dex-oracle 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 429e83f28628efc0c01a251eb0c7870cb5b7f3b8
-  data.tar.gz: bac7c0333a490afe785742ac3988fbd951bc358c
+  metadata.gz: 29bb9c9cc9066101108219d27ca91119656d9a17
+  data.tar.gz: 9d709fc5ca90c911a3898a1ed0e67767fb9e44b4
 SHA512:
-  metadata.gz: 7055c8ff20a15d05248e73d5cdee4fda24c61c5d326a72f08f808f5b1d5798534b1e8c294b246a99426f7b3b0ecb7afff597240ea92e8bd530ad4e843677f98b
-  data.tar.gz: d53241c511d62fc1ca13b7b197af60609d7b18580beb023889bee030b7ba97c6a5d5e21502030426a1d6e02067d4087565c56bb6065a0029f746a88afaf5ff87
+  metadata.gz: d9eac46906217db1dcc2fcf4dc20a93a0a4ab98afb94fe523b2080c8a023a8acef3c55a5219fd19ff2b28a2c14cd36dabd626e418b24cdd7b8ae3dc3224fe8f6
+  data.tar.gz: 18057a22e1d35a71d34bc12da469929f2ce6d71924a806f4a43fbc3f1c42f87e16b146e5788854f0fae78230d8cd1724a6d474c24e4f97a659163e42ec9c0414

data/Gemfile

@@ -1,4 +1,9 @@
 source 'https://rubygems.org'
 gemspec name: 'dex-oracle'
 
-gem 'rubocop', require: false
+group :development, :test do
+  gem 'rubocop', require: false
+  gem 'codeclimate-test-reporter', require: nil
+  gem 'fakefs', require: 'fakefs/safe'
+  gem 'rspec'
+end

data/Gemfile.lock

@@ -1,56 +1,65 @@
 PATH
   remote: .
   specs:
-    dex-oracle (1.0.3)
+    dex-oracle (1.0.5)
       rubyzip (~> 1.1, >= 1.1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.1.0)
-    astrolabe (1.3.1)
-      parser (~> 2.2)
+    ast (2.3.0)
+    codeclimate-test-reporter (0.6.0)
+      simplecov (>= 0.7.1, < 1.0.0)
     diff-lcs (1.2.5)
-    parser (2.2.3.0)
-      ast (>= 1.1, < 3.0)
+    docile (1.1.5)
+    fakefs (0.9.0)
+    json (2.0.1)
+    parser (2.3.1.2)
+      ast (~> 2.2)
     powerpack (0.1.1)
-    rainbow (2.0.0)
-    rspec (3.4.0)
-      rspec-core (~> 3.4.0)
-      rspec-expectations (~> 3.4.0)
-      rspec-mocks (~> 3.4.0)
-    rspec-core (3.4.1)
-      rspec-support (~> 3.4.0)
-    rspec-expectations (3.4.0)
+    rainbow (2.1.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.1)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.4.0)
+      rspec-support (~> 3.5.0)
     rspec-its (1.2.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.4.0)
+    rspec-mocks (3.5.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.4.0)
-    rspec-support (3.4.1)
-    rubocop (0.35.1)
-      astrolabe (~> 1.3)
-      parser (>= 2.2.3.0, < 3.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    rubocop (0.41.2)
+      parser (>= 2.3.1.1, < 3.0)
       powerpack (~> 0.1)
       rainbow (>= 1.99.1, < 3.0)
       ruby-progressbar (~> 1.7)
-      tins (<= 1.6.0)
-    ruby-progressbar (1.7.5)
-    rubyzip (1.1.7)
-    tins (1.6.0)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.8.1)
+    rubyzip (1.2.0)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    unicode-display_width (1.1.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  codeclimate-test-reporter
   dex-oracle!
-  rspec (~> 3.4, >= 3.4.0)
+  fakefs
+  rspec
   rspec-its (~> 1.2, >= 1.2.0)
   rspec-mocks (~> 3.4, >= 3.4.0)
   rubocop
 
 BUNDLED WITH
-   1.11.2
+   1.12.5

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015 Caleb Fenton
+Copyright (c) 2016 Caleb Fenton
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,29 +1,50 @@
 # Oracle
+
 A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis. Also, the inspiration for another Android deobfuscator: [Simplify](https://github.com/CalebFenton/simplify).
 
