dex-oracle 1.0.2

data/lib/dex-oracle/driver.rb

@@ -0,0 +1,255 @@
+require 'json'
+require 'digest'
+require 'Open3'
+require 'timeout'
+require_relative 'resources'
+require_relative 'logging'
+require_relative 'utility'
+
+class Driver
+  include Logging
+
+  UNESCAPES = {
+    'a' => "\x07", 'b' => "\x08", 't' => "\x09",
+    'n' => "\x0a", 'v' => "\x0b", 'f' => "\x0c",
+    'r' => "\x0d", 'e' => "\x1b", '\\' => "\x5c",
+    '"' => "\x22", "'" => "\x27"
+  }
+  UNESCAPE_REGEX = /\\(?:([#{UNESCAPES.keys.join}])|u([\da-fA-F]{4}))|\\0?x([\da-fA-F]{2})/
+
+  OUTPUT_HEADER = '===ORACLE DRIVER OUTPUT==='
+  DRIVER_DIR = '/data/local'
+  DRIVER_CLASS = 'org.cf.oracle.Driver'
+
+  def initialize(device_id, timeout = 60)
+    @device_id = device_id
+    @timeout = timeout
+
+    device_str = device_id.empty? ? '' : "-s #{@device_id} "
+    @adb_base = "adb #{device_str}%s"
+    @cmd_stub = "export CLASSPATH=#{DRIVER_DIR}/od.zip; app_process /system/bin #{DRIVER_CLASS}"
+
+    @cache = {}
+  end
+
+  def install(dex)
+    fail 'Unable to find Java on the path.' unless Utility.which('java')
+
+    begin
+      # Merge driver and target dex file
+      # Congratulations. You're now one of the 5 people who've used this tool explicitly.
+      logger.debug("Merging #{dex.path} and driver dex ...")
+      fail "#{Resources.dx} does not exist and is required for DexMerger" unless File.exist?(Resources.dx)
+      fail "#{Resources.driver_dex} does not exist" unless File.exist?(Resources.driver_dex)
+      tf = Tempfile.new(['oracle-driver', '.dex'])
+      cmd = "java -cp #{Resources.dx} com.android.dx.merge.DexMerger #{tf.path} #{dex.path} #{Resources.driver_dex}"
+      exec("#{cmd}")
+
+      # Zip merged dex and push to device
+      logger.debug('Pushing merged driver to device ...')
+      tz = Tempfile.new(['oracle-driver', '.zip'])
+      Utility.create_zip(tz.path, { 'classes.dex' => tf })
+      adb("push #{tz.path} #{DRIVER_DIR}/od.zip")
+    rescue => e
+      puts "Error installing the driver: #{e}"
+    ensure
+      tf.close
+      tf.unlink
+      tz.close
+      tz.unlink
+    end
+  end
+
+  def run(class_name, signature, *args)
+    method = SmaliMethod.new(class_name, signature)
+    cmd = build_command(method.class, method.name, method.parameters, args)
+    output = nil
+    retries = 1
+    begin
+      output = drive(cmd)
+    rescue => e
+      # If you slam an emulator or device with too many app_process commands,
+      # it eventually gets angry and segmentation faults. No idea why.
+      # This took many frustrating hours to figure out.
+      if retries <= 3
+        logger.debug("Driver execution failed. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
+        sleep 5
+        retries += 1
+        retry
+      else
+        raise e
+      end
+    end
+    output
+  end
+
+  def run_batch(batch)
+    push_batch_targets(batch)
+    retries = 1
+    begin
+      drive("#{@cmd_stub} @#{DRIVER_DIR}/od-targets.json", true)
+    rescue => e
+      if retries <= 3 && e.message.include?('Segmentation fault')
+        # Maybe we just need to retry
+        logger.debug("Driver execution segfaulted. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
+        sleep 5
+        retries += 1
+        retry
+      else
+        raise e
+      end
+    end
+    pull_batch_outputs
+  end
+
+  def make_target(class_name, signature, *args)
+    method = SmaliMethod.new(class_name, signature)
+    target = {
+      className: method.class.tr('/', '.'),
+      methodName: method.name,
+      arguments: Driver.build_arguments(method.parameters, args)
+    }
+    # Identifiers are used to map individual inputs to outputs
+    target[:id] = Digest::SHA256.hexdigest(target.to_json)
+
+    target
+  end
+
+  private
+
+  def push_batch_targets(batch)
+    target_file = Tempfile.new(['oracle-targets', '.json'])
+    target_file << batch.to_json
+    target_file.flush
+    logger.info("Pushing #{batch.size} method targets to device ...")
+    adb("push #{target_file.path} #{DRIVER_DIR}/od-targets.json")
+    target_file.close
+    target_file.unlink
+  end
+
+  def pull_batch_outputs
+    output_file = Tempfile.new(['oracle-output', '.json'])
