Origin updates (#56)

* HOTFIX: EFR01 Enterprise feature request (MobSF#1908) * Replace Warning with Medium and added Hotspot * Add file analysis to hotspot * Enterprise Feature Request Flag * EFR01 changes * version bump * update quark & frida (MobSF#1903) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910) * upgrade apktool to 2.6.1 (MobSF#1915) * Hotfix: Update slack link * Hotfix: update slack link * Hotfix: Slack link * Hotfix:Slack link * Hotfix:Slack link * Introduce jadx decompilation timeout with env var (MobSF#1916) * Introduce jadx decompilation timeout with env var - exception for timeout - replace subprocess.call for run Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Scheduled weekly dependency update for week 13 (MobSF#1931) * Update quark-engine from 22.2.1 to 22.3.1 * update lief Co-authored-by: Ajin Abraham <ajin25@gmail.com> * update apkid (MobSF#1939) * Fix dynamic report_json api bug (MobSF#1934) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Hotfix: LIEF * Update README.md (MobSF#1951) * update jadx to 1.3.4 (MobSF#1941) * update jadx to 1.3.4 * update lief * update jadx and requirements Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: superpoussin22 <vincent.nadal@orange.fr> Co-authored-by: pyup.io bot <github-bot@pyup.io> Co-authored-by: Matej Soroka <hi@matejsoroka.com> Co-authored-by: N1neSun <917549681@qq.com> Co-authored-by: Ajin.Abraham <ajin.abraham@chime.com> Co-authored-by: Dapo Adedire <adedireadedapo19@gmail.com>
cyberspect · May 22, 2022 · 9759a01 · 9759a01
1 parent afc1321
commit 9759a01
Show file tree

Hide file tree

Showing 43 changed files with 54 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 Version: v3.5 beta
 ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png)
 
-Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
+Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
 
 Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82e3a63c-4813-11e6-9430-6015d98aeaab.png) in India
 

diff --git a/mobsf/DynamicAnalyzer/views/android/report.py b/mobsf/DynamicAnalyzer/views/android/report.py
@@ -100,7 +100,7 @@ def view_report(request, checksum, api=False):
                    'base64_strings': b64_strings,
                    'trackers': trackers,
                    'frida_logs': is_file_exists(fd_log),
-                   'runtime_dependencies': deps,
+                   'runtime_dependencies': list(deps),
                    'package': package,
                    'version': settings.MOBSF_VER,
                    'title': 'Dynamic Analysis'}

diff --git a/mobsf/StaticAnalyzer/tools/jadx/README.md b/mobsf/StaticAnalyzer/tools/jadx/README.md
@@ -5,12 +5,15 @@
 [![Build status](https://github.com/skylot/jadx/workflows/Build/badge.svg)](https://github.com/skylot/jadx/actions?query=workflow%3ABuild)
 [![Alerts from lgtm.com](https://img.shields.io/lgtm/alerts/g/skylot/jadx.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/skylot/jadx/alerts/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
+[![Maven Central](https://img.shields.io/maven-central/v/io.github.skylot/jadx-core)](https://search.maven.org/search?q=g:io.github.skylot%20AND%20jadx)
 [![License](http://img.shields.io/:license-apache-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)
 
 **jadx** - Dex to Java decompiler
 
 Command line and GUI tools for producing Java source code from Android Dex and Apk files
 
+:exclamation::exclamation::exclamation: Please note that in most cases **jadx** can't decompile all 100% of the code, so errors will occur. Check [Troubleshooting guide](https://github.com/skylot/jadx/wiki/Troubleshooting-Q&A#decompilation-issues) for workarounds
+
 **Main features:**
 - decompile Dalvik bytecode to java classes from APK, dex, aar, aab and zip files
 - decode `AndroidManifest.xml` and other resources from `resources.arsc`
@@ -21,15 +24,13 @@ Command line and GUI tools for producing Java source code from Android Dex and A
 - jump to declaration
 - find usage
 - full text search
+- smali debugger, check [wiki page](https://github.com/skylot/jadx/wiki/Smali-debugger) for setup and usage
 
-**Upcoming unstable features:**
-- smali debugger (thanks to [@LBJ-the-GOAT](https://github.com/LBJ-the-GOAT)), check [wiki page](https://github.com/skylot/jadx/wiki/Smali-debugger) for setup and usage
+Jadx-gui key bindings can be found [here](https://github.com/skylot/jadx/wiki/JADX-GUI-Key-bindings)
 
