Reverse Engineering APK

Decompiling / Reversing

When decompiling APKs, various tools can be used depending on the complexity and obfuscation of the code. The main tools are:

APKTool
JADX
Dex2Jar -> JD-GUI
Androguard

JADX

JADX is a widely used tool for decompiling APKs into Java code. It is open-source and can be installed from its GitHub repository.

Basic Usage:

jadx -d outdir your_app.apk

This command decompiles the APK and places the decompiled Java classes into the outdir directory.

Common Parameters:

-r, --no-res: Do not decode resources (useful to avoid errors during decompilation).
--escape-unicode: Escape non-Latin characters in strings.
-j, --threads-count: Set the number of threads for processing (e.g., -j 4 for 4 threads).
--show-bad-code: Include "bad code" that might be inconsistent or incorrectly decompiled.
--log-level: Set the log level (e.g., --log-level error).

Deobfuscation Parameters:

--deobf: Activate deobfuscation.
--deobf-min: Minimum length of name for renaming.
--deobf-max: Maximum length of name for renaming.
--deobf-rewrite-cfg: Force saving the deobfuscation map.
--deobf-use-sourcename: Use the source file name as class name alias.
--deobf-parse-kotlin-metadata: Parse Kotlin metadata to class and package names.

Flow Chart Generation: To create a flow chart of functions, use the --cfg parameter:

jadx -d out --cfg your_app.apk

Convert the resulting .dot files to images with tools like graphviz and pydot.

JADX-GUI

JADX-GUI provides a graphical interface for viewing and navigating decompiled code. It shares the same core as the command-line version of JADX.

DEX2jar

DEX2jar converts the classes.dex file from an APK to a JAR file that can be read by JD-GUI.

Steps:

Unzip the APK.
Convert classes.dex to JAR:
```
d2j-dex2jar.sh classes.dex
```
Open the resulting JAR file with JD-GUI.

JD-GUI

JD-GUI is used to display the classes inside a JAR file in a user-friendly GUI. It does not have special parameters and is straightforward to use.

APKTOOL

APKTOOL is a versatile tool for decompiling and rebuilding APKs, handling both resources and manifest files.

Basic Usage:

apktool d your_app.apk

Common Parameters:

-r: Do not decompile resource files.
--force-manifest: Ensure the AndroidManifest.xml is decompiled even when using the -r parameter.

APKTOOL is essential for tasks that require manipulating resources or rebuilding the APK after modification.

Androguard

Androguard is a powerful tool written in Python for reverse engineering Android applications. It can decompile APKs, analyze the manifest, and generate control flow graphs (CFGs). It is available on GitHub.

Basic Usage:

Display Android app manifest:
```
androguard axml path/to/app.apk
```
Display app metadata (version and app ID):
```
androguard apkid path/to/app.apk
```

Decompile Java code from an app:

androguard decompile path/to/app.apk --output path/to/directory

Decompiling and Creating CFGs: To decompile an APK and create control flow graphs:

androguard decompile -o outputfolder -f png -i someapp.apk --limit "^Lcom/elite/.*"

Ensure graphviz and pydot are installed:

sudo apt-get install graphviz
pip install -U pydot

This command will decompile the app and generate CFGs in the specified format, limited to methods matching the regex ^Lcom/elite/.*.

Example CFG:

The generated CFGs help trace back the control flow, useful for analyzing heavily obfuscated code.

Creating Call Graphs: To create a call graph from an APK:

androguard cg -o callgraph.gml path/to/app.apk

This generates a call graph in the specified format, which can be viewed with graph visualization tools like Gephi.

Filtering Call Graphs: Filter methods using regex to manage large call graphs:

androguard cg -o callgraph.gml --classname "^Lcom/elite/.*" path/to/app.apk

Androguard is highly configurable and can output detailed analysis, making it indispensable for thorough reverse engineering and deobfuscation efforts.

