one_gadget 1.6.2 → 1.7.0

data/lib/one_gadget/error.rb

@@ -5,12 +5,24 @@ module OneGadget
     class Error < StandardError
     end
 
-    # Unsupported arguments of intructions.
-    class UnsupportedInstructionArgumentsError < Error
+    # Super class of unsupported errors.
+    class UnsupportedError < Error
+    end
+
+    # Unsupported instruction.
+    class UnsupportedInstructionError < UnsupportedError
+    end
+
+    # Raises when arguments form of an instrution is invalid.
+    class InstructionArgumentError < Error
+    end
+
+    # Raises when form of arguments is valid but not supported.
+    class UnsupportedInstructionArgumentError < UnsupportedError
     end
 
     # Unsupported architecture.
-    class UnsupportedArchitectureError < Error
+    class UnsupportedArchitectureError < UnsupportedError
     end
 
     # Argument error of ruby methods.

data/lib/one_gadget/fetcher.rb

@@ -1,4 +1,5 @@
 require 'one_gadget/error'
+require 'one_gadget/fetchers/aarch64'
 require 'one_gadget/fetchers/amd64'
 require 'one_gadget/fetchers/i386'
 require 'one_gadget/gadget'
@@ -27,6 +28,7 @@ module OneGadget
       def from_file(file)
         arch = OneGadget::Helper.architecture(file)
         klass = {
+          aarch64: OneGadget::Fetcher::AArch64,
           amd64: OneGadget::Fetcher::Amd64,
           i386: OneGadget::Fetcher::I386
         }[arch]
@@ -46,7 +48,7 @@ module OneGadget
             (gadgets[j].constraints - g.constraints).empty?
           end
         end
-        res.sort_by!(&:offset)
+        res.sort_by(&:offset)
       end
     end
     extend ClassMethods

data/lib/one_gadget/fetchers/aarch64.rb

@@ -0,0 +1,41 @@
+require 'one_gadget/emulators/aarch64'
+require 'one_gadget/fetchers/base'
+
+module OneGadget
+  module Fetcher
+    # Define common methods for gadget fetchers.
+    class AArch64 < Base
+      private
+
+      def emulator
+        OneGadget::Emulators::AArch64.new
+      end
+
+      # If str contains a branch instruction.
+      def branch?(str)
+        %w[b b.hi b.gt b.eq b.le b.ls b.lt b.ne b.cs].any? { |f| str.include?(' ' + f + ' ') }
+      end
+
+      def call_str
+        'bl'
+      end
+
+      def bin_sh_offset
+        @bin_sh_offset ||= str_offset('/bin/sh')
+      end
+
+      def str_bin_sh?(str)
+        str.include?('$base') && str.include?(bin_sh_offset.to_s(16))
+      end
+
+      def str_sh?(str)
+        # XXX: hardcode -0x10 is bad
+        str.include?('$base') && str.include?((bin_sh_offset - 0x10).to_s(16))
+      end
+
+      def global_var?(str)
+        str.include?('$base')
+      end
+    end
+  end
+end

data/lib/one_gadget/fetchers/amd64.rb

@@ -1,10 +1,10 @@
 require 'one_gadget/emulators/amd64'
-require 'one_gadget/fetchers/base'
+require 'one_gadget/fetchers/x86'
 
 module OneGadget
   module Fetcher
     # Fetcher for amd64.
-    class Amd64 < OneGadget::Fetcher::Base
+    class Amd64 < OneGadget::Fetcher::X86
       private
 
       def emulator
@@ -36,6 +36,8 @@ module OneGadget
           next nil if jmp_at.nil?
 
           cand = cand[0..jmp_at]
+          next if cand.any? { |c| c.include?(call_str) }
+
           jmp_addr = cand.last.scan(/jmp\s+([\da-f]+)\s/)[0][0].to_i(16)
           dump = `#{objdump_cmd(start: jmp_addr, stop: jmp_addr + 100)}|egrep '[0-9a-f]+:'`
           remain = dump.lines.map(&:strip).reject(&:empty?)

