The dedexer disassembler

This slideset presents the motivation behind the Android bytecode disassembler called dedexer and sets the expectations with some examples.


Slide 1: The dedexer disassembler
Gabor Paller
gaborpaller@gmail.com
2009.10.22

Slide 2: Background
● As we all know, Android is a Linux-Java platform.
  – The underlying operating system is a version of Linux.
  – The application model exposed to the developer is Java-based.
● Android is not Java.
  – Google does not use the Java logo in relation with Android.
  – The Android application model has no relationship with any Java standard (JSR).

Slide 3: Dalvik
● At the core of Android there is the proprietary Dalvik virtual machine, which executes Android programs.
● Some interesting Dalvik properties:
  – It lives in symbiosis with the Linux process/access-right system to provide application separation.
  – It has its own bytecode format, which is only distantly related to the Java bytecode format.

Slide 4: Life of a Java application in Android
● Java is just a front-end.
  – The developer codes in Java.
  – The source code is compiled by the Java compiler into .class files.
  – Then the dx (dexer) tool, which is part of the Android SDK, processes the .class files into Dalvik's proprietary format.
● The result is a proprietary file format called DEX that contains Dalvik bytecode.
● The format has no relationship with the Java bytecode.

Slide 5: Why should you care?
● Well, you shouldn't.
  – You have to dig very deep to find discrepancies between the execution environment projected by Dalvik and the JVM (class loading).
  – If you develop your own language (like Simple), you may compile directly to Dalvik bytecode. Even in this case there is the option of compiling to Java bytecode first and leaving the Dalvik bytecode to dx.
● Big exception: reverse engineering.

Slide 6: Inside the APK

Slide 7: Disassembly options
● For binary XML files, use a binary-to-textual XML converter like AXMLPrinter2.
● For the DEX file, use dedexer.
● Alternative products:
  – Dexdump – comes with the Android SDK; less convenient to use than dedexer because, e.g., it does not support labels, produces one large file, etc.
  – Baksmali – a competing open-source DEX disassembler. Comes with a Dalvik bytecode assembler (smali).
● In any case, you have to live with Dalvik bytecode disassembly – there's no way back to Java presently!
Slide 8: Using dedexer
● Download ddx.jar from http://dedexer.sourceforge.net
● Unpack the DEX file from the APK file.
● Issue:

    java -jar ddx.jar -d target_dir source_dex_file

● The disassembled files will be produced in target_dir with the .ddx extension. We will learn how to read those files.
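The "unpack the DEX file from the APK" step, worked through in Python as an added example (not code from the slides or from the dedexer project). An APK is a zip archive, so the DEX can be pulled out with the standard library; the example then sanity-checks the DEX header (magic, header_size, endian_tag, class_defs count) before handing the file to ddx.jar. The APK and its classes.dex are constructed in memory so the script runs offline; the header offsets are those of the DEX format, and the command line at the end is the one the slide gives.

```python
"""Unpack classes.dex from an APK and sanity-check its header before disassembly."""
import io
import struct
import zipfile

DEX_HEADER_SIZE = 0x70          # every DEX file starts with a fixed 0x70-byte header
DEX_ENDIAN_CONSTANT = 0x12345678


def build_constructed_dex(version: bytes = b"035") -> bytes:
    """Constructed test data: a header-only DEX with zero sections (not real dx output)."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n" + version + b"\0"               # magic: "dex\n035\0"
    struct.pack_into("<I", header, 0x20, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", header, 0x28, DEX_ENDIAN_CONSTANT)
    # remaining size/offset fields stay zero: no string/type/class tables
    return bytes(header)


def build_constructed_apk() -> bytes:
    """Constructed test data: a zip with a binary-XML placeholder manifest and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder, not a real manifest
        z.writestr("classes.dex", build_constructed_dex())
    return buf.getvalue()


def extract_dex_files(apk_bytes: bytes) -> dict:
    """Return {entry name: bytes} for every classes*.dex entry inside the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()
                if n.startswith("classes") and n.endswith(".dex")}


def parse_dex_header(dex: bytes) -> dict:
    """Validate the fixed header fields and report version, size and number of class_defs."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    magic = dex[0:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError(f"bad DEX magic: {magic!r}")
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 0x20)
    if header_size != DEX_HEADER_SIZE or endian_tag != DEX_ENDIAN_CONSTANT:
        raise ValueError("unexpected header_size or endian_tag")
    if file_size != len(dex):
        raise ValueError("file_size field does not match the actual length")
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 0x60)
    return {"version": magic[4:7].decode(), "file_size": file_size,
            "class_defs": class_defs_size, "class_defs_off": class_defs_off}


def is_dex(data: bytes) -> bool:
    """True if the bytes pass the header checks above."""
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def dedexer_command(dex_path: str, target_dir: str) -> list:
    """The invocation from the slide: java -jar ddx.jar -d target_dir source_dex_file."""
    return ["java", "-jar", "ddx.jar", "-d", target_dir, dex_path]


if __name__ == "__main__":
    apk = build_constructed_apk()
    for name, data in extract_dex_files(apk).items():
        print(name, parse_dex_header(data))
        print(" ".join(dedexer_command(name, "target_dir")))
```

Checking the header first is cheap insurance: a renamed zip, an ODEX, or a truncated download all fail here with a clear message instead of producing confusing disassembler output.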
Slide 9: Before

    class PatternSet {
        Pattern[] patterns;          /* whole pattern set */
        Pattern[] trainingpatterns;  /* patterns to be used during training */
        Pattern[] crossvalpatterns;  /* patterns to be used during cross validation */
        ...

Slide 10: After

    .class PatternSet
    .super java/lang/Object
    .source PatternSet.java
    .field crossvaldeviations [D
    .field crossvalpatterns [LPattern;
    .field patterns [LPattern;

Slide 11: Before

    public PatternSet(String sourceFile, int noofinputs, int nooftargets,
                      double ratiotraining, double ratiocrossval, double ratiotest,
                      Randomizer randomizer) {
        ...

Slide 12: After

    .method public <init>(Ljava/lang/String;IIDDDLRandomizer;)V
    .limit registers 23
    ; this: v12 (LPatternSet;)
    ; parameter[0] : v13 (Ljava/lang/String;)
    ; parameter[1] : v14 (I)
    ; parameter[2] : v15 (I)
    ; parameter[3] : v16 (D)
    ; parameter[4] : v18 (D)
    ; parameter[5] : v20 (D)
    ; parameter[6] : v22 (LRandomizer;)
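Why the parameters on slide 12 land in v12..v22 and why the doubles skip a register: in Dalvik, the method's incoming values (the "ins") occupy the last registers of the frame, `this` comes first for instance methods, and wide types (J, D) take two adjacent registers. The following added example (not code from the slides or from dedexer) parses a method descriptor and reproduces that layout for a given .limit registers value, then formats the result in the style of the comment lines the slide shows. The descriptor, register limit and class name are the ones on the slide; the function names are mine.

```python
"""Reconstruct Dalvik parameter-register layout from a method descriptor."""
import re

WIDE_TYPES = {"J", "D"}   # long and double occupy two consecutive registers


def parse_parameter_types(descriptor: str) -> list:
    """Split '(Ljava/lang/String;IIDDDLRandomizer;)V' into its parameter type descriptors."""
    m = re.fullmatch(r"\((.*)\)(.+)", descriptor)
    if not m:
        raise ValueError(f"not a method descriptor: {descriptor}")
    params, i, out = m.group(1), 0, []
    while i < len(params):
        start = i
        while i < len(params) and params[i] == "[":   # array dimensions prefix the element type
            i += 1
        if i >= len(params):
            raise ValueError("dangling array marker")
        if params[i] == "L":                           # object type runs up to the ';'
            i = params.index(";", i) + 1
        elif params[i] in "ZBSCIJFD":                  # primitive types are a single letter
            i += 1
        else:
            raise ValueError(f"bad type descriptor at offset {i}")
        out.append(params[start:i])
    return out


def register_width(type_desc: str) -> int:
    """Arrays (even [D) are references and take one register; only bare J and D are wide."""
    return 2 if type_desc in WIDE_TYPES else 1


def parameter_registers(descriptor: str, limit_registers: int,
                        class_type: str, is_static: bool = False) -> list:
    """Return [(name, register number, type)] with the ins placed in the last registers."""
    types = parse_parameter_types(descriptor)
    ins = (0 if is_static else 1) + sum(register_width(t) for t in types)
    if ins > limit_registers:
        raise ValueError("parameters do not fit in the declared register count")
    reg = limit_registers - ins
    layout = []
    if not is_static:
        layout.append(("this", reg, class_type))
        reg += 1
    for n, t in enumerate(types):
        layout.append((f"parameter[{n}]", reg, t))
        reg += register_width(t)
    return layout


def format_register_comments(layout: list) -> list:
    """Render the layout as comment lines resembling dedexer's '; parameter[n] : vN (type)'."""
    return [f"; {name} : v{reg} ({t})" for name, reg, t in layout]


if __name__ == "__main__":
    # Values taken from slide 12 of the deck.
    layout = parameter_registers("(Ljava/lang/String;IIDDDLRandomizer;)V", 23, "LPatternSet;")
    print("\n".join(format_register_comments(layout)))
```

The same rule explains why v16, v18 and v20 are followed by a gap: each double's second half lives in the next register, which dedexer's comment lines do not list separately.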
Slide 13: Before

    LineReader linereader = new LineReader(sourceFile);
    int counter = 0;
    double temp_double;
    while (linereader.NextLineSplitted()) {
        ...

Slide 14: After

    new-instance v1,LineReader                          ; v1 : LLineReader;
    invoke-direct {v1,v13},LineReader/<init>            ; <init>(Ljava/lang/String;)V
                                                        ; v1 : LLineReader; , v13 : Ljava/lang/String;
    .line 27
    const/4 v2,0                                        ; v2 : single-length
    l24aa:
    .line 29
    invoke-virtual {v1},LineReader/NextLineSplitted     ; NextLineSplitted()Z
                                                        ; v1 : LLineReader;
    move-result v3                                      ; v3 : single-length
    if-eqz v3,l24da                                     ; v3 : single-length

Slide 15: Comments
● The instruction set is documented on the http://dedexer.sourceforge.net page.
● The listing above was generated with the brand new dedexer feature (the -r switch) that tracks register usage. It is essentially a data flow analyser.

Slide 16: Conclusion
● Reverse engineering of DEX files is more tiresome than it could be.
● Presently, knowledge of Dalvik bytecode is required.
● Dedexer does less than it could when disassembling optimized DEX (ODEX) files.
● This is the main direction of development currently.
● I do not intend to do DEX-to-Java.