+    logger.debug('Pulling batch results from device ...')
+    adb("pull #{DRIVER_DIR}/od-output.json #{output_file.path}")
+    adb("shell rm #{DRIVER_DIR}/od-output.json")
+    outputs = JSON.parse(File.read(output_file.path))
+    outputs.each { |_, (_, v2)| v2.gsub!(/(?:^"|"$)/, '') if v2.start_with?('"') }
+    logger.debug("Pulled #{outputs.size} outputs.")
+    output_file.close
+    output_file.unlink
+    outputs
+  end
+
+  def exec(cmd, silent = true)
+    logger.debug("exec: #{cmd}")
+
+    retries = 1
+    begin
+      status = Timeout.timeout(@timeout) do
+        if !silent
+          `#{cmd}`
+        else
+          Open3.popen3(cmd) { |_, stdout, _, _| stdout.read }
+        end
+      end
+    rescue => e
+      if retries <= 3
+        logger.debug("ADB command execution timed out, retrying #{retries} ...")
+        sleep 5
+        retries += 1
+        retry
+      else
+        raise e
+      end
+    end
+  end
+
+  def validate_output(full_cmd, full_output)
+    output_lines = full_output.split(/\r?\n/)
+    exit_code = output_lines.last.to_i
+    if exit_code != 0
+      # Non zero exit code would only imply adb command itself was flawed
+      # app_process, dalvikvm, etc. don't propigate exit codes back
+      fail "Command failed with #{exit_code}: #{full_cmd}\nOutput: #{full_output}"
+    end
+
+    # Successful driver run should include driver header
+    # Otherwise it may be a Segmentation fault or Killed
+    logger.debug("Full output: #{full_output.inspect}")
+    header = output_lines[0]
+    fail "app_process execution failure, output: '#{full_output}'" if header != OUTPUT_HEADER
+
+    output_lines[1..-2].join("\n").rstrip
+  end
+
+  def drive(cmd, batch = false)
+    return @cache[cmd] if @cache.key?(cmd)
+
+    full_cmd = "shell \"#{cmd}\"; echo $?"
+    full_output = adb(full_cmd)
+    output = validate_output(full_cmd, full_output)
+
+    # The driver writes any actual exceptions to the filesystem
+    # Need to check to make sure the output value is legitimate
+    logger.debug('Checking if execution had any exceptions ...')
+    exception = adb("shell cat #{DRIVER_DIR}/od-exception.txt").strip
+    unless exception.end_with?('No such file or directory')
+      adb("shell rm #{DRIVER_DIR}/od-exception.txt")
+      fail exception
+    end
+    logger.debug('No exceptions found :)')
+
+    # Cache successful results for single method invocations for speed!
+    @cache[cmd] = output unless batch
+    logger.debug("output = #{output}")
+
+    output
+  end
+
+  def adb(cmd)
+    full_cmd = @adb_base % cmd
+    exec(full_cmd).rstrip
+  end
+
+  def self.unescape(str)
+    str.gsub(UNESCAPE_REGEX) do
+      if Regexp.last_match[1]
+        Regexp.last_match[1] == '\\' ? Regexp.last_match[1] : UNESCAPES[Regexp.last_match[1]]
+      elsif Regexp.last_match[2] # escape \u0000 unicode
+        [Regexp.last_match[2].hex].pack('U*')
+      elsif Regexp.last_match[3] # escape \0xff or \xff
+        [Regexp.last_match[3]].pack('H2')
+      end
+    end
+  end
+
+  def build_command(class_name, method_name, parameters, args)
+    class_name.tr!('/', '.') # Make valid Java class name
+    class_name.gsub!('$', '\$') # inner classes
+    method_name.gsub!('$', '\$') # synthetic method names
+    target = "'#{class_name}' '#{method_name}'"
+    target_args = Driver.build_arguments(parameters, args)
+    "#{@cmd_stub} #{target} #{target_args * ' '}"
+  end
+
+  def self.build_arguments(parameters, args)
+    parameters.map.with_index do |o, i|
+      build_argument(o, args[i])
+    end
+  end
+
+  def self.build_argument(parameter, argument)
+    if parameter[0] == 'L'
+      java_type = parameter[1..-2].tr('/', '.')
+      if java_type == 'java.lang.String'
+        # Need to unescape smali string to get the actual string
+        # Converting to bytes just avoids any weird non-printable characters nonsense
+        argument = "[#{Driver.unescape(argument).bytes.to_a.join(',')}]"
+      end
+      "#{java_type}:#{argument}"
+    else
+      argument = (argument == '1' ? 'true' : 'false') if parameter == 'Z'
+      "#{parameter}:#{argument}"
+    end
+  end
+end