data/lib/one_gadget/fetchers/base.rb

@@ -11,6 +11,7 @@ module OneGadget
       # @param [String] file Absolute path of target libc.
       def initialize(file)
         @file = file
+        @arch = self.class.name.split('::').last.downcase.to_sym
       end
 
       # Do find gadgets in glibc.
@@ -29,7 +30,7 @@ module OneGadget
             gadgets << OneGadget::Gadget::Gadget.new(offset, options)
           end
           gadgets
-        end.flatten.compact
+        end.flatten
       end
 
       # Fetch candidates that end with call exec*.
@@ -42,7 +43,7 @@ module OneGadget
       # @return [Array<String>]
       #   Each +String+ returned is multi-lines of assembly code.
       def candidates(&block)
-        cands = `#{objdump_cmd}|egrep 'call.*<exec[^+]*>$' -B 30`.split('--').map do |cand|
+        cands = `#{objdump_cmd}|egrep '#{call_str}.*<exec[^+]*>$' -B 30`.split('--').map do |cand|
           cand.lines.map(&:strip).reject(&:empty?).join("\n")
         end
         # remove all jmps
@@ -83,7 +84,7 @@ module OneGadget
         # arg[2] == NULL || [arg[2]] == NULL || arg[2] == envp
         arg1 = processor.argument(1).to_s
         arg2 = processor.argument(2).to_s
-        cons = []
+        cons = processor.constraints
         cons << check_execve_arg(processor, arg1)
         return nil unless cons.all?
 
@@ -134,8 +135,9 @@ module OneGadget
         return nil if global_var?(arg) # we don't want base-related constraints
 
         args << arg
+        cons = processor.constraints + ["#{arg} == NULL"]
         # now arg is the constraint.
-        { constraints: ["#{arg} == NULL"], effect: %(execl("/bin/sh", #{args.join(', ')})) }
+        { constraints: cons, effect: %(execl("/bin/sh", #{args.join(', ')})) }
       end
 
       def global_var?(_str); raise NotImplementedError
@@ -147,6 +149,9 @@ module OneGadget
       def str_sh?(_str); raise NotImplementedError
       end
 
+      def call_str; raise NotImplementedError
+      end
+
       def emulate(cmds)
         cmds.each_with_object(emulator) { |cmd, obj| break obj unless obj.process(cmd) }
       end
@@ -155,10 +160,20 @@ module OneGadget
       end
 
       def objdump_cmd(start: nil, stop: nil)
-        cmd = %(objdump --no-show-raw-insn -w -d -M intel #{::Shellwords.escape(file)})
-        cmd.concat(" --start-address #{start}") if start
-        cmd.concat(" --stop-address #{stop}") if stop
-        cmd
+        cmd = [objdump_bin, '--no-show-raw-insn', '-w', '-d', *objdump_options, file]
+        cmd.push('--start-address', start) if start
+        cmd.push('--stop-address', stop) if stop
+        ::Shellwords.join(cmd)
+      end
+
+      def objdump_bin
+        OneGadget::Helper.find_objdump(@arch).tap do |bin|
+          install_objdump_guide! if bin.nil?
+        end
+      end
+
+      def objdump_options
+        []
       end
 
       def slice_prefix(cands)
@@ -171,18 +186,27 @@ module OneGadget
       end
 
       # If str contains a branch instruction.
-      def branch?(str)
-        %w(jmp je jne jl jb ja jg).any? { |f| str.include?(f) }
+      def branch?(_str); raise NotImplementedError
       end
 
       def str_offset(str)
         IO.binread(file).index(str + "\x00") ||
-          raise(Error::ArgumentError, "File #{file.inspect} doesn't contain string \"/bin/sh\", not glibc?")
+          raise(Error::ArgumentError, "File #{file.inspect} doesn't contain string #{str.inspect}, not glibc?")
       end
 
       def offset_of(assembly)
         assembly.scan(/^([\da-f]+):/)[0][0].to_i(16)
       end
+
+      def install_objdump_guide!
+        raise Error::UnsupportedArchitectureError, <<-EOS
+Objdump that supports architecture #{@arch.to_s.inspect} is not found!
+Please install the package 'binutils-multiarch' and try one_gadget again!
+
+For Ubuntu users:
+  $ [sudo] apt install binutils-multiarch
+        EOS
+      end
     end
   end
 end