+[![Gem Version](https://badge.fury.io/rb/dex-oracle.svg)](https://badge.fury.io/rb/dex-oracle)
+[![Code Climate](https://codeclimate.com/github/CalebFenton/dex-oracle/badges/gpa.svg)](https://codeclimate.com/github/CalebFenton/dex-oracle)
+[![Test Coverage](https://codeclimate.com/github/CalebFenton/dex-oracle/badges/coverage.svg)](https://codeclimate.com/github/CalebFenton/dex-oracle/coverage)
+
 **Before**
 ![before](http://i.imgur.com/nICE4N4.png)
 
 **After**
 ![after](http://i.imgur.com/aFFd9eM.png)
 
-Bitcoin: 133bmAUshC5VxntCcusWJdT8Sq3BFsaGce
+_sha1: a68d5d2da7550d35f7dbefc21b7deebe3f4005f3_
+
+_md5: 2dd2eeeda08ac8c15be8a9f2d01adbe8_
 
 ## Installation
 
 ### Step 1. Install Smali / Baksmali
-I'm sure since you're an elite Android reverser you already have smali and baksmali on your path.
+
+Since you're an elite Android reverser, I'm sure you already have Smali and Baksmali on your path. If for some strange reason it's not already installed, this should get you started, but please examine it carefully before running:
+
+```bash
+mkdir ~/bin || cd ~/bin
+curl --location -O https://bitbucket.org/JesusFreke/smali/downloads/smali-2.1.2.jar && mv smali-*.jar smali.jar
+curl --location -O https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.1.2.jar && mv baksmali-*.jar baksmali.jar
+curl --location -O https://bitbucket.org/JesusFreke/smali/downloads/smali
+curl --location -O https://bitbucket.org/JesusFreke/smali/downloads/baksmali
+chmod +x ./smali ./baksmali
+export PATH=$PATH:$PWD
+```
 
 ### Step 2. Install Android SDK / ADB
+
 Make sure `adb` is on your path.
 
 ### Step 3. Install the Gem
-```
+
+```bash
 gem install dex-oracle
 ```
 
 Or, if you prefer to build from source:
-```
+
+```bash
 git clone https://github.com/CalebFenton/dex-oracle.git
 cd dex-oracle
 gem install bundler
@@ -31,16 +52,19 @@ bundle install
 ```
 
 ### Step 4. Connect a Device or Emulator
+
 _You must have either an emulator running or a device plugged in for Oracle to work._
 
 Oracle needs to execute  methods on an live Android system. This can either be on a device or an emulator (preferred). If it's a device, _make sure you don't mind running potentially hostile code on it_.
 
 If you'd like to use an emulator, and already have the Android SDK installed, you can create and start emulator images with:
-```
+
+```bash
 android avd
 ```
 
 ## Usage
+
 ```
 Usage: dex-oracle [opts] <APK / DEX / Smali Directory>
     -h, --help                       Display this screen
@@ -58,18 +82,20 @@ Usage: dex-oracle [opts] <APK / DEX / Smali Directory>
 
 For example, to only deobfuscate methods in a class called `Lcom/android/system/admin/CCOIoll;` inside of an APK called `obad.apk`:
 
