshort(ins, vmap)

androguard.decompiler.dad.opcode_ins.sputwide(ins, vmap)

androguard.decompiler.dad.opcode_ins.store_array_inst(val_a, val_b, val_c, ar_type, vmap)

androguard.decompiler.dad.opcode_ins.subdouble(ins, vmap)

androguard.decompiler.dad.opcode_ins.subdouble2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.subfloat(ins, vmap)

androguard.decompiler.dad.opcode_ins.subfloat2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.subint(ins, vmap)

androguard.decompiler.dad.opcode_ins.subint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.sublong(ins, vmap)

androguard.decompiler.dad.opcode_ins.sublong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.throw(ins, vmap)

androguard.decompiler.dad.opcode_ins.ushrint(ins, vmap)

androguard.decompiler.dad.opcode_ins.ushrint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.ushrintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.ushrlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.ushrlong2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorint(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorint2addr(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorintlit16(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorintlit8(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorlong(ins, vmap)

androguard.decompiler.dad.opcode_ins.xorlong2addr(ins, vmap)

androguard.decompiler.dad.util module

androguard.decompiler.dad.util.build_path(graph, node1, node2, path=None)

Build the path from node1 to node2. The path is composed of all the nodes between node1 and node2, node1 excluded. Although if there is a loop starting from node1, it will be included in the path.

androguard.decompiler.dad.util.common_dom(idom, cur, pred)

androguard.decompiler.dad.util.create_png(cls_name, meth_name, graph, dir_name='graphs2')

androguard.decompiler.dad.util.get_access_class(access)

androguard.decompiler.dad.util.get_access_field(access)

androguard.decompiler.dad.util.get_access_method(access)

androguard.decompiler.dad.util.get_params_type(descriptor)

Return the parameters type of a descriptor (e.g (IC)V)

androguard.decompiler.dad.util.get_type(atype, size=None)

Retrieve the java type of a descriptor (e.g : I)

androguard.decompiler.dad.util.get_type_size(param)

Return the number of register needed by the type @param

androguard.decompiler.dad.util.merge_inner(clsdict)

Merge the inner class(es) of a class: e.g class A { … } class A$foo{ … } class A$bar{ … } ==> class A { class foo{…} class bar{…} … }

androguard.decompiler.dad.writer module

class androguard.decompiler.dad.writer.Writer(graph, method)

Bases: object

dec_ind(i=1)

end_ins()

inc_ind(i=1)

space()

str_ext()

visit_alength(array)

visit_aload(array, index)

visit_assign(lhs, rhs)

visit_astore(array, index, rhs, data=None)

visit_base_class(cls, data=None)

visit_binary_expression(op, arg1, arg2)

visit_cast(op, arg)

visit_catch_node(catch_node)

visit_check_cast(arg, atype)

visit_cond_expression(op, arg1, arg2)

visit_cond_node(cond)

visit_condz_expression(op, arg)

visit_constant(cst)

visit_decl(var)

visit_fill_array(array, value)

visit_filled_new_array(atype, size, args)

visit_get_instance(arg, name, data=None)

visit_get_static(cls, name)

visit_ins(ins)

visit_invoke(name, base, ptype, rtype, args, invokeInstr)

visit_loop_node(loop)

visit_monitor_enter(ref)

visit_monitor_exit(ref)

visit_move(lhs, rhs)

visit_move_exception(var, data=None)

visit_move_result(lhs, rhs)

visit_new(atype, data=None)

visit_new_array(atype, size)

visit_node(node)

visit_nop()

visit_param(param, data=None)

visit_put_instance(lhs, name, rhs, data=None)

visit_put_static(cls, name, rhs)

visit_return(arg)

visit_return_node(ret)

visit_return_void()

visit_short_circuit_condition(nnot, aand, cond1, cond2)

visit_statement_node(stmt)

visit_super()

visit_switch(arg)

visit_switch_node(switch)

visit_this()

visit_throw(ref)

visit_throw_node(throw)

visit_try_node(try_node)

visit_unary_expression(op, arg)

visit_variable(var)

write(s, data=None)

write_ext(t)

write_ind()

write_ind_visit_end(lhs, s, rhs=None, data=None)

write_ind_visit_end_ext(lhs, before, s, after, rhs=None, data=None, subsection='UNKNOWN_SUBSECTION')

write_inplace_if_possible(lhs, rhs)

write_method()

androguard.decompiler.dad.writer.string(s)

Convert a string to a escaped ASCII representation including quotation marks :param s: a string :return: ASCII escaped string

Module contents

Submodules

androguard.decompiler.decompiler module

class androguard.decompiler.decompiler.DecompilerDAD(vm, vmx)

Bases: object

display_all(_class)

display_source(m)

get_all(class_name)

get_ast_class(_class)

get_ast_method(m)

get_source_class(_class)

get_source_class_ext(_class)

get_source_method(m)

class androguard.decompiler.decompiler.DecompilerDed(vm, bin_ded='ded.sh', tmp_dir='/tmp/')

Bases: object

display_all(_class)

display_source(method)

get_all(class_name)

get_source_class(_class)

get_source_method(method)

class androguard.decompiler.decompiler.DecompilerDex2Fernflower(vm, bin_dex2jar='dex2jar.sh', bin_fernflower='fernflower.jar', options_fernflower={'asc': '1', 'dgs': '1'}, tmp_dir='/tmp/')

Bases: object

display_all(_class)

display_source(method)

get_all(class_name)

get_source_class(_class)

get_source_method(method)

class androguard.decompiler.decompiler.DecompilerDex2Jad(vm, bin_dex2jar='dex2jar.sh', bin_jad='jad', tmp_dir='/tmp/')

Bases: object

display_all(_class)

display_source(method)

get_all(class_name)

get_source_class(_class)

get_source_method(method)

class androguard.decompiler.decompiler.DecompilerDex2WineJad(vm, bin_dex2jar='dex2jar.sh', bin_jad='jad', tmp_dir='/tmp/')

Bases: object

display_all(_class)

display_source(method)

get_all(class_name)

get_source_class(_class)

get_source_method(method)

class androguard.decompiler.decompiler.DecompilerJADX(vm, vmx, jadx='jadx', keepfiles=False)

Bases: object

display_all(_class)

???