data/lib/one_gadget/fetchers/i386.rb

@@ -1,12 +1,12 @@
 require 'elftools'
 
 require 'one_gadget/emulators/i386'
-require 'one_gadget/fetchers/base'
+require 'one_gadget/fetchers/x86'
 
 module OneGadget
   module Fetcher
     # Fetcher for i386.
-    class I386 < OneGadget::Fetcher::Base
+    class I386 < OneGadget::Fetcher::X86
       private
 
       def candidates

data/lib/one_gadget/fetchers/x86.rb

@@ -0,0 +1,23 @@
+require 'one_gadget/fetchers/base'
+
+module OneGadget
+  module Fetcher
+    # Define common methods for gadget fetchers.
+    class X86 < Base
+      private
+
+      # If str contains a branch instruction.
+      def branch?(str)
+        %w[jmp je jne jl jb ja jg].any? { |f| str.include?(f) }
+      end
+
+      def objdump_options
+        %w[-M intel]
+      end
+
+      def call_str
+        'call'
+      end
+    end
+  end
+end

data/lib/one_gadget/gadget.rb

@@ -1,4 +1,5 @@
 require 'one_gadget/abi'
+require 'one_gadget/emulators/lambda'
 require 'one_gadget/error'
 
 module OneGadget
@@ -7,11 +8,11 @@ module OneGadget
     # Information of a gadget.
     class Gadget
       # @return [Integer] The gadget's address offset.
-      attr_accessor :offset
+      attr_reader :offset
       # @return [Array<String>] The constraints need for this gadget.
-      attr_accessor :constraints
+      attr_reader :constraints
       # @return [String] The final result of this gadget.
-      attr_accessor :effect
+      attr_reader :effect
 
       # Initialize method of {Gadget} instance.
       # @param [Integer] offset The relative address offset of this gadget.
@@ -28,22 +29,70 @@ module OneGadget
       # Show gadget in a pretty way.
       def inspect
         str = OneGadget::Helper.hex(offset)
-        str += effect ? "\t#{effect}\n" : "\n"
+        str += effect ? " #{effect}\n" : "\n"
         unless constraints.empty?
           str += "#{OneGadget::Helper.colorize('constraints')}:\n  "
-          str += constraints.join("\n  ")
+          str += merge_constraints.join("\n  ")
         end
         str.gsub!(/0x[\da-f]+/) { |s| OneGadget::Helper.colorize(s, sev: :integer) }
-        OneGadget::ABI.all.each { |reg| str.gsub!(reg, OneGadget::Helper.colorize(reg, sev: :reg)) }
+        OneGadget::ABI.all.each do |reg|
+          str.gsub!(/([^\w])(#{reg})([^\w])/, '\1' + OneGadget::Helper.colorize('\2', sev: :reg) + '\3')
+        end
         str + "\n"
       end
+
+      # @return [Float]
+      #   The success probability of the constraints.
+      def score
+        @score ||= constraints.reduce(1.0) { |s, c| s * calculate_score(c) }
+      end
+
+      private
+
+      # REG: OneGadget::ABI.all
+      # IMM: [+-]0x[\da-f]+
+      # Identity: <REG><IMM>?
+      # Identity: [<Identity>]
+      # Expr: <REG> is the GOT address of libc
+      # Expr: writable: <Identity>
+      # Expr: <Identity> == NULL
+      # Expr: <Expr> || <Expr>
+      def calculate_score(cons)
+        return cons.split(' || ').map(&method(:calculate_score)).max if cons.include?(' || ')
+        return 0.9 if cons.include?('GOT address')
+        return 0.81 if cons.include?('writable')
+
+        expr = cons.gsub(' == NULL', ' == 0')
+        # raise Error::ArgumentError, cons unless expr.end_with?(' == 0')
+
+        identity = expr.slice(0...expr.rindex(' == 0'))
+        # Thank God we are already able to parse this
+        lmda = OneGadget::Emulators::Lambda.parse(identity)
+        # raise Error::ArgumentError, cons unless OneGadget::ABI.all.include?(lmda.obj)
+        # rax == 0 is easy; rax + 0x10 == 0 is damn hard.
+        return lmda.immi.zero? ? 0.9 : 0.1 if lmda.deref_count.zero?
+
+        # [sp+xx] == NULL is easy.
+        base = OneGadget::ABI.stack_register?(lmda.obj) ? 0 : 1
+        0.9**(lmda.deref_count + base)
+      end
+
+      def merge_constraints
+        key = 'writable: '
+        w_cons, normal = constraints.partition { |c| c.start_with?(key) }
+        return normal if w_cons.empty?
+
+        w_cons.map! { |c| c[key.size..-1] }
+        ["address#{w_cons.size > 1 ? 'es' : ''} #{w_cons.join(', ')} #{w_cons.size > 1 ? 'are' : 'is'} writable"] +
+          normal
+      end
     end
 