-```
+```bash
 dex-oracle -i com/android/system/admin/CCOIoll obad.apk
 ```
 
 ## How it Works
+
 Oracle takes Android apps (APK), Dalvik executables (DEX), and Smali files as inputs. First, if the input is an APK or DEX, it is disassembled into Smali files. Then, the Smali files are passed to various plugins which perform analysis and modifications. Plugins search for patterns which can be transformed into something easier to read. In order to understand what the code is doing, some Dalvik methods are actually executed with and the output is collected. This way, some method calls can be replaced with constants. After that, all of the Smali files are updated. Finally, if the input was an APK or a DEX file, the modified Smali files are recompiled and an updated APK or DEX is created.
 
-Method execution is performed by the [Driver](driver/src/main/java/org/cf/oracle/Driver.java). The input APK, DEX, or Smali is combined with the Driver into a single DEX using dexmerge and pushed onto a device or emulator. Oracle then sends method execution information to Driver whenever a plugin requests it. Driver uses Java reflection to execute methods within its own DEX with the arguments provided by Oracle and returns any output or exceptions. This is especially useful for many string decryption methods, which usually take an encrypted string or some One limitation is that execution is limited to static methods.
+Method execution is performed by the [Driver](driver/src/main/java/org/cf/oracle/Driver.java). The input APK, DEX, or Smali is combined with the Driver into a single DEX using dexmerge and is pushed onto a device or emulator. Plugins can then use Driver which uses Java reflection to execute methods from the input DEX. The return values can be used to improve semantic analysis beyond mere pattern recognition. This is especially useful for many string decryption methods, which usually take an encrypted string or some byte array. One limitation is that execution is limited to static methods.
 
 ## Hacking
 
 ### Creating Your Own Plugin
+
 There are three [plugins](lib/dex-oracle/plugins) which come with Oracle:
 
 1. [Undexguard](lib/dex-oracle/plugins/undexguard.rb) - removes certain types of Dexguard obfuscations
@@ -93,10 +119,19 @@ The included plugins should be a good guide for understanding steps #3 and #4. D
 Of course, you're always welcome to share whatever obfuscation you come across and someone may eventually get to it.
 
 ### Updating Driver
+
 First, ensure `dx` is on your path. This is part of the Android SDK, but it's probably not on your path unless you're hardcore.
 
 The [driver](driver) folder is a Java project managed by Gradle. Import it into Eclipse, IntelliJ, etc. and make any changes you like. To finish updating the driver, run `./update_driver`. This will rebuild the driver and convert the output JAR into a DEX.
 
+### Troubleshooting
+
+If there's a problem executing driver code on your emulator or device, be sure to open `monitor` (part of the Android SDK) and check for any clues there. Even if the error doesn't make sense to you, it'll help if you post it along with the issue you'll create.
+
+Not all Android platforms work well with dex-oracle. Some of them just crap out when trying to execute arbitrary DEX files. If you're having trouble with Segfaults or driver crashes, try using Android 4.4.2 API level 19 with ARM.
+
+It's possible that a plugin sees a pattern it thinks is obfuscation but is actually some code it shouldn't execute. This seems unlikely because the obfuscation patterns are really unusual, but it is possible. If you're finding a particular plugin is causing problems and you're sure the app isn't protected by that particular obfuscator, i.e. the app is not DexGuarded but the DexGuard plugin is trying to execute stuff, just disable it.
