dex-oracle 1.0.2

data/spec/data/plugins/multi_bytes_decrypt.smali

@@ -0,0 +1,28 @@
+.class public Lorg/cf/MultiBytesDecrypt;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 3
+
+    const-string v0, "string1"
+
+    new-instance v1, Ljava/lang/String;
+
+    invoke-static {v0}, Lorg/cf/MultiBytesDecrypt;->doThing1(Ljava/lang/String;)[B
+
+    move-result-object v2
+
+    const-string v3, "string2"
+
+    invoke-static {v2, v3}, Lorg/cf/MultiBytesDecrypt;->doThing2([BLjava/lang/String;)[B
+
+    move-result-object v2
+
+    invoke-static {v2}, Lorg/cf/MultiBytesDecrypt;->doThing3([B)[B
+
+    move-result-object v2
+
+    invoke-direct {v1, v2}, Ljava/lang/String;-><init>([B)V
+
+    return-void
+.end method

data/spec/data/plugins/string_decrypt.smali

@@ -0,0 +1,14 @@
+.class public Lorg/cf/StringDecrypt;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 1
+
+    const-string v0, "encrypted"
+
+    invoke-static {v0}, Lorg/cf/StringDecrypt;->decrypt(Ljava/lang/String;)Ljava/lang/String;
+
+    move-result-object v0
+
+    return-void
+.end method

data/spec/data/plugins/string_lookup_1int.smali

@@ -0,0 +1,14 @@
+.class public Lorg/cf/StringLookup;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 1
+
+    const/4 v0, 0x0
+
+    invoke-static {v0}, Lorg/cf/StringLookup;->lookup(I)Ljava/lang/String;
+
+    move-result-object v0
+
+    return-void
+.end method

data/spec/data/plugins/string_lookup_3int.smali

@@ -0,0 +1,18 @@
+.class public Lorg/cf/StringLookup;
+.super Ljava/lang/Object;
+
+.method public static doStuff()V
+    .locals 3
+
+    const/4 v0, 0x0
+
+    const/4 v1, 0x1
+
+    const/4 v2, 0x2
+
+    invoke-static {v0, v1, v2}, Lorg/cf/StringLookup;->lookup(III)Ljava/lang/String;
+
+    move-result-object v0
+
+    return-void
+.end method

data/spec/data/smali/helloworld.smali

@@ -0,0 +1,17 @@
+.class public LHelloWorld; # COMMENT;
+.super Ljava/lang/Object; # YEAH ;
+.implements Lsome/Interface1;
+.implements Lsome/Interface2;
+
+.field public static final someField:Z
+
+.method public static main([Ljava/lang/String;)V
+    .locals 2
+
+    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
+    const-string v1, "hello,world!"
+    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
+
+    return-void
+.end method
+

data/spec/dex-oracle/driver_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+describe Driver do
+  let(:temp_file) { instance_double('Tempfile') }
+  let(:class_name) { 'some/Klazz' }
+  let(:method_signature) { 'run(III)V' }
+  let(:args) { [1, 2, 3] }
+  let(:batch_id) { '8ea0a5c705617449899c85cec2435356e8be83d6829e12ff109ab0c44c4156c6' }
+  let(:batch_item) { { className: 'some.Klazz', methodName: 'run', arguments: %w(I:1 I:2 I:3), id: batch_id } }
+  let(:driver) do
+    allow(temp_file).to receive(:path).and_return('/fake/tmp/file')
+    allow(temp_file).to receive(:unlink)
+    allow(temp_file).to receive(:close)
+    allow(temp_file).to receive(:flush)
+    allow(temp_file).to receive(:<<)
+    allow(Tempfile).to receive(:new).and_return(temp_file)
+    allow(File).to receive(:open).and_yield(temp_file)
+    allow(File).to receive(:read)
+    allow(JSON).to receive(:parse)
+    Driver.new(device_id)
+  end
+  let(:driver_stub) { 'export CLASSPATH=/data/local/od.zip; app_process /system/bin org.cf.oracle.Driver' }
+
+  describe '#make_target' do
+    let(:device_id) { '' }
+    let(:make_target) { driver.make_target(class_name, method_signature, *args) }
+
+    subject { make_target }
+    it { should eq batch_item }
+  end
+
+  describe '#run_batch' do
+    let(:device_id) { '' }
+    let(:batch) { [batch_item] }
+    let(:run_batch) { driver.run_batch(batch) }
+
+    subject { run_batch }
+    it do
+      expect(temp_file).to receive(:<<).with(batch.to_json).ordered
+      expect(driver).to receive(:adb).with("push #{temp_file.path} /data/local/od-targets.json")
+      expect(driver).to receive(:drive).with("#{driver_stub} @/data/local/od-targets.json", true)
+      allow(JSON).to receive(:parse) { {} }
+      expect(driver).to receive(:adb).with("pull /data/local/od-output.json #{temp_file.path}")
+      expect(driver).to receive(:adb).with('shell rm /data/local/od-output.json')
+      subject
+    end
+  end
+
+  describe '#run' do
+    context 'with a device id' do
+      let(:device_id) { '1234abcd' }
+
+      context 'with integer arguments' do
+        subject { driver.run(class_name, method_signature, *args) }
+        it do
+          allow(driver).to receive(:drive)
+          expect(driver).to receive(:drive).with("#{driver_stub} 'some.Klazz' 'run' I:1 I:2 I:3")
+          subject
+        end
+      end
+    end
+
+    context 'without a device id' do
+      let(:device_id) { '' }
+
+      context 'with string argument' do
+        let(:class_name) { 'string/Klazz' }
+        let(:method_signature) { 'run(Ljava/lang/String;)V' }
+        let(:args) { 'hello string' }
+
+        subject { driver.run(class_name, method_signature, args) }
+        it do
+          allow(driver).to receive(:drive)
+          expect(driver).to receive(:drive).with(
+            "#{driver_stub} 'string.Klazz' 'run' java.lang.String:[104,101,108,108,111,32,115,116,114,105,110,103]"
+          )
+          subject
+        end
+      end
+    end
+  end
+end

