Android penetration tools walkthrough series Dex2Jar, JD-GUI, and Baksmali
In this article, we will be focusing on Android penetration testing tools such as Dex2Jar, JD-GUI, and Baksmali to work with reverse engineering Android APK files.
FREE role-guided training plans
Dex2Jar
Dex2Jar is a freely available tool to work with Android ".dex" and Java ".class" files. As you may aware that ".dex" files are compiled Android application code file. Android programs are compiled into ".dex" (Dalvik Executable) files, which are in turn zipped into a single ".apk" file on the device. The ".dex" files can be created automatically by Android, by translating the compiled applications written in the Java programming language.
The core feature of Dex2Jar is to convert the classes.dex file of an APK to classes.jar or vice versa. So, it is possible to view the source code of an Android application using any Java decompiler, and it is completely readable. Here, we get .class files and not the actual Java source code that was written by the application developer.
Also, it is possible to get ".smali" files directly from the classes.dex file or vice versa. That means you can change the source code of an application directly working with this format.
JD-GUI
JD-GUI is a standalone graphical utility that displays Java source codes of ".class" files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. (From the official website)
If you open the ".jar" file with JD-GUI, you can view the source code of the application which is Java classes in a readable format, and it is also very easy to navigate through the code.
Smali and Baksmali
Smali/Baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax and supports the full functionality of the dex format (annotations, debug info, line info, etc.) (From the official website).
With the help of Baksmali, we can disassemble the classes.dex file into ".smali" code, Smali does the opposite of Baksmali.
Installation and setup
Dex2Jar
We can find Dex2Jar tool pre-installed on Kali-Linux under reverse engineering tools, illustrated in below screenshot.
You can download the latest version of Dex2Jar from here. The installation process is quite straightforward; you just must unzip the package in a folder of your choice and then add Environment Variables System "PATH." That is it; you are ready to start using dex2jar!
Below is the content of the Dex2Jar folder after extracting, I am using the latest available version, i.e., version: reader-2.0, translator-2.0, ir-2.0.
As you can see in the above screenshot, there are several scripts available (for Unix, Mac and Windows systems), each key feature of dex2jar is provided in a separate script.
You may set the Environment Variables System "PATH" variable to access Dex2Jar from anywhere. Illustrated below:
Now, Open the command prompt from anywhere and enter the below command. Note that you may need to give permission to Dex2Jar.bat file to execute.
d2j-dex2jar OR d2j-dex2jar.bat
As you can see, there are various switches that are self-explanatory, and you can use as per your requirement. Below are few important options
-o option: you can specify the name of the output file.
-f option: simply tells dex2jar to overwrite output file if it already exists.
When converting DEX to JAR, you may get Out of Memory Error for large size DEX file. Here, we need to increase the size of the JVM memory in d2j_invoke script.
Change the values accordingly to your system requirements such as -Xmx2048m.
JD-GUI
You can download the JD-GUI from the official website. Download the respective flavor available (for Unix, Mac and Windows systems). For Windows system you can download the executable or JAR of JD-GUI, we would be using JAR file for this exercise.
I am using the latest version available for JD-GUI, i.e., jd-gui-1.4.0.jar. Once you download the JAR file, simply double-click on the JAR file or enter the command (java -jar jd-gui-1.4.0.jar) in command prompt in windows directory where you have saved the JD-GUI.jar
Smali and Baksmali
You can download the latest versions of the Smali and Baksmali form the official website. These files come in JAR format; I am using the latest available versions, i.e., smali-2.2.2.jar and baksmali-2.2.2.jar. You can download these files and keep in windows directory of your choice. To invoke these JAR files, we need to enter the below commands:
Java -jar smali-2.2.2.jar
Java -jar baksmali-2.2.2.jar
Now, open command prompt and enter simple commands illustrated in the below screenshots and understand differed options available under Smali and Baksmali
We can use switch a to assembles ".smali" files into a ".dex" file.
Switch de or x can be used to deodex APK file, deodexing is basically repackaging of these APKs in a certain way, such that they are reassembled into classes.dex files (Read more here).
To disassemble ".dex" file to ".smali" code we could use d or dis switch.
Usage
Dex2Jar and JD-GUI
To demonstrate usage of Dex2Jar, I would be using the vulnerable APK file (diva-beta.apk) for this exercise that can be downloaded from here.
We can extract the executable code of the Android application in JAR format. We can simply give the ".apk" file to Dex2Jar or extract the ".apk" file and give classes.dex to Dex2Jar with one of the below commands.
d2j-dex2jar diva-beta.apk
d2j-dex2jar -f -o classes.jar diva-beta.apk
As we can see Dex2Jar has created the jar file with the default name, i.e., diva-beta-dex2jar.jar. You may specify the output file name with -o switch.
Now, we can open the output file with JD-GUI and see the source code of the application. Open the JD-GUI.jar UI application and drag and drop the ".jar" file that we have extracted from the APK.
It is very easy to read and navigate through the code with Java decompiler JD-GUI. Pen testers can use this utility to understand APK code, identify security and business logic flows in the APK code. JD-GUI has a search feature that can be utilized to search the keywords (passwords, keys, etc.) in the source code, note that this search is case-sensitive. Illustration below
Back to Dex2Jar, it also supports conversion from ".class" to ".dex." We can use the below command to convert jar to dex that we can put back into APK zip and reuse.
d2j-jar2dex -f -o classes.dex diva-beta-dex2jar.jar
Jar2dex has created the classes.dex file that can be used to build the APK file. This relatively simple to use the tool, we can extract or put back a lot of information from and to an APK file, but currently, it does not have support for XML resources which are an important file of APK.
Smali and Baksmali
So, as we know that it is possible to get ".smali" files directly from the classes.dex file with the help of Baksmali. We already have the classes.dex file that we have extracted from the diva-beta.apk file, we would disassemble this ".dex" file into ".smali" code with below command.
java -jar baksmali-2.2.2.jar d classes.dex
As we can see the new output folder has been created with the name out, go to the folder and see the contents of the folder.
We can see the ".smali" files; we can view and edit this ".smali" code with any simple editor such as (Notepad++), illustrated above. That means you can change the source code of an application directly working with this format, start your tinkering and make the necessary modifications to the Smali code, once finished we can assemble ".smali" code into classes.dex with the help of smali.jar.
Now, open the command prompt in the directory where we have smali.jar file and the disassembled ".smali" code. Use below command to assemble Smali code into classes.dex file.
java -jar smali-2.2.2.jar a out
Here, out is the folder name where we have disassembled classes.dex file into ".smali" files. Switch a is for assemble.
Here, we can see that out.dex file has been created with ".smali" resources under out folder. You can rename the dex file to something like classes.dex and put back into APK zip and reuse.
So, we understand that there are many reasons we should take into consideration these reverse engineering tools. We may leverage these tools to look at specific business logic and security implementations in the Android application code such as API keys, authentication tokens or unused resources, etc. to identify the security flaws and suggest improvements.
FREE role-guided training plans
Sources
- Dex2jar - Github
- Smali Overview - Bitbucket
- JD - benow
- Insecure and vulnerable app - Payatu
- Developers forum