dex-oracle 1.0.2

data/lib/dex-oracle/plugins/unreflector.rb

@@ -0,0 +1,85 @@
+require 'digest'
+require_relative '../logging'
+
+class Unreflector < Plugin
+  include Logging
+  include CommonRegex
+
+  attr_reader :optimizations
+
+  CLASS_FOR_NAME = 'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;'
+
+  CONST_CLASS_REGEX = Regexp.new(
+    '^[ \t]*(' << CONST_STRING << '\s+' <<
+    CLASS_FOR_NAME << '\s+' <<
+    MOVE_RESULT_OBJECT << ')'
+  )
+
+  VIRTUAL_FIELD_LOOKUP = Regexp.new(
+    '^[ \t]*(' <<
+    CONST_STRING << '\s+' \
+    'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;\s+' <<
+    MOVE_RESULT_OBJECT << '\s+' <<
+    CONST_STRING << '\s+' \
+    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' <<
+    MOVE_RESULT_OBJECT << '\s+' \
+    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' <<
+    MOVE_RESULT_OBJECT << ')'
+  )
+
+  STATIC_FIELD_LOOKUP = Regexp.new(
+    '^[ \t]*(' <<
+    CONST_STRING << '\s+' <<
+    CLASS_FOR_NAME << '\s+' <<
+    MOVE_RESULT_OBJECT << '\s+' <<
+    CONST_STRING <<
+    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' <<
+    MOVE_RESULT_OBJECT << '\s+' \
+    'const/4 [vp]\d+, 0x0\s+' \
+    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' <<
+    MOVE_RESULT_OBJECT <<
+    ')'
+  )
+
+  CLASS_LOOKUP_MODIFIER = -> (_, output, out_reg) { "const-class #{out_reg}, #{output}" }
+
+  def initialize(driver, smali_files, methods)
+    @driver = driver
+    @smali_files = smali_files
+    @methods = methods
+    @optimizations = Hash.new(0)
+  end
+
+  def process
+    made_changes = false
+    @methods.each do |method|
+      logger.info("Unreflecting #{method.descriptor}")
+      made_changes |= lookup_classes(method)
+    end
+
+    made_changes
+  end
+
+  def optimizations
+    @optimizations
+  end
+
+  private
+
+  def lookup_classes(method)
+    target_to_contexts = {}
+    target_id_to_output = {}
+    matches = method.body.scan(CONST_CLASS_REGEX)
+    @optimizations[:class_lookups] += matches.size
+    matches.each do |original, class_name, out_reg|
+      target = { id: Digest::SHA256.hexdigest(original) }
+      smali_class = "L#{class_name.tr('.', '/')};"
+      target_id_to_output[target[:id]] = ['success', smali_class]
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    method_to_target_to_contexts = { method => target_to_contexts }
+    Plugin.apply_outputs(target_id_to_output, method_to_target_to_contexts, CLASS_LOOKUP_MODIFIER)
+  end
+end

data/lib/dex-oracle/resources.rb

@@ -0,0 +1,13 @@
+class Resources
+  include Logging
+
+  PATH = File.join(File.dirname(File.expand_path(__FILE__)), '../../res')
+
+  def self.dx
+    return "#{PATH}/dx.jar"
+  end
+
+  def self.driver_dex
+    return "#{PATH}/driver.dex"
+  end
+end

data/lib/dex-oracle/smali_field.rb

@@ -0,0 +1,21 @@
+class SmaliField
+    attr_reader :name, :class, :type, :descriptor
+
+    def initialize(class_name, field_signature)
+        @class = class_name
+        @descriptor = "#{class_name}->#{field_signature}"
+        @name, @type = field_signature.split(':')
+    end
+
+    def to_s
+        @descriptor
+    end
+
+    def ==(other)
+        other.class == self.class && other.state == state
+    end
+
+    def state
+        [@name, @class, @type, @descriptor]
+    end
+end