     # Define class methods here.
     module ClassMethods
       # Path to the pre-build files.
       BUILDS_PATH = File.join(__dir__, 'builds').freeze
-      # Cache.
+      # Record.
       BUILDS = Hash.new { |h, k| h[k] = [] }
       # Get gadgets from pre-defined corpus.
       # @param [String] build_id Desired build id.
@@ -51,8 +100,8 @@ module OneGadget
       #   When local not found, try search in latest version?
       # @return [Array<Gadget::Gadget>?] Gadgets.
       def builds(build_id, remote: true)
-        require_all if BUILDS.empty?
-        return BUILDS[build_id] if BUILDS.key?(build_id)
+        ret = find_build(build_id)
+        return ret unless ret.nil?
         return build_not_found unless remote
 
         # fetch remote builds
@@ -107,10 +156,13 @@ module OneGadget
 
       private
 
-      def require_all
-        Dir.glob(File.join(BUILDS_PATH, '**', '*.rb')).each do |dic|
+      def find_build(id)
+        return BUILDS[id] if BUILDS.key?(id)
+
+        Dir.glob(File.join(BUILDS_PATH, "*-#{id}.rb")).each do |dic|
           require dic
         end
+        BUILDS[id] if BUILDS.key?(id)
       end
 
       def build_not_found

data/lib/one_gadget/helper.rb

@@ -11,230 +11,309 @@ module OneGadget
   # Define some helpful methods here.
   module Helper
     # Format of build-id, 40 hex numbers.
-    BUILD_ID_FORMAT = /[0-9a-f]{40}/
-    # Define class methods here.
-    module ClassMethods
-      # Verify if `build_id` is a valid SHA1 hex format.
-      # @param [String] build_id
-      #   BuildID.
-      # @raise [Error::ArgumentError]
-      #   Raises error if invalid.
-      # @return [void]
-      def verify_build_id!(build_id)
-        return if build_id =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
-
-        raise OneGadget::Error::ArgumentError, format('invalid BuildID format: %p', build_id)
-      end
+    BUILD_ID_FORMAT = /[0-9a-f]{40}/.freeze
 
-      # Fetch lines start with '#'.
-      # @param [String] file
-      #   Filename.
-      # @return [Array<String>]
-      #   Lines of comments.
-      def comments_of_file(file)
-        File.readlines(file).map { |s| s[2..-1].rstrip if s.start_with?('# ') }.compact
-      end
+    module_function
 
-      # Get absolute path from relative path. Support symlink.
-      # @param [String] path Relative path.
-      # @return [String] Absolute path, with symlink resolved.
-      # @example
-      #   abspath('/lib/x86_64-linux-gnu/libc.so.6')
-      #   #=> '/lib/x86_64-linux-gnu/libc-2.23.so'
-      def abspath(path)
-        Pathname.new(File.expand_path(path)).realpath.to_s
-      end
+    # Checks if +build_id+ is a valid SHA1 hex format.
+    # @param [String] build_id
+    #   BuildID.
+    # @raise [Error::ArgumentError]
+    #   Raises error if invalid.
+    # @return [void]
+    def verify_build_id!(build_id)
+      return if build_id =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
 