 See these features in action here: [jadx-gui features overview](https://github.com/skylot/jadx/wiki/jadx-gui-features-overview)
 
-
-![jadx-gui screenshot](https://i.imgur.com/h917IBZ.png)
-
+<img src="https://user-images.githubusercontent.com/118523/142730720-839f017e-38db-423e-b53f-39f5f0a0316f.png" width="700"/>
 
 ### Download
 - release from [github: ![Latest release](https://img.shields.io/github/release/skylot/jadx.svg)](https://github.com/skylot/jadx/releases/latest)
@@ -40,8 +41,8 @@ After download unpack zip file go to `bin` directory and run:
 - `jadx-gui` - UI version
 
 On Windows run `.bat` files with double-click\
-**Note:** ensure you have installed Java 8 or later 64-bit version.
-For windows you can download it from [adoptopenjdk.net](https://adoptopenjdk.net/releases.html?variant=openjdk11&jvmVariant=hotspot#x64_win) (select "Install JRE").
+**Note:** ensure you have installed Java 11 or later 64-bit version.
+For Windows, you can download it from [oracle.com](https://www.oracle.com/java/technologies/downloads/#jdk17-windows) (select x64 Installer).
 
 ### Install
 1. Arch linux
@@ -53,6 +54,9 @@ For windows you can download it from [adoptopenjdk.net](https://adoptopenjdk.net
         brew install jadx
     ```
 
+### Use jadx as a library
+You can use jadx in your java projects, check details on [wiki page](https://github.com/skylot/jadx/wiki/Use-jadx-as-a-library)
+
 ### Build from source
 JDK 8 or higher must be installed:
 ```
@@ -75,10 +79,16 @@ options:
   -dr, --output-dir-res               - output directory for resources
   -r, --no-res                        - do not decode resources
   -s, --no-src                        - do not decompile source code
-  --single-class                      - decompile a single class
+  --single-class                      - decompile a single class, full name, raw or alias
+  --single-class-output               - file or dir for write if decompile a single class
   --output-format                     - can be 'java' or 'json', default: java
   -e, --export-gradle                 - save as android gradle project
   -j, --threads-count                 - processing threads count, default: 4
+  -m, --decompilation-mode            - code output mode:
+                                         'auto' - trying best options (default)
+                                         'restructure' - restore code structure (normal java code)
+                                         'simple' - simplified instructions (linear, with goto's)
+                                         'fallback' - raw instructions without modifications
   --show-bad-code                     - show inconsistent code (incorrectly decompiled)
   --no-imports                        - disable use of imports, always write entire package name
   --no-debug-info                     - disable debug info
@@ -92,9 +102,15 @@ options:
   --deobf-min                         - min length of name, renamed if shorter, default: 3
   --deobf-max                         - max length of name, renamed if longer, default: 64
   --deobf-cfg-file                    - deobfuscation map file, default: same dir and name as input file with '.jobf' extension
-  --deobf-rewrite-cfg                 - force to ignore and overwrite deobfuscation map file
+  --deobf-cfg-file-mode               - set mode for handle deobfuscation map file:
+                                         'read' - read if found, don't save (default)
+                                         'read-or-save' - read if found, save otherwise (don't overwrite)
+                                         'overwrite' - don't read, always save
+                                         'ignore' - don't read and don't save
+  --deobf-rewrite-cfg                 - set '--deobf-cfg-file-mode' to 'overwrite' (deprecated)
   --deobf-use-sourcename              - use source file name as class name alias
   --deobf-parse-kotlin-metadata       - parse kotlin metadata to class and package names
+  --use-kotlin-methods-for-var-names  - use kotlin intrinsic methods to rename variables, values: disable, apply, apply-and-hide, default: apply
   --rename-flags                      - fix options (comma-separated list of):
                                          'case' - fix case sensitivity issues (according to --fs-case-sensitive option),
                                          'valid' - rename java identifiers to make them valid,
@@ -104,18 +120,28 @@ options:
   --fs-case-sensitive                 - treat filesystem as case sensitive, false by default
   --cfg                               - save methods control flow graph to dot file
   --raw-cfg                           - save methods control flow graph (use raw instructions)
-  -f, --fallback                      - make simple dump (using goto instead of 'if', 'for', etc)
-  --comments-level                    - set code comments level, values: none, user_only, error, warn, info, debug, default: info
+  -f, --fallback                      - set '--decompilation-mode' to 'fallback' (deprecated)
+  --use-dx                            - use dx/d8 to convert java bytecode
+  --comments-level                    - set code comments level, values: error, warn, info, debug, user-only, none, default: info
   --log-level                         - set log level, values: quiet, progress, error, warn, info, debug, default: progress
   -v, --verbose                       - verbose output (set --log-level to DEBUG)
   -q, --quiet                         - turn off output (set --log-level to QUIET)
   --version                           - print jadx version
   -h, --help                          - print this help
+
+Plugin options (-P<name>=<value>):
+  1) dex-input (Load .dex and .apk files)
+    -Pdex-input.verify-checksum       - Verify dex file checksum before load, values: [yes, no], default: yes
+  2) java-convert (Convert .jar and .class files to dex)
+    -Pjava-convert.mode               - Convert mode, values: [dx, d8, both], default: both
+    -Pjava-convert.d8-desugar         - Use desugar in d8, values: [yes, no], default: no
+
 Examples:
   jadx -d out classes.dex
   jadx --rename-flags "none" classes.dex
   jadx --rename-flags "valid, printable" classes.dex
   jadx --log-level ERROR app.apk
+  jadx -Pdex-input.verify-checksum=no app.apk
 ```
 These options also worked on jadx-gui running from command line and override options from preferences dialog
 

