The dedexer disassembler
4 likes3,018 views
The document outlines the structure and functioning of Android's Dalvik virtual machine and its bytecode format, explaining that Android applications are primarily Java-based but do not adhere to Java standards. It discusses the conversion process from Java source code to Dalvik bytecode using tools like dedexer, and provides guidance on reverse engineering Dex files. The author concludes that reverse-engineering Dex files is complex, necessitating a solid understanding of Dalvik bytecode.
![Before
● class PatternSet {
Pattern[] patterns; /* whole
pattern set */
Pattern[] trainingpatterns; /*
patterns to be used during training */
Pattern[] crossvalpatterns; /*
patterns to be used during cross
validation */
...](https://image.slidesharecdn.com/dedexer-12562855904027-phpapp01/85/The-dedexer-disassembler-9-320.jpg)
![After
● .method public
<init>(Ljava/lang/String;IIDDDLRandomize
r;)V
.limit registers 23
; this: v12 (LpatternSet;)
; parameter[0] : v13
(Ljava/lang/String;)
; parameter[1] : v14 (I)
; parameter[2] : v15 (I)
; parameter[3] : v16 (D)
; parameter[4] : v18 (D)
; parameter[5] : v20 (D)
; parameter[6] : v22 (LRandomizer;)](https://image.slidesharecdn.com/dedexer-12562855904027-phpapp01/85/The-dedexer-disassembler-12-320.jpg)
The dedexer disassembler
- 1. The dedexer disassembler Gabor Paller [email protected] 2009.10.22
- 2. Background ● As we all know, Android is a Linux-Java platform. ● The underlying operating system is a version of Linux ● The application model exposed to the developer is Java-based ● Android is not Java ● Google does not use the Java logo in relation with Android ● Android application model has no relationship with any Java standard (JSR)
- 3. Dalvik ● At the core of Android, there is the proprietary Dalvik virtual machine executing Android programs. ● Some interesting Dalvik properties ● It lives in symbiosis with the Linux process/access right system to provide application separation ● It has its own bytecode format which is in distant relationship with the Java bytecode format
- 4. Life of a Java application in Android ● Java is just a front-end ● Developer codes in Java ● The source code is compiled by the Java compiler into .class files ● Then the dx (dexer) tool which is part of the Android SDK processes the .class files into Dalvik's proprietary format ● The result of a proprietary file format called DEX that contains Dalvik bytecode. ● The format has no relationship with the Java bytecode
- 5. Why should you care? ● Well, you shouldn't ● You have to dig very deep to find discrepancies between the execution environment projected by Dalvik and JVM (classloading). ● If you develop your own language (like Simple), you may compile directly to Dalvik bytecode. Even in this case there is an option of compiling to Java bytecode first and leave the Dalvik bytecode to dx. ● Big exception: reverse engineering
- 7. Disassembly options ● For binary XML files, use a binary-to-textual XML converter like AXMLPrinter2 ● For the DEX file, use dedexer ● Alternative products: – Dexdump – comes with the Android SDK, less convenient to use than dedexer because e.g. it does not support labels, produces one large file, etc. – Baksmali – a competing open-source DEX disassembler. Comes with a Dalvik bytecode assembler (smali) ● In any case, you have to live with Dalvik bytecode disassembly – there's no way back to Java presently!
- 8. Using dedexer ● Download ddx.jar from http://dedexer.sourceforge.net ● Unpack the DEX file from the APK file. ● Issue: java -jar ddx.jar -d target_dir source_dex_file ● The decompiled files will be produced in target_dir with .ddx extension. We will learn, how to read those files.
- 9. Before ● class PatternSet { Pattern[] patterns; /* whole pattern set */ Pattern[] trainingpatterns; /* patterns to be used during training */ Pattern[] crossvalpatterns; /* patterns to be used during cross validation */ ...
- 10. After ● .class PatternSet .super java/lang/Object .source PatternSet.java .field crossvaldeviations [D .field crossvalpatterns [Lpattern; .field patterns [LPattern;
- 11. Before ● public PatternSet (String sourceFile, int noofinputs, int nooftargets, double ratiotraining, double ratiocrossval, double ratiotest, Randomizer randomizer) { ...
- 12. After ● .method public <init>(Ljava/lang/String;IIDDDLRandomize r;)V .limit registers 23 ; this: v12 (LpatternSet;) ; parameter[0] : v13 (Ljava/lang/String;) ; parameter[1] : v14 (I) ; parameter[2] : v15 (I) ; parameter[3] : v16 (D) ; parameter[4] : v18 (D) ; parameter[5] : v20 (D) ; parameter[6] : v22 (LRandomizer;)
- 13. Before LineReader linereader = new LineReader(sourceFile); int counter = 0; double temp_double; while (linereader.NextLineSplitted()){ ...
- 14. After ● new-instance v1,LineReader ; v1 : LlineReader; invoke-direct {v1,v13},LineReader/<init> ; <init>(Ljava/lang/String;)V ; v1 : LLineReader; , v13 : Ljava/lang/String; .line 27 const/4 v2,0 ; v2 : single-length l24aa: .line 29 invoke-virtual {v1},LineReader/NextLineSplitted ; NextLineSplitted()Z ; v1 : LlineReader; move-result v3 ; v3 : single-length if-eqz v3,l24da ; v3 : single-length
- 15. Comments ● Instruction set is available on the http://dedexer.sourceforge.net page. ● This was generated with the brand new dedexer feature (-r switch) that tracks register usage. It is essentially a data flow analyser.
- 16. Conclusion ● Reverse-engineering of DEX files is more tiresome than it could be. ● Presently, knowledge of Dalvik bytecode is required. ● Dedexer does less than it could when disassembling optimized DEX (ODEX) files. ● This is the main direction of development currently. ● I do not intend to do DEX-to-Java.