+
 ## More Information
 
-[TetCon 2016 Android Deobfuscation Presentation](http://www.slideshare.net/tekproxy/tetcon-2016)
+1. [TetCon 2016 Android Deobfuscation Presentation](http://www.slideshare.net/tekproxy/tetcon-2016)

data/bin/dex-oracle

@@ -29,7 +29,7 @@ optparse = OptionParser.new do |opts|
     options[:device_id] = id
   end
 
-  opts.on('-t', '--timeout N',
+  opts.on('-t', '--timeout N', Integer,
           "ADB command execution timeout in seconds, default=\"#{options[:timeout]}\"") do |id|
     options[:timeout] = id
   end

data/dex-oracle.gemspec

@@ -22,7 +22,7 @@ EOF
     [:development, 'rspec-mocks', '~> 3.4', '>= 3.4.0'],
   ]
 
-  exclude_files = Dir['driver/build/**/*'] + Dir['driver/bin/**/*'] + Dir['sandbox/**/*'] + ['driver/build', 'driver/bin', 'sandbox']
+  exclude_files = Dir['driver/build/**/*'] + Dir['driver/bin/**/*'] + Dir['sandbox/**/*'] + %w(driver/build driver/bin sandbox)
   s.files         = Dir['**/*'] - exclude_files
   s.test_files    = Dir['test/**/*'] + Dir['spec/**/*']
   s.executables   = Dir['bin/*'].map { |f| File.basename(f) }

data/driver/src/main/java/org/cf/oracle/Driver.java

@@ -20,7 +20,6 @@ import com.google.gson.GsonBuilder;
 public class Driver {
 
     private static final String DRIVER_DIR = "/data/local";
-
     private static final String OUTPUT_HEADER = "===ORACLE DRIVER OUTPUT===\n";
     private static final String EXCEPTION_LOG = DRIVER_DIR + "/od-exception.txt";
     private static final String OUTPUT_FILE = DRIVER_DIR + "/od-output.json";
@@ -66,8 +65,8 @@ public class Driver {
     }
 
     private static void showUsage() {
-        System.out.println("Usage: export CLASSPATH=/data/local/od.zip; app_process /system/bin org.cf.driver.OracleDriver <class> <method> [<parameter type>:<parameter value json>]");
-        System.out.println("       export CLASSPATH=/data/local/od.zip; app_process /system/bin org.cf.driver.OracleDriver @<json file>");
+        System.out.println("Usage: export CLASSPATH=/data/local/od.zip; app_process /system/bin org.cf.driver.Driver <class> <method> [<parameter type>:<parameter value json>]");
+        System.out.println("       export CLASSPATH=/data/local/od.zip; app_process /system/bin org.cf.driver.Driver @<json file>");
     }
 
     public static void main(String[] args) {

data/lib/dex-oracle/driver.rb

@@ -12,14 +12,13 @@ class Driver
   UNESCAPES = {
     'a' => "\x07", 'b' => "\x08", 't' => "\x09",
     'n' => "\x0a", 'v' => "\x0b", 'f' => "\x0c",
-    'r' => "\x0d", 'e' => "\x1b", '\\' => "\x5c",
-    '"' => "\x22", "'" => "\x27"
-  }
+    'r' => "\x0d", 'e' => "\x1b", '\\' => '\\',
+    '"' => '"', "'" => "'"
+  }.freeze
   UNESCAPE_REGEX = /\\(?:([#{UNESCAPES.keys.join}])|u([\da-fA-F]{4}))|\\0?x([\da-fA-F]{2})/
 
-  OUTPUT_HEADER = '===ORACLE DRIVER OUTPUT==='
-  DRIVER_DIR = '/data/local'
-  DRIVER_CLASS = 'org.cf.oracle.Driver'
+  OUTPUT_HEADER = '===ORACLE DRIVER OUTPUT==='.freeze
+  DRIVER_CLASS = 'org.cf.oracle.Driver'.freeze
 
   def initialize(device_id, timeout = 60)
     @device_id = device_id
@@ -27,36 +26,61 @@ class Driver
 
     device_str = device_id.empty? ? '' : "-s #{@device_id} "
     @adb_base = "adb #{device_str}%s"
-    @cmd_stub = "export CLASSPATH=#{DRIVER_DIR}/od.zip; app_process /system/bin #{DRIVER_CLASS}"
+    @driver_dir = get_driver_dir
+    unless @driver_dir
+      logger.error 'Unable to find writable driver directory. Make sure /data/local or /data/local/tmp exists and is writable.'
+      exit -1
+    end
+    logger.debug "Using #{@driver_dir} as driver directory ..."
+    @cmd_stub = "export CLASSPATH=#{@driver_dir}/od.zip; app_process /system/bin #{DRIVER_CLASS}"
 