diff --git a/mobsf/StaticAnalyzer/tools/jadx/bin/jadx b/mobsf/StaticAnalyzer/tools/jadx/bin/jadx
@@ -86,7 +86,7 @@ APP_NAME="jadx"
 APP_BASE_NAME=${0##*/}
 
 # Add default JVM options here. You can also use JAVA_OPTS and JADX_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xms128M" "-Xmx4g" "-XX:+UseG1GC"'
+DEFAULT_JVM_OPTS='"-Xms128M" "-XX:MaxRAMPercentage=70.0" "-XX:+UseG1GC"'
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,7 +114,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
-CLASSPATH=$APP_HOME/lib/jadx-cli-1.3.0.jar:$APP_HOME/lib/jadx-core-1.3.0.jar:$APP_HOME/lib/logback-classic-1.2.7.jar:$APP_HOME/lib/jadx-smali-input-1.3.0.jar:$APP_HOME/lib/jadx-dex-input-1.3.0.jar:$APP_HOME/lib/jadx-java-input-1.3.0.jar:$APP_HOME/lib/jadx-plugins-api-1.3.0.jar:$APP_HOME/lib/raung-disasm-0.0.2.jar:$APP_HOME/lib/raung-common-0.0.2.jar:$APP_HOME/lib/slf4j-api-1.7.32.jar:$APP_HOME/lib/baksmali-2.5.2.jar:$APP_HOME/lib/smali-2.5.2.jar:$APP_HOME/lib/util-2.5.2.jar:$APP_HOME/lib/jcommander-1.81.jar:$APP_HOME/lib/gson-2.8.9.jar:$APP_HOME/lib/aapt2-proto-4.2.1-7147631.jar:$APP_HOME/lib/protobuf-java-3.11.4.jar:$APP_HOME/lib/logback-core-1.2.7.jar:$APP_HOME/lib/dexlib2-2.5.2.jar:$APP_HOME/lib/guava-30.1.1-jre.jar:$APP_HOME/lib/antlr-3.5.2.jar:$APP_HOME/lib/ST4-4.0.8.jar:$APP_HOME/lib/antlr-runtime-3.5.2.jar:$APP_HOME/lib/stringtemplate-3.2.1.jar:$APP_HOME/lib/jsr305-3.0.2.jar:$APP_HOME/lib/failureaccess-1.0.1.jar:$APP_HOME/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar:$APP_HOME/lib/checker-qual-3.8.0.jar:$APP_HOME/lib/error_prone_annotations-2.5.1.jar:$APP_HOME/lib/j2objc-annotations-1.3.jar:$APP_HOME/lib/asm-9.2.jar:$APP_HOME/lib/antlr-2.7.7.jar
+CLASSPATH=$APP_HOME/lib/jadx-cli-1.3.5.jar:$APP_HOME/lib/jadx-core-1.3.5.jar:$APP_HOME/lib/logback-classic-1.2.11.jar:$APP_HOME/lib/jadx-java-convert-1.3.5.jar:$APP_HOME/lib/jadx-smali-input-1.3.5.jar:$APP_HOME/lib/jadx-dex-input-1.3.5.jar:$APP_HOME/lib/jadx-java-input-1.3.5.jar:$APP_HOME/lib/jadx-plugins-api-1.3.5.jar:$APP_HOME/lib/raung-disasm-0.0.2.jar:$APP_HOME/lib/raung-common-0.0.2.jar:$APP_HOME/lib/slf4j-api-1.7.36.jar:$APP_HOME/lib/baksmali-2.5.2.jar:$APP_HOME/lib/smali-2.5.2.jar:$APP_HOME/lib/util-2.5.2.jar:$APP_HOME/lib/jcommander-1.82.jar:$APP_HOME/lib/gson-2.9.0.jar:$APP_HOME/lib/aapt2-proto-4.2.1-7147631.jar:$APP_HOME/lib/protobuf-java-3.11.4.jar:$APP_HOME/lib/logback-core-1.2.11.jar:$APP_HOME/lib/dexlib2-2.5.2.jar:$APP_HOME/lib/guava-30.1.1-jre.jar:$APP_HOME/lib/dalvik-dx-11.0.0_r3.jar:$APP_HOME/lib/r8-3.3.28.jar:$APP_HOME/lib/asm-9.3.jar:$APP_HOME/lib/antlr-3.5.2.jar:$APP_HOME/lib/ST4-4.0.8.jar:$APP_HOME/lib/antlr-runtime-3.5.2.jar:$APP_HOME/lib/stringtemplate-3.2.1.jar:$APP_HOME/lib/jsr305-3.0.2.jar:$APP_HOME/lib/failureaccess-1.0.1.jar:$APP_HOME/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar:$APP_HOME/lib/checker-qual-3.8.0.jar:$APP_HOME/lib/error_prone_annotations-2.5.1.jar:$APP_HOME/lib/j2objc-annotations-1.3.jar:$APP_HOME/lib/antlr-2.7.7.jar
 
