In this article, we will be focusing on the Android penetration testing tools such as Dex2Jar, JD-GUI, and Baksmali to work with reverse engineering Android APK files. Introduction Dex2Jar Dex2Jar is a freely available tool to work with Android “.dex” and Java “.class” files. As you may aware that “.dex” files are compiled Android application code file. Android programs are compiled into “.dex” (Dalvik Executable) files, which are in turn zipped into a single “.apk” file on the device. The “.dex” files can be created automatically by Android, by translating the compiled applications written in the Java programming language. ![]() ![]() The core feature of Dex2Jar is to convert the classes.dex file of an APK to classes.jar or vice versa. So, it is possible to view the source code of an Android application using any Java decompiler, and it is completely readable. Here, we get.class files and not the actual Java source code that was written by the application developer. Download Java Decompiler for free. The aim of this project is to develope a decompiler for java which is platform independent and has options to obfuscate the class file also. The project takes class file as input and decompiles it and provides the source file. Also, it is possible to get “.smali” files directly from the classes.dex file or vice versa. Mlb 2k12 pc digital download. That means you can change the source code of an application directly working with this format. JD-GUI JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. (From the official ) If you open the “.jar” file with JD-GUI, you can view the source code of the application which is Java classes in a readable format, and it is also very easy to navigate through the code. Smali and Baksmali Smali/Baksmali is an assembler/disassembler for the dex format used by Dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax and supports the full functionality of the dex format (annotations, debug info, line info, etc.) (From the official ). With the help of Baksmali, we can disassemble the classes.dex file into “.smali” code, Smali does the opposite of Baksmali. Installation and Setup Dex2Jar We can find Dex2Jar tool pre-installed on Kali-Linux under reverse engineering tools, illustrated in below screenshot. You can download the latest version of Dex2Jar from. The installation process is quite straightforward; you just must unzip the package in a folder of your choice and then add Environment Variables System “PATH.” That is it; you are ready to start using dex2jar! Below is the content of the Dex2Jar folder after extracting, I am using the latest available version, i.e., version: reader-2.0, translator-2.0, ir-2.0. As you can see in the above screenshot, there are several scripts available (for Unix, Mac and Windows systems), each key feature of dex2jar is provided in a separate script. You may set the Environment Variables System “PATH” variable to access Dex2Jar from anywhere. Illustrated below: Now, Open the command prompt from anywhere and enter the below command. Note that you may need to give permission to Dex2Jar.bat file to execute. D2j-dex2jar OR d2j-dex2jar.bat As you can see, there are various switches that are self-explanatory, and you can use as per your requirement. Below are few important options -o option: you can specify the name of the output file. -f option: simply tells dex2jar to overwrite output file if it already exists. When converting DEX to JAR, you may get Out of Memory Error for large size DEX file. Here, we need to increase the size of the JVM memory in d2j_invoke script. Change the values accordingly to your system requirements such as -Xmx2048m. JD-GUI You can download the JD-GUI from the official. Download the respective flavor available (for Unix, Mac and Windows systems). For Windows system you can download the executable or JAR of JD-GUI, we would be using JAR file for this exercise. I am using the latest version available for JD-GUI, i.e., jd-gui-1.4.0.jar. Once you download the JAR file, simply double-click on the JAR file or enter the command ( java -jar jd-gui-1.4.0.jar) in command prompt in windows directory where you have saved the JD-GUI.jar Smali and Baksmali You can download the latest versions of the Smali and Baksmali form the official. These files come in JAR format; I am using the latest available versions, i.e., smali-2.2.2.jar and baksmali-2.2.2.jar. You can download these files and keep in windows directory of your choice. To invoke these JAR files, we need to enter the below commands: Java -jar smali-2.2.2.jar Java -jar baksmali-2.2.2.jar Now, open command prompt and enter simple commands illustrated in the below screenshots and understand differed options available under Smali and Baksmali We can use switch a to assembles “.smali” files into a “.dex” file. Switch de or x can be used to deodex APK file, deodexing is basically repackaging of these APKs in a certain way, such that they are reassembled into classes.dex files (Read more ). To disassemble “.dex” file to “.smali” code we could use d or dis switch. Usage Dex2Jar and JD-GUI To demonstrate usage of Dex2Jar, I would be using the vulnerable APK file (diva-beta.apk) for this exercise that can be downloaded from.
0 Comments
Leave a Reply. |