PreviousSigning the APK NextDeep Links Hacking

Last updated 9 months ago

Was this helpful?

Reverse Engineering APK

Decompiling / Reversing

When decompiling APKs, various tools can be used depending on the complexity and obfuscation of the code. The main tools are:

APKTool
JADX
Dex2Jar -> JD-GUI
Androguard

JADX

JADX is a widely used tool for decompiling APKs into Java code. It is open-source and can be installed from its GitHub repository.

Basic Usage:

jadx -d outdir your_app.apk

This command decompiles the APK and places the decompiled Java classes into the outdir directory.

Common Parameters:

-r, --no-res: Do not decode resources (useful to avoid errors during decompilation).
--escape-unicode: Escape non-Latin characters in strings.
-j, --threads-count: Set the number of threads for processing (e.g., -j 4 for 4 threads).
--show-bad-code: Include "bad code" that might be inconsistent or incorrectly decompiled.
--log-level: Set the log level (e.g., --log-level error).

Deobfuscation Parameters:

--deobf: Activate deobfuscation.
--deobf-min: Minimum length of name for renaming.
--deobf-max: Maximum length of name for renaming.
--deobf-rewrite-cfg: Force saving the deobfuscation map.
--deobf-use-sourcename: Use the source file name as class name alias.
--deobf-parse-kotlin-metadata: Parse Kotlin metadata to class and package names.

Flow Chart Generation: To create a flow chart of functions, use the --cfg parameter:

jadx -d out --cfg your_app.apk

Convert the resulting .dot files to images with tools like graphviz and pydot.

JADX-GUI

JADX-GUI provides a graphical interface for viewing and navigating decompiled code. It shares the same core as the command-line version of JADX.

DEX2jar

DEX2jar converts the classes.dex file from an APK to a JAR file that can be read by JD-GUI.

Steps:

Unzip the APK.
Convert classes.dex to JAR:
```
d2j-dex2jar.sh classes.dex
```
Open the resulting JAR file with JD-GUI.

JD-GUI

JD-GUI is used to display the classes inside a JAR file in a user-friendly GUI. It does not have special parameters and is straightforward to use.

APKTOOL

APKTOOL is a versatile tool for decompiling and rebuilding APKs, handling both resources and manifest files.

Basic Usage:

apktool d your_app.apk

Common Parameters:

-r: Do not decompile resource files.
--force-manifest: Ensure the AndroidManifest.xml is decompiled even when using the -r parameter.

APKTOOL is essential for tasks that require manipulating resources or rebuilding the APK after modification.

Androguard

Basic Usage:

Display Android app manifest:
```
androguard axml path/to/app.apk
```
Display app metadata (version and app ID):
```
androguard apkid path/to/app.apk
```

Decompile Java code from an app:

androguard decompile path/to/app.apk --output path/to/directory

Decompiling and Creating CFGs: To decompile an APK and create control flow graphs:

androguard decompile -o outputfolder -f png -i someapp.apk --limit "^Lcom/elite/.*"

Ensure graphviz and pydot are installed:

sudo apt-get install graphviz
pip install -U pydot

This command will decompile the app and generate CFGs in the specified format, limited to methods matching the regex ^Lcom/elite/.*.

Example CFG:

The generated CFGs help trace back the control flow, useful for analyzing heavily obfuscated code.

Creating Call Graphs: To create a call graph from an APK:

androguard cg -o callgraph.gml path/to/app.apk

This generates a call graph in the specified format, which can be viewed with graph visualization tools like Gephi.

Filtering Call Graphs: Filter methods using regex to manage large call graphs:

androguard cg -o callgraph.gml --classname "^Lcom/elite/.*" path/to/app.apk

Androguard is highly configurable and can output detailed analysis, making it indispensable for thorough reverse engineering and deobfuscation efforts.

PreviousSigning the APK NextDeep Links Hacking

Last updated 9 months ago

Was this helpful?