 
 # Determine the Java command to use to start the JVM.

diff --git a/mobsf/StaticAnalyzer/tools/jadx/bin/jadx-gui b/mobsf/StaticAnalyzer/tools/jadx/bin/jadx-gui
@@ -86,7 +86,7 @@ APP_NAME="jadx-gui"
 APP_BASE_NAME=${0##*/}
 
 # Add default JVM options here. You can also use JAVA_OPTS and JADX_GUI_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS=""
+DEFAULT_JVM_OPTS='"-Xms128M" "-XX:MaxRAMPercentage=70.0" "-XX:+UseG1GC" "-Dawt.useSystemAAFontSettings=lcd" "-Dswing.aatext=true"'
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,7 +114,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
-CLASSPATH=$APP_HOME/lib/jadx-gui-1.3.0.jar:$APP_HOME/lib/jfontchooser-1.0.5.jar:$APP_HOME/lib/jadx-cli-1.3.0.jar:$APP_HOME/lib/jadx-core-1.3.0.jar:$APP_HOME/lib/logback-classic-1.2.7.jar:$APP_HOME/lib/jadx-smali-input-1.3.0.jar:$APP_HOME/lib/jadx-dex-input-1.3.0.jar:$APP_HOME/lib/jadx-java-input-1.3.0.jar:$APP_HOME/lib/jadx-plugins-api-1.3.0.jar:$APP_HOME/lib/raung-disasm-0.0.2.jar:$APP_HOME/lib/raung-common-0.0.2.jar:$APP_HOME/lib/slf4j-api-1.7.32.jar:$APP_HOME/lib/baksmali-2.5.2.jar:$APP_HOME/lib/smali-2.5.2.jar:$APP_HOME/lib/util-2.5.2.jar:$APP_HOME/lib/jcommander-1.81.jar:$APP_HOME/lib/rsyntaxtextarea-3.1.3.jar:$APP_HOME/lib/image-viewer-1.2.3.jar:$APP_HOME/lib/flatlaf-intellij-themes-1.6.4.jar:$APP_HOME/lib/flatlaf-extras-1.6.4.jar:$APP_HOME/lib/flatlaf-1.6.4.jar:$APP_HOME/lib/svgSalamander-1.1.2.4.jar:$APP_HOME/lib/gson-2.8.9.jar:$APP_HOME/lib/commons-text-1.9.jar:$APP_HOME/lib/commons-lang3-3.12.0.jar:$APP_HOME/lib/rxjava2-swing-0.3.7.jar:$APP_HOME/lib/rxjava-2.2.21.jar:$APP_HOME/lib/apksig-4.2.1.jar:$APP_HOME/lib/jdwp-1.0.jar:$APP_HOME/lib/aapt2-proto-4.2.1-7147631.jar:$APP_HOME/lib/protobuf-java-3.11.4.jar:$APP_HOME/lib/logback-core-1.2.7.jar:$APP_HOME/lib/reactive-streams-1.0.3.jar:$APP_HOME/lib/dexlib2-2.5.2.jar:$APP_HOME/lib/guava-30.1.1-jre.jar:$APP_HOME/lib/antlr-3.5.2.jar:$APP_HOME/lib/ST4-4.0.8.jar:$APP_HOME/lib/antlr-runtime-3.5.2.jar:$APP_HOME/lib/stringtemplate-3.2.1.jar:$APP_HOME/lib/jsr305-3.0.2.jar:$APP_HOME/lib/failureaccess-1.0.1.jar:$APP_HOME/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar:$APP_HOME/lib/checker-qual-3.8.0.jar:$APP_HOME/lib/error_prone_annotations-2.5.1.jar:$APP_HOME/lib/j2objc-annotations-1.3.jar:$APP_HOME/lib/asm-9.2.jar:$APP_HOME/lib/antlr-2.7.7.jar
