plum-umd / redexer

The Redexer binary instrumentation framework for Dalvik bytecode

Home Page: http://www.cs.umd.edu/projects/PL/redexer/

License: Other



redexer

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).

Publications

Requirements

  • OCaml and Ruby

This tool is tested under OCaml 4.09.0 and Ruby 1.8.6(7), so you need to install them (or higher versions of them).

  • OCaml package/library manager and SHA library

To manipulate the SHA-1 signature (hash) in the DEX format, we use the OCaml SHA library via ocamlfind/findlib, an OCaml library manager. The easiest way to install both is OPAM, an OCaml package manager, which provides both packages: OPAM ocamlfind and OPAM sha.

You can also build and/or install both packages directly. If you're using a Linux machine, you can easily find distribution packages for them.

If not, e.g., on a Mac, you need to build it yourself. You can find the original source code here. Build it by running make, and either link the resulting directory into ocamlfind's root site-lib directory or run sudo make install.

If you're using Windows, you need to install ocamlfind/findlib and FlexDLL first. Please make sure that your environment variables are set as follows:

OCAMLLIB=C:\OCaml\lib
CAML_LD_LIBRARY_PATH=%OCAMLLIB%\stublibs
FLEXLINKFLAGS=-L%MinGW%\lib -L%MinGW%\lib\gcc\mingw32\N.N.N
  • OPAM packages:

    • sha
    • str
    • ppx_deriving
    • ppx_deriving_yojson
    • yojson
  • Android SDK (or sources)

To unpack and repack apk files, we use apktool, an open source APK reengineering tool. Since it uses aapt, the Android Asset Packaging Tool, you need to install the Android SDK (or build it from sources). We also use zipalign, which likewise comes with the Android SDK, to optimize rewritten apps.

You can set the paths to the Android base tools by adding the following to your profile:

ANDROID_HOME=$HOME/android-sdk    # your own path here!
export ANDROID_HOME

PATH=$PATH:$ANDROID_HOME/tools
PATH=$PATH:$ANDROID_HOME/platform-tools
PATH=$PATH:$ANDROID_HOME/build-tools/19.0.0    # installed version number
export PATH
  • RubyGems and Nokogiri

The main scripts are written in Ruby and require RubyGems, a Ruby package manager, and Nokogiri, an XML library to manipulate manifest files.

  • (optional) graphviz dot

If you want to see graphs (e.g. call graph, control-flow graph, dominator tree, etc.), you need to install graphviz dot.

Build

To build redexer, just run make. The redexer binary appears at the top level.

$ make (clean)

Before using the tool, you need to install the most recent platform file for apktool yourself. For instance:

$ java -jar tools/apktool.jar if [proper platform file]

You can generate API documents in html format as well.

$ make api

Usage

  • help

You can see all the options the tool provides:

$ ruby scripts/cmd.rb -h
$ ruby scripts/cmd.rb --help
  • unparse

Like dexdump in the Android SDK, redexer lets you view the internals of the given dex file in YAML format.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd unparse [--to blah.yml]
  • dump method

This option dumps instructions for a specified method.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd dump_method --mtd cls.mtd
  • identity

This feature tests the parsing and dumping modules of redexer. It is expected to generate an identical dex file.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd id [--to blah.dex]
  • info

You can also see basic statistics about the dex file, e.g., the number of instructions.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd info
  • classes

This option prints out all class names defined in the dex file.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd classes

It may be useful to search specific third-party libraries, e.g.,

$ ruby scripts/cmd.rb target.(apk|dex) --cmd classes | egrep 'apache'
  • api

This option prints out API usage in the dex file.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd api [--sdk android.]
$ ruby scripts/cmd.rb target.(apk|dex) --cmd api --sdk com.facebook.
  • opcode statistics

Aren't you curious how rarely some opcodes are used in Dalvik bytecode? This option shows a histogram of all opcodes, or you can look up how often specific opcodes are used in the given app.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd opstat [--op opcode1,opcode2,...]

For instance,

$ ruby scripts/cmd.rb ~/apps/top24/com.whatsapp.apk --cmd opstat
$ ruby scripts/cmd.rb ~/apps/top24/com.whatsapp.apk --cmd opstat --op div-int/lit16,nop
  • Intent resolution analysis

This option conducts propagation-based Intent resolution analysis, and prints out transitions amongst Activity classes.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd intent
  • call graph

This option generates a pdf file that depicts a call graph of the given file. If you don't specify the pdf name, cg.pdf will be used.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd cg [--to blah.pdf] [--no-pdf]
  • control-flow graph

This option generates a pdf file that shows the control-flow graph of the given method. Append the method name to the class name with a dot: class_name.method_name

$ ruby scripts/cmd.rb target.(apk|dex) --cmd cfg --mtd cls.mtd [--to blah.pdf] [--no-pdf]
  • (post) dominator tree

This option is similar to the one above, except that it depicts the (post) dominator tree.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd (p)dom --mtd cls.mtd [--to blah.pdf] [--no-pdf]
  • liveness analysis

This option performs a classic backward data-flow analysis.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd live --mtd cls.mtd
  • constant-propagation analysis

This option conducts a classic forward data-flow analysis.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd const --mtd cls.mtd
  • reaching definition analysis

This option conducts a classic forward data-flow analysis.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd reach --mtd cls.mtd
  • dependants

This option finds the class dependencies of the given method.

$ ruby scripts/cmd.rb target.(apk|dex) --cmd dependants --mtd cls.mtd
  • launcher activity

This option prints out the launching activity name of the given apk.

$ ruby scripts/cmd.rb target.apk --cmd launcher
  • exported

This option lets you know which components are exported, i.e., exposed to other apps.

$ ruby scripts/cmd.rb target.apk --cmd exported
  • activity, service, provider, receiver

These options print out Android basic components declared in the manifest.

$ ruby scripts/cmd.rb target.apk --cmd [activity | service | provider | receiver]
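As an added example (not part of redexer or its scripts), the following Ruby answers the question behind the exported command above, and also lists components per kind like the activity/service/provider/receiver commands. It parses the decoded AndroidManifest.xml that apktool produces with Ruby's bundled REXML instead of Nokogiri, runs on a constructed sample manifest, and applies the platform defaults: a component that declares an intent-filter is exported unless android:exported="false", and a provider is exported by default only when minSdkVersion or targetSdkVersion is 16 or lower.

```ruby
# Added example, not redexer's code: which components of a decoded
# AndroidManifest.xml are reachable from other apps?  REXML (Ruby stdlib)
# is used instead of Nokogiri so the script runs without extra gems.
require 'rexml/document'

COMPONENT_TAGS = %w[activity activity-alias service receiver provider].freeze

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.app">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
    <application android:label="Example">
      <activity android:name=".MainActivity">
        <intent-filter>
          <action android:name="android.intent.action.MAIN"/>
          <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
      </activity>
      <activity android:name=".SettingsActivity"/>
      <service android:name=".SyncService" android:exported="true"/>
      <receiver android:name=".BootReceiver" android:exported="false">
        <intent-filter>
          <action android:name="android.intent.action.BOOT_COMPLETED"/>
        </intent-filter>
      </receiver>
      <provider android:name=".DataProvider"
                android:authorities="com.example.app.data"/>
    </application>
  </manifest>
XML

# Names of all components of one kind (activity, service, provider, receiver).
def components(manifest_xml, tag)
  doc = REXML::Document.new(manifest_xml)
  doc.elements.to_a("manifest/application/#{tag}").map { |el| el.attributes['android:name'] }
end

# Returns [{ tag:, name:, reason: }, ...] for every component other apps
# can reach, with the rule that made it exported.
def exported_components(manifest_xml)
  doc = REXML::Document.new(manifest_xml)
  sdk = doc.elements['manifest/uses-sdk']
  min_sdk    = ((sdk && sdk.attributes['android:minSdkVersion']) || '1').to_i
  target_sdk = ((sdk && sdk.attributes['android:targetSdkVersion']) || min_sdk).to_i
  found = []
  COMPONENT_TAGS.each do |tag|
    doc.elements.each("manifest/application/#{tag}") do |el|
      explicit   = el.attributes['android:exported']
      has_filter = !el.elements['intent-filter'].nil?
      exported, reason =
        if explicit
          # An explicit attribute always wins over the defaults below.
          [explicit == 'true', %(android:exported="#{explicit}")]
        elsif tag == 'provider'
          # Providers default to exported only on old SDK levels.
          [[min_sdk, target_sdk].min <= 16, 'provider default for minSdk/targetSdk <= 16']
        else
          # Any other component with an <intent-filter> is implicitly exported.
          [has_filter, 'implicit: declares an <intent-filter>']
        end
      found << { tag: tag, name: el.attributes['android:name'], reason: reason } if exported
    end
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  exported_components(SAMPLE_MANIFEST).each do |c|
    puts "#{c[:tag]} #{c[:name]}  (#{c[:reason]})"
  end
end
```

On the sample, MainActivity (launcher intent-filter), SyncService (explicit true) and DataProvider (minSdkVersion 8, so the old provider default applies) are reported; BootReceiver is not, because android:exported="false" overrides its intent-filter. The reason string is what makes such a report useful in review: an old minSdkVersion silently exporting a provider is easy to miss otherwise.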
  • custom_views

This option explores the layout definitions in the resources and prints out custom views.

$ ruby scripts/cmd.rb target.apk --cmd custom_views
  • fragments

This option explores the layout definitions in the resources and prints out Fragment elements.

$ ruby scripts/cmd.rb target.apk --cmd fragments
  • buttons

This option explores the layout definitions in the resources and prints out Buttons, along with their id (or text) and their callback method (if one exists).

$ ruby scripts/cmd.rb target.apk --cmd buttons
  • permissions declared in the app's manifest

This option prints out permissions the apk uses.

$ ruby scripts/cmd.rb target.apk --cmd permissions
  • target SDK version

This option prints out what SDK version the apk requires.

$ ruby scripts/cmd.rb target.apk --cmd sdk

If you don't want to unpack the apk file, you can get the same information with a combination of commands:

$ aapt dump badging target.apk | grep 'targetSdkVersion' | tr -dc 0-9.\\n
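The pipeline above extracts only the target SDK version. As an added example (not code from the project), here is a Ruby parser for the text that aapt dump badging prints which also pulls out the package name, the permissions and the launchable activity reported by the launcher, permissions and sdk commands above. The sample output is constructed; the fallback to the minimum SDK when targetSdkVersion is absent follows Android's own default, and the optional name= in the uses-permission line covers older aapt versions that omit it.

```ruby
# Added example, not redexer's code: parse `aapt dump badging` output
# without unpacking the apk.  SAMPLE_BADGING is constructed to look like
# real aapt output; it does not come from any particular app.
SAMPLE_BADGING = <<~TXT
  package: name='com.example.app' versionCode='12' versionName='1.2'
  sdkVersion:'8'
  targetSdkVersion:'19'
  uses-permission: name='android.permission.INTERNET'
  uses-permission: name='android.permission.READ_CONTACTS'
  application-label:'Example'
  launchable-activity: name='com.example.app.MainActivity'  label='Example' icon=''
TXT

# Returns a Hash with :package, :version_code, :version_name, :min_sdk,
# :target_sdk, :permissions (Array) and :launcher.
def parse_badging(text)
  info = { permissions: [] }
  text.each_line do |raw|
    line = raw.strip
    case line
    when /\Apackage: name='([^']*)' versionCode='([^']*)' versionName='([^']*)'/
      info[:package], info[:version_code], info[:version_name] = $1, $2.to_i, $3
    when /\AsdkVersion:'(\d+)'/
      info[:min_sdk] = $1.to_i
    when /\AtargetSdkVersion:'(\d+)'/
      info[:target_sdk] = $1.to_i
    # Older aapt prints uses-permission:'x', newer prints uses-permission: name='x'.
    when /\Auses-permission:(?: name=)?'([^']*)'/
      info[:permissions] << $1
    when /\Alaunchable-activity: name='([^']*)'/
      info[:launcher] = $1
    end
  end
  # Android treats a missing targetSdkVersion as equal to minSdkVersion.
  info[:target_sdk] ||= info[:min_sdk]
  info
end

# Same answer as the grep/tr pipeline, but as a value rather than text.
def target_sdk(text)
  parse_badging(text)[:target_sdk]
end

if __FILE__ == $PROGRAM_NAME
  info = parse_badging(SAMPLE_BADGING)
  puts "#{info[:package]} targets SDK #{info[:target_sdk]} (min #{info[:min_sdk]})"
  puts "launcher: #{info[:launcher]}"
  info[:permissions].each { |p| puts "  uses #{p}" }
end
```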
  • Hello, DEX

This option generates a dex file that prints out a simple message. That dex file is built using only redexer's APIs.

$ ruby scripts/cmd.rb --cmd hello

Check its internals:

$ dexdump -d results/classes.dex

If you're interested, you can test that dex file as follows. This assumes the Android SDK tools are on your PATH.

// create a temporary jar suitable for dalvik VM
$ aapt add temp.jar results/classes.dex

// (optional) if you didn't make an avd, then make it.
$ android create avd -n myAVD1 -t android-8

// launch your emulator
$ emulator -avd myAVD1 &

// push the temporary jar
$ adb push temp.jar /data

// connect to adb shell
$ adb shell

// at last, run the dex
# /system/bin/dalvikvm -Xbootclasspath:/system/framework/core.jar \
 -classpath /data/temp.jar Hello
Hello, DEX
#
  • logging

This is a variant of the rewrite feature. Using it, you can log an app's behavior from specific points of view. A pre-built dex file for the logging library is provided: data/logging.dex. If you want to add more features or utilities, build it as follows:

$ cd logging
$ gradle copyDex
$ cd ..

Then, use the following command:

$ ruby scripts/cmd.rb target.apk --cmd logging

trim.py can capture the call-return sequences of the instrumented app. (You should first instrument the app under test using redexer.)

If those logs are short enough, i.e., the phone (or emulator) can hold all the information in memory, you may use the offline mode of the script:

$ ./scripts/trim.py -d

Note that all command-line parameters will be passed to adb logcat, and by default, org.umd.logging:I *:S is passed to filter out irrelevant logs.

If logs overflow, you should use the online mode:

$ ./scripts/trim.py

The script catches the keyboard interrupt, so you can finish logging with Ctrl+C.

In either mode, logs are saved in log.txt and shown on the screen at the same time. Since the file is overwritten on the next run, you may want to move it after collecting logs, e.g.:

$ mv log.txt app.scenario.txt
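The call-return sequence that trim.py reconstructs can also be checked offline. The following Ruby is an added example rather than part of redexer or its scripts: it filters constructed logcat lines down to the org.umd.logging tag (the same filter the adb logcat arguments apply), pairs each Method > entry with its Method < exit, and reports the nesting depth of every event plus any call that was still open when the log ended, which is what you see when the app was killed mid-run or the log overflowed. The Method > / Method < line format is taken from the logging library's own output; the method names and pid are made up.

```ruby
# Added example, not redexer's code: rebuild the call/return nesting from
# org.umd.logging logcat lines.  Sample lines are constructed.
SAMPLE_LOGCAT = <<~LOG
  I/org.umd.logging( 1234): Method > com.example.app.MainActivity.onCreate(com.example.app.MainActivity@1103909280)
  I/org.umd.logging( 1234): Method > com.example.app.Net.fetch(http://example.invalid/)
  D/dalvikvm( 1234): GC_CONCURRENT freed 123K, 7% free
  I/org.umd.logging( 1234): Method < com.example.app.Net.fetch(java.lang.String@1104888792)
  I/org.umd.logging( 1234): Method < com.example.app.MainActivity.onCreate()
LOG

# priority/tag( pid): Method >|< fully.qualified.method(payload)
LOG_RE = %r{\A([VDIWEF])/([^(]+?)\(\s*(\d+)\): Method ([<>]) ([^(]+)\((.*)\)\z}

# Returns [events, still_open]:
#   events     - Array of { depth:, dir: :call|:return, method:, payload:, matched: }
#   still_open - methods entered but never exited before the log ended
def call_return_sequence(lines, tag: 'org.umd.logging')
  stack  = []
  events = []
  lines.each do |raw|
    m = LOG_RE.match(raw.strip)
    next unless m && m[2] == tag        # drop every other tag, like `org.umd.logging:I *:S`
    dir, method, payload = m[4], m[5], m[6]
    if dir == '>'
      events << { depth: stack.size, dir: :call, method: method, payload: payload, matched: true }
      stack.push(method)
    elsif stack.last == method
      stack.pop
      events << { depth: stack.size, dir: :return, method: method, payload: payload, matched: true }
    else
      # A return that does not match the innermost open call: truncated or
      # interleaved log.  Keep it, but flag it instead of corrupting the stack.
      events << { depth: stack.size, dir: :return, method: method, payload: payload, matched: false }
    end
  end
  [events, stack]
end

# Indented one-line-per-event rendering, similar to what a trimmed log reads like.
def render_sequence(events)
  events.map { |e| ('  ' * e[:depth]) + (e[:dir] == :call ? '> ' : '< ') + e[:method] }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  events, open_calls = call_return_sequence(SAMPLE_LOGCAT.lines)
  puts render_sequence(events)
  puts "still open at end of log: #{open_calls.inspect}" unless open_calls.empty?
end
```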
  • logging user interactions

The logging feature above is general in that you can specify what to log at the method level. (See the logging module for more details.) However, this is sometimes too verbose and may degrade performance. This feature is designed to log only user interactions, i.e., UI-related events. Similarly, a pre-built dex file for the UI logging library is provided: data/logging-ui.dex. If you want to change the verbosity of the UI information, build it as follows:

$ cd logging-ui
$ gradle copyDex
$ cd ..

Then, use the following command:

$ ruby scripts/cmd.rb target.apk --cmd logging_ui

The UI logging library extends the Android accessibility (a11y) service, which requires the user's explicit consent. Thus, after installing the rewritten apk, go to Settings/Accessibility and turn on the UI Logging service. (This step is comparable to turning on the device's debugging mode.) In the logcat, messages with tags org.umd.logging_ui.* are interactions between the user and the app under test.

  • directed exploration

This option finds component transition paths towards target method calls.

$ ruby scripts/cmd.rb target.apk --cmd directed

You can specify the target methods to be invoked in data/directed.txt.

Those component transition paths are used to drive apps to test security vulnerabilities in 3rd party libraries. More details are described at the following paper:

* Brahmastra: Driving Apps to Test the Security of Third-Party Components.
R. Bhoraskar, et al., In 23rd Usenix Security Symposium (Security '14).

withTimeout.rb can build a skip file for an app automatically. This script runs cmd.rb with a specific timeout, used to limit the time spent instrumenting any single class. This is a temporary work-around for the occasional class that gets stuck in a loop during instrumentation. When this script finds a class that crashes, it adds it to the skip file and continues from where it left off. Once withTimeout has terminated, there will be a file called [apk name]-skip.txt in the data directory, which can be used to build a fully-instrumented app for that apk. To use withTimeout, simply call

$ ruby scripts/withTimeout.rb TIMEOUT COMMANDS

where TIMEOUT is the length of the timeout you want in seconds (300 is recommended) and COMMANDS are all the regular command-line arguments you would pass to scripts/cmd.rb for the apk.

redexer's People

Contributors

eldr4d, jsjeon, kmicinski, kuk0, moshekaplan, rmega12, taehunkim


redexer's Issues

String literal corruption

This was reported by Santosh Kumar Cheler.

When rewriting "Kingsoft_Office_5_5_1", one string literal is getting changed to something different. To check this out, add the following to the file: logging/src/org/umd/logging/Logger.java:

static void test() {
    System.out.println("pl/test.properties");
}

Then, this is getting changed to:

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Ldxq;"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

This is not happening when removing the "/" in the string.

register type inference bug

context: in the logging module, you need some free registers so you shift them and call update_reg_usage; the problem is that some registers may cross the 16-register boundary and you need to add further instructions to move them from high to low - this is what the expand_opr in modify.ml is supposed to do...
to move a register, you need to know, whether it's a normal register (say int; and move instr. should be used) or an object reference (and move-obj should be used)

you try to infer the register type by doing a data flow analysis, but then consider just the first type!

I encountered code where this approach failed: a register was an object reference, but it was first initialized as 0 (NULL) which made redexer think it is an int...
(0 seems to be the only ambiguous value)

Dex API too leaky: tries length vs tries

The Dex module presents a leaky API to the user: lots of record cells are mutable, which ends up being problematic when inserting items because there are necessarily implicit invariants. For example, the tries_size field has to be in sync with the length of tries. The API should be carefully redesigned so that this is more intuitive.

installation at Ubuntu 12.04 LTS amd64

Hello,

I'm having a trouble installing redexer at Ubuntu 12.04 LTS amd64.

here's my error at make step.

ocamlfind: [WARNING] The DLL dllsha256.so occurs in multiple directories: /usr/local/lib/ocaml/3.12.1/stublibs
File "src/ext/directed.ml", line 89, characters 2-152:
Warning 8: this pattern-matching is not exhaustive.
Here is an example of a value that is not matched:
(::, [])
File "src/ext/directed.ml", line 172, characters 8-114:
Warning 8: this pattern-matching is not exhaustive.
Here is an example of a value that is not matched:
None
File "src/ext/directed.ml", line 405, characters 4-11:
Error: Unbound value L.iteri
make[1]: *** [src/ext/directed.cmx] Error 2
make[1]: Leaving directory `/home/krha/redexer'
make: *** [native-code] Error 2

and here's my library installation & configuration.

$ dpkg -l | grep ruby
ii libruby 4.8 Transitional package for libruby1.8
ii libruby1.8 1.8.7.352-2ubuntu1.4 Libraries necessary to run Ruby 1.8
ii libruby1.9.1 1.9.3.0-1ubuntu2.8 Libraries necessary to run Ruby 1.9.1
ii libruby1.9.1-dbg 1.9.3.0-1ubuntu2.8 Debugging symbols for Ruby 1.9.1
ii libtcltk-ruby1.9.1 1.9.3.0-1ubuntu2.8 Tcl/Tk interface for Ruby 1.9.1
ii ruby-bundler 1.0.15-0ubuntu2 manage your ruby application's dependencies
ii ruby1.8 1.8.7.352-2ubuntu1.4 Interpreter of object-oriented scripting language Ruby 1.8
ii ruby1.8-dev 1.8.7.352-2ubuntu1.4 Header files for compiling extension modules for the Ruby 1.8
ii ruby1.9.1 1.9.3.0-1ubuntu2.8 Interpreter of object-oriented scripting language Ruby
ii ruby1.9.1-dev 1.9.3.0-1ubuntu2.8 Header files for compiling extension modules for the Ruby 1.9.1
ii ruby1.9.1-examples 1.9.3.0-1ubuntu2.8 Examples for Ruby 1.9
ii ruby1.9.1-full 1.9.3.0-1ubuntu2.8 Ruby 1.9.1 full installation
ii ruby1.9.3 1.9.3.0-1ubuntu2.8 Interpreter of object-oriented scripting language Ruby, version 1.9.3
ii rubygems 1.8.15-1ubuntu0.1 package management framework for Ruby libraries/applications

$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]

$ dpkg -l | grep ocam
ii libfindlib-ocaml 1.2.7+debian-1build3 library for managing OCaml libraries (runtime)
ii libfindlib-ocaml-dev 1.2.7+debian-1build3 library for managing OCaml libraries (development files)
ii libsha-ocaml 1.7-2build3 SHA cryptographic hash functions for OCaml (runtime)
ii ocaml 3.12.1-2ubuntu2 ML language implementation with a class-based object system
ii ocaml-base 3.12.1-2ubuntu2 Runtime system for OCaml bytecode executables
ii ocaml-base-nox 3.12.1-2ubuntu2 Runtime system for OCaml bytecode executables (no X)
ii ocaml-findlib 1.2.7+debian-1build3 management tool for OCaml libraries
ii ocaml-interp 3.12.1-2ubuntu2 OCaml interactive interpreter and standard libraries
ii ocaml-nox 3.12.1-2ubuntu2 ML implementation with a class-based object system (no X)

Do you have any idea? Thanks!

Implement proper dataflow analysis for reaching definitions using a powerset lattice for register

Currently the reaching definitions analysis in Redexer uses the wrong lattice for its dataflow analysis.

Redexer should implement dataflow analysis that answers the question: for every point in the program, and for every register at that point, which definitions reach this point? Right now, it only allows one instruction to modify that, because it uses an int map for its lattice structure:

https://github.com/plum-umd/redexer/blob/master/src/ext/reaching.ml#L90

Instead, it should use a set, and proper operations on that set.

This is critical for fixing issue #18, because the reason that's broken is a result of incorrect dataflow analysis. Currently, we are fixing this by skipping the problematic method in the app under consideration, but a proper fix requires implementing dataflow analysis correctly.

I am not fixing this this weekend, because I'm going to work on the visualization instead. But after the weekend (/ we finish the implementation) I'll pay attention to this.
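As an added example covering the reaching-definition analysis in the usage section above as well as the two issues above (the register type inference that only considers the first definition, and the int-map lattice in reaching.ml), the Ruby below runs a reaching-definitions analysis over a constructed Dalvik-like program using a powerset lattice, i.e. a set of (register, defining instruction) pairs per program point, and then infers a register's type by joining the kinds of all definitions that reach a use. The ambiguous const 0 from the type-inference issue is modelled as a :zero kind that joins with either int or reference, so a register that is first set to 0 and later to an object is correctly resolved to a reference and gets a move-object rather than a move. This is example code, not redexer's: the instruction encoding, the :zero/:int/:ref kinds and the move_opcode helper are assumptions made for the example and do not mirror redexer's data structures.

```ruby
# Added example, not redexer's code: reaching definitions with a powerset
# lattice, then register type inference by joining over all reaching
# definitions.  PROGRAM is a constructed, Dalvik-like straight-line/branch
# snippet; :kind is the value kind an instruction writes into :dst.
require 'set'

PROGRAM = [
  { op: 'const',          dst: 'v0', srcs: [],     kind: :zero },  # 0: v0 := 0  (int 0 or null?)
  { op: 'if-eqz',         dst: nil,  srcs: ['v1'], target: 3 },    # 1: if v1 == 0 goto 3
  { op: 'new-instance',   dst: 'v0', srcs: [],     kind: :ref },   # 2: v0 := new Object
  { op: 'invoke-virtual', dst: nil,  srcs: ['v0'] },               # 3: use v0 as a receiver
  { op: 'return-void',    dst: nil,  srcs: [] },                   # 4
].freeze

# Control-flow successors: fall through unless the instruction ends the
# block, plus the explicit branch target if there is one.
def successors(prog, i)
  ins  = prog[i]
  succ = []
  falls = ins[:op] != 'goto' && !ins[:op].start_with?('return') && i + 1 < prog.size
  succ << i + 1 if falls
  succ << ins[:target] if ins[:target]
  succ
end

def predecessors(prog)
  preds = Array.new(prog.size) { [] }
  prog.each_index { |i| successors(prog, i).each { |s| preds[s] << i } }
  preds
end

# Forward analysis.  Returns in_sets, where in_sets[i] is the Set of
# [register, defining_index] pairs that reach instruction i.  A register
# may have several reaching definitions, which an int map cannot express.
def reaching_definitions(prog)
  preds    = predecessors(prog)
  in_sets  = Array.new(prog.size) { Set.new }
  out_sets = Array.new(prog.size) { Set.new }
  changed = true
  while changed
    changed = false
    prog.each_with_index do |ins, i|
      new_in = preds[i].inject(Set.new) { |acc, p| acc | out_sets[p] }   # meet = union
      new_out =
        if ins[:dst]
          # KILL every other definition of the written register, then GEN this one.
          Set.new(new_in.reject { |(reg, _)| reg == ins[:dst] }) | Set[[ins[:dst], i]]
        else
          new_in
        end
      next if new_in == in_sets[i] && new_out == out_sets[i]
      in_sets[i], out_sets[i] = new_in, new_out
      changed = true
    end
  end
  in_sets
end

# Join of two value kinds: 0 is compatible with anything, int and reference
# are not compatible with each other.
def join_kind(a, b)
  return b if a.nil? || a == :zero
  return a if b == :zero || a == b
  :conflict
end

# Correct inference: join the kinds of *all* definitions reaching (i, reg).
def infer_kind(prog, in_sets, i, reg)
  in_sets[i].select { |(r, _)| r == reg }
            .map { |(_, d)| prog[d][:kind] }
            .inject(nil) { |acc, k| join_kind(acc, k) }
end

# The shortcut the issue describes: look only at the earliest definition.
def first_def_kind(prog, in_sets, i, reg)
  d = in_sets[i].select { |(r, _)| r == reg }.map(&:last).min
  d && prog[d][:kind]
end

# Which wide move the operand expander must emit for a register of this kind.
def move_opcode(kind)
  case kind
  when :ref         then 'move-object/from16'
  when :int, :zero  then 'move/from16'
  else raise ArgumentError, "cannot choose a move for kind #{kind.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  ins = reaching_definitions(PROGRAM)
  PROGRAM.each_index { |i| puts "#{i}: #{PROGRAM[i][:op]}  IN=#{ins[i].to_a.sort.inspect}" }
  puts "v0 at 3: joined=#{infer_kind(PROGRAM, ins, 3, 'v0')} first-def=#{first_def_kind(PROGRAM, ins, 3, 'v0')}"
end
```

At instruction 3 both definitions of v0 (the const 0 at 0 and the new-instance at 2) reach the use, so the joined kind is :ref and move-object/from16 is the right choice; the first-definition shortcut sees only the const 0 and would pick move/from16, which is exactly the ill-typed code the verifier rejects.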

Multi-dex support

Support for multi-dex files by adding method prototypes and passing through classesN.dex as the (e.g.,) logging library

basic apk logging issue

Hello!

I am currently trying to use Redexer to implement logging to an apk when certain methods are called (like the tutorial). However, I am having a few issues.

When I run
ruby scripts/cmd.rb my-app-base.apk --cmd logging

It seems to run correctly, as this is the terminal output:

java -jar /home/vherzog/redexer/scripts/../tools/apktool.jar d -f --no-src --keep-broken-res -o tmp_dir_th870pye ../my-app-base.apk
/home/vherzog/redexer/scripts/../redexer -out tmp_dir_th870pye/classes.dex tmp_dir_th870pye/classes.dex -logging
====== redexer performance statistics ======
TOTAL 20.116 s
parse 0.660 s
merge 0.468 s
logging 16.144 s
transition 3.964 s
cfg 0.000 s
pdom 0.000 s
instrument 5.740 s
cfg 0.004 s
pdom 0.000 s
expand-opr 0.344 s
reach 0.316 s
cfg 0.032 s
trans 0.008 s
meet 0.020 s
rename 0.000 s
dump 2.844 s
place 1.088 s
calc. 0.328 s
trans 1.400 s
Timing used
Memory statistics: total=7474.59MB, max=432.41MB, minor=3663.91MB, major=4407.82MB, promoted=597.14MB
minor collections=3374 major collections=78 compactions=1
java -jar /home/vherzog/redexer/scripts/../tools/apktool.jar b -f -o tmp_dir_th870pye/unsigned.apk tmp_dir_th870pye
...
.# of method logging instruction(s): 268
.# of API-use logging instruction(s): 170
.# of operand expand(s): 810
java -jar /home/vherzog/redexer/scripts/../tools/apktool.jar b -f -o tmp_dir_th870pye/unsigned.apk tmp_dir_th870pye
I: Using Apktool 2.2.0
I: Copying tmp_dir_th870pye classes.dex file...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
java -jar /home/vherzog/redexer/scripts/../tools/signapk.jar /home/vherzog/redexer/scripts/../tools/platform.x509.pem /home/vherzog/redexer/scripts/../tools/platform.pk8 tmp_dir_th870pye/unsigned.apk tmp_dir_th870pye/unaligned.apk
zipalign 4 tmp_dir_th870pye/unaligned.apk base.apk

However, when I unpack the new apk file, there are no changes from the old one (no logging implemented).

Is there another command I should be running in order to properly use this element of redexer?

Thanks!

`opr_expander` pass generates ill typed code for `if-ne` instruction

In the "wedding planner" app @eldr4d linked, there was a specific issue that caused badly formed code after rewriting. The original error thrown by the verifier is:

W/dalvikvm( 2658): VFY: copy1 v1<-v18 type=-1531563544 cat=1
W/dalvikvm( 2658): VFY:  rejecting opcode 0x02 at 0x0091
W/dalvikvm( 2658): VFY:  rejected
Lorg/codehaus/jackson/map/ser/std/MapSerializer;.serializeTypedFields
 (Ljava/util/Map;Lorg/codehaus/jackson/JsonGenerator;Lorg/codehaus/jackson/map/SerializerProvider;)V
W/dalvikvm( 2658): Verifier rejected class
Lorg/codehaus/jackson/map/ser/std/MapSerializer;

The reason why this is happening is that in the instrumented bytecode, the method org.codehaus.jackson.map.ser.std.MapSerializer.serializeTypedFields contains malformed bytecode at the address 0x004CEEDE. The offending instruction at that address is:

0x004CEEDE    op: move/from16, opr [v1], opr [v18]

This comes as the result of a "cleanup" pass within redexer: the opr_expander pass in the Modify module. The purpose of this pass is to fix up bytecode instructions that have been thrown out of range by instrumentation. After instrumenting redexer to print the instructions that are replaced as a result of this phase, I have realized that the original instruction replaced is:

if-ne v9 v18 0x004D06CE

The instruction sequence is replaced with

move/from16 v1 v18
if-ne v9 v1 0x004D06CE

This is a necessary step, because if-ne only works on four bit operands. But the problem is that v1 is somehow causing a type error? I'm not sure what's happening, so I need to look into the machinery that's being used to allocate registers in this phase.

Try / catch blocks are dropped when logging

Here's a method that Redexer fails on:

boolean isPackageInstalled(Context context, String s)
{
    context = context.getPackageManager();
    boolean flag = false;
    try
    {
        context = context.getPackageInfo(s, 0);
    }
    // Misplaced declaration of an exception variable
    catch (Context context)
    {
        return false;
    }
    if (context != null)
    {
        flag = true;
    }
    return flag;
}

However, it produces this output instead (decompiled):

boolean isPackageInstalled(Context context, String s)
{
    Logger.logMethodEntry(new Object[] {
        this, context, s
    });
    Logger.logAPIEntry("Landroid/content/Context;", "getPackageManager", new Object[] {
        context
    });
    context = context.getPackageManager();
    Logger.logAPIExit("Landroid/content/Context;", "getPackageManager", new Object[] {
        context
    });
    boolean flag = false;
    Logger.logAPIEntry("Landroid/content/pm/PackageManager;", "getPackageInfo", new Object[] {
        context, s, Integer.valueOf(0)
    });
    context = context.getPackageInfo(s, 0);
    Logger.logAPIExit("Landroid/content/pm/PackageManager;", "getPackageInfo", new Object[] {
        context
    });
    if (context != null)
    {
        flag = true;
    }
    Logger.logMethodExit(new Object[] {
        Boolean.valueOf(flag)
    });
    return flag;
}

Redexer drops the try/catch block.

Redexer doesn't instrument runnable functions.

Redexer doesn't instrument code that starts a new thread (e.g. void run () {... }).
I found this problem in the wepala wedding application (apk-> https://www.dropbox.com/s/qru4lmfs4210ulx/com.wepala.weddingplan-1.apk?dl=0).

In order to locate the bug I converted the .dex file to .jar and then ran a Java decompiler to get access to the source code. The problem (for the wedding application) can be found in the file com.wepala.weddingplan.ui.BaseListFragment (screenshot attached).


Make fail with can't find SHA library

I followed the readme.md, but when I run make I get these errors:

ocamlbuild -cflag -dsource -use-ocamlfind main.native

+ ocamlfind ocamldep -package sha,str,unix,ppx_deriving.std,ppx_deriving_yojson -modules src/main.ml > src/main.ml.depends
ocamlfind: Package `sha' not found
Command exited with code 2.
Compilation unsuccessful after building 1 target (0 cached) in 00:00:00.
make: *** [main.native] error 10

$ opam list

Installed packages for system:

base-bigarray base Bigarray library distributed with the OCaml compiler
base-threads base Threads library distributed with the OCaml compiler
base-unix base Unix library distributed with the OCaml compiler
ocamlfind 1.5.6 A library manager for OCaml
sha 1.9 Binding to the SHA cryptographic functions


$ ocamlfind list
bigarray (version: [distributed with Ocaml])
camlp4 (version: [distributed with Ocaml])
camlp4.exceptiontracer (version: [distributed with Ocaml])
camlp4.extend (version: [distributed with Ocaml])
camlp4.foldgenerator (version: [distributed with Ocaml])
camlp4.fulllib (version: [distributed with Ocaml])
camlp4.gramlib (version: [distributed with Ocaml])
camlp4.lib (version: [distributed with Ocaml])
camlp4.listcomprehension (version: [distributed with Ocaml])
camlp4.locationstripper (version: [distributed with Ocaml])
camlp4.macro (version: [distributed with Ocaml])
camlp4.mapgenerator (version: [distributed with Ocaml])
camlp4.metagenerator (version: [distributed with Ocaml])
camlp4.profiler (version: [distributed with Ocaml])
camlp4.quotations (version: [distributed with Ocaml])
camlp4.quotations.o (version: [distributed with Ocaml])
camlp4.quotations.r (version: [distributed with Ocaml])
camlp4.tracer (version: [distributed with Ocaml])
compiler-libs (version: [distributed with Ocaml])
compiler-libs.bytecomp (version: [distributed with Ocaml])
compiler-libs.common (version: [distributed with Ocaml])
compiler-libs.optcomp (version: [distributed with Ocaml])
compiler-libs.toplevel (version: [distributed with Ocaml])
dynlink (version: [distributed with Ocaml])
findlib (version: 1.4)
graphics (version: [distributed with Ocaml])
labltk (version: [distributed with Ocaml])
num (version: [distributed with Ocaml])
num-top (version: 1.4)
num.core (version: [internal])
oasis (version: 0.3.0)
oasis.base (version: 0.3.0)
oasis.builtin-plugins (version: 0.3.0)
oasis.cli (version: 0.3.0)
oasis.dynrun (version: 0.3.0)
ocamlbuild (version: [distributed with Ocaml])
odn (version: 0.0.11)
odn.with (version: n/a)
odn.with.syntax (version: 0.0.11)
odn.without (version: n/a)
odn.without.syntax (version: 0.0.11)
pcre (version: 7.0.4)
plugin-loader (version: 0.3.0)
stdlib (version: [distributed with Ocaml])
str (version: [distributed with Ocaml])
threads (version: [distributed with Ocaml])
threads.posix (version: [internal])
threads.vm (version: [internal])
type_conv (version: 109.28.00)
unix (version: [distributed with Ocaml])
userconf (version: 0.3.0)

Check fine grained regex based logging for method entries along with calls

In android-logging-experimental branch.

That branch logs method calls using the regex based logging preferences, but doesn't check method entries against the same set of regexes. This needs to be fixed to be consistent across logging methods: it doesn't make sense only to log calls but then not check method entries.

[master branch] redexer throws Exception: DynArray.Invalid_arg

app-debug.apk.zip
When I run redexer on my apk (attached), redexer throws the exception:

Exception: DynArray.Invalid_arg(0, "get", "index") Raised at file "hashtbl.ml", line 140, characters 23-32

To reproduce, run the following:

~/Desktop/Hogarth/redexer$ ruby scripts/cmd.rb --cmd logging --logging-fine app-debug.apk

And you should see:

Exception: DynArray.Invalid_arg(0, "get", "index")
Raised at file "hashtbl.ml", line 140, characters 23-32

Dalvik VM halts during the execution of instrumented app

We tried to use Redexer to add logs into an app and while Redexer didn't produce any error during the execution, it seems that during the actual run of the application some instructions are buggy.

Below is the dump extracted with adb from the actual phone:

I/ActivityManager( 468): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.XXXXXXX/.UBUberActivity (has extras)} from pid 788
I/ActivityManager( 468): Start proc com.XXXXXXX for activity com.XXXXXXX/.UBUberActivity: pid=29458 uid=10117 gids={50117, 3003, 1028, 1015, 1023}
W/GooglePlayServicesUtil(28964): Google Play services out of date. Requires 6772000 but found 6599036
E/IcingUsageReportRunnabl(28964): Failed to connect when reporting usage: a{statusCode=SERVICE_VERSION_UPDATE_REQUIRED, resolution=null}
I/ActivityManager( 468): Killing 29240:com.android.documentsui/u0a33 (adj 15): empty #17
I/MultiDex(29458): VM with version 1.6.0 does not have multidex support
I/MultiDex(29458): install
I/MultiDex(29458): MultiDexExtractor.load(/data/app/com.XXXXXXX-1.apk, false)
I/MultiDex(29458): Detected that extraction must be performed.
I/MultiDex(29458): load found 0 secondary dex files
I/MultiDex(29458): install done
I/org.umd.logging(29458): Method > com.XXXXXXX.client.core.app.RiderApplication.onCreate(com.XXXXXXX.client.core.app.RiderApplication@1103909280)
I/org.umd.logging(29458): Method > com.XXXXXXX.client.core.app.injection.InjectionApplication.onCreate(com.XXXXXXX.client.core.app.RiderApplication@1103909280)
I/org.umd.logging(29458): Method > com.XXXXXXX.client.core.app.injection.InjectionApplication.initObjectGraph(com.XXXXXXX.client.core.app.RiderApplication@1103909280)
I/org.umd.logging(29458): Method > com.XXXXXXX.client.core.app.RiderApplication.getModules(com.XXXXXXX.client.core.app.RiderApplication@1103909280)
I/org.umd.logging(29458): Method < com.XXXXXXX.client.core.app.RiderApplication.getModules([Ljava.lang.Object;@1104888792)
D/dalvikvm(29458): Trying to load lib /data/app-lib/com.XXXXXXX-1/libsnappydb-native.so 0x41cc2f00
D/dalvikvm(29458): Added shared lib /data/app-lib/com.XXXXXXX-1/libsnappydb-native.so 0x41cc2f00
D/dalvikvm(29458): DexOpt: wanted instance, got static for method Lanalytics/RiderEvents$Impression;.
I/dalvikvm(29458): Could not find method analytics.RiderEvents$Impression., referenced from method com.google.gson.LongSerializationPolicy.values
W/dalvikvm(29458): VFY: unable to resolve virtual method 13: Lanalytics/RiderEvents$Impression;. ()V
D/dalvikvm(29458): VFY: replacing opcode 0x6e at 0x0002
D/dalvikvm(29458): DexOpt: wanted instance, got static for method Lanalytics/RiderEvents$Custom;.values
I/dalvikvm(29458): Could not find method analytics.RiderEvents$Custom.values, referenced from method com.google.gson.FieldNamingPolicy.values
W/dalvikvm(29458): VFY: unable to resolve virtual method 12: Lanalytics/RiderEvents$Custom;.values ()[Lanalytics/RiderEvents$Custom;
D/dalvikvm(29458): VFY: replacing opcode 0x6e at 0x0002
W/dalvikvm(29458): VFY: 'this' arg '[Ljava/lang/Object;' not instance of 'Landroid/app/Activity;'
W/dalvikvm(29458): VFY: rejecting opcode 0x6e at 0x0000
W/dalvikvm(29458): VFY: rejected Lcom/squareup/okhttp/internal/Util;.immutableList ([Ljava/lang/Object;)Ljava/util/List;
W/dalvikvm(29458): Verifier rejected class Lcom/squareup/okhttp/internal/Util;
D/AndroidRuntime(29458): Shutting down VM
W/dalvikvm(29458): threadid=1: thread exiting with uncaught exception (group=0x419abba8)
E/AndroidRuntime(29458): FATAL EXCEPTION: main
E/AndroidRuntime(29458): Process: com.XXXXXXX, PID: 29458
E/AndroidRuntime(29458): java.lang.VerifyError: com/squareup/okhttp/internal/Util
E/AndroidRuntime(29458): at com.squareup.okhttp.internal.DiskLruCache.(DiskLruCache.java:159)
E/AndroidRuntime(29458): at com.squareup.okhttp.internal.DiskLruCache.open(DiskLruCache.java:221)
E/AndroidRuntime(29458): at com.squareup.okhttp.Cache.(Cache.java:146)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule.provideOkHttpClient(RiderNetworkModule.java:105)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideOkHttpClientProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:289)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideOkHttpClientProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:250)
E/AndroidRuntime(29458): at dagger.internal.Linker$SingletonBinding.get(Linker.java:364)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideUberRetrofitClientProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:625)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideUberRetrofitClientProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:580)
E/AndroidRuntime(29458): at dagger.internal.Linker$SingletonBinding.get(Linker.java:364)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideRestAdapterProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:351)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.RiderNetworkModule$$ModuleAdapter$ProvideRestAdapterProvidesAdapter.get(RiderNetworkModule$$ModuleAdapter.java:303)
E/AndroidRuntime(29458): at dagger.internal.Linker$SingletonBinding.get(Linker.java:364)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.OldLibraryModule$$ModuleAdapter$ProvideAnalyticsClientProvidesAdapter.get(OldLibraryModule$$ModuleAdapter.java:217)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.module.OldLibraryModule$$ModuleAdapter$ProvideAnalyticsClientProvidesAdapter.get(OldLibraryModule$$ModuleAdapter.java:160)
E/AndroidRuntime(29458): at dagger.internal.Linker$SingletonBinding.get(Linker.java:364)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.app.RiderApplication$$InjectAdapter.injectMembers(RiderApplication$$InjectAdapter.java:145)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.app.RiderApplication$$InjectAdapter.injectMembers(RiderApplication$$InjectAdapter.java:23)
E/AndroidRuntime(29458): at dagger.ObjectGraph$DaggerObjectGraph.inject(ObjectGraph.java:281)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.app.injection.InjectionApplication.initObjectGraph(InjectionApplication.java)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.app.injection.InjectionApplication.onCreate(InjectionApplication.java)
E/AndroidRuntime(29458): at com.XXXXXXX.client.core.app.RiderApplication.onCreate(RiderApplication.java)
E/AndroidRuntime(29458): at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1007)
E/AndroidRuntime(29458): at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4328)
E/AndroidRuntime(29458): at android.app.ActivityThread.access$1500(ActivityThread.java:135)
E/AndroidRuntime(29458): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1256)
E/AndroidRuntime(29458): at android.os.Handler.dispatchMessage(Handler.java:102)
E/AndroidRuntime(29458): at android.os.Looper.loop(Looper.java:136)
E/AndroidRuntime(29458): at android.app.ActivityThread.main(ActivityThread.java:5001)
E/AndroidRuntime(29458): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime(29458): at java.lang.reflect.Method.invoke(Method.java:515)
E/AndroidRuntime(29458): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:785)
E/AndroidRuntime(29458): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:601)
E/AndroidRuntime(29458): at dalvik.system.NativeStart.main(Native Method)
W/ActivityManager( 468): Force finishing activity com.XXXXXXX/.UBUberActivity
I/WindowManager( 468): Screenshot max retries 4 of Token{42d9f560 ActivityRecord{42d9f400 u0 com.XXXXXXX/.UBUberActivity t36 f}} appWin=Window{42da4e20 u0 Starting com.XXXXXXX} drawState=4
W/WindowManager( 468): Screenshot failure taking screenshot for (720x1280) to layer 21035
W/ActivityManager( 468): Activity pause timeout for ActivityRecord{42d9f400 u0 com.XXXXXXX/.UBUberActivity t36 f}
W/RemoteServiceHelper(28964): Google Play Services not available: SERVICE_VERSION_UPDATE_REQUIRED
I/Process (29458): Sending signal. PID: 29458 SIG: 9
I/ActivityManager( 468): Process com.XXXXXXX (pid 29458) has died.
W/InputMethodManagerService( 468): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@4287db70 attribute=null, token = android.os.BinderProxy@421940c0

`trans_adder` pass mangles method links

When the trans_adder pass runs during the logging phase for some APKs, it causes method identifiers to be mangled when the resulting APK is finally dumped. This results in a large set of verification errors because methods will be shifted to unpredictable places.

For example, in the com.apalon.myclockfree APK, running the trans_adder phase causes the resulting APK to break. Running everything but the trans_adder phase works.

Here is a link to the APK in question:

http://www.speedyshare.com/M4TK4/com.apalon.myclockfree.apk

It must be run on the logging branch.

List all methods

Is there a command like "ruby scripts/cmd.rb target.(apk|dex) --cmd classes"? I need to list all methods written in the given apk.

Thanks for your great tools.

redexer against facebook.apk

Hi, I tried to extract info from the facebook apk with redexer. But it raised an exception, "scripts/cmd.rb:126:in `<main>': unpacking apk failed (RuntimeError)".

Then I checked cmd.rb and found that it was caused by APKTool.

"java -Djava.awt.headless=true -jar apktool_2.0.0rc4.jar d -f --no-src --keep-broken-res -o tmp_dir_kd0bi70b com.facebook.katana.apk" would cause the following log.

Then I tried adding an option "--no-res", and apktool would pass. But the AndroidManifest.xml would be a binary file, which caused new problems.

Thanks,

Without option --no-src
I: Using Apktool 2.0.0-RC4 on com.facebook.katana.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/chunrong/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
W: Could not decode attr value, using undecoded value instead: ns=internal, name=layout_maxHeight, value=0x00004001
W: Could not decode attr value, using undecoded value instead: ns=internal, name=layout_minHeight, value=0x00004001
I: Decoding values / XMLs...
Exception in thread "main" brut.androlib.err.UndefinedResObject: resource spec: 0x0101055c
at brut.androlib.res.data.ResPackage.getResSpec(ResPackage.java:59)
at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:57)
at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:53)
at brut.androlib.res.decoder.ResAttrDecoder.decode(ResAttrDecoder.java:36)
at brut.androlib.res.decoder.AXmlResourceParser.getAttributeValue(AXmlResourceParser.java:369)
at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.getAttributeValue(XmlPullParserDelegate.java:69)
at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.writeStartTag(StaticXmlSerializerWrapper.java:267)
at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.event(StaticXmlSerializerWrapper.java:211)
at brut.androlib.res.decoder.XmlPullStreamDecoder$1.event(XmlPullStreamDecoder.java:83)
at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:141)
at brut.androlib.res.decoder.ResStreamDecoderContainer.decode(ResStreamDecoderContainer.java:33)
at brut.androlib.res.decoder.ResFileDecoder.decode(ResFileDecoder.java:114)
at brut.androlib.res.decoder.ResFileDecoder.decode(ResFileDecoder.java:99)
at brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:339)
at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:133)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:104)
at brut.apktool.Main.cmdDecode(Main.java:165)
at brut.apktool.Main.main(Main.java:81)

Logging instrumentation inserts `onCreate` etc.. even if methods are final in superclass

Rewriting the GasBuddy app, the app crashes because logging instrumentation fails:

W/dalvikvm(25331): Method Lgbis/gbandroid/ui/init/InitActivity;.onCreate overrides final Lgbis/gbandroid/ui/GbActivity;.onCreate
W/dalvikvm(25331): failed creating vtable
W/dalvikvm(25331): Link of class 'Lgbis/gbandroid/ui/init/InitActivity;' failed

The problem is that the app has declared those methods final, but redexer wants to overwrite them.

Solution: if a method is final and we insert a new method, switch the final tag off in the superclass.

compilation issue

On OSX, ocaml 4.06.01 and ruby 2.5.1p57, I face the following error trying to make redexer.

$ make

ocamlbuild -use-ocamlfind main.native

+ ocamlfind ocamlopt -c -package sha,str,unix,ppx_deriving.std,ppx_deriving_yojson,yojson -I src -I ocamlutil -I src/ext -o src/util.cmx src/util.ml
File "src/util.ml", line 108, characters 15-23:
Warning 3: deprecated: S.create
Use Bytes.create instead.
File "src/util.ml", line 111, characters 16-31:
Warning 3: deprecated: String.set
Use Bytes.set instead.
File "src/util.ml", line 124, characters 8-51:
Error: This expression has type bytes list
but an expression was expected of type string list
Type bytes is not compatible with type string
Command exited with code 2.
Compilation unsuccessful after building 27 targets (0 cached) in 00:00:02.
make: *** [main.native] Error 10

This error probably has to do with strings being mutable by default before ocaml version 4.06. So for the time being a workaround is switching back to ocaml version 4.02.2:

opam init --comp 4.02.2
opam switch 4.02.2

How to trace an error "Killed"

Is there any way to know what happened when a "killed" is reported?

When I dealt with an apk (air.WatchESPN.apk) from google play, the output is as following:
"/home/test/Tools/redexer/scripts/../redexer -out tmp_dir_u3aadsiw/classes.dex tmp_dir_u3aadsiw/classes.dex -logging 2>&1
Killed
./scripts/cmd.rb:258:in `<main>': rewriting dex failed (RuntimeError)"

Thanks,

Redexer checks for `onStart` when it should not

This comes from a bug report by Santosh, who reported that in:

Automatic_Task_Killer_4_0_2.apk

There was a bug where redexer throws an error from get_the_mtd. I added some code to the dex module to report errors better so that the report shows that in that app we have the following:

Fatal error: exception Dex.Wrong_dex("get_the_mtd : can't find method onStart")

Here's the backtrace:

Fatal error: exception Dex.Wrong_dex("get_the_mtd : can't find methodonStart")
Raised at file "src/dex.ml", line 832, characters 10-65
Called from file "src/modify.ml", line 607, characters 17-43
Called from file "src/ext/logging.ml", line 148, characters 38-63
Called from file "list.ml", line 75, characters 12-15
Called from file "src/visitor.ml", line 143, characters 4-17
Called from file "ocamlutil/dynArray.ml", line 342, characters 2-18
Called from file "src/visitor.ml", line 162, characters 2-36
Called from file "ocamlutil/stats.ml", line 154, characters 10-15
Re-raised at file "ocamlutil/stats.ml", line 158, characters 7-8
Called from file "src/ext/logging.ml", line 591, characters 2-40
Called from file "ocamlutil/stats.ml", line 154, characters 10-15
Re-raised at file "ocamlutil/stats.ml", line 158, characters 7-8
Called from file "src/main.ml", line 188, characters 2-33
Called from file "src/main.ml", line 301, characters 8-13
Called from file "src/main.ml", line 310, characters 0-7

Redexer crashes during logging

After trying to log various applications, in some of them redexer produced the following error and crashed (the error was the same for all the apps):

Raised at file "list.ml", line 179, characters 16-25
Called from file "src/modify.ml", line 445, characters 9-41
Called from file "src/modify.ml", line 460, characters 18-43
Called from file "src/ext/logging.ml", line 426, characters 22-44
Called from file "src/visitor.ml", line 144, characters 4-17
Called from file "list.ml", line 73, characters 12-15
Called from file "ocamlutil/dynArray.ml", line 342, characters 2-18
Called from file "src/visitor.ml", line 191, characters 2-36
Called from file "ocamlutil/stats.ml", line 106, characters 10-15
Re-raised at file "ocamlutil/stats.ml", line 110, characters 7-8
Called from file "src/ext/logging.ml", line 625, characters 2-45
Called from file "ocamlutil/stats.ml", line 106, characters 10-15
Re-raised at file "ocamlutil/stats.ml", line 110, characters 7-8
Called from file "src/main.ml", line 202, characters 2-33
Re-raised at file "src/main.ml", line 180, characters 2-48
Called from file "src/main.ml", line 358, characters 8-13

Building on Mac

Hi,
I'm trying to build on Mac.
When I run configure I get

checking if performance counters are usable...
result: no (cannot compile ocamlutil/stats_stubs.c.in)

However, stats_stubs.o is generated, but make returns a linking error:

ld: warning: ignoring file ocamlutil/stats_stubs.o, file was built for i386 which is not the architecture being linked (x86_64): ocamlutil/stats_stubs.o
Undefined symbols for architecture x86_64:
"_has_performance_counters", referenced from:
.L172 in stats.o
_camlStats__28 in stats.o
"_read_pentium_perfcount", referenced from:
.L215 in stats.o
_camlStats__28 in stats.o
"_reset_performance_counters", referenced from:
.L178 in stats.o
.L175 in stats.o
_camlStats__28 in stats.o
"_sample_pentium_perfcount_10", referenced from:
.L168 in stats.o
_camlStats__28 in stats.o
"_sample_pentium_perfcount_20", referenced from:
.L170 in stats.o
_camlStats__28 in stats.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
File "caml_startup", line 1:

Can you help me build it?

The discussion of 'directed exploration'

I have 2 questions:

  • How do I get the call graph of the directed method? It seems different from Figure 5 of the paper.

The log I fetched is:

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$10;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$11;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$1;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$2;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$3;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$4;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$5;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$6;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$7;

        Lcom/huanxiao/store/ui/LoginActivity;->onCreate(Landroid/os/Bundle;)V
  -##-> Lcom/huanxiao/store/ui/LoginActivity$8;
  • The repackaged APK files seem no different from the original APK files. Does this function help us add the necessary invocations as the paper says, and what is the difference between the AndroidManifest.xml and dex file in the result file?

insert instructions bug

the insrt_insns_under_off function in modify.ml is buggy:
you move the instruction which was originally at the cursor
if the instruction was in a try/catch block, it will end up out of it!
note that this bug is quite subtle: if there are multiple instructions in a try/catch block, the inserted instructions are included in the try/catch block (pointers to the start and end of the block don't change); the bug only shows up when there is only a single instruction in a try/catch block

fix: go through the try_item list and move the pointers...

btw. what is the motivation for insrt_insns_under_off in the logging module? Why not use the simple insrt_insns?
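To make the failure mode concrete, here is a small Python model, added here and not redexer's OCaml code, of try-item start/end links under an insert-under-offset operation; the instruction names, sizes and the `fix_tries` flag are constructed for illustration and do not come from modify.ml.

```python
# Added example (not redexer's code): a model of Dalvik try-item bookkeeping
# that reproduces the single-instruction try block bug from the report.
# Instructions are (name, size) pairs laid out at code-unit offsets; a try
# item keeps two links (offsets) to its first and last covered instruction,
# mirroring the "pointers to the start and end of the block" in the post.
from dataclasses import dataclass


@dataclass
class Insn:
    name: str
    size: int  # code units; only used to compute offsets


@dataclass
class TryItem:
    start: int  # offset of the first covered instruction
    end: int    # offset of the last covered instruction (inclusive)


def layout(insns):
    """Return {offset: insn} for a straight-line method body."""
    off, out = 0, {}
    for i in insns:
        out[off] = i
        off += i.size
    return out


def insert_under_off(insns, tries, off, new_insns, fix_tries):
    """Insert new_insns at `off`; the instruction originally at `off` is
    pushed after them, so existing links to `off` now hit the new code.
    Links strictly beyond `off` shift by the inserted length. With
    fix_tries=False a try end link equal to `off` is left alone (the bug);
    with fix_tries=True it follows the moved instruction (the proposed fix)."""
    offsets = sorted(layout(insns))
    idx = offsets.index(off)
    shift = sum(i.size for i in new_insns)
    result = insns[:idx] + list(new_insns) + insns[idx:]
    new_tries = []
    for t in tries:
        start = t.start + shift if t.start > off else t.start
        end = t.end + shift if (t.end > off or (fix_tries and t.end == off)) else t.end
        new_tries.append(TryItem(start, end))
    return result, new_tries


def covered(insns, t):
    """Names of instructions whose offset lies in [t.start, t.end]."""
    return [i.name for o, i in sorted(layout(insns).items()) if t.start <= o <= t.end]


def demo(fix_tries, single):
    # Constructed method body: `single` puts one instruction in the try block,
    # otherwise two; the try item is then [invoke-risky] or [invoke-risky, move-result].
    body = [Insn("const", 2), Insn("invoke-risky", 3)]
    if not single:
        body.append(Insn("move-result", 1))
    body.append(Insn("return", 1))
    tries = [TryItem(start=2, end=2 if single else 5)]
    log = [Insn("log-enter", 3)]
    body2, tries2 = insert_under_off(body, tries, 2, log, fix_tries)
    return covered(body2, tries2[0])
```

With a multi-instruction block the inserted code simply joins the try range either way; with a single instruction the unfixed version leaves `invoke-risky` outside the block, which is the report's observation.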