data/spec/dex-oracle/plugins/string_decryptor_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe StringDecryptor do
+  let(:data_path) { 'spec/data/plugins' }
+  let(:driver) { instance_double('Driver') }
+  let(:smali_files) { [SmaliFile.new(file_path)] }
+  let(:method) { smali_files.first.methods.first }
+  let(:batch) { { id: '123' } }
+  let(:plugin) { StringDecryptor.new(driver, smali_files, [method]) }
+
+  describe '#process' do
+    subject { plugin.process }
+
+    context 'with string_decrypt.smali' do
+      let(:file_path) { "#{data_path}/string_decrypt.smali" }
+      let(:batch_item) { ["const-string v0, \"encrypted\"\n\n    invoke-static {v0}, Lorg/cf/StringDecrypt;->decrypt(Ljava/lang/String;)Ljava/lang/String;\n\n    move-result-object v0", 'v0'] }
+
+      it do
+        expect(driver).to receive(:make_target).with('org/cf/StringDecrypt', 'decrypt(Ljava/lang/String;)', 'encrypted').and_return(batch)
+        expect(Plugin).to receive(:apply_batch).with(driver, { method => { batch => [batch_item] } }, kind_of(Proc))
+        subject
+      end
+    end
+  end
+end

data/spec/dex-oracle/plugins/undexguard_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+describe Undexguard do
+  let(:data_path) { 'spec/data/plugins' }
+  let(:driver) { instance_double('Driver') }
+  let(:smali_files) { [SmaliFile.new(file_path)] }
+  let(:method) { smali_files.first.methods.first }
+  let(:batch) { { id: '123' } }
+  let(:plugin) { Undexguard.new(driver, smali_files, [method]) }
+
+  describe '#process' do
+    subject { plugin.process }
+
+    context 'with string_lookup_3int.smali' do
+      let(:file_path) { "#{data_path}/string_lookup_3int.smali" }
+      let(:batch_item) { ["const/4 v0, 0x0\n\n    const/4 v1, 0x1\n\n    const/4 v2, 0x2\n\n    invoke-static {v0, v1, v2}, Lorg/cf/StringLookup;->lookup(III)Ljava/lang/String;\n\n    move-result-object v0", 'v0'] }
+
+      it do
+        expect(driver).to receive(:make_target).with('org/cf/StringLookup', 'lookup(III)', 0, 1, 2).and_return(batch)
+        expect(Plugin).to receive(:apply_batch).with(driver, { method => { batch => [batch_item] } }, kind_of(Proc))
+        subject
+      end
+    end
+
+    context 'with string_lookup_1int.smali' do
+      let(:file_path) { "#{data_path}/string_lookup_1int.smali" }
+      let(:batch_item) { ["const/4 v0, 0x0\n\n    invoke-static {v0}, Lorg/cf/StringLookup;->lookup(I)Ljava/lang/String;\n\n    move-result-object v0", 'v0'] }
+
+      it do
+        expect(driver).to receive(:make_target).with('org/cf/StringLookup', 'lookup(I)', 0).and_return(batch)
+        expect(Plugin).to receive(:apply_batch).with(driver, { method => { batch => [batch_item] } }, kind_of(Proc))
+        subject
+      end
+    end
+
+    context 'with bytes_decrypt.smali' do
+      let(:file_path) { "#{data_path}/bytes_decrypt.smali" }
+      let(:batch_item) { ["const-string v0, \"asdf\"\n\n    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B\n\n    move-result-object v0\n\n    invoke-static {v0}, Lorg/cf/BytesDecrypt;->decrypt([B)Ljava/lang/String;\n\n    move-result-object v0", 'v0'] }
+
+      it do
+        expect(driver).to receive(:make_target).with('org/cf/BytesDecrypt', 'decrypt([B)', [97, 115, 100, 102]).and_return(batch)
+        expect(Plugin).to receive(:apply_batch).with(driver, { method => { batch => [batch_item] } }, kind_of(Proc))
