Class: Driver

Inherits:

Object

• Object
• Driver

Includes:

Logging

Defined in:

lib/dex-oracle/driver.rb

Constant Summary

UNESCAPES =

{
  'a' => "\x07", 'b' => "\x08", 't' => "\x09",
  'n' => "\x0a", 'v' => "\x0b", 'f' => "\x0c",
  'r' => "\x0d", 'e' => "\x1b", '\\' => '\\',
  '"' => '"', "'" => "'"
}.freeze

UNESCAPE_REGEX =

/\\(?:([#{UNESCAPES.keys.join}])|u([\da-fA-F]{4}))|\\0?x([\da-fA-F]{2})/

OUTPUT_HEADER =

'===ORACLE DRIVER OUTPUT==='.freeze

DRIVER_CLASS =

'org.cf.oracle.Driver'.freeze

Instance Method Summary

• #initialize(device_id, timeout = 60) ⇒ Driver constructor

  A new instance of Driver.

• #install(dex) ⇒ Object
• #make_target(class_name, signature, *args) ⇒ Object
• #run(class_name, signature, *args) ⇒ Object
• #run_batch(batch) ⇒ Object

Methods included from Logging

included, logger, #logger, logger=

Constructor Details

#initialize(device_id, timeout = 60) ⇒ Driver

Returns a new instance of Driver.

# File 'lib/dex-oracle/driver.rb', line 23

def initialize(device_id, timeout = 60)
  @device_id = device_id
  @timeout = timeout

  device_str = device_id.empty? ? '' : "-s #{@device_id} "
  @adb_base = "adb #{device_str}%s"
  @driver_dir = get_driver_dir
  unless @driver_dir
    logger.error 'Unable to find writable driver directory. Make sure /data/local or /data/local/tmp exists and is writable.'
    exit -1
  end
  logger.debug "Using #{@driver_dir} as driver directory ..."
  @cmd_stub = "export CLASSPATH=#{@driver_dir}/od.zip; app_process /system/bin #{DRIVER_CLASS}"

  @cache = {}
end

Instance Method Details

#install(dex) ⇒ Object

# File 'lib/dex-oracle/driver.rb', line 40

def install(dex)
  has_java = Utility.which('java')
  raise 'Unable to find Java on the path.' unless has_java

  begin
    # Merge driver and target dex file
    # Congratulations. You're now one of the 5 people who've used this tool explicitly.
    raise "#{Resources.dx} does not exist and is required for DexMerger" unless File.exist?(Resources.dx)
    raise "#{Resources.driver_dex} does not exist" unless File.exist?(Resources.driver_dex)
    logger.debug("Merging input DEX (#{dex.path}) and driver DEX (#{Resources.driver_dex}) ...")
    tf = Tempfile.new(%w(oracle-driver .dex))
    cmd = "java -cp #{Resources.dx} com.android.dx.merge.DexMerger #{tf.path} #{dex.path} #{Resources.driver_dex}"
    stdout, stderr = exec(cmd)
    # Ideally, it says something like this:
    # Merged dex #1 (36 defs/87.9KiB)
    # Merged dex #2 (1225 defs/1092.7KiB)
    # Result is 1261 defs/1375.0KiB. Took 0.2s
    # But it might say this:
    # Exception in thread "main" com.android.dex.DexIndexOverflowException: Cannot merge new index 65776 into a non-jumbo instruction!
    if stderr.start_with?('Exception in thread "main"')
      logger.error("Failure to merge input DEX and driver DEX:\n#{stderr}")
      if stderr.include?('DexIndexOverflowException')
        logger.error("Your input DEX inexplicably contains const-string and const-string/jumbo. This probably means someone fucked with it. In any case, it means DexMerge is failing because there are too many strings.\nTry this: baksmali the DEX, replace all const-string instructions with const-string/jumbo, then recompile with smali and use that DEX as input. Sorry, I don't want to do this for you. It's too complicated.")
      end
      exit -1
    end
    tf.close

    # Zip merged dex and push to device
    logger.debug('Pushing merged driver to device ...')
    tz = Tempfile.new(%w(oracle-driver .zip))
    # Could pass tz to create_zip, but Windows doesn't let you rename if file open
    # And zip internally renames files when creating them
    tempzip_path = tz.path
    tz.close
    Utility.create_zip(tempzip_path, 'classes.dex' => tf)
    adb("push #{tz.path} #{@driver_dir}/od.zip")
  rescue => e
    puts "Error installing driver: #{e}\n#{e.backtrace.join("\n\t")}"
  ensure
    tf.close if tf
    tf.unlink if tf
    tz.close if tz
    tz.unlink if tz
  end
end

#make_target(class_name, signature, *args) ⇒ Object

# File 'lib/dex-oracle/driver.rb', line 126

def make_target(class_name, signature, *args)
  method = SmaliMethod.new(class_name, signature)
  target = {
    className: method.class.tr('/', '.'),
    methodName: method.name,
    arguments: build_arguments(method.parameters, args)
  }
  # Identifiers are used to map individual inputs to outputs
  target[:id] = Digest::SHA256.hexdigest(target.to_json)

  target
end

#run(class_name, signature, *args) ⇒ Object

# File 'lib/dex-oracle/driver.rb', line 87

def run(class_name, signature, *args)
  method = SmaliMethod.new(class_name, signature)
  cmd = build_command(method.class, method.name, method.parameters, args)
  output = nil
  retries = 1
  begin
    output = drive(cmd)
  rescue => e
    # If you slam an emulator or device with too many app_process commands,
    # it eventually gets angry and segmentation faults. No idea why.
    # This took many frustrating hours to figure out.
    raise e if retries > 3

    logger.debug("Driver execution failed. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
    sleep 5
    retries += 1
    retry
  end

  output
end

#run_batch(batch) ⇒ Object

# File 'lib/dex-oracle/driver.rb', line 109

def run_batch(batch)
  push_batch_targets(batch)
  retries = 1
  begin
    drive("#{@cmd_stub} @#{@driver_dir}/od-targets.json", true)
  rescue => e
    raise e if retries > 3 || !e.message.include?('Segmentation fault')

    # Maybe we just need to retry
    logger.debug("Driver execution segfaulted. Taking a quick nap and retrying, Zzzzz ##{retries} / 3 ...")
    sleep 5
    retries += 1
    retry
  end
  pull_batch_outputs
end