[Bug]: Arguments for staticinvoke in JAssignStmt appear to be missing after DEX conversion

[main-force]

I am encountering an issue while analyzing the OWASP UnCrackable-Level1.apk with SootUp. It seems that arguments for a staticinvoke call are not being correctly represented in the Jimple body after conversion from a DEX file.

Smali Representation
When I disassemble the target APK, the Smali code clearly shows the arguments (v1, v2) being passed to Base64.decode:

.method public static a(Ljava/lang/String;)Z
    .locals 5

    const-string v0, "8d127684cbc37c17616d806cf50473cc"

    const-string v1, "5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc="

    const/4 v2, 0x0

    invoke-static {v1, v2}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B

    move-result-object v1

    new-array v2, v2, [B

However, when I process the APK with SootUp and view the corresponding Jimple, the arguments for the staticinvoke are missing in its textual representation. Even when accessing the InvokeExpr object programmatically, the getArgs() method returns an empty list.

Class: sg.vantagepoint.uncrackable1.a
  - Method: <sg.vantagepoint.uncrackable1.a: boolean a(java.lang.String)>
    - Body Instructions:
        > $u5 := @parameter0: java.lang.String   [JIdentityStmt]
        > $u0 = "8d127684cbc37c17616d806cf50473cc"   [JAssignStmt]
        > $u1 = "5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc="   [JAssignStmt]
        > $u2 = 0   [JAssignStmt]
        > $stack = staticinvoke <android.util.Base64: byte[] decode(java.lang.String,int)>()   [JAssignStmt]
        > $u1 = $stack   [JAssignStmt]
        > $u2 = newarray (byte)[$u2]   [JAssignStmt]

I have noticed that this issue seems to occur when the result of a staticinvoke is assigned to a variable (in this case, $stack). The variables that should have been used as arguments ($u1, $u2) are prepared right before the call.

This leads to my questions:

• Is this the expected behavior?
• If it is, even though the arguments are not explicitly listed, why does the .getArgs() method on the corresponding AbstractInvokeExpr return an empty list when the necessary arguments are clearly available in the preceding statements?

PS: I am still new to the SootUp framework, so I apologize if I have misunderstood something. Any guidance or clarification on this would be greatly appreciated.

Version

Latest develop branch

CPG

[main-force]

I just found that when dex byte code is changed by the jimplifyStatic, it doesn't use the args. So I just changed this code:

  protected void jimplifyStatic(DexBody body) {
    MethodReference item = (MethodReference) ((ReferenceInstruction) instruction).getReference();
    List<Local> parameters = buildParameters(body, item.getParameterTypes(), true);

    invocation =
        Jimple.newStaticInvokeExpr(
            new MethodSignature(
                DexUtil.getClassTypeFromClassName(item.getDefiningClass()),
                item.getName(),
                convertParameterTypes(item.getParameterTypes()),
                DexUtil.toSootType(item.getReturnType(), 0)));
    body.setDanglingInstruction(this);
  }

like this.

  protected void jimplifyStatic(DexBody body) {
    MethodReference item = (MethodReference) ((ReferenceInstruction) instruction).getReference();
    List<Local> parameters = buildParameters(body, item.getParameterTypes(), true);

    invocation =
        Jimple.newStaticInvokeExpr(
            new MethodSignature(
                DexUtil.getClassTypeFromClassName(item.getDefiningClass()),
                item.getName(),
                convertParameterTypes(item.getParameterTypes()),
                DexUtil.toSootType(item.getReturnType(), 0)),
            buildArgs(parameters));
    body.setDanglingInstruction(this);
  }

Now I can get the correct pdg graph.

Are the previous code's unused args intended?
Can I just change the code using the args?

[main-force]

I just update the code and create pr in here

[main-force]

I found wierd situation in staticinvoke's modifier.

method interceptBody in DexNullTransformer.java is like:

AbstractStmtVisitor checkUse =
        new AbstractStmtVisitor() {

          private boolean examineInvokeExpr(AbstractInvokeExpr e) {
            List<Immediate> args = e.getArgs();
            List<Type> argTypes = e.getMethodSignature().getParameterTypes();
            assert args.size() == argTypes.size();
            for (int i = 0; i < args.size(); i++) {
              if (args.get(i) == l && isObject(argTypes.get(i))) {
                return true;
              }
            }
            System.out.println(MethodModifier.isStatic(builder.getModifiers()));
            System.out.println(builder.getModifiers());
            System.out.println(e.getMethodSignature());
            System.out.println(e.getType());
            System.out.println(e);
            // check for base
            if (!MethodModifier.isStatic(builder.getModifiers())) {
              AbstractInstanceInvokeExpr aiiexpr = (AbstractInstanceInvokeExpr) e;
              Value b = aiiexpr.getBase();
              return b == l;
            }
            return false;
          }

Some of the console output is like:

false
[PUBLIC]
<android.support.v4.print.PrintHelperKitkat: android.graphics.Matrix access$000(android.support.v4.print.PrintHelperKitkat,int,int,android.graphics.RectF,int)>
android.graphics.Matrix
staticinvoke <android.support.v4.print.PrintHelperKitkat: android.graphics.Matrix access$000(android.support.v4.print.PrintHelperKitkat,int,int,android.graphics.RectF,int)>($u5, $u6, $u7, content, $u8)

And it just failed the test in AbstracInstanceInvokeExpr casting

[ERROR] Tests run: 4, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.617 s <<< FAILURE! -- in sootup.apk.frontend.ApkToDexTest
[ERROR] sootup.apk.frontend.ApkToDexTest.loadAnApk -- Time elapsed: 0.258 s <<< ERROR!
java.lang.ClassCastException: class sootup.core.jimple.common.expr.JStaticInvokeExpr cannot be cast to class sootup.core.jimple.common.expr.AbstractInstanceInvokeExpr (sootup.core.jimple.common.expr.JStaticInvokeExpr and sootup.core.jimple.common.expr.AbstractInstanceInvokeExpr are in unnamed module of loader 'app')
        at sootup.apk.frontend.interceptors.DexNullTransformer$2.examineInvokeExpr(DexNullTransformer.java:128)
        at sootup.apk.frontend.interceptors.DexNullTransformer$2.caseAssignStmt(DexNullTransformer.java:206)

I think the staticinvoke is not considered like static. Although the method is a static method, it just tries to cast AbstractInstanceInvokeExpr in if (!MethodModifier.isStatic(builder.getModifiers()))
The if-condition statement checks the method's modifier. It must check STATIC, but it doesn't.

I struggled to solve this, but it isn't available only to me.
Are there any other solutions to solve this problem?