+        subject
+      end
+    end
+
+    context 'with multi_bytes_decrypt.smali' do
+      let(:file_path) { "#{data_path}/multi_bytes_decrypt.smali" }
+      let(:batch_id) { '9e31b050ec6334ed1c9ec57686b5bd765bd811410bc240141dfc466ef0719bfd' }
+      let(:batch) { { id: batch_id } }
+      let(:batch_item) { ["const-string v0, \"string1\"\n\n    new-instance v1, Ljava/lang/String;\n\n    invoke-static {v0}, Lorg/cf/MultiBytesDecrypt;->doThing1(Ljava/lang/String;)[B\n\n    move-result-object v2\n\n    const-string v3, \"string2\"\n\n    invoke-static {v2, v3}, Lorg/cf/MultiBytesDecrypt;->doThing2([BLjava/lang/String;)[B\n\n    move-result-object v2\n\n    invoke-static {v2}, Lorg/cf/MultiBytesDecrypt;->doThing3([B)[B\n\n    move-result-object v2\n\n    invoke-direct {v1, v2}, Ljava/lang/String;-><init>([B)V", 'v1'] }
+      let(:iv_bytes) { '[1,2,3]' }
+      let(:enc_bytes) { '[4,5,6]' }
+      let(:dec_bytes) { '[65]' }
+
+      it do
+        expect(driver).to receive(:run).with('org/cf/MultiBytesDecrypt', 'doThing1(Ljava/lang/String;)', 'string1').and_return(iv_bytes)
+        expect(driver).to receive(:run).with('org/cf/MultiBytesDecrypt', 'doThing2([BLjava/lang/String;)', iv_bytes, 'string2').and_return(enc_bytes)
+        expect(driver).to receive(:run).with('org/cf/MultiBytesDecrypt', 'doThing3([B)', enc_bytes).and_return(dec_bytes)
+        expect(Plugin).to receive(:apply_outputs).with(
+          { batch_id => %w(success A) },
+          { method => { batch => [batch_item] } },
+          kind_of(Proc)
+        )
+        subject
+      end
+    end
+  end
+end

data/spec/dex-oracle/plugins/unreflector_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+describe Unreflector do
+  let(:data_path) { 'spec/data/plugins' }
+  let(:driver) { instance_double('Driver') }
+  let(:smali_files) { [SmaliFile.new(file_path)] }
+  let(:method) { smali_files.first.methods.first }
+  let(:plugin) { Unreflector.new(driver, smali_files, [method]) }
+
+  describe '#process' do
+    subject { plugin.process }
+
+    context 'with class_forname.smali' do
+      let(:file_path) { "#{data_path}/class_forname.smali" }
+      let(:batch_id) { 'f8dc3df1acedbee81e5ff984eb026b76eb5e4bdf6d401fb12e081b8bcdb0cd55' }
+      let(:batch) { { id: batch_id } }
+      let(:batch_item) { ["const-string v0, \"android.content.Intent\"\n\n    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;\n\n    move-result-object v0", 'v0'] }
+
+      it do
+        expect(Plugin).to receive(:apply_outputs).with(
+          { batch_id => ['success', 'Landroid/content/Intent;'] },
+          { method => { batch => [batch_item] } },
+          kind_of(Proc)
+        )
+        subject
+      end
+    end
+  end
+end

data/spec/dex-oracle/smali_field_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+describe SmaliField do
+  context 'with simple field' do
+    let(:class_name) { 'Lorg/cfg/MyClass;' }
+    let(:field_signature) { 'someField:Ljava/lang/Object;' }
+    let(:smali_field) { SmaliField.new(class_name, field_signature) }
+    subject { smali_field }
+
+    its(:class) { should eq class_name }
+    its(:name) { should eq 'someField' }
+    its(:type) { should eq 'Ljava/lang/Object;' }
+    its(:descriptor) { should eq "#{class_name}->#{field_signature}" }
+  end
+end

