Monday, June 16, 2014

Android reverse engineering/decompiling guide 

If you are looking into decompiling an Android .apk, whether to reverse engineer it and study its code for security research, to recover your own lost code, or just out of curiosity, you will have come across a number of guides on methods and tools for doing it.
So I am writing this guide to show you how to use the readily available tools to decompile an Android application, and to compare the pros and cons of those tools.
Note : This guide is intended to give you access to the complete source code of an application for analysis, rather than to change the application's icon or minor functionality for hacking purposes.
So if you are looking for such minor hacks, you can refer to a number of guides on that on the XDA forums.
Disclaimer : This guide is for educational purposes only. Copying/reusing the decompiled code without the author's permission is illegal. If you wish to use the content from this post, kindly acknowledge me and link to the original source article here. Remember that decompiling an application does not guarantee 100% error-free source code which you can convert right away into a working application. You should know the programming language used to build the application in order to analyse and fix the decompiled source code.

Following are the methods which can be used to Reverse Engineer/decompile an Android application :
Obtaining the .apk from your Android Mobile :
The .apk file of the Android application you wish to decompile will be found either in /data/apps or in /system/apps on your smartphone. You can use a file explorer on a rooted Android smartphone, or adb shell from your computer, to copy the .apk file to your computer.
Java :
All the methods below assume you have Java installed and its environment set up properly.
Method 1 : Dare + JD Decompiler + Cavaj (or) DJ Decompiler

Tools required :
For Retargeting :
Dare :
Platform : Linux (Recommended)
For Decompiling :
JD Decompiler :
Platform : OSX/Linux/Windows
Cavaj :
Platform : Windows
DJ Decompiler :
Platform : Windows

Procedure : 
Download Dare from the PSU (Pennsylvania State University) website to your Linux machine or a Linux VM.
1) Copy the .apk to the dare directory, e.g. test.apk .
2) Create an output folder, e.g. out, inside the dare directory.
3) Open a terminal and cd to the dare directory.
4) ./dex-preopt --bootstrap
5) ./dare -c -e -p -d out test.apk
You can find the .class files in the out directory along with the decompiled source code. If you feel that the decompiled source could be improved, you can decompile the .class files with JD-Decompiler and Cavaj (or) DJ Decompiler.

Pros :
Once again, projects by students and researchers triumph over commercial software. Soot is a Java optimisation framework from McGill University; using it for optimising and decompiling with its built-in Dava decompiler is a step ahead of other decompilers out there.
Cons :
Nothing specific to mention other than the natural difficulties faced by decompilers and the retargeting algorithm.
Method 2 : dex2jar + JD Decompiler + Cavaj (or) DJ Decompiler
Tools required :
For dex translation :
dex2jar :
Platform :  OSX/Linux/Windows
For Decompiling :
JD Decompiler :
Platform : OSX/Linux/Windows
Cavaj :
Platform : Windows
DJ Decompiler :
Platform : Windows
Procedure :
Download dex2jar from the above link.
1) Open the .apk with any zip unarchiver such as unzip, WinZip, WinRAR or 7-Zip and extract the classes.dex file.
2) Drop the classes.dex into the dex2jar folder.
3) cd to the dex2jar- folder
4) ./ classes.dex
Inside the dex2jar folder you will find classes_dex2jar.jar, which you can decompile using JD-Decompiler or DJ-Decompiler/Cavaj Decompiler to obtain the source code. You can easily build the latest version of dex2jar on your computer using Maven as shown here.
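As an added example (not part of the original post or of dex2jar), the Python script below performs the extraction step programmatically and checks that each DEX is intact before it is handed to dex2jar or baksmali, by parsing the DEX header and verifying the Adler-32 checksum and SHA-1 signature stored in it. It goes slightly beyond the text by also picking up classes2.dex and later files; dex_summary, scan_apk and sample_apk are names chosen here, and sample_apk() builds a constructed, header-only stand-in for test.apk.

```python
import hashlib
import io
import struct
import zipfile
import zlib


def dex_summary(data):
    """Parse the fixed 0x70-byte DEX header and verify its integrity fields."""
    if len(data) < 0x70 or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<3I", data, 32)
    # method_ids_size, method_ids_off (ignored), class_defs_size
    method_ids, _, class_defs = struct.unpack_from("<3I", data, 88)
    return {
        "version": data[4:7].decode("ascii"),
        "header_ok": (file_size, header_size, endian_tag)
                     == (len(data), 0x70, 0x12345678),
        # Adler-32 covers everything after the checksum field (offset 12 on).
        "checksum_ok": zlib.adler32(data[12:]) == checksum,
        # SHA-1 covers everything after the signature field (offset 32 on).
        "sha1_ok": hashlib.sha1(data[32:]).digest() == data[12:32],
        "methods": method_ids,
        "classes": class_defs,
    }


def scan_apk(apk):
    """Return {entry name: header summary} for each top-level classes*.dex."""
    with zipfile.ZipFile(apk) as zf:
        return {n: dex_summary(zf.read(n)) for n in sorted(zf.namelist())
                if n.startswith("classes") and n.endswith(".dex")}


def sample_apk(method_ids=3, class_defs=1):
    """Constructed stand-in for test.apk with one header-only classes.dex."""
    body = bytearray(struct.pack("<3I", 0x70, 0x70, 0x12345678) + bytes(68))
    struct.pack_into("<3I", body, 88 - 32, method_ids, 0, class_defs)
    tail = hashlib.sha1(body).digest() + bytes(body)
    dex = b"dex\n035\x00" + struct.pack("<I", zlib.adler32(tail)) + tail
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
    return buf


if __name__ == "__main__":
    print(scan_apk(sample_apk()))
```

A false checksum_ok or sha1_ok means the file was truncated or modified after it was built, which is worth knowing before trusting any decompiler output; scan_apk also accepts a path such as "test.apk".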
Pros :
Easy and fast to use. Supports multiple platforms. Updated regularly by Xiaobo Pan.
Cons :
Nothing in particular other than the difficulties faced by the decompilers.
Method 3 : AndroChef Java Decompiler
Tools Required :
AndroChef Java Decompiler :
Platform : Windows
Procedure :
Download the AndroChef Java Decompiler from Neshkov's website.
1. Select the .dex/.jar/.apk file.
2. Select the output directory.
3. Select the options (for the first time I recommend you unselect all the options).
4. Click the Decompile button.
You will find the decompiled application in jar format in the output directory you specified. Remember that the classes in the jar are already decompiled, so you don't have to use another decompiler like JD-Decompiler to read it. Just unzip the jar and find the source code files inside.
Pros :
1. Complete Android Decompilation suite, very easy to use.
2. Exception statements are handled correctly.
Cons :
1. Not free, expensive.
2. Did not handle String builders properly in my use. If the decompiler comes across errors, it omits the entire method without decompiling it and gives you a //Comment saying it cannot be decompiled.
Obtaining the resources and other files from the Android app :
Tools Required :
Procedure :
1. Download apktool to a folder with the .apk.
2. java -jar apktool_1.5.0.jar d test.apk
If you get any error you have to use the framework files; see the above link for more information on that. Your disassembled files should be in the same folder, with the source folders arranged recursively according to the package. Your source files will be in .smali, the intermediate Dalvik language code. I will talk more about smali in my next post on the topic.
Advanced Tricks:
Selective Decompilation :
Tools Required : 
Smali -
Baksmali -
Procedure :
Now that you have learnt that .dex files get decompiled by the tools mentioned in the above methods, if you want to decompile just a few source files instead of all the files in classes.dex, it can be done as follows:
1. Unzip the .apk and place the classes.dex in the same folder as Smali/Baksmali.
java -jar baksmali-1.4.0.jar classes.dex
You will find the out folder in your current directory. The out folder holds the smali files of your source. Keep the smali files whose source you want in the folder and move the other smali files to some other directory.
java -jar smali-1.4.0.jar out
Here out is the directory with the smali files. This will produce an out.dex in the current directory.
Now you can use the dex2jar method above to decompile the out.dex to readable source files.
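The keep-and-move step above can be scripted. This added example (not from the original post; keep_only, sample_tree and the class paths are hypothetical names) parks every smali file outside the chosen classes or packages, and keeps inner classes such as Client$1.smali with their outer class so the decompiled outer class is not left pointing at nested classes that were moved away.

```python
import os
import shutil
import tempfile


def keep_only(out_dir, keep_prefixes, parked_dir):
    """Move every .smali file outside keep_prefixes from out_dir to parked_dir.

    Prefixes are slash-separated class or package paths relative to out_dir,
    for example "com/example/net/Client" or "com/example/net".
    """
    prefixes = [p.rstrip("/") for p in keep_prefixes]
    kept, parked = [], []
    for root, _dirs, files in os.walk(out_dir):
        for name in files:
            if not name.endswith(".smali"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, out_dir).replace(os.sep, "/")
            # Client$1 and Client$Inner belong to the outer class Client.
            outer = rel[:-len(".smali")].split("$", 1)[0]
            if any(outer == p or outer.startswith(p + "/") for p in prefixes):
                kept.append(rel)
                continue
            dest = os.path.join(parked_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.move(path, dest)
            parked.append(rel)
    return sorted(kept), sorted(parked)


def sample_tree():
    """Constructed baksmali-style tree; the files are empty placeholders."""
    base = tempfile.mkdtemp()
    out = os.path.join(base, "out")
    for rel in ("com/example/net/Client.smali", "com/example/net/Client$1.smali",
                "com/example/ui/Main.smali", "android/support/v4/A.smali"):
        path = os.path.join(out, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return out, os.path.join(base, "parked")
```

Run it between the baksmali and smali commands, with parked_dir outside out so the parked files are not reassembled into out.dex.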
Decompiling System applications :
Most system applications are accompanied by an .odex file with the same name as the .apk . You have to deodex the application before decompiling.
To deodex an application, read the deodexing instructions on the smali page here.
A word on the Decompilers :
JD-GUI : Fast and efficient decompiler. Try/catch exceptions are sometimes not handled properly. In some cases an else() condition is replaced with while(true), and for() conditions with an infinite loop like for(;;). So check the logic carefully and restore the proper conditional statements.
JD-eclipse : An Eclipse plugin of the same JD-GUI decompiler with some third-party additions like the Realign plugin from Mchr3k. See more information about it here.
DJ Decompiler / Cavaj : Both use the famous but extinct JAD decompiler, the former being paid and the latter free. Amazingly, you can still use these decompilers to decompile Android source files from the .class files. But beware that the conditions are arranged as labels and break statements, so you have to follow each label and break statement to construct your own conditional statements. Try/catch exceptions are not handled, so you are on your own there.
JadClipse : This is a plugin for Eclipse using the JAD decompiler mentioned above.
1. Download JAD for your platform from here. Download the JadClipse Eclipse plugin from here.
2. Put the JAD binary on your hard disk.
3. Configure the path to the JAD executable in Eclipse under eclipse > Preferences… > Java > JadClipse > Path to Decompiler.
4. Go to eclipse > Preferences… > General > Editors > File Associations and make sure that the JadClipse Class File Viewer has the default file association for *.class files.
5. Import the class files as a .jar (zip the folder containing the .class files as a .jar) and open it with JadClipse to see the decompiled source.
AndroChef : The decompiler used in the AndroChef suite handles conditional statements and try/catch exceptions perfectly. But in case of any errors it omits the entire method from decompilation. Some say it has to do with null exceptions.
Setting up the project in Eclipse :
1. Assuming you have set up Android application development in Eclipse with the Android SDK, you can use the folder structure you obtained from apktool and replace the .smali files with the decompiled source files from any of the above methods.
2. Import the project into Eclipse as an Android project with source.
3. Fix the errors; use the multiple decompilation methods above to compare the source files while fixing them.
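To help with step 3, this added example (not from the original post) scans decompiled Java for the constructs described under "A word on the Decompilers": while(true) and for(;;) from JD-GUI, and labels with labelled break statements from the JAD-based tools. The two sample methods are constructed for illustration, and flag_artifacts and rank_outputs are hypothetical helpers; rank_outputs orders the outputs for one class by how many lines need manual review.

```python
import re

# Constructs the decompiler notes above say to re-check by hand.
PATTERNS = {
    "JD-GUI while(true)": r"\bwhile\s*\(\s*true\s*\)",
    "JD-GUI for(;;)": r"\bfor\s*\(\s*;\s*;\s*\)",
    "JAD label": r"^\s*(?!default\b)[A-Za-z_]\w*\s*:\s*(?:\{|$)",
    "JAD labelled break/continue": r"\b(?:break|continue)\s+[A-Za-z_]\w*\s*;",
}

# Constructed samples: one method as each decompiler style might render it.
JD_STYLE = """\
int find(int[] a, int k) {
    int i = 0;
    for (;;) {
        if (i >= a.length) return -1;
        if (a[i] == k) return i;
        i++;
    }
}
"""
JAD_STYLE = """\
int find(int ai[], int k) {
    int i = 0;
label0:
    {
        while (i < ai.length) {
            if (ai[i] == k) break label0;
            i++;
        }
        return -1;
    }
    return i;
}
"""


def flag_artifacts(source):
    """Return [(line number, note)] for lines that need manual review."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # skip trailing line comments
        hits += [(no, n) for n, rx in PATTERNS.items() if re.search(rx, code)]
    return hits


def rank_outputs(outputs):
    """Order {decompiler: source of one class} by fewest flagged lines."""
    return sorted(outputs, key=lambda n: (len(flag_artifacts(outputs[n])), n))
```

A low count only says where to start reading; every flagged line still has to be checked against the other decompilers' output or the smali before the logic is trusted.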