data/lib/dex-oracle/logging.rb

@@ -0,0 +1,32 @@
+require 'logger'
+
+module Logging
+  class << self
+    def logger
+      unless @logger
+        @logger = Logger.new($stdout)
+        @logger.level = Logger::WARN
+        @logger.formatter = proc do |severity, datetime, progname, msg|
+          "[#{severity}] #{datetime.strftime('%Y-%m-%d %H:%M:%S')}: #{msg}\n"
+        end
+      end
+      @logger
+    end
+
+    def logger=(logger)
+      @logger = logger
+    end
+  end
+
+  def self.included(base)
+    class << base
+      def logger
+        Logging.logger
+      end
+    end
+  end
+
+  def logger
+    Logging.logger
+  end
+end

data/lib/dex-oracle/plugin.rb

@@ -0,0 +1,87 @@
+class Plugin
+  module CommonRegex
+    CONST_NUMBER = 'const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)'
+    ESCAPE_STRING = '"(.*?)(?<!\\\\)"'
+    CONST_STRING = 'const-string [vp]\d+, ' << ESCAPE_STRING << '.*'
+    MOVE_RESULT_OBJECT = 'move-result-object ([vp]\d+)'
+  end
+
+  @plugins = []
+
+  def self.plugins
+    @plugins
+  end
+
+  def self.plugin_classes
+    Dir["#{File.dirname(__FILE__)}/plugins/*.rb"].each { |f| require f }
+    classes = []
+    Object.constants.each do |klass|
+      const = Kernel.const_get(klass)
+      next unless const.respond_to?(:superclass) && const.superclass == Plugin
+      classes << const
+    end
+
+    classes
+  end
+
+  def self.init_plugins(driver, smali_files, methods)
+    @plugins = plugin_classes.collect { |p| p.new(driver, smali_files, methods) }
+  end
+
+  def process
+    fail 'process not implemented'
+  end
+
+  def optimizations
+    fail 'optimizations not implemented'
+  end
+
+  # method_to_target_to_context -> { method: [target_to_context] }
+  # target_to_context -> [ [target, context] ]
+  # target = Driver.make_target, has :id key
+  # context = [ [original, out_reg] ]
+  def self.apply_batch(driver, method_to_target_to_contexts, modifier)
+    all_batches = method_to_target_to_contexts.values.collect(&:keys).flatten
+    return false if all_batches.empty?
+
+    target_id_to_output = driver.run_batch(all_batches)
+    apply_outputs(target_id_to_output, method_to_target_to_contexts, modifier)
+  end
+
+  # target_id_to_output -> { id: [status, output] }
+  # status = (success|failure)
+  def self.apply_outputs(target_id_to_output, method_to_target_to_contexts, modifier)
+    made_changes = false
+    method_to_target_to_contexts.each do |method, target_to_contexts|
+      target_to_contexts.each do |target, contexts|
+        status, output = target_id_to_output[target[:id]]
+        unless status == 'success'
+          logger.warn("Unsuccessful status: #{status} for #{output}")
+          next
+        end
+
+        contexts.each do |original, out_reg|
+          modification = modifier.call(original, output, out_reg)
+          #puts "modification #{original.inspect} = #{modification.inspect}"
+
+          # Go home Ruby. You're drunk.
+          # (gsub actually _modifies_ the replacement string)
+          #modification.gsub!('\\') { '\\\\' }
+          #method.body.gsub!(original) { modification }
+
+          dumb_replace(method.body, original, modification)
+        end
+
+        made_changes = true
+        method.modified = true
+      end
+    end
+
+    made_changes
+  end
+
+  def self.dumb_replace(string, find, replace)
+    string[find] = replace while string.include?(find)
+    string
+  end
+end

