diff --git a/DECAF_shared/DroidScope/NDroid/hook/dvm_hook.c b/DECAF_shared/DroidScope/NDroid/hook/dvm_hook.c
index 98a1f7e..a6ec50a 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/dvm_hook.c
+++ b/DECAF_shared/DroidScope/NDroid/hook/dvm_hook.c
@@ -8,6 +8,7 @@
 #include "dvm_hook.h"
 #include "SourcePolicy.h"
 #include "instance_method_calling.h"
+#include "string_operations.h"
 /**
 * mem[addr] stores an object reference, get its type
@@ -952,11 +953,14 @@ void dvmCallJNIMethodCallback(CPUState* env){
 }
 }
+/**
+ * dvmGetVirtulizedMethod, dvmInterpret
+ */
 int isStartOfDvmHooks(int curPC, int dvmStartAddr){
 switch(curPC - dvmStartAddr){
 case OFFSET_DVM_GET_VIRTULIZED_METHOD_BEGIN:
- return (1);
 case OFFSET_DVM_INTERPRET_BEGIN:
+ case OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN:
 return (1);
 }
 return (0);
@@ -965,15 +969,21 @@ int isStartOfDvmHooks(int curPC, int dvmStartAddr){
 void dvmHooksBegin(CPUState* env, int curPC, int dvmStartAddr){
 switch(curPC - dvmStartAddr){
 case OFFSET_DVM_GET_VIRTULIZED_METHOD_BEGIN:
- dvmGetVirtulizedMethod(env, 1);
+ hookDvmGetVirtulizedMethod(env, 1);
 case OFFSET_DVM_INTERPRET_BEGIN:
- dvmInterpret(env, 1);
+ hookDvmInterpret(env, 1);
+ case OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN:
+ hookDvmCreateStringFromCstr(env, 1);
 }
 }
+/**
+ * dvmGetVirtulizedMethod, dvmCreateStringFromCstr
+ */
 int isEndOfDvmHooks(int curPC, int dvmStartAddr){
 switch(curPC - dvmStartAddr){
 case OFFSET_DVM_GET_VIRTULIZED_METHOD_END:
+ case OFFSET_DVM_CREATE_STRING_FROM_CSTR_END:
 return (1);
 }
 return (0);
@@ -982,6 +992,8 @@ int isEndOfDvmHooks(int curPC, int dvmStartAddr){
 void dvmHooksEnd(CPUState* env, int curPC, int dvmStartAddr){
 switch(curPC - dvmStartAddr){
 case OFFSET_DVM_GET_VIRTULIZED_METHOD_END:
- dvmGetVirtulizedMethod(env, 0);
+ hookDvmGetVirtulizedMethod(env, 0);
+ case OFFSET_DVM_CREATE_STRING_FROM_CSTR_END:
+ hookDvmCreateStringFromCstr(env, 0);
 }
 }
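Review bot: The doc comment added above isStartOfDvmHooks lists `dvmGetVirtulizedMethod, dvmInterpret`, but the switch it describes now also returns 1 for `OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN`, so the list is out of date in the same commit that introduces it. Make it ` * dvmGetVirtulizedMethod, dvmInterpret, dvmCreateStringFromCstr`. The matching comment above isEndOfDvmHooks does name all of its cases, so only this one needs the fix.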
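Review bot: The new `case OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN:` in dvmHooksBegin is reached by fall-through from the two cases above it, because no case in this switch ends with `break;`, so hitting the dvmGetVirtulizedMethod or dvmInterpret entry offset also runs `hookDvmCreateStringFromCstr(env, 1)` while `env->regs[0]` holds a ClassObject or Thread pointer (per the prototypes quoted in instance_method_calling.c) rather than the utf8Str argument. dvmHooksEnd has the same shape: at the dvmGetVirtulizedMethod return offset it falls into `hookDvmCreateStringFromCstr(env, 0)`, whose else branch in string_operations.c reads a word at `env->regs[0] + 8` and writes `taintNewStringUTF` through it whenever a NewStringUTF taint is pending and addressDvmCreateStringFromCstr is set, so a return value that is not a StringObject can get patched. Terminate each case: `hookDvmGetVirtulizedMethod(env, 1); break;`, `hookDvmInterpret(env, 1); break;`, `hookDvmCreateStringFromCstr(env, 1); break;`, and the same two `break;`s in dvmHooksEnd. The fall-through in isStartOfDvmHooks/isEndOfDvmHooks is intentional and fine.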
diff --git a/DECAF_shared/DroidScope/NDroid/hook/dvm_offsets.h b/DECAF_shared/DroidScope/NDroid/hook/dvm_offsets.h
index d7ea593..b1d6545 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/dvm_offsets.h
+++ b/DECAF_shared/DroidScope/NDroid/hook/dvm_offsets.h
@@ -77,6 +77,9 @@ extern "C"
 #define OFFSET_DVM_INTERPRET_BEGIN 0x0002e128
 #define OFFSET_DVM_INTERPRET_END 0x0002e234
+#define OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN 0x000587ee
+#define OFFSET_DVM_CREATE_STRING_FROM_CSTR_END 0x000587ec
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.c b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.c
index 7d99f2b..cc5146a 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.c
+++ b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.c
@@ -17,8 +17,8 @@ int isInstanceMethodCalling(int curPC, int dvmStartAddr){
 jniHookHandler hookInstanceMethodCalling(int curPC, int dvmStartAddr, CPUState* env){
 switch(curPC - dvmStartAddr){
 case CallVoidMethod_OFFSET:
- callVoidMethod(env, 1);
- return callVoidMethod;
+ hookCallVoidMethod(env, 1);
+ return hookCallVoidMethod;
 }
 return NULL;
 }
@@ -28,7 +28,7 @@ jniHookHandler hookInstanceMethodCalling(int curPC, int dvmStartAddr, CPUState*
 * jmethodID methodID, ...)
 */
 int addressCallVoidMethod = -1;
-void callVoidMethod(CPUState* env, int isStart){
+void hookCallVoidMethod(CPUState* env, int isStart){
 DECAF_printf("CallVoidMethod[%d]\n", isStart);
 if(isStart){
 addressCallVoidMethod = env->regs[2];
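Review bot: `OFFSET_DVM_CREATE_STRING_FROM_CSTR_END 0x000587ec` is two bytes below `OFFSET_DVM_CREATE_STRING_FROM_CSTR_BEGIN 0x000587ee`, whereas the dvmInterpret pair directly above has END well past BEGIN, so as written the "end" hook fires at an address before the function's entry — this looks like a transposed or mistyped constant. If the end offset is wrong, dvmHooksEnd calls `hookDvmCreateStringFromCstr(env, 0)` at a point where `env->regs[0]` is not the returned StringObject, and the taint write in string_operations.c then targets an unrelated guest address. Please re-check both values against the libdvm.so build they were read from, and record that build next to the defines, e.g. `/* offsets taken from <libdvm.so build / Android version> */`, since every hook in this header silently depends on it.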
@@ -42,7 +42,7 @@ void callVoidMethod(CPUState* env, int isStart){
 * const Method* dvmGetVirtualizedMethod(const ClassObject* clazz, const Method* meth)
 */
 int addressGetVirtulizedMethod = -1;
-void dvmGetVirtulizedMethod(CPUState* env, int isStart){
+void hookDvmGetVirtulizedMethod(CPUState* env, int isStart){
 if(isStart){
 if((addressCallVoidMethod != -1) && (env->regs[1] == addressCallVoidMethod)){
 addressGetVirtulizedMethod = env->regs[1];
@@ -58,8 +58,9 @@ void dvmGetVirtulizedMethod(CPUState* env, int isStart){
 /**
 * void dvmInterpret(Thread* self, const Method* method, JValue* pResult, u4* rtaint)
+ * TODO
 */
-void dvmInterpret(CPUState* env, int isStart){
+void hookDvmInterpret(CPUState* env, int isStart){
 if(isStart){
 if(env->regs[1] == addressCallVoidMethod){
 DECAF_printf("dvmInterpret: @%x\n", env->regs[1]);
diff --git a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.h b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.h
index 72b33ad..ba3c992 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.h
+++ b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/instance_method_calling.h
@@ -18,11 +18,11 @@ extern "C"
 jniHookHandler hookInstanceMethodCalling(int curPC, int dvmStartAddr, CPUState* env);
- void callVoidMethod(CPUState* env, int isStart);
+ void hookCallVoidMethod(CPUState* env, int isStart);
- void dvmGetVirtulizedMethod(CPUState* env, int isStart);
+ void hookDvmGetVirtulizedMethod(CPUState* env, int isStart);
- void dvmInterpret(CPUState* env, int isStart);
+ void hookDvmInterpret(CPUState* env, int isStart);
 #ifdef __cplusplus
 }
diff --git a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/jni_api_hook.h b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/jni_api_hook.h
index 35f5877..9b59363 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/jni_api_hook.h
+++ b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/jni_api_hook.h
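Review bot: The `* TODO` added to the doc comment above hookDvmInterpret carries no description, so a reader cannot tell what is unfinished in this hook or whether its current behaviour can be relied on. State the missing piece on the same line, e.g. `* TODO: <describe what the interpret hook still needs to do>`, or drop the marker until there is something concrete to say. The function body continues past the end of the hunk, so the rest of it is not visible here.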
@@ -12,6 +12,8 @@ extern "C"
 #endif
 #include "cpu.h"
 #include "TaintEngine.h"
+ #include "dvm_hook.h"
+ #include "DECAF_main.h"
 typedef void (*jniHookHandler)(CPUState*, int);
diff --git a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.c b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.c
index 54bb558..8f9ff24 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.c
+++ b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.c
@@ -5,6 +5,7 @@
 #include "DECAF_shared/utils/OutputWrapper.h"
 #include "string_operations.h"
+#include "jni_api_hook.h"
 /**
 * NewString, GetStringLength, GetStringChars, ReleaseStringChars
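Review bot: Nothing visible in jni_api_hook.h uses a name from `dvm_hook.h` or `DECAF_main.h` — the only declaration in the hunk is the `jniHookHandler` typedef — so the two new includes are pulled into every translation unit that includes this header. If they exist for the new hookDvmCreateStringFromCstr in string_operations.c (presumably for DECAF_read_mem/DECAF_write_mem), include them in that .c file instead, next to the `#include "jni_api_hook.h"` the same commit adds there. Note also that dvm_hook.c now includes string_operations.h, string_operations.c includes jni_api_hook.h, and jni_api_hook.h now includes dvm_hook.h; if dvm_hook.h includes either of the other two headers this is an include cycle that only the guards keep compiling, which is worth confirming before merging.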
@@ -40,84 +41,87 @@ int isStringOperations(int curPC, int dvmStartAddr){
 jniHookHandler hookStringOperations(int curPC, int dvmStartAddr, CPUState* env){
 switch(curPC - dvmStartAddr){
 case NewString_OFFSET:
- jniNewString(env, 1);
- return jniNewString;
+ hookJniNewString(env, 1);
+ return hookJniNewString;
 case GetStringLength_OFFSET:
- jniGetStringLength(env, 1);
- return jniGetStringLength;
+ hookJniGetStringLength(env, 1);
+ return hookJniGetStringLength;
 case GetStringChars_OFFSET:
- jniGetStringChars(env, 1);
- return jniGetStringChars;
+ hookJniGetStringChars(env, 1);
+ return hookJniGetStringChars;
 case ReleaseStringChars_OFFSET:
- jniReleaseStringChars(env, 1);
- return jniReleaseStringChars;
+ hookJniReleaseStringChars(env, 1);
+ return hookJniReleaseStringChars;
 case NewStringUTF_OFFSET:
- jniNewStringUTF(env, 1);
- return jniNewStringUTF;
+ hookJniNewStringUTF(env, 1);
+ return hookJniNewStringUTF;
 case GetStringUTFLength_OFFSET:
- jniGetStringUTFLength(env, 1);
- return jniGetStringUTFLength;
+ hookJniGetStringUTFLength(env, 1);
+ return hookJniGetStringUTFLength;
 case GetStringUTFChars_OFFSET:
- jniGetStringUTFChars(env, 1);
- return jniGetStringUTFChars;
+ hookJniGetStringUTFChars(env, 1);
+ return hookJniGetStringUTFChars;
 case ReleaseStringUTFChars_OFFSET:
- jniReleaseStringUTFChars(env, 1);
- return jniReleaseStringUTFChars;
+ hookJniReleaseStringUTFChars(env, 1);
+ return hookJniReleaseStringUTFChars;
 case GetStringRegion_OFFSET:
- jniGetStringRegion(env, 1);
- return jniGetStringRegion;
+ hookJniGetStringRegion(env, 1);
+ return hookJniGetStringRegion;
 case GetStringUTFRegion_OFFSET:
- jniGetStringUTFRegion(env, 1);
- return jniGetStringUTFRegion;
+ hookJniGetStringUTFRegion(env, 1);
+ return hookJniGetStringUTFRegion;
 case GetStringCritical_OFFSET:
- jniGetStringCritical(env, 1);
- return jniGetStringCritical;
+ hookJniGetStringCritical(env, 1);
+ return hookJniGetStringCritical;
 case ReleaseStringCritical_OFFSET:
- jniReleaseStringCritical(env, 1);
- return jniReleaseStringCritical;
+ hookJniReleaseStringCritical(env, 1);
+ return hookJniReleaseStringCritical;
 }
 return NULL;
 }
-void jniNewString(CPUState* env, int isBefore){
- DECAF_printf("NewString[%d]\n", isBefore);
+void hookJniNewString(CPUState* env, int isStart){
+ DECAF_printf("NewString[%d]\n", isStart);
 }
-void jniGetStringLength(CPUState* env, int isBefore){
- DECAF_printf("GetStringLength[%d]\n", isBefore);
+void hookJniGetStringLength(CPUState* env, int isStart){
+ DECAF_printf("GetStringLength[%d]\n", isStart);
 }
-void jniGetStringChars(CPUState* env, int isBefore){
- DECAF_printf("GetStringChars[%d]\n", isBefore);
+void hookJniGetStringChars(CPUState* env, int isStart){
+ DECAF_printf("GetStringChars[%d]\n", isStart);
 }
-void jniReleaseStringChars(CPUState* env, int isBefore){
- DECAF_printf("ReleaseStringChars[%d]\n", isBefore);
+void hookJniReleaseStringChars(CPUState* env, int isStart){
+ DECAF_printf("ReleaseStringChars[%d]\n", isStart);
 }
 /**
 * jstring NewStringUTF(JNIEnv *env, const char *bytes)
 */
 int taintNewStringUTF = 0;
-void jniNewStringUTF(CPUState* env, int isBefore){
- DECAF_printf("NewStringUTF[%d]\n", isBefore);
- if(isBefore){
+int addressNewStringUTF = -1;
+void hookJniNewStringUTF(CPUState* env, int isStart){
+ DECAF_printf("NewStringUTF[%d]\n", isStart);
+ if(isStart){
 taintNewStringUTF = getTaint(env->regs[1]);
 if(taintNewStringUTF > 0){
 DECAF_printf("gTaint[%x]: %x\n", env->regs[1], taintNewStringUTF);
 }
+ addressNewStringUTF = env->regs[1];
 }else{
 if(taintNewStringUTF > 0){
 addTaint(env->regs[0], taintNewStringUTF);
 DECAF_printf("sTaint[%x]: %x\n", env->regs[0], taintNewStringUTF);
 taintNewStringUTF = 0;
 }
+ addressNewStringUTF = -1;
 }
 }
-void jniGetStringUTFLength(CPUState* env, int isBefore){
- DECAF_printf("GetStringUTFLength[%d]\n", isBefore);
+void hookJniGetStringUTFLength(CPUState* env, int isStart){
+ DECAF_printf("GetStringUTFLength[%d]\n", isStart);
 }
 /**
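Review bot: The new file-scope `int addressNewStringUTF = -1;` and its two assignments in hookJniNewStringUTF have no comment saying what the value is or who consumes it; from the hunk it is the `bytes` argument (`env->regs[1]`) of the NewStringUTF call in flight, kept so that the later dvmCreateStringFromCstr hook can recognise the same pointer in its own `env->regs[0]`. Document that at the definition, e.g. `/* bytes argument of the NewStringUTF call currently in flight (-1 when none); matched against r0 in hookDvmCreateStringFromCstr */`. Because it is a single global set at entry and cleared at return, two guest threads interleaving inside NewStringUTF would overwrite each other's value and the inner hook could pair the wrong call; whether the hook dispatch can observe such an interleaving is not visible here, but that is the assumption the matching rests on and it belongs in the comment. A register value is also stored into an `int` compared against `-1`, so a pointer of 0xFFFFFFFF would read as "no call in flight" — implausible for a heap pointer, but a one-line note would spare the next reader the question.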
@@ -125,9 +129,9 @@ void jniGetStringUTFLength(CPUState* env, int isBefore){
 * jboolean *isCopy);
 */
 int taintGetStringUTFChars = 0;
-void jniGetStringUTFChars(CPUState* env, int isBefore){
- DECAF_printf("GetStringUTFChars[%d]\n", isBefore);
- if(isBefore){
+void hookJniGetStringUTFChars(CPUState* env, int isStart){
+ DECAF_printf("GetStringUTFChars[%d]\n", isStart);
+ if(isStart){
 taintGetStringUTFChars = getTaint(env->regs[1]);
 if(taintGetStringUTFChars > 0){
 DECAF_printf("gTaint[%x]: %x\n", env->regs[1], taintGetStringUTFChars);
@@ -141,22 +145,66 @@ void jniGetStringUTFChars(CPUState* env, int isBefore){
 }
 }
-void jniReleaseStringUTFChars(CPUState* env, int isBefore){
- DECAF_printf("ReleaseStringUTFChars[%d]\n", isBefore);
+void hookJniReleaseStringUTFChars(CPUState* env, int isStart){
+ DECAF_printf("ReleaseStringUTFChars[%d]\n", isStart);
 }
-void jniGetStringRegion(CPUState* env, int isBefore){
- DECAF_printf("GetStringRegion[%d]\n", isBefore);
+void hookJniGetStringRegion(CPUState* env, int isStart){
+ DECAF_printf("GetStringRegion[%d]\n", isStart);
 }
-void jniGetStringUTFRegion(CPUState* env, int isBefore){
- DECAF_printf("GetStringUTFRegion[%d]\n", isBefore);
+void hookJniGetStringUTFRegion(CPUState* env, int isStart){
+ DECAF_printf("GetStringUTFRegion[%d]\n", isStart);
 }
-void jniGetStringCritical(CPUState* env, int isBefore){
- DECAF_printf("GetStringCritical[%d]\n", isBefore);
+void hookJniGetStringCritical(CPUState* env, int isStart){
+ DECAF_printf("GetStringCritical[%d]\n", isStart);
 }
-void jniReleaseStringCritical(CPUState* env, int isBefore){
- DECAF_printf("ReleaseStringCritical[%d]\n", isBefore);
+void hookJniReleaseStringCritical(CPUState* env, int isStart){
+ DECAF_printf("ReleaseStringCritical[%d]\n", isStart);
 }
+
+/**
+ * StringObject* dvmCreateStringFromCstr(const char* utf8Str)
+ */
+int addressDvmCreateStringFromCstr = -1;
+void hookDvmCreateStringFromCstr(CPUState* env, int isStart){
+ if(isStart){
+ if((addressNewStringUTF != -1) && (addressNewStringUTF == env->regs[0])){
+ addressDvmCreateStringFromCstr = addressNewStringUTF;
+ }
+ }else{
+ if((addressDvmCreateStringFromCstr != -1) &&
+ (taintNewStringUTF > 0)){
+ //add taintNewStringUTF to string@env->regs[0]
+ int charArrayAddr = -1;
+ //if(DECAF_read_mem(env, env->regs[0] + STRING_INSTANCE_DATA_OFFSET
+ if(DECAF_read_mem(env, env->regs[0] + 8
+ , &charArrayAddr, 4) != -1){
+ DECAF_printf("dvmCreateStringFromCstr: add taint %x to %x\n",
+ //taintNewStringUTF, charArrayAddr + STRING_TAINT_OFFSET);
taintNewStringUTF, charArrayAddr + 12);
+ //assert(DECAF_write_mem(env, charArrayAddr + STRING_TAINT_OFFSET,
+ assert(DECAF_write_mem(env, charArrayAddr + 12, &taintNewStringUTF, 4) != -1);
+ }
+
+ addressDvmCreateStringFromCstr = -1;
+ }
+ }
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.h b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.h
index b5705c9..7418785 100644
--- a/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.h
+++ b/DECAF_shared/DroidScope/NDroid/hook/jni_bridge/string_operations.h
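Review bot: `assert(DECAF_write_mem(env, charArrayAddr + 12, &taintNewStringUTF, 4) != -1);` in the else branch of hookDvmCreateStringFromCstr puts the taint write itself inside the assert, so a build with `NDEBUG` removes the write and the new string silently loses its taint, while a debug build aborts the whole emulator on a transient guest-memory fault. Make the write unconditional and report failure instead: `if(DECAF_write_mem(env, charArrayAddr + 12, &taintNewStringUTF, 4) == -1){` / `DECAF_printf("dvmCreateStringFromCstr: taint write to %x failed\n", charArrayAddr + 12);` / `}`. The object layout offsets `8` and `12` are hard-coded with their intended names `STRING_INSTANCE_DATA_OFFSET` and `STRING_TAINT_OFFSET` left in the commented-out lines beside them; define those two constants (alongside the other offsets in dvm_offsets.h or at the top of this file) and use them, so the Dalvik build these numbers are valid for is recorded in one place. Separately, `charArrayAddr` is used without checking for a zero/null value before `charArrayAddr + 12` is written through, and the fifteen blank lines added after the closing brace should be dropped.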
@@ -24,18 +24,20 @@ extern "C"
 * NewStringUTF, GetStringUTFLength, GetStringUTFChars, ReleaseStringUTFChars
 * GetStringRegion, GetStringUTFRegion, GetStringCritical, ReleaseStringCritical
 */
- void jniNewString(CPUState* env, int isBefore);
- void jniGetStringLength(CPUState* env, int isBefore);
- void jniGetStringChars(CPUState* env, int isBefore);
- void jniReleaseStringChars(CPUState* env, int isBefore);
- void jniNewStringUTF(CPUState* env, int isBefore);
- void jniGetStringUTFLength(CPUState* env, int isBefore);
- void jniGetStringUTFChars(CPUState* env, int isBefore);
- void jniReleaseStringUTFChars(CPUState* env, int isBefore);
- void jniGetStringRegion(CPUState* env, int isBefore);
- void jniGetStringUTFRegion(CPUState* env, int isBefore);
- void jniGetStringCritical(CPUState* env, int isBefore);
- void jniReleaseStringCritical(CPUState* env, int isBefore);
+ void hookJniNewString(CPUState* env, int isStart);
+ void hookJniGetStringLength(CPUState* env, int isStart);
+ void hookJniGetStringChars(CPUState* env, int isStart);
+ void hookJniReleaseStringChars(CPUState* env, int isStart);
+ void hookJniNewStringUTF(CPUState* env, int isStart);
+ void hookJniGetStringUTFLength(CPUState* env, int isStart);
+ void hookJniGetStringUTFChars(CPUState* env, int isStart);
+ void hookJniReleaseStringUTFChars(CPUState* env, int isStart);
+ void hookJniGetStringRegion(CPUState* env, int isStart);
+ void hookJniGetStringUTFRegion(CPUState* env, int isStart);
+ void hookJniGetStringCritical(CPUState* env, int isStart);
+ void hookJniReleaseStringCritical(CPUState* env, int isStart);
+
+ void hookDvmCreateStringFromCstr(CPUState* env, int isStart);
 #ifdef __cplusplus
 }