-      # Checks if the file of given path is a valid ELF file.
-      #
-      # @param [String] path Path to target file.
-      # @return [Boolean] If the file is an ELF or not.
-      # @example
-      #   valid_elf_file?('/etc/passwd')
-      #   => false
-      #   valid_elf_file?('/lib64/ld-linux-x86-64.so.2')
-      #   => true
-      def valid_elf_file?(path)
-        # A light-weight way to check if is a valid ELF file
-        # Checks at least one phdr should present.
-        File.open(path) { |f| ELFTools::ELFFile.new(f).each_segments.first }
-        true
-      rescue ELFTools::ELFError
-        false
-      end
+      raise OneGadget::Error::ArgumentError, format('invalid BuildID format: %p', build_id)
+    end
 
-      # Checks if the file of given path is a valid ELF file
-      # An error message will be shown if given path is not a valid ELF.
-      #
-      # @param [String] path Path to target file.
-      # @return [void]
-      # @raise [Error::ArgumentError] Raise exception if not a valid ELF.
-      def verify_elf_file!(path)
-        return if valid_elf_file?(path)
+    # Fetch lines start with '#'.
+    # @param [String] file
+    #   Filename.
+    # @return [Array<String>]
+    #   Lines of comments.
+    def comments_of_file(file)
+      File.readlines(file).map { |s| s[2..-1].rstrip if s.start_with?('# ') }.compact
+    end
 
-        raise Error::ArgumentError, 'Not an ELF file, expected glibc as input'
-      end
+    # Get absolute path from relative path. Support symlink.
+    # @param [String] path Relative path.
+    # @return [String] Absolute path, with symlink resolved.
+    # @example
+    #   Helper.abspath('/lib/x86_64-linux-gnu/libc.so.6')
+    #   #=> '/lib/x86_64-linux-gnu/libc-2.23.so'
+    def abspath(path)
+      Pathname.new(File.expand_path(path)).realpath.to_s
+    end
 
-      # Get the Build ID of target ELF.
-      # @param [String] path Absolute file path.
-      # @return [String] Target build id.
-      # @example
-      #   build_id_of('/lib/x86_64-linux-gnu/libc-2.23.so')
-      #   #=> '60131540dadc6796cab33388349e6e4e68692053'
-      def build_id_of(path)
-        File.open(path) { |f| ELFTools::ELFFile.new(f).build_id }
-      end
+    # Checks if the file of given path is a valid ELF file.
+    #
+    # @param [String] path Path to target file.
+    # @return [Boolean] If the file is an ELF or not.
+    # @example
+    #   Helper.valid_elf_file?('/etc/passwd')
+    #   #=> false
+    #   Helper.valid_elf_file?('/lib64/ld-linux-x86-64.so.2')
+    #   #=> true
+    def valid_elf_file?(path)
+      # A light-weight way to check if is a valid ELF file
+      # Checks at least one phdr should present.
+      File.open(path) { |f| ELFTools::ELFFile.new(f).each_segments.first }
+      true
+    rescue ELFTools::ELFError
+      false
+    end
 
-      # Disable colorize.
-      # @return [void]
-      def color_off!
-        @disable_color = true
-      end
+    # Checks if the file of given path is a valid ELF file.
+    #
+    # An error message will be shown if given path is not a valid ELF.
+    #
+    # @param [String] path Path to target file.
+    # @return [void]
+    # @raise [Error::ArgumentError] Raise exception if not a valid ELF.
+    def verify_elf_file!(path)
+      return if valid_elf_file?(path)
 
-      # Enable colorize.
-      # @return [void]
-      def color_on!
-        @disable_color = false
-      end
+      raise Error::ArgumentError, 'Not an ELF file, expected glibc as input'
+    end
 
-      # Is colorify output enabled?
-      # @return [Boolean]
-      #   True or false.
-      def color_enabled?
-        # if not set, use tty to check
-        return $stdout.tty? unless instance_variable_defined?(:@disable_color)
+    # Get the Build ID of target ELF.
+    # @param [String] path Absolute file path.
+    # @return [String] Target build id.
+    # @example
+    #   Helper.build_id_of('/lib/x86_64-linux-gnu/libc-2.23.so')
+    #   #=> '60131540dadc6796cab33388349e6e4e68692053'
+    def build_id_of(path)
+      File.open(path) { |f| ELFTools::ELFFile.new(f).build_id }
+    end
 