data/spec/dex-oracle/smali_file_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe SmaliFile do
+  let(:data_path) { 'spec/data/smali' }
+
+  context 'the hello world smali' do
+    let(:file_path) { "#{data_path}/helloworld.smali" }
+    let(:smali_file) { SmaliFile.new(file_path) }
+    let(:method_body) do
+<<-EOF
+
+    .locals 2
+
+    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
+    const-string v1, "hello,world!"
+    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
+
+    return-void
+        EOF
+    end
+
+    subject { smali_file }
+    its(:class) { should eq 'LHelloWorld;' }
+    its(:super) { should eq 'Ljava/lang/Object;' }
+    its(:interfaces) { should eq ['Lsome/Interface1;', 'Lsome/Interface2;'] }
+    its(:fields) { should eq [SmaliField.new('LHelloWorld;', 'someField:Z')] }
+    its(:methods) { should eq [SmaliMethod.new('LHelloWorld;', 'main([Ljava/lang/String;)V', method_body)] }
+
+    describe '#update' do
+      subject { smali_file.content }
+      it 'should update modified methods' do
+        allow(File).to receive(:open)
+        method = smali_file.methods.first
+        method.modified = true
+        method.body = "\nreturn-void\n"
+        smali_file.update
+        should eq ".class public LHelloWorld; # COMMENT;\n.super Ljava/lang/Object; # YEAH ;\n.implements Lsome/Interface1;\n.implements Lsome/Interface2;\n\n.field public static final someField:Z\n\n.method public static main([Ljava/lang/String;)V\nreturn-void\n.end method\n\n"
+      end
+    end
+  end
+end

data/spec/dex-oracle/smali_input_spec.rb

@@ -0,0 +1,90 @@
+require 'spec_helper'
+
+describe SmaliInput do
+  let(:data_path) { 'spec/data' }
+  let(:temp_dir) { '/fake/tmp/dir' }
+  let(:temp_file) { '/fake/tmp/file' }
+
+  context 'for input that must be disassembled with baksmali' do
+    let(:smali_input) do
+      allow(Dir).to receive(:mktmpdir).and_return(temp_dir)
+      allow(Tempfile).to receive(:new).and_return(temp_file)
+      allow(SmaliInput).to receive(:which).and_return('baksmali')
+      allow(SmaliInput).to receive(:exec)
+      allow(SmaliInput).to receive(:update_apk)
+      allow(SmaliInput).to receive(:extract_dex)
+      allow(FileUtils).to receive(:cp)
+      SmaliInput.new(file_path)
+    end
+
+    subject { smali_input }
+
+    context 'with an apk' do
+      let(:file_path) { "#{data_path}/helloworld.apk" }
+      its(:out_apk) { should eq 'helloworld_oracle.apk' }
+      its(:out_dex) { should eq temp_file }
+      its(:dir) { should eq temp_dir }
+      its(:temp_dir) { should be true }
+      its(:temp_dex) { should be true }
+    end
+
+    context 'with a dex' do
+      let(:file_path) { "#{data_path}/helloworld.dex" }
+      its(:out_apk) { should be nil }
+      its(:out_dex) { should eq 'helloworld_oracle.dex' }
+      its(:dir) { should eq temp_dir }
+      its(:temp_dir) { should be true }
+      its(:temp_dex) { should be false }
+    end
+  end
+
+  context 'for input that must be disassembled without baksmali' do
+    let(:file_path) { "#{data_path}/helloworld.dex" }
+    let(:smali_input) do
+      allow(Dir).to receive(:mktmpdir).and_return(temp_dir)
+      allow(SmaliInput).to receive(:which).and_return(nil)
+      allow(SmaliInput).to receive(:exec)
+      SmaliInput.new(file_path)
+    end
+
+    subject { smali_input }
+    it 'raises' do
+      expect raise_error
+    end
+  end
+
+  context 'for unrecognized input type' do
+    let(:file_path) { "#{data_path}/helloworld.smali" }
+    let(:smali_input) do
+      allow(Dir).to receive(:mktmpdir).and_return(temp_dir)
+      SmaliInput.new(file_path)
+    end
+
+    subject { smali_input }
+
+    it 'raises' do
+      expect raise_error
+    end
+  end
+
+  context 'for a directory' do
+    let(:file_path) { "#{data_path}/smali" }
+    let(:smali_input) do
+      allow(FileUtils).to receive(:rm_rf)
+      allow(SmaliInput).to receive(:compile)
+      SmaliInput.new(file_path)
+    end
+
+    subject { smali_input }
+
+    its(:out_apk) { should be nil }
+    its(:out_dex) { should be nil }
+    its(:dir) { should eq file_path }
+    its(:temp_dir) { should be false }
+    its(:temp_dex) { should be true }
+    it do
+      expect(SmaliInput).to receive(:compile)
+      subject
+    end
+  end
+end