Android penetration tools walkthrough series Dex2Jar, JD-GUI, and Baksmali
In this article, we will be focusing on Android penetration testing tools such as Dex2Jar, JD-GUI, and Baksmali to work with reverse engineering Android APK files.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Dex2Jar
Dex2Jar is a freely available tool to work with Android ".dex" and Java ".class" files. As you may aware that ".dex" files are compiled Android application code file. Android programs are compiled into ".dex" (Dalvik Executable) files, which are in turn zipped into a single ".apk" file on the device. The ".dex" files can be created automatically by Android, by translating the compiled applications written in the Java programming language.
The core feature of Dex2Jar is to convert the classes.dex file of an APK to classes.jar or vice versa. So, it is possible to view the source code of an Android application using any Java decompiler, and it is completely readable. Here, we get .class files and not the actual Java source code that was written by the application developer.
Also, it is possible to get ".smali" files directly from the classes.dex file or vice versa. That means you can change the source code of an application directly working with this format.
JD-GUI
JD-GUI is a standalone graphical utility that displays Java source codes of ".class" files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. (From the official website)
If you open the ".jar" file with JD-GUI, you can view the source code of the application which is Java classes in a readable format, and it is also very easy to navigate through the code.
Smali and Baksmali
Smali/Baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax and supports the full functionality of the dex format (annotations, debug info, line info, etc.) (From the official website).
With the help of Baksmali, we can disassemble the classes.dex file into ".smali" code, Smali does the opposite of Baksmali.
Installation and setup
Dex2Jar
We can find Dex2Jar tool pre-installed on Kali-Linux under reverse engineering tools, illustrated in below screenshot.
You can download the latest version of Dex2Jar from here. The installation process is quite straightforward; you just must unzip the package in a folder of your choice and then add Environment Variables System "PATH." That is it; you are ready to start using dex2jar!
Below is the content of the Dex2Jar folder after extracting, I am using the latest available version, i.e., version: reader-2.0, translator-2.0, ir-2.0.
As you can see in the above screenshot, there are several scripts available (for Unix, Mac and Windows systems), each key feature of dex2jar is provided in a separate script.
You may set the Environment Variables System "PATH" variable to access Dex2Jar from anywhere. Illustrated below:
Now, Open the command prompt from anywhere and enter the below command. Note that you may need to give permission to Dex2Jar.bat file to execute.
d2j-dex2jar OR d2j-dex2jar.bat
As you can see, there are various switches that are self-explanatory, and you can use as per your requirement. Below are few important options
-o option: you can specify the name of the output file.
-f option: simply tells dex2jar to overwrite output file if it already exists.
When converting DEX to JAR, you may get Out of Memory Error for large size DEX file. Here, we need to increase the size of the JVM memory in d2j_invoke script.
Change the values accordingly to your system requirements such as -Xmx2048m.
JD-GUI
You can download the JD-GUI from the official website. Download the respective flavor available (for Unix, Mac and Windows systems). For Windows system you can download the executable or JAR of JD-GUI, we would be using JAR file for this exercise.
I am using the latest version available for JD-GUI, i.e., jd-gui-1.4.0.jar. Once you download the JAR file, simply double-click on the JAR file or enter the command (java -jar jd-gui-1.4.0.jar) in command prompt in windows directory where you have saved the JD-GUI.jar
Smali and Baksmali
You can download the latest versions of the Smali and Baksmali form the official website. These files come in JAR format; I am using the latest available versions, i.e., smali-2.2.2.jar and baksmali-2.2.2.jar. You can download these files and keep in windows directory of your choice. To invoke these JAR files, we need to enter the below commands:
Java -jar smali-2.2.2.jar
Java -jar baksmali-2.2.2.jar
Now, open command prompt and enter simple commands illustrated in the below screenshots and understand differed options available under Smali and Baksmali
We can use switch a to assembles ".smali" files into a ".dex" file.
Switch de or x can be used to deodex APK file, deodexing is basically repackaging of these APKs in a certain way, such that they are reassembled into classes.dex files (Read more here).
To disassemble ".dex" file to ".smali" code we could use d or dis switch.
Usage
Dex2Jar and JD-GUI
To demonstrate usage of Dex2Jar, I would be using the vulnerable APK file (diva-beta.apk) for this exercise that can be downloaded from here.
We can extract the executable code of the Android application in JAR format. We can simply give the ".apk" file to Dex2Jar or extract the ".apk" file and give classes.dex to Dex2Jar with one of the below commands.
d2j-dex2jar diva-beta.apk
d2j-dex2jar -f -o classes.jar diva-beta.apk
As we can see Dex2Jar has created the jar file with the default name, i.e., diva-beta-dex2jar.jar. You may specify the output file name with -o switch.
Now, we can open the output file with JD-GUI and see the source code of the application. Open the JD-GUI.jar UI application and drag and drop the ".jar" file that we have extracted from the APK.
It is very easy to read and navigate through the code with Java decompiler JD-GUI. Pen testers can use this utility to understand APK code, identify security and business logic flows in the APK code. JD-GUI has a search feature that can be utilized to search the keywords (passwords, keys, etc.) in the source code, note that this search is case-sensitive. Illustration below
Back to Dex2Jar, it also supports conversion from ".class" to ".dex." We can use the below command to convert jar to dex that we can put back into APK zip and reuse.
d2j-jar2dex -f -o classes.dex diva-beta-dex2jar.jar
Jar2dex has created the classes.dex file that can be used to build the APK file. This relatively simple to use the tool, we can extract or put back a lot of information from and to an APK file, but currently, it does not have support for XML resources which are an important file of APK.
Smali and Baksmali
So, as we know that it is possible to get ".smali" files directly from the classes.dex file with the help of Baksmali. We already have the classes.dex file that we have extracted from the diva-beta.apk file, we would disassemble this ".dex" file into ".smali" code with below command.
java -jar baksmali-2.2.2.jar d classes.dex
As we can see the new output folder has been created with the name out, go to the folder and see the contents of the folder.
We can see the ".smali" files; we can view and edit this ".smali" code with any simple editor such as (Notepad++), illustrated above. That means you can change the source code of an application directly working with this format, start your tinkering and make the necessary modifications to the Smali code, once finished we can assemble ".smali" code into classes.dex with the help of smali.jar.
Now, open the command prompt in the directory where we have smali.jar file and the disassembled ".smali" code. Use below command to assemble Smali code into classes.dex file.
java -jar smali-2.2.2.jar a out
Here, out is the folder name where we have disassembled classes.dex file into ".smali" files. Switch a is for assemble.
Here, we can see that out.dex file has been created with ".smali" resources under out folder. You can rename the dex file to something like classes.dex and put back into APK zip and reuse.
So, we understand that there are many reasons we should take into consideration these reverse engineering tools. We may leverage these tools to look at specific business logic and security implementations in the Android application code such as API keys, authentication tokens or unused resources, etc. to identify the security flaws and suggest improvements.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Sources
- Dex2jar - Github
- Smali Overview - Bitbucket
- JD - benow
- Insecure and vulnerable app - Payatu
- Developers forum
In this Series
- Android penetration tools walkthrough series Dex2Jar, JD-GUI, and Baksmali
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness