dex-oracle 1.0.4 → 1.0.5

data/lib/dex-oracle/plugin.rb

@@ -1,9 +1,9 @@
 class Plugin
   module CommonRegex
-    CONST_NUMBER = 'const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)'
-    ESCAPE_STRING = '"(.*?)(?<!\\\\)"'
-    CONST_STRING = 'const-string [vp]\d+, ' << ESCAPE_STRING << '.*'
-    MOVE_RESULT_OBJECT = 'move-result-object ([vp]\d+)'
+    CONST_NUMBER = 'const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)'.freeze
+    ESCAPE_STRING = '"(.*?)(?<!\\\\)"'.freeze
+    CONST_STRING = 'const-string(?:/jumbo)? [vp]\d+, ' << ESCAPE_STRING << '.*'.freeze
+    MOVE_RESULT_OBJECT = 'move-result-object ([vp]\d+)'.freeze
   end
 
   @plugins = []
@@ -16,7 +16,7 @@ class Plugin
     Dir["#{File.dirname(__FILE__)}/plugins/*.rb"].each { |f| require f }
     classes = []
     Object.constants.each do |klass|
-      const = Kernel.const_get(klass)
+      const = Kernel.const_get(klass) unless klass == :TimeoutError
       next unless const.respond_to?(:superclass) && const.superclass == Plugin
       classes << const
     end
@@ -29,11 +29,11 @@ class Plugin
   end
 
   def process
-    fail 'process not implemented'
+    raise 'process not implemented'
   end
 
   def optimizations
-    fail 'optimizations not implemented'
+    raise 'optimizations not implemented'
   end
 
   # method_to_target_to_context -> { method: [target_to_context] }

data/lib/dex-oracle/plugins/bitwise_antiskid.rb

@@ -0,0 +1,61 @@
+require_relative '../logging'
+require_relative '../utility'
+
+# Sample: 0e18bbf2a3539e5669be76ed4c468257ecfd3d36
+class BitwiseAntiSkid < Plugin
+  attr_reader :optimizations
+
+  include Logging
+  include CommonRegex
+
+  STRING_DECRYPT = Regexp.new(
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' + \
+    CONST_NUMBER + '\s+' \
+    'invoke-static \{[vp]\d+, [vp]\d+\}, L([^;]+);->(Go_Learn_Something\(Ljava/lang/String;I\))Ljava/lang/String;' \
+    '\s+' + \
+    MOVE_RESULT_OBJECT + ')'
+  )
+
+  MODIFIER = -> (_, output, out_reg) { "const-string #{out_reg}, \"#{output.split('').collect { |e| e.inspect[1..-2] }.join}\"" }
+
+  def initialize(driver, smali_files, methods)
+    @driver = driver
+    @smali_files = smali_files
+    @methods = methods
+    @optimizations = Hash.new(0)
+  end
+
+  def process
+    method_to_target_to_contexts = {}
+    @methods.each do |method|
+      logger.info("Decrypting Bitwise Anti-Skid #{method.descriptor}")
+      target_to_contexts = {}
+      target_to_contexts.merge!(decrypt_strings(method))
+      target_to_contexts.map { |_, v| v.uniq! }
+      method_to_target_to_contexts[method] = target_to_contexts unless target_to_contexts.empty?
+    end
+
+    made_changes = false
+    made_changes |= Plugin.apply_batch(@driver, method_to_target_to_contexts, MODIFIER)
+
+    made_changes
+  end
+
+  private
+
+  def decrypt_strings(method)
+    target_to_contexts = {}
+    matches = method.body.scan(STRING_DECRYPT)
+    @optimizations[:string_decrypts] += matches.size if matches
+    matches.each do |original, encrypted, number, class_name, method_signature, out_reg|
+      target = @driver.make_target(
+        class_name, method_signature, encrypted, number.to_i(16)
+      )
+      target_to_contexts[target] = [] unless target_to_contexts.key?(target)
+      target_to_contexts[target] << [original, out_reg]
+    end
+
+    target_to_contexts
+  end
+end

data/lib/dex-oracle/plugins/string_decryptor.rb

@@ -2,13 +2,17 @@ require_relative '../logging'
 require_relative '../utility'
 
 class StringDecryptor < Plugin
+  attr_reader :optimizations
+
   include Logging
   include CommonRegex
 