-        !@disable_color
-      end
+    # Disable colorize.
+    # @return [void]
+    def color_off!
+      @disable_color = true
+    end
 
-      # Color codes for pretty print
-      COLOR_CODE = {
-        esc_m: "\e[0m",
-        normal_s: "\e[38;5;203m", # red
-        integer: "\e[38;5;189m", # light purple
-        reg: "\e[38;5;82m", # light green
-        warn: "\e[38;5;230m", # light yellow
-        error: "\e[38;5;196m" # heavy red
-      }.freeze
-
-      # Wrapper color codes for pretty inspect.
-      # @param [String] str Contents to colorize.
-      # @param [Symbol] sev Specific which kind of color want to use, valid symbols are defined in +COLOR_CODE+.
-      # @return [String] Wrapper with color codes.
-      def colorize(str, sev: :normal_s)
-        return str unless color_enabled?
-
-        cc = COLOR_CODE
-        color = cc.key?(sev) ? cc[sev] : ''
-        "#{color}#{str.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
-      end
+    # Is colorize output enabled?
+    # @return [Boolean]
+    #   True or false.
+    def color_enabled?
+      # if not set, use tty to check
+      return $stdout.tty? unless instance_variable_defined?(:@disable_color)
 
-      # Fetch the latest release version's tag name.
-      # @return [String] The tag name, in form +vx.x.x+.
-      def latest_tag
-        releases_url = 'https://github.com/david942j/one_gadget/releases/latest'
-        @latest_tag ||= url_request(releases_url).split('/').last
-      end
+      !@disable_color
+    end
 
-      # Get the url which can fetch +filename+ from remote repo.
-      # @param [String] filename
-      # @return [String] The url.
-      def url_of_file(filename)
-        raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
-        raw_file_url.sub('@tag', latest_tag).sub('@file', filename)
-      end
+    # Color codes for pretty print
+    COLOR_CODE = {
+      esc_m: "\e[0m",
+      normal_s: "\e[38;5;203m", # red
+      integer: "\e[38;5;189m", # light purple
+      reg: "\e[38;5;82m", # light green
+      warn: "\e[38;5;230m", # light yellow
+      error: "\e[38;5;196m" # heavy red
+    }.freeze
 
-      # Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
-      #
-      # @param [String] file The filename desired.
-      # @return [Tempfile] The temp file be created.
-      def download_build(file)
-        temp = Tempfile.new(['gadgets', file + '.rb'])
-        url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb')))
-        temp.write(url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb'))))
-        temp.tap(&:close)
-      end
+    # Wrap string with color codes for pretty inspect.
+    # @param [String] str Contents to colorize.
+    # @param [Symbol] sev Specify which kind of color to use, valid symbols are defined in {.COLOR_CODE}.
+    # @return [String] String wrapped with color codes.
+    def colorize(str, sev: :normal_s)
+      return str unless color_enabled?
 
-      # Get the latest builds list from repo.
-      # @return [Array<String>] List of build ids.
-      def remote_builds
-        @remote_builds ||= url_request(url_of_file('builds_list')).lines.map(&:strip)
-      end
+      cc = COLOR_CODE
+      color = cc.key?(sev) ? cc[sev] : ''
+      "#{color}#{str.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
+    end
 
-      # Get request.
-      # @param [String] url The url.
-      # @return [String]
-      #   The request response body.
-      #   If the response is '302 Found', return the location in header.
-      def url_request(url)
-        uri = URI.parse(url)
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = true
-        http.verify_mode = ::OpenSSL::SSL::VERIFY_NONE
-
-        request = Net::HTTP::Get.new(uri.request_uri)
-
-        response = http.request(request)
-        raise ArgumentError, "Fail to get response of #{url}" unless %w(200 302).include?(response.code)
-
-        response.code == '302' ? response['location'] : response.body
-      rescue NoMethodError, SocketError, ArgumentError => e
-        p e
-        nil
-      end
+    # Fetch the latest release version's tag name.
+    # @return [String] The tag name, in form +vX.X.X+.
+    def latest_tag
+      releases_url = 'https://github.com/david942j/one_gadget/releases/latest'
+      @latest_tag ||= url_request(releases_url).split('/').last
+    end
 