+CLASSPATH=$APP_HOME/lib/jadx-gui-1.3.5.jar:$APP_HOME/lib/jfontchooser-1.0.5.jar:$APP_HOME/lib/jadx-cli-1.3.5.jar:$APP_HOME/lib/jadx-core-1.3.5.jar:$APP_HOME/lib/logback-classic-1.2.11.jar:$APP_HOME/lib/jadx-java-convert-1.3.5.jar:$APP_HOME/lib/jadx-smali-input-1.3.5.jar:$APP_HOME/lib/jadx-dex-input-1.3.5.jar:$APP_HOME/lib/jadx-java-input-1.3.5.jar:$APP_HOME/lib/jadx-plugins-api-1.3.5.jar:$APP_HOME/lib/raung-disasm-0.0.2.jar:$APP_HOME/lib/raung-common-0.0.2.jar:$APP_HOME/lib/slf4j-api-1.7.36.jar:$APP_HOME/lib/baksmali-2.5.2.jar:$APP_HOME/lib/smali-2.5.2.jar:$APP_HOME/lib/util-2.5.2.jar:$APP_HOME/lib/jcommander-1.82.jar:$APP_HOME/lib/rsyntaxtextarea-3.2.0.jar:$APP_HOME/lib/image-viewer-1.2.3.jar:$APP_HOME/lib/flatlaf-intellij-themes-2.1.jar:$APP_HOME/lib/flatlaf-extras-2.1.jar:$APP_HOME/lib/flatlaf-2.1.jar:$APP_HOME/lib/svgSalamander-1.1.3.jar:$APP_HOME/lib/gson-2.9.0.jar:$APP_HOME/lib/commons-text-1.9.jar:$APP_HOME/lib/commons-lang3-3.12.0.jar:$APP_HOME/lib/rxjava2-swing-0.3.7.jar:$APP_HOME/lib/rxjava-2.2.21.jar:$APP_HOME/lib/apksig-4.2.1.jar:$APP_HOME/lib/jdwp-1.0.jar:$APP_HOME/lib/aapt2-proto-4.2.1-7147631.jar:$APP_HOME/lib/protobuf-java-3.11.4.jar:$APP_HOME/lib/logback-core-1.2.11.jar:$APP_HOME/lib/reactive-streams-1.0.3.jar:$APP_HOME/lib/dexlib2-2.5.2.jar:$APP_HOME/lib/guava-30.1.1-jre.jar:$APP_HOME/lib/dalvik-dx-11.0.0_r3.jar:$APP_HOME/lib/r8-3.3.28.jar:$APP_HOME/lib/asm-9.3.jar:$APP_HOME/lib/antlr-3.5.2.jar:$APP_HOME/lib/ST4-4.0.8.jar:$APP_HOME/lib/antlr-runtime-3.5.2.jar:$APP_HOME/lib/stringtemplate-3.2.1.jar:$APP_HOME/lib/jsr305-3.0.2.jar:$APP_HOME/lib/failureaccess-1.0.1.jar:$APP_HOME/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar:$APP_HOME/lib/checker-qual-3.8.0.jar:$APP_HOME/lib/error_prone_annotations-2.5.1.jar:$APP_HOME/lib/j2objc-annotations-1.3.jar:$APP_HOME/lib/antlr-2.7.7.jar
 
 
 # Determine the Java command to use to start the JVM.