data/lib/dex-oracle/plugins/string_decryptor.rb

@@ -0,0 +1,59 @@
+require_relative '../logging'
+require_relative '../utility'
+
+class StringDecryptor < Plugin
+  include Logging
+  include CommonRegex
+
+  STRING_DECRYPT = Regexp.new(
+    '^[ \t]*(' << CONST_STRING << '\s+' \
+    'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(Ljava/lang/String;\))Ljava/lang/String;' \
+    '\s+' << MOVE_RESULT_OBJECT << ')'
+  )
+
+  MODIFIER = -> (_, output, out_reg) { "const-string #{out_reg}, \"#{output.split('').collect { |e| e.inspect[1..-2] }.join}\"" }
+
+  def initialize(driver, smali_files, methods)
+    @driver = driver
+    @smali_files = smali_files
+    @methods = methods
+    @optimizations = Hash.new(0)
+  end
+
+  def process
+    method_to_target_to_contexts = {}
+    @methods.each do |method|
+      logger.info("Decrypting strings #{method.descriptor}")
+      target_to_contexts = {}
+      target_to_contexts.merge!(decrypt_strings(method))
+      target_to_contexts.map { |_, v| v.uniq! }
+      method_to_target_to_contexts[method] = target_to_contexts unless target_to_contexts.empty?
+    end
+
+    made_changes = false
+    made_changes |= Plugin.apply_batch(@driver, method_to_target_to_contexts, MODIFIER)
+
+    made_changes
+  end
+
+  def optimizations
+    @optimizations
+  end
+
+  private
+
+  def decrypt_strings(method)
+    target_to_contexts = {}
+    matches = method.body.scan(STRING_DECRYPT)
+    @optimizations[:string_decrypts] += matches.size if matches
+    matches.each do |original, encrypted, class_name, method_signature, out_reg|
+      target = @driver.make_target(
+        class_name, method_signature, encrypted
+      )
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    target_to_contexts
+  end
+end