data/lib/dex-oracle/smali_file.rb

@@ -0,0 +1,64 @@
+require_relative 'smali_field'
+require_relative 'smali_method'
+require_relative 'logging'
+
+class SmaliFile
+  attr_reader :class, :super, :interfaces, :methods, :fields, :file_path, :content
+
+  include Logging
+
+  ACCESSOR = /(?:interface|public|protected|private|abstract|static|final|synchronized|transient|volatile|native|strictfp|synthetic|enum|annotation)/
+  TYPE = /(?:[IJFDZBCV]|L[^;]+;)/
+  CLASS = /^\.class (?:#{ACCESSOR} )+(L[^;]+;)/
+  SUPER = /^\.super (L[^;]+;)/
+  INTERFACE = /^\.implements (L[^;]+;)/
+  FIELD = /^\.field (?:#{ACCESSOR} )+([^\s]+)$/
+  METHOD = /^.method (?:#{ACCESSOR} )+([^\s]+)$/
+
+  def initialize(file_path)
+    @file_path = file_path
+    @modified = false
+    parse(file_path)
+  end
+
+  def update
+    @methods.each do |m|
+      next unless m.modified
+      logger.debug("Updating method: #{m}")
+      update_method(m)
+      m.modified = false
+    end
+    File.open(@file_path, 'w') { |f| f.write(@content) }
+  end
+
+  def to_s
+    @class
+  end
+
+  private
+
+  def parse(file_path)
+    @content = IO.read(file_path)
+    @class = @content[CLASS, 1]
+    @super = @content[SUPER, 1]
+    @interfaces = []
+    @content.scan(INTERFACE).each { |m| @interfaces << m.first }
+    @fields = []
+    @content.scan(FIELD).each { |m| @fields << SmaliField.new(@class, m.first) }
+    @methods = []
+    @content.scan(METHOD).each do |m|
+      body_regex = build_method_regex(m.first)
+      body = @content[body_regex, 1]
+      @methods << SmaliMethod.new(@class, m.first, body)
+    end
+  end
+
+  def build_method_regex(method_signature)
+    /\.method (?:#{ACCESSOR} )+#{Regexp.escape(method_signature)}(.*)^\.end method/m
+  end
+
+  def update_method(method)
+    body_regex = build_method_regex(method.signature)
+    @content[body_regex, 1] = method.body
+  end
+end

data/lib/dex-oracle/smali_input.rb

@@ -0,0 +1,81 @@
+require 'zip'
+require 'english'
+require_relative 'utility'
+
+class SmaliInput
+  attr_reader :dir, :out_apk, :out_dex, :temp_dir, :temp_dex
+
+  DEX_MAGIC = [0x64, 0x65, 0x78]
+  PK_ZIP_MAGIC = [0x50, 0x4b, 0x3]
+
+  def initialize(input)
+    prepare(input)
+  end
+
+  def finish
+    SmaliInput.update_apk(dir, @out_apk) if @out_apk
+    SmaliInput.compile(dir, @out_dex) if @out_dex
+    FileUtils.rm_rf(@dir) if @temp_dir
+    FileUtils.rm_rf(@out_dex) if @temp_dex
+  end
+
+  private
+
+  def self.compile(dir, out_dex = nil)
+    fail 'Smali could not be found on the path.' if Utility.which('smali').nil?
+    out_dex = Tempfile.new(['oracle', '.dex']) if out_dex.nil?
+    exit_code = SmaliInput.exec("smali #{dir} -o #{out_dex.path}")
+    # Remember kids, if you make a CLI, exit with non-zero status for failures
+    fail 'Crap, smali compilation failed.' if $CHILD_STATUS.exitstatus != 0
+    out_dex
+  end
+
+  def self.update_apk(dir, out_apk)
+    out_dex = compile(dir)
+    Utility.update_zip(out_apk, 'classes.dex', out_dex)
+  end
+
+  def self.extract_dex(apk, out_dex)
+    Utility.extract_file(apk, 'classes.dex', out_dex)
+  end
+
+  def prepare(input)
+    if File.directory?(input)
+      @temp_dir = false
+      @temp_dex = true
+      @dir = input
+      @out_dex = SmaliInput.compile(dir)
+      return
+    end
+
+    magic = File.open(input) { |f| f.read(3) }.bytes.to_a
+    case magic
+    when PK_ZIP_MAGIC
+      @temp_dex = true
+      @temp_dir = true
+      @out_apk = "#{File.basename(input, '.*')}_oracle#{File.extname(input)}"
+      @out_dex = Tempfile.new(['oracle', '.dex'])
+      FileUtils.cp(input, @out_apk)
+      SmaliInput.extract_dex(@out_apk, @out_dex)
+      baksmali(input)
+    when DEX_MAGIC
+      @temp_dex = false
+      @temp_dir = true
+      @out_dex = "#{File.basename(input, '.*')}_oracle#{File.extname(input)}"
+      baksmali(input)
+    else
+      fail "Unrecognized file type for: #{input}, magic=#{magic.inspect}"
+    end
+  end
+
+  def baksmali(input)
+    fail 'Baksmali could not be found on the path.' if Utility.which('baksmali').nil?
+    @dir = Dir.mktmpdir
+    cmd = "baksmali #{input} -o #{@dir}"
+    SmaliInput.exec(cmd)
+  end
+
+  def self.exec(cmd)
+    `#{cmd}`
+  end
+end