   STRING_DECRYPT = Regexp.new(
-    '^[ \t]*(' << CONST_STRING << '\s+' \
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' \
     'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(Ljava/lang/String;\))Ljava/lang/String;' \
-    '\s+' << MOVE_RESULT_OBJECT << ')'
+    '\s+' +
+    MOVE_RESULT_OBJECT + ')'
   )
 
   MODIFIER = -> (_, output, out_reg) { "const-string #{out_reg}, \"#{output.split('').collect { |e| e.inspect[1..-2] }.join}\"" }
@@ -36,10 +40,6 @@ class StringDecryptor < Plugin
     made_changes
   end
 
-  def optimizations
-    @optimizations
-  end
-
   private
 
   def decrypt_strings(method)

data/lib/dex-oracle/plugins/undexguard.rb

@@ -2,36 +2,45 @@ require_relative '../logging'
 require_relative '../utility'
 
 class Undexguard < Plugin
+  attr_reader :optimizations
+
   include Logging
   include CommonRegex
 
   STRING_LOOKUP_3INT = Regexp.new(
-    '^[ \t]*(' << ((CONST_NUMBER << '\s+') * 3) <<
+    '^[ \t]*(' +
+    ((CONST_NUMBER + '\s+') * 3) +
     'invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(III\))Ljava/lang/String;' \
-    '\s+' << MOVE_RESULT_OBJECT << ')',
+    '\s+' +
+    MOVE_RESULT_OBJECT + ')',
     Regexp::MULTILINE
   )
 
   STRING_LOOKUP_1INT = Regexp.new(
-    '^[ \t]*(' << CONST_NUMBER << '\s+' \
+    '^[ \t]*(' +
+    CONST_NUMBER + '\s+' \
     'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(I\))Ljava/lang/String;' \
-    '\s+' << MOVE_RESULT_OBJECT << ')'
+    '\s+' +
+    MOVE_RESULT_OBJECT + ')'
   )
 
   BYTES_DECRYPT = Regexp.new(
-    '^[ \t]*(' << CONST_STRING << '\s+' \
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' \
     'invoke-virtual \{[vp]\d+\}, Ljava\/lang\/String;->getBytes\(\)\[B\s+' \
     'move-result-object [vp]\d+\s+' \
     'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(\[B\))Ljava/lang/String;' \
-    '\s+' << MOVE_RESULT_OBJECT << ')'
+    '\s+' +
+    MOVE_RESULT_OBJECT + ')'
   )
 
   MULTI_BYTES_DECRYPT = Regexp.new(
-    '^[ \t]*(' << CONST_STRING << '\s+' \
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' \
     'new-instance ([vp]\d+), L[^;]+;\s+' \
     'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(Ljava/lang/String;\))\[B\s+' \
-    'move-result-object [vp]\d+\s+' <<
-    CONST_STRING << '\s+' \
+    'move-result-object [vp]\d+\s+' +
+    CONST_STRING + '\s+' \
     'invoke-static \{[vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(\[BLjava/lang/String;\))\[B\s+' \
     'move-result-object [vp]\d+\s+' \
     'invoke-static \{[vp]\d+\}, L([^;]+);->([^\(]+\(\[B\))\[B\s+' \
@@ -71,21 +80,8 @@ class Undexguard < Plugin
     made_changes
   end
 