data/lib/dex-oracle/plugins/undexguard.rb

@@ -0,0 +1,155 @@
+require_relative '../logging'
+require_relative '../utility'
+
+class Undexguard < Plugin
+  include Logging
+  include CommonRegex
+
+  STRING_LOOKUP_3INT = Regexp.new(
+    '^[ \t]*(' << ((CONST_NUMBER << '\s+') * 3) <<
+    'invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(III\))Ljava/lang/String;' \
+    '\s+' << MOVE_RESULT_OBJECT << ')',
+    Regexp::MULTILINE
+  )
+
+  STRING_LOOKUP_1INT = Regexp.new(
+    '^[ \t]*(' << CONST_NUMBER << '\s+' \
+    'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(I\))Ljava/lang/String;' \
+    '\s+' << MOVE_RESULT_OBJECT << ')'
+  )
+
+  BYTES_DECRYPT = Regexp.new(
+    '^[ \t]*(' << CONST_STRING << '\s+' \
+    'invoke-virtual \{[vp]\d+\}, Ljava\/lang\/String;->getBytes\(\)\[B\s+' \
+    'move-result-object [vp]\d+\s+' \
+    'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(\[B\))Ljava/lang/String;' \
+    '\s+' << MOVE_RESULT_OBJECT << ')'
+  )
+
+  MULTI_BYTES_DECRYPT = Regexp.new(
+    '^[ \t]*(' << CONST_STRING << '\s+' \
+    'new-instance ([vp]\d+), L[^;]+;\s+' \
+    'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(Ljava/lang/String;\))\[B\s+' \
+    'move-result-object [vp]\d+\s+' <<
+    CONST_STRING << '\s+' \
+    'invoke-static \{[vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(\[BLjava/lang/String;\))\[B\s+' \
+    'move-result-object [vp]\d+\s+' \
+    'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(\[B\))\[B\s+' \
+    'move-result-object [vp]\d+\s+' \
+    'invoke-direct \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/String;-><init>\(\[B\)V' \
+    ')'
+  )
+
+  MODIFIER = -> (_, output, out_reg) { "const-string #{out_reg}, \"#{output.split('').collect { |e| e.inspect[1..-2] }.join}\"" }
+
+  def initialize(driver, smali_files, methods)
+    @driver = driver
+    @smali_files = smali_files
+    @methods = methods
+    @optimizations = Hash.new(0)
+  end
+
+  def process
+    method_to_target_to_contexts = {}
+    @methods.each do |method|
+      logger.info("Undexguarding #{method.descriptor} - stage 1/2")
+      target_to_contexts = {}
+      target_to_contexts.merge!(lookup_strings_3int(method))
+      target_to_contexts.merge!(lookup_strings_1int(method))
+      target_to_contexts.merge!(decrypt_bytes(method))
+      target_to_contexts.map { |_, v| v.uniq! }
+      method_to_target_to_contexts[method] = target_to_contexts unless target_to_contexts.empty?
+    end
+
+    made_changes = Plugin.apply_batch(@driver, method_to_target_to_contexts, MODIFIER)
+
+    @methods.each do |method|
+      logger.info("Undexguarding #{method.descriptor} - stage 2/2")
+      made_changes |= decrypt_multi_bytes(method)
+    end
+
+    made_changes
+  end
+
+  def optimizations
+    @optimizations
+  end
+
+  private
+
+  def self.array_string_to_array(str)
+      if str =~ /\A\[(?:\d+(?:,\d+)*)?\]\z/
+        str = eval(str)
+      else
+        fail "Output is not in byte format; this frightens me: #{str}"
+      end
+      str
+  end
+
+  def lookup_strings_3int(method)
+    target_to_contexts = {}
+    matches = method.body.scan(STRING_LOOKUP_3INT)
+    @optimizations[:string_lookups] += matches.size if matches
+    matches.each do |original, arg1, arg2, arg3, class_name, method_signature, out_reg|
+      target = @driver.make_target(
+        class_name, method_signature, arg1.to_i(16), arg2.to_i(16), arg3.to_i(16)
+      )
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    target_to_contexts
+  end
+
+  def lookup_strings_1int(method)
+    target_to_contexts = {}
+    matches = method.body.scan(STRING_LOOKUP_1INT)
+    @optimizations[:string_lookups] += matches.size if matches
+    matches.each do |original, arg1, class_name, method_signature, out_reg|
+      target = @driver.make_target(
+        class_name, method_signature, arg1.to_i(16)
+      )
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    target_to_contexts
+  end
+
+  def decrypt_bytes(method)
+    target_to_contexts = {}
+    matches = method.body.scan(BYTES_DECRYPT)
+    @optimizations[:string_decrypts] += matches.size if matches
+    matches.each do |original, encrypted, class_name, method_signature, out_reg|
+      target = @driver.make_target(
+        class_name, method_signature, encrypted.bytes.to_a
+      )
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    target_to_contexts
+  end
+
+  def decrypt_multi_bytes(method)
+    target_to_contexts = {}
+    target_id_to_output = {}
+    matches = method.body.scan(MULTI_BYTES_DECRYPT)
+    @optimizations[:string_decrypts] += matches.size if matches
+    matches.each do |original, iv_str, out_reg, iv_class_name, iv_method_signature, iv2_str, iv2_class_name, iv2_method_signature, dec_class_name, dec_method_signature|
+      iv_bytes = @driver.run(iv_class_name, iv_method_signature, iv_str)
+      enc_bytes = @driver.run(iv2_class_name, iv2_method_signature, iv_bytes, iv2_str)
+      dec_bytes = @driver.run(dec_class_name, dec_method_signature, enc_bytes)
+      dec_array = Undexguard.array_string_to_array(dec_bytes)
+      dec_string = dec_array.pack('U*')
+
+      target = { id: Digest::SHA256.hexdigest(original) }
+      target_id_to_output[target[:id]] = ['success', dec_string]
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    method_to_target_to_contexts = { method => target_to_contexts }
+    Plugin.apply_outputs(target_id_to_output, method_to_target_to_contexts, MODIFIER)
+  end
+end