Parameters:_class – Returns:

display_source(m)

This method does the same as get_source_method but prints the result directly to stdout

Parameters:m – EncodedMethod to print Returns:

get_all(class_name)

???

Parameters:class_name – Returns:

get_source_class(_class)

Return the Java source code of a whole class

Parameters:_class – ClassDefItem object, to get the source from Returns:

get_source_method(m)

Return the Java source of a single method

Parameters:m – EncodedMethod Object Returns:

class androguard.decompiler.decompiler.Dex2Jar(vm, bin_dex2jar='dex2jar.sh', tmp_dir='/tmp/')

Bases: object

get_jar()

exception androguard.decompiler.decompiler.JADXDecompilerError

Bases: Exception

Exception for JADX related problems

class androguard.decompiler.decompiler.MethodFilter(**options)

Bases: pygments.filter.Filter

filter(lexer, stream)

Module contents

Submodules

androguard.misc module

androguard.misc.AnalyzeAPK(_file, session=None, raw=False)

Analyze an android application and setup all stuff for a more quickly analysis! If session is None, no session is used at all. This is the default behaviour. If you like to continue your work later, it might be a good idea to use a session. A default session can be created by using get_default_session().

Parameters:

• _file (string (for filename) or bytes (for raw)) – the filename of the android application or a buffer which represents the application
• session – A session (default: None)
• raw – boolean if raw bytes are supplied instead of a filename

Return type:

return the APK, list of DalvikVMFormat, and Analysis objects

androguard.misc.AnalyzeDex(filename, session=None)

Analyze an android dex file and setup all stuff for a more quickly analysis !

Parameters:

• session – A session (Default None)
• filename (string) – the filename of the android dex file or a buffer which represents the dex file

Return type:

return the DalvikVMFormat, and Analysis objects

androguard.misc.AnalyzeODex(filename, session=None)

Analyze an android odex file and setup all stuff for a more quickly analysis !

Parameters:

• filename (string) – the filename of the android dex file or a buffer which represents the dex file
• session – The Androguard Session to add the ODex to (default: None)

Return type:

return the DalvikOdexVMFormat, and Analysis objects

androguard.misc.RunDecompiler(d, dx, decompiler_name)

Run the decompiler on a specific analysis

Parameters:

• d (DalvikVMFormat object) – the DalvikVMFormat object
• dx (VMAnalysis object) – the analysis of the format
• decompiler (string) – the type of decompiler to use (“dad”, “dex2jad”, “ded”)

androguard.misc.clean_file_name(filename, unique=True, replace='_', force_nt=False)

Return a filename version, which has no characters in it which are forbidden. On Windows these are for example <, /, ?, …

The intention of this function is to allow distribution of files to different OSes.

Parameters:

• filename – string to clean
• unique – check if the filename is already taken and append an integer to be unique (default: True)
• replace – replacement character. (default: ‘_’)
• force_nt – Force shortening of paths like on NT systems (default: False)

Returns:

clean string

androguard.misc.get_default_session()

Return the default Session from the configuration or create a new one, if the session in the configuration is None.

androguard.misc.init_print_colors()

androguard.misc.sign_apk(filename, keystore, storepass)

Use jarsigner to sign an APK file.

Parameters:

• filename – APK file on disk to sign (path)
• keystore – path to keystore
• storepass – your keystorage passphrase

androguard.session module

androguard.session.Load(filename)

load your session!

Parameters:filename (string) – the filename where the session has been saved Return type:the elements of your session :) Example:s = session.Load(“mysession.p”)

androguard.session.Save(session, filename)

save your session!

Parameters:

• session – A Session object to save
• filename (string) – output filename to save the session

Example:

s = session.Session() session.Save(s, “msession.p”)

class androguard.session.Session(export_ipython=False)

Bases: object

add(filename, raw_data, dx=None)

addAPK(filename, data)

Add an APK file to the Session and run analysis on it.

Parameters:

• filename – (file)name of APK file
• data – binary data of the APK file

Returns:

a tuple of SHA256 Checksum and APK Object

addDEX(filename, data, dx=None)

Add a DEX file to the Session and run analysis.

Parameters:

• filename – the (file)name of the DEX file
• data – binary data of the dex file
• dx – an existing Analysis Object (optional)

Returns:

A tuple of SHA256 Hash, DalvikVMFormat Object and Analysis object

addDEY(filename, data, dx=None)

get_all_apks()

get_analysis(current_class)

get_classes()

get_digest_by_class(current_class)

get_filename_by_class(current_class)

get_format(current_class)

get_nb_strings()

get_objects_apk(filename, digest=None)

get_objects_dex()

get_strings()

isOpen()

Test if any file was analyzed in this session

Returns:True if any file was analyzed, False otherwise

reset()

Reset the current session, delete all added files.

show()

Print information about the current session

androguard.util module

androguard.util.get_certificate_name_string(name, short=False)

Return the distinguished name of an X509 Certificate

Parameters:

• name (cryptography.x509.Name) – Name object to return the DN from
• short (Boolean) – Use short form (Default: False)

Return type:

str

androguard.util.read(filename, binary=True)

Module contents

Indices and tables

• Index
• Module Index
• Search Page