-  def optimizations
-    @optimizations
-  end
-
   private
 
-  def self.array_string_to_array(str)
-      if str =~ /\A\[(?:\d+(?:,\d+)*)?\]\z/
-        str = eval(str)
-      else
-        fail "Output is not in byte format; this frightens me: #{str}"
-      end
-      str
-  end
-
   def lookup_strings_3int(method)
     target_to_contexts = {}
     matches = method.body.scan(STRING_LOOKUP_3INT)
@@ -140,7 +136,7 @@ class Undexguard < Plugin
       iv_bytes = @driver.run(iv_class_name, iv_method_signature, iv_str)
       enc_bytes = @driver.run(iv2_class_name, iv2_method_signature, iv_bytes, iv2_str)
       dec_bytes = @driver.run(dec_class_name, dec_method_signature, enc_bytes)
-      dec_array = Undexguard.array_string_to_array(dec_bytes)
+      dec_array = array_string_to_array(dec_bytes)
       dec_string = dec_array.pack('U*')
 
       target = { id: Digest::SHA256.hexdigest(original) }
@@ -152,4 +148,13 @@ class Undexguard < Plugin
     method_to_target_to_contexts = { method => target_to_contexts }
     Plugin.apply_outputs(target_id_to_output, method_to_target_to_contexts, MODIFIER)
   end
+
+  def array_string_to_array(str)
+    if str =~ /\A\[(?:\d+(?:,\d+)*)?\]\z/
+      str = eval(str)
+    else
+      raise "Output is not in byte format; this frightens me: #{str}"
+    end
+    str
+  end
 end

data/lib/dex-oracle/plugins/unreflector.rb

@@ -2,42 +2,43 @@ require 'digest'
 require_relative '../logging'
 
 class Unreflector < Plugin
+  attr_reader :optimizations
+
   include Logging
   include CommonRegex
 
-  attr_reader :optimizations
-
-  CLASS_FOR_NAME = 'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;'
+  CLASS_FOR_NAME = 'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;'.freeze
 
   CONST_CLASS_REGEX = Regexp.new(
-    '^[ \t]*(' << CONST_STRING << '\s+' <<
-    CLASS_FOR_NAME << '\s+' <<
-    MOVE_RESULT_OBJECT << ')'
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' +
+    CLASS_FOR_NAME + '\s+' +
+    MOVE_RESULT_OBJECT + ')'
   )
 
   VIRTUAL_FIELD_LOOKUP = Regexp.new(
-    '^[ \t]*(' <<
-    CONST_STRING << '\s+' \
-    'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;\s+' <<
-    MOVE_RESULT_OBJECT << '\s+' <<
-    CONST_STRING << '\s+' \
-    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' <<
-    MOVE_RESULT_OBJECT << '\s+' \
-    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' <<
-    MOVE_RESULT_OBJECT << ')'
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' \
+    'invoke-static \{[vp]\d+\}, Ljava\/lang\/Class;->forName\(Ljava\/lang\/String;\)Ljava\/lang\/Class;\s+' +
+    MOVE_RESULT_OBJECT + '\s+' +
+    CONST_STRING + '\s+' \
+    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' +
+    MOVE_RESULT_OBJECT + '\s+' \
+    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' +
+    MOVE_RESULT_OBJECT + ')'
   )
 
   STATIC_FIELD_LOOKUP = Regexp.new(
-    '^[ \t]*(' <<
-    CONST_STRING << '\s+' <<
-    CLASS_FOR_NAME << '\s+' <<
-    MOVE_RESULT_OBJECT << '\s+' <<
-    CONST_STRING <<
-    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' <<
-    MOVE_RESULT_OBJECT << '\s+' \
+    '^[ \t]*(' +
+    CONST_STRING + '\s+' +
+    CLASS_FOR_NAME + '\s+' +
+    MOVE_RESULT_OBJECT + '\s+' +
+    CONST_STRING +
+    'invoke-virtual \{[vp]\d+, [vp]\d+\}, Ljava\/lang\/Class;->getField\(Ljava\/lang\/String;\)Ljava\/lang\/reflect\/Field;\s+' +
+    MOVE_RESULT_OBJECT + '\s+' \
     'const/4 [vp]\d+, 0x0\s+' \
-    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' <<
-    MOVE_RESULT_OBJECT <<
+    'invoke-virtual \{[vp]\d+, ([vp]\d+)\}, Ljava\/lang\/reflect\/Field;->get\(Ljava\/lang\/Object;\)Ljava\/lang\/Object;\s+' +
+    MOVE_RESULT_OBJECT +
     ')'
   )
 