     @cache = {}
   end
 
   def install(dex)
-    fail 'Unable to find Java on the path.' unless Utility.which('java')
+    has_java = Utility.which('java')
+    raise 'Unable to find Java on the path.' unless has_java
 
     begin
       # Merge driver and target dex file
       # Congratulations. You're now one of the 5 people who've used this tool explicitly.
-      logger.debug("Merging #{dex.path} and driver dex ...")
-      fail "#{Resources.dx} does not exist and is required for DexMerger" unless File.exist?(Resources.dx)
-      fail "#{Resources.driver_dex} does not exist" unless File.exist?(Resources.driver_dex)
-      tf = Tempfile.new(['oracle-driver', '.dex'])
+      raise "#{Resources.dx} does not exist and is required for DexMerger" unless File.exist?(Resources.dx)
+      raise "#{Resources.driver_dex} does not exist" unless File.exist?(Resources.driver_dex)
+      logger.debug("Merging input DEX (#{dex.path}) and driver DEX (#{Resources.driver_dex}) ...")
+      tf = Tempfile.new(%w(oracle-driver .dex))
       cmd = "java -cp #{Resources.dx} com.android.dx.merge.DexMerger #{tf.path} #{dex.path} #{Resources.driver_dex}"
-      exec("#{cmd}")
+      stdout, stderr = exec(cmd)
+      # Ideally, it says something like this:
+      # Merged dex #1 (36 defs/87.9KiB)
+      # Merged dex #2 (1225 defs/1092.7KiB)
+      # Result is 1261 defs/1375.0KiB. Took 0.2s
+      # But it might say this:
+      # Exception in thread "main" com.android.dex.DexIndexOverflowException: Cannot merge new index 65776 into a non-jumbo instruction!
+      if stderr.start_with?('Exception in thread "main"')
+        logger.error("Failure to merge input DEX and driver DEX:\n#{stderr}")
+        if stderr.include?('DexIndexOverflowException')
+          logger.error("Your input DEX inexplicably contains const-string and const-string/jumbo. This probably means someone fucked with it. In any case, it means DexMerge is failing because there are too many strings.\nTry this: baksmali the DEX, replace all const-string instructions with const-string/jumbo, then recompile with smali and use that DEX as input. Sorry, I don't want to do this for you. It's too complicated.")
+        end
+        exit -1
+      end
+      tf.close
 
       # Zip merged dex and push to device
       logger.debug('Pushing merged driver to device ...')
-      tz = Tempfile.new(['oracle-driver', '.zip'])
-      Utility.create_zip(tz.path, { 'classes.dex' => tf })
-      adb("push #{tz.path} #{DRIVER_DIR}/od.zip")
+      tz = Tempfile.new(%w(oracle-driver .zip))
+      # Could pass tz to create_zip, but Windows doesn't let you rename if file open
+      # And zip internally renames files when creating them
+      tempzip_path = tz.path
+      tz.close
+      Utility.create_zip(tempzip_path, 'classes.dex' => tf)
+      adb("push #{tz.path} #{@driver_dir}/od.zip")
     rescue => e
-      puts "Error installing the driver: #{e}"
+      puts "Error installing driver: #{e}\n#{e.backtrace.join("\n\t")}"
     ensure
-      tf.close
-      tf.unlink
-      tz.close
-      tz.unlink
+      tf.close if tf
+      tf.unlink if tf
+      tz.close if tz
+      tz.unlink if tz
     end
   end
 
@@ -71,15 +95,14 @@ class Driver
       # If you slam an emulator or device with too many app_process commands,
       # it eventually gets angry and segmentation faults. No idea why.
       # This took many frustrating hours to figure out.
-      if retries <= 3
-        logger.debug("Driver execution failed. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
-        sleep 5
-        retries += 1
-        retry
-      else
-        raise e
-      end
+      raise e if retries > 3
+
+      logger.debug("Driver execution failed. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
