Reverse Engineering APK

Decompiling / Reversing

When decompiling APKs, various tools can be used depending on the complexity and obfuscation of the code. The main tools are:

• APKTool

• JADX

• Dex2Jar -> JD-GUI

• Androguard

JADX

JADX is a widely used tool for decompiling APKs into Java code. It is open-source and can be installed from its GitHub repository.

Basic Usage:

jadx -d outdir your_app.apk

This command decompiles the APK and places the decompiled Java classes into the outdir directory.

Common Parameters:

• -r, --no-res: Do not decode resources (useful to avoid errors during decompilation).

• --escape-unicode: Escape non-Latin characters in strings.

• -j, --threads-count: Set the number of threads for processing (e.g., -j 4 for 4 threads).

• --show-bad-code: Include "bad code" that might be inconsistent or incorrectly decompiled.

• --log-level: Set the log level (e.g., --log-level error).

Deobfuscation Parameters:

• --deobf: Activate deobfuscation.

• --deobf-min: Minimum length of name for renaming.

• --deobf-max: Maximum length of name for renaming.

• --deobf-rewrite-cfg: Force saving the deobfuscation map.

• --deobf-use-sourcename: Use the source file name as class name alias.

• --deobf-parse-kotlin-metadata: Parse Kotlin metadata to class and package names.

Flow Chart Generation: To create a flow chart of functions, use the --cfg parameter:

jadx -d out --cfg your_app.apk

Convert the resulting .dot files to images with tools like graphviz and pydot.

JADX-GUI

JADX-GUI provides a graphical interface for viewing and navigating decompiled code. It shares the same core as the command-line version of JADX.

DEX2jar

DEX2jar converts the classes.dex file from an APK to a JAR file that can be read by JD-GUI.

Steps:

1. Unzip the APK.

2. Convert classes.dex to JAR:

   d2j-dex2jar.sh classes.dex

3. Open the resulting JAR file with JD-GUI.

JD-GUI

JD-GUI is used to display the classes inside a JAR file in a user-friendly GUI. It does not have special parameters and is straightforward to use.

APKTOOL

APKTOOL is a versatile tool for decompiling and rebuilding APKs, handling both resources and manifest files.

Basic Usage:

apktool d your_app.apk

Common Parameters:

• -r: Do not decompile resource files.

• --force-manifest: Ensure the AndroidManifest.xml is decompiled even when using the -r parameter.

APKTOOL is essential for tasks that require manipulating resources or rebuilding the APK after modification.

Androguard

Androguard is a powerful tool written in Python for reverse engineering Android applications. It can decompile APKs, analyze the manifest, and generate control flow graphs (CFGs). It is available on GitHub.

Basic Usage:

• Display Android app manifest:

  androguard axml path/to/app.apk

• Display app metadata (version and app ID):

  androguard apkid path/to/app.apk

• Decompile Java code from an app:

  androguard decompile path/to/app.apk --output path/to/directory

Decompiling and Creating CFGs: To decompile an APK and create control flow graphs:

androguard decompile -o outputfolder -f png -i someapp.apk --limit "^Lcom/elite/.*"

Ensure graphviz and pydot are installed:

sudo apt-get install graphviz
pip install -U pydot

This command will decompile the app and generate CFGs in the specified format, limited to methods matching the regex ^Lcom/elite/.*.

Example CFG:

• The generated CFGs help trace back the control flow, useful for analyzing heavily obfuscated code.

Creating Call Graphs: To create a call graph from an APK:

androguard cg -o callgraph.gml path/to/app.apk

This generates a call graph in the specified format, which can be viewed with graph visualization tools like Gephi.

Filtering Call Graphs: Filter methods using regex to manage large call graphs:

androguard cg -o callgraph.gml --classname "^Lcom/elite/.*" path/to/app.apk

Androguard is highly configurable and can output detailed analysis, making it indispensable for thorough reverse engineering and deobfuscation efforts.