@@ -60,10 +61,6 @@ class Unreflector < Plugin
     made_changes
   end
 
-  def optimizations
-    @optimizations
-  end
-
   private
 
   def lookup_classes(method)

data/lib/dex-oracle/resources.rb

@@ -1,13 +1,15 @@
+require_relative 'logging'
+
 class Resources
   include Logging
 
   PATH = File.join(File.dirname(File.expand_path(__FILE__)), '../../res')
 
   def self.dx
-    return "#{PATH}/dx.jar"
+    "#{PATH}/dx.jar"
   end
 
   def self.driver_dex
-    return "#{PATH}/driver.dex"
+    "#{PATH}/driver.dex"
   end
 end

data/lib/dex-oracle/smali_file.rb

@@ -1,3 +1,4 @@
+# encoding: utf-8
 require_relative 'smali_field'
 require_relative 'smali_method'
 require_relative 'logging'
@@ -7,13 +8,13 @@ class SmaliFile
 
   include Logging
 
-  ACCESSOR = /(?:interface|public|protected|private|abstract|static|final|synchronized|transient|volatile|native|strictfp|synthetic|enum|annotation)/
+  ACCESSOR = /(?:abstract|annotation|constructor|enum|final|interface|native|private|protected|public|static|strictfp|synchronized|synthetic|transient|volatile)/
   TYPE = /(?:[IJFDZBCV]|L[^;]+;)/
   CLASS = /^\.class (?:#{ACCESSOR} )+(L[^;]+;)/
   SUPER = /^\.super (L[^;]+;)/
   INTERFACE = /^\.implements (L[^;]+;)/
   FIELD = /^\.field (?:#{ACCESSOR} )+([^\s]+)$/
-  METHOD = /^.method (?:#{ACCESSOR} )+([^\s]+)$/
+  METHOD = /^\.method (?:#{ACCESSOR} )+([^\s]+)$/
 
   def initialize(file_path)
     @file_path = file_path
@@ -38,23 +39,44 @@ class SmaliFile
   private
 
   def parse(file_path)
-    @content = IO.read(file_path)
+    logger.debug("Parsing: #{file_path} ...")
+    @content = File.open(file_path, 'r:UTF-8', &:read)
     @class = @content[CLASS, 1]
     @super = @content[SUPER, 1]
     @interfaces = []
     @content.scan(INTERFACE).each { |m| @interfaces << m.first }
     @fields = []
     @content.scan(FIELD).each { |m| @fields << SmaliField.new(@class, m.first) }
+    parse_methods
+  end
+
+  def parse_methods
     @methods = []
-    @content.scan(METHOD).each do |m|
-      body_regex = build_method_regex(m.first)
-      body = @content[body_regex, 1]
-      @methods << SmaliMethod.new(@class, m.first, body)
+    method_signature = nil
+    in_method = false
+    body = nil
+    @content.each_line do |line|
+      if in_method
+        if /^\.end method$/ =~ line
+          in_method = false
+          @methods << SmaliMethod.new(@class, method_signature, body)
+          next
+        end
+        body << line
+      else
+        next unless line.include?('.method ')
+        m = METHOD.match(line)
+        next unless m
+
+        in_method = true
+        method_signature = m.captures.first
+        body = "\n"
+      end
     end
   end
 
   def build_method_regex(method_signature)
-    /\.method (?:#{ACCESSOR} )+#{Regexp.escape(method_signature)}(.*)^\.end method/m
+    /^\.method (?:#{ACCESSOR} )+#{Regexp.escape(method_signature)}(.+?)^\.end method$/m
   end
 
   def update_method(method)

data/lib/dex-oracle/smali_input.rb

@@ -5,8 +5,10 @@ require_relative 'utility'
 class SmaliInput
   attr_reader :dir, :out_apk, :out_dex, :temp_dir, :temp_dex
 
