This is the 10th day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021

preface

Before we get started, let’s talk about why we’re doing decompilation. The main goal is not to hack other people’s projects for illegal purposes, but to learn how other people implement specific feature points in development, which is the real purpose of decompilation. So as programmers we do decompilation in order to keep learning the technical mentality, and in turn decompilation also serves the security of the application encryption better.

Apk file composition

What we ultimately want is the source code for Apk, so we know the file structure of Apk before we get the source code from it. The specific Apk file directory is as follows:

  1. Meta-inf: indicates the signature file.
  2. Res: resource files in which XML files are converted from text format to binary AXML file format during compilation.
  3. Androidmanifest.xml: Android configuration file, which is still converted to AXML format during compilation.
  4. Classes.dex: a bytecode-like file (Dalvik bytecode) generated by compilation of Java code.
  5. Resources. Arsc: Index table with resources with ID values (the resources in the implies folder do not generate indexes).
  6. Other files: can be added by the developer, such as assets, or lib (native so code) directories.

Android applications run on Davlik VM, so applications execute specific dex files instead of.class files. Apk Java code content is in classe.dex, so dex file protection is very important.

Source decompilation

Simple use of apkTool, dex2JAR, JD-GUI decomcompile APK to obtain Java source code

apktool

Apktool can be used to obtain Apk res, smali, AndroidManifest and other resource files.

apktool.bat d (apk)
Copy the code

What is smali? I’ve never seen it before.

Smali is an intermediate language in dex format used by the Dalvik virtual machine for Android. Smali can be understood as an assembly language, similar to C and assembly language compilation and decomcompilation.

Open the SMali file and you can see some of the logic. If you know how to modify it, you can recompile the decompiled signature to produce a new modified APK. You can learn more about the syntax of smali here.

Dex2jar and jd – GUI

Change the suffix of apk to rar or zip. Apk ->.rar. Unzip it and pull out the Classes dex file. Use dex2jar to convert dex into jar packages

dex2jar.bat classes.dex
Copy the code

After success, open the JAR package with JD-GUI and you can see the Java source code of APK.

The above is a simple decompilation process using the decompilation tool, the premise is that apK generation before doing any shell reinforcement and other security encryption.

The SO file was decompiled

There may be so files in Apk, and you need to decompile the source code using other methods.

We can use IDA to decompile so’s code logic to get assembly code. When we see assembly instructions, we can know exactly what the SO file code does. Even though assembly language is obscure and difficult to understand, assembly language is the programmer’s basic language.

Hardened Apk decompilation

It may be difficult to obtain source information for processed Apk using simple decompression methods, and Java code may not be available when opening jar packages converted from Classess dex using JD-GUI. There are many general schemes for Apk reinforcement: encrypt and split the source Apk, and then put an external shell Application to do some initialization operations. Use IDA to break the dvmDexFileOpenPartial function and use dump to get dex data from memory. However, some reinforcement have reverse mode operation, so file confusion encryption, making debugging become difficult, which is also the difficulty of reinforcement decompilation.

Decompiler tool

  • Jadx
  • AppTool
  • jd-gui
  • android-classyshark