Reverse Engineering Tools

📍First, you need to understand why you are reverse engineering

  • The main purpose of this technique is to understand how applications work, analyze them, find vulnerable implementations, hardcoded data, and so on.

  • One goal might be to find the hidden API endpoint that the app is using. We can do this by:

    1. Pressing Ctrl + Shift + F

    2. Searching for "http"

📍Reverse Engineering Tools


📌Dex2jar & jd-gui

  • How to get the Java source code?

  • Steps

    1. Unzip the APK file to get the classes.dex file:

      $ unzip file.apk
    2. Use the dex2jar tool (the script ships as d2j-dex2jar.sh in current releases) to convert the classes.dex file into a Java archive (.jar):

      $ dex2jar classes.dex
      dex2jar classes.dex -> ./classes-dex2jar.jar
    3. Use the jd-gui tool to view the Java code:

      $ jd-gui classes-dex2jar.jar

📌Jadx & jadx-gui

  • To run Jadx:

    jadx app.apk --log-level ERROR
  • Output: jadx writes two directories, resources (the decoded manifest and resources) and sources (the decompiled Java code).

We are more interested in the Java code. The structure is organized according to the package name of the Java classes.

  • To automate this entire process, you can use the find command as shown below:

    $ find ./ -iname "*.apk" -exec jadx {} -d out/{} \;

While dex2jar often produces better results with fewer errors, jadx works with the whole application.
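The "search for http" step from the first section, applied to the out/<apk>/sources tree that the find command above produces, as an added example (not part of the original notes or of jadx): it reports URL fragments that occur inside Java string literals, so comments and package names are skipped, and drops the framework XML namespaces every app carries. The sources layout is assumed from jadx's default output and the sample .java files are constructed in a temporary directory so the scan runs offline.

```python
"""Scan a jadx output tree (out/<apk>/sources) for hardcoded http(s) endpoints.
Assumes jadx already wrote the .java files (e.g. via the find command above);
this only reads them. Added example, not part of jadx or the original notes."""
import os
import re
import tempfile
from typing import List, Tuple

# Java string literals (escapes allowed) and the URL fragments inside them.
# Restricting to literals skips comments, imports and package declarations.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
URL_FRAGMENT = re.compile(r'https?://[^\s"\'<>]*')  # '*' keeps "https://" + host pieces
# XML namespaces every app carries; they are not application endpoints.
NOISE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/", "http://xmlpull.org/")

def find_endpoints(sources_dir: str) -> List[Tuple[str, int, str]]:
    """Return (relative path, line number, url) for each URL literal under sources_dir."""
    hits = []
    for root, dirs, files in os.walk(sources_dir):
        dirs.sort()  # deterministic report order
        for name in sorted(files):
            if not name.endswith(".java"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for literal in STRING_LITERAL.findall(line):
                        for url in URL_FRAGMENT.findall(literal):
                            if not url.startswith(NOISE_PREFIXES):
                                hits.append((os.path.relpath(path, sources_dir), line_no, url))
    return hits

def build_sample_tree() -> str:
    """Constructed stand-in for jadx output (not a real app) so the scan runs offline."""
    root = tempfile.mkdtemp()
    pkg_dir = os.path.join(root, "com", "example", "app")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "ApiClient.java"), "w") as fh:
        fh.write("package com.example.app;\n"
                 "// http://example.com in a comment is not a literal and is ignored\n"
                 "public class ApiClient {\n"
                 '    static final String BASE = "https://api.example.com/v2/";\n'
                 '    static final String NS = "http://schemas.android.com/apk/res/android";\n'
                 "}\n")
    with open(os.path.join(pkg_dir, "Config.java"), "w") as fh:
        # Endpoint assembled at runtime: only the scheme piece survives as a literal.
        fh.write('public class Config { String login = "https://" + host + "/login"; }\n')
    return root
```

Point find_endpoints at out/<apk>/sources from the find command; a bare "https://" hit means the endpoint is assembled at runtime and the host is worth reading in context.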

📍jadx-gui

  • jadx-gui performs the same functions as jadx but includes a graphical user interface similar to jd-gui. It provides a clear view of the app and additional features, such as deobfuscation (renaming classes, methods, and fields with names shorter than three characters).

  • To run JADX-GUI:

    jadx-gui <apk_name>

If you encounter issues with jadx-gui, consider viewing the source code with Eclipse IDE, a popular tool for Java development.


📌Androguard

📍Analyze Module

  • The Analyze module performs static analysis of a binary. You can load a binary into the module, which then provides an IPython shell. This shell allows you to browse through the application and inspect its components interactively.

  • Hands-on

    • To analyze an APK:

      androguard analyze <file.apk>
    • Androguard automatically creates three objects:

      1. a: Represents the APK file.

      2. d: Represents the Dalvik (DEX) format.

      3. dx: Provides analysis options and data flow information.

    • We will focus on the a and dx objects.

📍Call Graph Module

  • It is especially useful for analyzing obfuscated binaries.

  • Handy for tasks like locating routing logic, certificate-pinning checks, and encryption or decryption routines.

📍Flow Graph Module

  • The key difference between this module and the Call Graph Module is:

    • Call Graph: Focuses on the sequence of method calls (e.g., method1 calls method2, which calls method3, and so on).

    • Flow Graph: Focuses on the control flow within a single function.
