The dedexer disassembler
      Gabor Paller
 gaborpaller@gmail.com
       2009.10.22
Background
●   As we all know, Android is a Linux-Java
    platform.
    ●   The underlying operating system is a version of
        Linux
    ●   The application model exposed to the developer is
        Java-based
●   Android is not Java
    ●   Google does not use the Java logo in relation with
        Android
    ●   Android application model has no relationship with
        any Java standard (JSR)
Dalvik
●   At the core of Android, there is the proprietary
    Dalvik virtual machine executing Android
    programs.
●   Some interesting Dalvik properties
    ●   It lives in symbiosis with the Linux process/access
        right system to provide application separation
    ●   It has its own bytecode format which is in distant
        relationship with the Java bytecode format
Life of a Java application in Android
●   Java is just a front-end
    ●   Developer codes in Java
    ●   The source code is compiled by the Java compiler
        into .class files
    ●   Then the dx (dexer) tool which is part of the Android
        SDK processes the .class files into Dalvik's
        proprietary format
    ●   The result is a proprietary file format called DEX
        that contains Dalvik bytecode.
    ●   The format has no relationship with the Java
        bytecode
Why should you care?
●   Well, you shouldn't
    ●   You have to dig very deep to find discrepancies
        between the execution environment projected by
        Dalvik and JVM (classloading).
    ●   If you develop your own language (like Simple), you
        may compile directly to Dalvik bytecode. Even in
        this case there is an option of compiling to Java
        bytecode first and leaving the Dalvik bytecode to dx.
●   Big exception: reverse engineering
Inside the APK
Disassembly options
●   For binary XML files, use a binary-to-textual
    XML converter like AXMLPrinter2
●   For the DEX file, use dedexer
    ●   Alternative products:
        –   Dexdump – comes with the Android SDK, less convenient
            to use than dedexer because e.g. it does not support
            labels, produces one large file, etc.
        –   Baksmali – a competing open-source DEX disassembler.
            Comes with a Dalvik bytecode assembler (smali)
●   In any case, you have to live with Dalvik
    bytecode disassembly – there's no way back to
    Java presently!
Using dedexer
●   Download ddx.jar from
    http://dedexer.sourceforge.net
●   Unpack the DEX file from the APK file.
●   Issue:
    java -jar ddx.jar -d target_dir source_dex_file
●   The disassembled files will be produced in
    target_dir with the .ddx extension. We will learn
    how to read those files.
Before
    class PatternSet {
        Pattern[] patterns; /* whole pattern set */
        Pattern[] trainingpatterns; /* patterns to be used during training */
        Pattern[] crossvalpatterns; /* patterns to be used during cross validation */
        ...
After
    .class PatternSet
    .super java/lang/Object
    .source PatternSet.java

    .field crossvaldeviations [D
    .field crossvalpatterns [LPattern;
    .field patterns [LPattern;
Before
    public PatternSet (String sourceFile, int noofinputs, int nooftargets,
            double ratiotraining, double ratiocrossval, double ratiotest,
            Randomizer randomizer) {
        ...
After
    .method public <init>(Ljava/lang/String;IIDDDLRandomizer;)V
    .limit registers 23
    ; this: v12 (LPatternSet;)
    ; parameter[0] : v13 (Ljava/lang/String;)
    ; parameter[1] : v14 (I)
    ; parameter[2] : v15 (I)
    ; parameter[3] : v16 (D)
    ; parameter[4] : v18 (D)
    ; parameter[5] : v20 (D)
    ; parameter[6] : v22 (LRandomizer;)
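Added example (not part of the original slides and not dedexer code): the register comments above follow from the Dalvik calling convention, where arguments occupy the last registers of the frame and long/double values (J, D) take a register pair. The function names below are hypothetical; the descriptor and register limit are the ones on the slide.

```python
import re

# One type descriptor: any number of '[' followed by a primitive letter
# or an 'L...;' class reference.
_TYPE = re.compile(r"\[*(?:[ZBSCIFJD]|L[^;]+;)")
_WIDE = {"J", "D"}  # long and double occupy a register pair


def split_descriptor(descriptor):
    """Split '(args)ret' into (list of argument types, return type)."""
    m = re.fullmatch(r"\((.*)\)(.+)", descriptor)
    if not m:
        raise ValueError("not a method descriptor: %r" % descriptor)
    args, ret = m.groups()
    types = _TYPE.findall(args)
    if "".join(types) != args:
        raise ValueError("malformed argument list: %r" % args)
    return types, ret


def width(type_desc):
    """Registers used by one value: 2 for J/D, 1 otherwise (arrays are references)."""
    return 2 if type_desc in _WIDE else 1


def map_registers(descriptor, limit_registers, this_type=None):
    """Return [(name, register, type)]; this_type is None for static methods."""
    types, _ = split_descriptor(descriptor)
    slots = ([("this", this_type)] if this_type else []) + [
        ("parameter[%d]" % i, t) for i, t in enumerate(types)
    ]
    needed = sum(width(t) for _, t in slots)
    if needed > limit_registers:
        raise ValueError("arguments need %d registers, frame has %d"
                         % (needed, limit_registers))
    reg = limit_registers - needed  # arguments sit at the end of the frame
    out = []
    for name, t in slots:
        out.append((name, "v%d" % reg, t))
        reg += width(t)
    return out


if __name__ == "__main__":
    # Constructor from the slide: .limit registers 23
    desc = "(Ljava/lang/String;IIDDDLRandomizer;)V"
    for name, reg, t in map_registers(desc, 23, "LPatternSet;"):
        print("; %s : %s (%s)" % (name, reg, t))
```

Registers below the first argument register (v0 to v11 here) are the method's locals, which is why the body on the next slide works in v1, v2 and v3.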
Before
    LineReader linereader = new LineReader(sourceFile);
    int counter = 0;
    double temp_double;
    while (linereader.NextLineSplitted()){
        ...
After
    new-instance    v1,LineReader
    ; v1 : LLineReader;
    invoke-direct   {v1,v13},LineReader/<init> ; <init>(Ljava/lang/String;)V
    ; v1 : LLineReader; , v13 : Ljava/lang/String;
    .line 27
    const/4 v2,0
    ; v2 : single-length
    l24aa:
    .line 29
    invoke-virtual  {v1},LineReader/NextLineSplitted ; NextLineSplitted()Z
    ; v1 : LLineReader;
    move-result     v3 ; v3 : single-length
    if-eqz v3,l24da ; v3 : single-length
Comments
●   Instruction set is available on the
    http://dedexer.sourceforge.net page.
●   This was generated with the brand new
    dedexer feature (-r switch) that tracks register
    usage. It is essentially a data flow analyser.
Conclusion
●   Reverse-engineering of DEX files is more
    tiresome than it could be.
●   Presently, knowledge of Dalvik bytecode is
    required.
●   Dedexer does less than it could when
    disassembling optimized DEX (ODEX) files.
●   This is the main direction of development
    currently.
●   I do not intend to do DEX-to-Java.