-      # Fetch the file archiecture of +file+.
-      # @param [String] file The target ELF filename.
-      # @return [Symbol]
-      #   Only supports architecture amd64 and i386 now.
-      def architecture(file)
-        f = File.open(file)
-        str = ELFTools::ELFFile.new(f).machine
-        {
-          'Advanced Micro Devices X86-64' => :amd64,
-          'Intel 80386' => :i386,
-          'ARM' => :arm,
-          'AArch64' => :aarch64,
-          'MIPS R3000' => :mips
-        }[str] || :unknown
-      rescue ELFTools::ELFError # not a valid ELF
-        :invalid
-      ensure
-        f.close
-      end
+    # Get the url which can fetch +filename+ from remote repo.
+    # @param [String] filename
+    # @return [String] The url.
+    def url_of_file(filename)
+      raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
+      raw_file_url.sub('@tag', latest_tag).sub('@file', filename)
+    end
 
-      # Present number in hex format.
-      # @param [Integer] val The number.
-      # @param [Boolean] psign Need to show plus sign when +val >= 0+.
-      # @return [String] string in hex format.
-      # @example
-      #   hex(32) #=> 0x20
-      #   hex(32, psign: true) #=> +0x20
-      #   hex(-40) #=> -0x28
-      #   hex(0) #=> 0x0
-      #   hex(0, psign: true) #=> +0x0
-      def hex(val, psign: false)
-        return format("#{psign ? '+' : ''}0x%x", val) if val >= 0
-
-        format('-0x%x', -val)
+    # Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
+    #
+    # @param [String] file The filename desired.
+    # @return [Tempfile] The temp file be created.
+    def download_build(file)
+      temp = Tempfile.new(['gadgets', file + '.rb'])
+      temp.write(url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb'))))
+      temp.tap(&:close)
+    end
+
+    # Get the latest builds list from repo.
+    # @return [Array<String>] List of build ids.
+    def remote_builds
+      @remote_builds ||= url_request(url_of_file('builds_list')).lines.map(&:strip)
+    end
+
+    # Get request.
+    # @param [String] url The url.
+    # @return [String]
+    #   The request response body.
+    #   If the response is +302 Found+, returns the location in header.
+    def url_request(url)
+      uri = URI.parse(url)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      http.verify_mode = ::OpenSSL::SSL::VERIFY_NONE
+
+      request = Net::HTTP::Get.new(uri.request_uri)
+
+      response = http.request(request)
+      raise ArgumentError, "Fail to get response of #{url}" unless %w[200 302].include?(response.code)
+
+      response.code == '302' ? response['location'] : response.body
+    rescue NoMethodError, SocketError, ArgumentError => e
+      OneGadget::Logger.error(e.message)
+      nil
+    end
+
+    # Fetch the ELF archiecture of +file+.
+    # @param [String] file The target ELF filename.
+    # @return [Symbol]
+    #   Currently supports amd64, i386, arm, aarch64, and mips.
+    # @example
+    #   Helper.architecture('/bin/cat')
+    #   #=> :amd64
+    def architecture(file)
+      return :invalid unless File.exist?(file)
+
+      f = File.open(file)
+      str = ELFTools::ELFFile.new(f).machine
+      {
+        'Advanced Micro Devices X86-64' => :amd64,
+        'Intel 80386' => :i386,
+        'ARM' => :arm,
+        'AArch64' => :aarch64,
+        'MIPS R3000' => :mips
+      }[str] || :unknown
+    rescue ELFTools::ELFError # not a valid ELF
+      :invalid
+    ensure
+      f.close if f
+    end
+
+    # Present number in hex format.
+    # @param [Integer] val
+    #   The number.
+    # @param [Boolean] psign
+    #   If needs to show the plus sign when +val >= 0+.
+    # @return [String]
+    #   String in hex format.
+    # @example
+    #   Helper.hex(32) #=> '0x20'
+    #   Helper.hex(32, psign: true) #=> '+0x20'
+    #   Helper.hex(-40) #=> '-0x28'
+    #   Helper.hex(0) #=> '0x0'
+    #   Helper.hex(0, psign: true) #=> '+0x0'
+    def hex(val, psign: false)
+      return format("#{psign ? '+' : ''}0x%x", val) if val >= 0
+
+      format('-0x%x', -val)
+    end
+
+    # Checks if a string can be converted into an integer.
+    # @param [String] str
+    #   String to be checked.
+    # @return [Boolean]
+    #   If +str+ can be converted into an integer.
+    # @example
+    #   Helper.integer? '1234'
+    #   #=> true
+    #   Helper.integer? '0x1234'
+    #   #=> true
+    #   Helper.integer? '0xheapoverflow'
+    #   #=> false
+    def integer?(str)
+      true if Integer(str)
+    rescue ArgumentError, TypeError
+      false
+    end
+
+    # Cross-platform way of finding an executable in +$PATH+.
+    #
+    # @param [String] cmd
+    # @return [String?]
+    # @example
+    #   Helper.which('ruby')
+    #   #=> "/usr/bin/ruby"
+    def which(cmd)
+      exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+      ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+        exts.each do |ext|
+          exe = File.join(path, "#{cmd}#{ext}")
+          return exe if File.executable?(exe) && !File.directory?(exe)
+        end
       end
+      nil
+    end
+
+    # Find objdump that supports architecture +arch+.
+    # @param [String] arch
+    # @return [String?]
+    # @example
+    #   Helper.find_objdump(:amd64)
+    #   #=> '/usr/bin/objdump'
+    #   Helper.find_objdump(:aarch64)
+    #   #=> '/usr/bin/aarch64-linux-gnu-objdump'
+    def find_objdump(arch)
+      [
+        which('objdump'),
+        which(arch_specific_objdump(arch))
+      ].find { |bin| objdump_arch_supported?(bin, arch) }
+    end
 