-  DEX_MAGIC = [0x64, 0x65, 0x78]
-  PK_ZIP_MAGIC = [0x50, 0x4b, 0x3]
+  include Logging
+
+  DEX_MAGIC = [0x64, 0x65, 0x78].freeze
+  PK_ZIP_MAGIC = [0x50, 0x4b, 0x3].freeze
 
   def initialize(input)
     prepare(input)
@@ -14,19 +16,18 @@ class SmaliInput
 
   def finish
     SmaliInput.update_apk(dir, @out_apk) if @out_apk
-    SmaliInput.compile(dir, @out_dex) if @out_dex
+    SmaliInput.compile(dir, @out_dex) if @out_dex && !@out_apk
     FileUtils.rm_rf(@dir) if @temp_dir
     FileUtils.rm_rf(@out_dex) if @temp_dex
   end
 
-  private
-
   def self.compile(dir, out_dex = nil)
-    fail 'Smali could not be found on the path.' if Utility.which('smali').nil?
-    out_dex = Tempfile.new(['oracle', '.dex']) if out_dex.nil?
+    raise 'Smali could not be found on the path.' if Utility.which('smali').nil?
+    out_dex = Tempfile.new(%w(oracle .dex)) if out_dex.nil?
+    logger.info("Compiling DEX #{out_dex.path} ...")
     exit_code = SmaliInput.exec("smali #{dir} -o #{out_dex.path}")
     # Remember kids, if you make a CLI, exit with non-zero status for failures
-    fail 'Crap, smali compilation failed.' if $CHILD_STATUS.exitstatus != 0
+    raise 'Crap, smali compilation failed.' if $CHILD_STATUS.exitstatus != 0
     out_dex
   end
 
@@ -39,6 +40,20 @@ class SmaliInput
     Utility.extract_file(apk, 'classes.dex', out_dex)
   end
 
+  def self.exec(cmd)
+    `#{cmd}`
+  end
+
+  private
+
+  def baksmali(input)
+    logger.debug("Disassembling #{input} ...")
+    raise 'Baksmali could not be found on the path.' if Utility.which('baksmali').nil?
+    @dir = Dir.mktmpdir
+    cmd = "baksmali #{input} -o #{@dir}"
+    SmaliInput.exec(cmd)
+  end
+
   def prepare(input)
     if File.directory?(input)
       @temp_dir = false
@@ -54,7 +69,7 @@ class SmaliInput
       @temp_dex = true
       @temp_dir = true
       @out_apk = "#{File.basename(input, '.*')}_oracle#{File.extname(input)}"
-      @out_dex = Tempfile.new(['oracle', '.dex'])
+      @out_dex = Tempfile.new(%w(oracle .dex))
       FileUtils.cp(input, @out_apk)
       SmaliInput.extract_dex(@out_apk, @out_dex)
       baksmali(input)
@@ -62,20 +77,11 @@ class SmaliInput
       @temp_dex = false
       @temp_dir = true
       @out_dex = "#{File.basename(input, '.*')}_oracle#{File.extname(input)}"
+      FileUtils.cp(input, @out_dex)
+      @out_dex = File.new(@out_dex)
       baksmali(input)
     else
-      fail "Unrecognized file type for: #{input}, magic=#{magic.inspect}"
+      raise "Unrecognized file type for: #{input}, magic=#{magic.inspect}"
     end
   end
-
-  def baksmali(input)
-    fail 'Baksmali could not be found on the path.' if Utility.which('baksmali').nil?
-    @dir = Dir.mktmpdir
-    cmd = "baksmali #{input} -o #{@dir}"
-    SmaliInput.exec(cmd)
-  end
-
-  def self.exec(cmd)
-    `#{cmd}`
-  end
 end