+      sleep 5
+      retries += 1
+      retry
     end
+
     output
   end
 
@@ -87,17 +110,15 @@ class Driver
     push_batch_targets(batch)
     retries = 1
     begin
-      drive("#{@cmd_stub} @#{DRIVER_DIR}/od-targets.json", true)
+      drive("#{@cmd_stub} @#{@driver_dir}/od-targets.json", true)
     rescue => e
-      if retries <= 3 && e.message.include?('Segmentation fault')
-        # Maybe we just need to retry
-        logger.debug("Driver execution segfaulted. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
-        sleep 5
-        retries += 1
-        retry
-      else
-        raise e
-      end
+      raise e if retries > 3 || !e.message.include?('Segmentation fault')
+
+      # Maybe we just need to retry
+      logger.debug("Driver execution segfaulted. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
+      sleep 5
+      retries += 1
+      retry
     end
     pull_batch_outputs
   end
@@ -107,7 +128,7 @@ class Driver
     target = {
       className: method.class.tr('/', '.'),
       methodName: method.name,
-      arguments: Driver.build_arguments(method.parameters, args)
+      arguments: build_arguments(method.parameters, args)
     }
     # Identifiers are used to map individual inputs to outputs
     target[:id] = Digest::SHA256.hexdigest(target.to_json)
@@ -118,20 +139,33 @@ class Driver
   private
 
   def push_batch_targets(batch)
-    target_file = Tempfile.new(['oracle-targets', '.json'])
+    target_file = Tempfile.new(%w(oracle-targets .json))
     target_file << batch.to_json
     target_file.flush
     logger.info("Pushing #{batch.size} method targets to device ...")
-    adb("push #{target_file.path} #{DRIVER_DIR}/od-targets.json")
+    adb("push #{target_file.path} #{@driver_dir}/od-targets.json")
     target_file.close
     target_file.unlink
   end
 
+  def get_driver_dir
+    # On some older devices, /data/local is world writable
+    # But on other devices, it's /data/local/tmp
+    %w(/data/local /data/local/tmp).each do |dir|
+      stdout = adb("shell -x ls #{dir}")
+      next if stdout == "ls: #{dir}: Permission denied"
+      next if stdout == "ls: #{dir}: No such file or directory"
+      return dir
+    end
+
+    nil
+  end
+
   def pull_batch_outputs
     output_file = Tempfile.new(['oracle-output', '.json'])
     logger.debug('Pulling batch results from device ...')
-    adb("pull #{DRIVER_DIR}/od-output.json #{output_file.path}")
-    adb("shell rm #{DRIVER_DIR}/od-output.json")
+    adb("pull #{@driver_dir}/od-output.json #{output_file.path}")
+    adb("shell rm #{@driver_dir}/od-output.json")
     outputs = JSON.parse(File.read(output_file.path))
     outputs.each { |_, (_, v2)| v2.gsub!(/(?:^"|"$)/, '') if v2.start_with?('"') }
     logger.debug("Pulled #{outputs.size} outputs.")
@@ -146,21 +180,19 @@ class Driver
     retries = 1
     begin
       status = Timeout.timeout(@timeout) do
-        if !silent
-          `#{cmd}`
+        if silent
+          Open3.popen3(cmd) { |_, stdout, stderr, _| [stdout.read, stderr.read] }
         else
-          Open3.popen3(cmd) { |_, stdout, _, _| stdout.read }
+          [`#{cmd}`, '']
         end
       end
     rescue => e
-      if retries <= 3
-        logger.debug("ADB command execution timed out, retrying #{retries} ...")
-        sleep 5
-        retries += 1
-        retry
-      else
-        raise e
-      end
+      raise e if retries > 3
+
+      logger.debug("ADB command execution timed out, retrying #{retries} ...")
+      sleep 5
+      retries += 1
+      retry
     end
   end
 
@@ -170,14 +202,14 @@ class Driver
     if exit_code != 0
       # Non zero exit code would only imply adb command itself was flawed