-      # For checking a string is actually an integer.
-      # @param [String] str String to be checked.
-      # @return [Boolean] If +str+ can be converted into integer.
-      # @example
-      #   Helper.integer? '1234'
-      #   # => true
-      #   Helper.integer? '0x1234'
-      #   # => true
-      #   Helper.integer? '0xheapoverflow'
-      #   # => false
-      def integer?(str)
-        true if Integer(str)
-      rescue ArgumentError, TypeError
-        false
+    # Checks if the given objdump supports certain architecture.
+    # @param [String] bin
+    # @param [Symbol] arch
+    # @return [Boolean]
+    # @example
+    #   Helper.objdump_arch_supported?('/usr/bin/objdump', :i386)
+    #   #=> true
+    def objdump_arch_supported?(bin, arch)
+      return false if bin.nil?
+
+      arch = objdump_arch(arch)
+      archs = `#{::Shellwords.join([bin, '--help'])}`.lines.find { |c| c.include?('supported architectures') }
+      return false if archs.nil?
+
+      archs.split.include?(arch)
+    end
+
+    # Converts to the architecture name shown in objdump's +--help+ command.
+    # @param [Symbol] arch
+    # @return [String]
+    # @example
+    #   Helper.objdump_arch(:i386)
+    #   #=> 'i386'
+    #   Helper.objdump_arch(:amd64)
+    #   #=> 'i386:x86-64'
+    def objdump_arch(arch)
+      case arch
+      when :amd64 then 'i386:x86-64'
+      else arch.to_s
       end
     end
-    extend ClassMethods
+
+    # Returns the binary name of objdump.
+    # @param [Symbol] arch
+    # @return [String]
+    def arch_specific_objdump(arch)
+      {
+        aarch64: 'aarch64-linux-gnu-objdump',
+        amd64: 'x86_64-linux-gnu-objdump',
+        i386: 'i686-linux-gnu-objdump'
+      }[arch]
+    end
   end
 end