data/lib/dex-oracle/smali_method.rb

@@ -0,0 +1,33 @@
+class SmaliMethod
+  attr_accessor :modified, :body
+  attr_reader :name, :class, :descriptor, :signature, :parameters, :return_type
+
+  PARAMETER_ISOLATOR = /\([^\)]+\)/
+  PARAMETER_INDIVIDUATOR = /(\[*(?:[BCDFIJSZ]|L[^;]+;))/
+
+  def initialize(class_name, signature, body = nil)
+    @modified = false
+    @class = class_name
+    @name = signature[/[^\(]+/]
+    @body = body
+    @return_type = signature[/[^\)$]+$/]
+    @descriptor = "#{class_name}->#{signature}"
+    @signature = signature
+    @parameters = []
+    parameter_string = signature[PARAMETER_ISOLATOR]
+    return if parameter_string.nil?
+    parameter_string.scan(PARAMETER_INDIVIDUATOR).each { |m| @parameters << m.first }
+  end
+
+  def to_s
+    @descriptor
+  end
+
+  def ==(other)
+      other.class == self.class && other.state == state
+  end
+
+  def state
+      [@name, @class, @descriptor, @parameters, @return_type, @modified, @body]
+  end
+end

data/lib/dex-oracle/utility.rb

@@ -0,0 +1,37 @@
+require 'zip'
+
+class Utility
+  def self.which(cmd)
+    exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+    ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+      exts.each do |ext|
+        exe = File.join(path, "#{cmd}#{ext}")
+        return exe if File.executable?(exe) && !File.directory?(exe)
+      end
+    end
+    nil
+  end
+
+  def self.create_zip(zip, name_to_file)
+    Zip::File.open(zip, Zip::File::CREATE) do |zf|
+      name_to_file.each { |n, f| zf.add(n, f) }
+    end
+  end
+
+  def self.extract_file(zip, name, dest)
+    Zip::File.open(zip) do |zf|
+      zf.each do |e|
+        next unless e.name == name
+        e.extract(dest) { true } # overwrite
+        break
+      end
+    end
+  end
+
+  def self.update_zip(zip, name, target)
+    Zip::File.open(zip) do |zf|
+      zf.remove(name)
+      zf.add(name, target.path)
+    end
+  end
+end

data/lib/dex-oracle/version.rb

@@ -0,0 +1,3 @@
+module DexOracle
+  VERSION = '1.0.2'
+end

data/lib/oracle.rb

@@ -0,0 +1,61 @@
+require_relative 'dex-oracle/logging'
+require_relative 'dex-oracle/plugin'
+require_relative 'dex-oracle/smali_file'
+
+class Oracle
+  include Logging
+
+  def initialize(smali_dir, driver, include_types, exclude_types, disable_plugins)
+    @smali_files = Oracle.parse_smali(smali_dir)
+    @methods = Oracle.filter_methods(@smali_files, include_types, exclude_types)
+    Plugin.init_plugins(driver, @smali_files, @methods)
+    @disable_plugins = disable_plugins
+    logger.info("Disabled plugins: #{@disable_plugins * ','}") unless @disable_plugins.empty?
+  end
+
+  def divine
+    puts "Optimizing #{@methods.size} methods over #{@smali_files.size} Smali files."
+    made_changes = process_plugins
+    @smali_files.each(&:update) if made_changes
+    optimizations = {}
+    Plugin.plugins.each { |p| optimizations.merge!(p.optimizations) }
+    opt_str = optimizations.collect { |k, v| "#{k}=#{v}" } * ', '
+    puts "Optimizations: #{opt_str}"
+  end
+
+  def process_plugins
+    made_changes = false
+    loop do
+      sweep_changes = false
+      Plugin.plugins.each do |p|
+        next if @disable_plugins.include?(p.class.name.downcase)
+        sweep_changes |= p.process
+      end
+      made_changes |= sweep_changes
+      break unless sweep_changes
+    end
+    made_changes
+  end
+
+  def self.filter_methods(smali_files, include_types, exclude_types)
+    methods = []
+    smali_files.each do |smali_file|
+      smali_file.methods.each do |method|
+        if include_types
+          next if method.descriptor !~ include_types
+        elsif exclude_types && !(method.descriptor !~ exclude_types)
+          next
+        end
+        methods << method
+      end
+    end
+
+    methods
+  end
+
+  def self.parse_smali(smali_dir)
+    smali_files = []
+    Dir["#{smali_dir}/**/*.smali"].each { |f| smali_files << SmaliFile.new(f) }
+    smali_files
+  end
+end

data/spec/data/plugins/bytes_decrypt.smali

@@ -0,0 +1,18 @@
+.class public Lorg/cf/BytesDecrypt;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 1
+
+    const-string v0, "asdf"
+
+    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B
+
+    move-result-object v0
+
+    invoke-static {v0}, Lorg/cf/BytesDecrypt;->decrypt([B)Ljava/lang/String;
+
+    move-result-object v0
+
+    return-void
+.end method

data/spec/data/plugins/class_forname.smali

@@ -0,0 +1,14 @@
+.class public Lorg/cf/ClassForName;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 1
+
+    const-string v0, "android.content.Intent"
+
+    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
+
+    move-result-object v0
+
+    return-void
+.end method