       # app_process, dalvikvm, etc. don't propigate exit codes back
-      fail "Command failed with #{exit_code}: #{full_cmd}\nOutput: #{full_output}"
+      raise "Command failed with #{exit_code}: #{full_cmd}\nOutput: #{full_output}"
     end
 
     # Successful driver run should include driver header
     # Otherwise it may be a Segmentation fault or Killed
     logger.debug("Full output: #{full_output.inspect}")
     header = output_lines[0]
-    fail "app_process execution failure, output: '#{full_output}'" if header != OUTPUT_HEADER
+    raise "app_process execution failure, output: '#{full_output}'" if header != OUTPUT_HEADER
 
     output_lines[1..-2].join("\n").rstrip
   end
@@ -192,10 +224,10 @@ class Driver
     # The driver writes any actual exceptions to the filesystem
     # Need to check to make sure the output value is legitimate
     logger.debug('Checking if execution had any exceptions ...')
-    exception = adb("shell cat #{DRIVER_DIR}/od-exception.txt").strip
+    exception = adb("shell cat #{@driver_dir}/od-exception.txt").strip
     unless exception.end_with?('No such file or directory')
-      adb("shell rm #{DRIVER_DIR}/od-exception.txt")
-      fail exception
+      adb("shell rm #{@driver_dir}/od-exception.txt")
+      raise exception
     end
     logger.debug('No exceptions found :)')
 
@@ -207,20 +239,13 @@ class Driver
   end
 
   def adb(cmd)
-    full_cmd = @adb_base % cmd
-    exec(full_cmd).rstrip
+    adb_with_stderr(cmd)[0]
   end
 
-  def self.unescape(str)
-    str.gsub(UNESCAPE_REGEX) do
-      if Regexp.last_match[1]
-        Regexp.last_match[1] == '\\' ? Regexp.last_match[1] : UNESCAPES[Regexp.last_match[1]]
-      elsif Regexp.last_match[2] # escape \u0000 unicode
-        [Regexp.last_match[2].hex].pack('U*')
-      elsif Regexp.last_match[3] # escape \0xff or \xff
-        [Regexp.last_match[3]].pack('H2')
-      end
-    end
+  def adb_with_stderr(cmd)
+    full_cmd = @adb_base % cmd
+    stdout, stderr = exec(full_cmd, false)
+    [stdout.rstrip, stderr.rstrip]
   end
 
   def build_command(class_name, method_name, parameters, args)
@@ -228,23 +253,39 @@ class Driver
     class_name.gsub!('$', '\$') # inner classes
     method_name.gsub!('$', '\$') # synthetic method names
     target = "'#{class_name}' '#{method_name}'"
-    target_args = Driver.build_arguments(parameters, args)
+    target_args = build_arguments(parameters, args)
     "#{@cmd_stub} #{target} #{target_args * ' '}"
   end
 
-  def self.build_arguments(parameters, args)
-    parameters.map.with_index do |o, i|
-      build_argument(o, args[i])
+  private
+
+  def unescape(str)
+    str.gsub(UNESCAPE_REGEX) do
+      if Regexp.last_match[1]
+        if Regexp.last_match[1] == '\\'
+          Regexp.last_match[1]
+        else
+          UNESCAPES[Regexp.last_match[1]]
+        end
+      elsif Regexp.last_match[2] # escape \u0000 unicode
+        [Regexp.last_match[2].hex].pack('U*')
+      elsif Regexp.last_match[3] # escape \0xff or \xff
+        [Regexp.last_match[3]].pack('H2')
+      end
     end
   end
 
-  def self.build_argument(parameter, argument)
+  def build_arguments(parameters, args)
+    parameters.map.with_index { |o, i| build_argument(o, args[i]) }
+  end
+
+  def build_argument(parameter, argument)
     if parameter[0] == 'L'
       java_type = parameter[1..-2].tr('/', '.')
       if java_type == 'java.lang.String'
         # Need to unescape smali string to get the actual string
         # Converting to bytes just avoids any weird non-printable characters nonsense
-        argument = "[#{Driver.unescape(argument).bytes.to_a.join(',')}]"
+        argument = "[#{unescape(argument).bytes.to_a.join(',')}]"
       end
       "#{java_type}:#{argument}"
     else