Intrepidus Group

Decompiling Android Apps: undx, dex2jar, and smali

Posted: October 1, 2010 – 11:57 am | Author: | Filed under: android, Mobile Security, Tools

If you have ever needed to know what a Java application is really doing, you have probably played around with a Java decompiler at some point.  JAD will always have a special place in my heart for that, but I find myself giving JD-GUI the late night phone call now when I just need a quick peek into a JAR file. Maybe she’s not perfect, but most nights she gives me what I need.

Unfortunately in the mobile world, tools to decompile our “Java” applications aren’t quite as mature yet. If we’re looking at a Blackberry COD file, there’s coddec and some patches that can help us peek at the code. A while back we were looking for something that could do the same for Android applications and we came across Marc Schönefeld’s “undx” tool. You’re probably saying right now, “wait, Android applications aren’t Java, they’re Dalvik.” That’s true, but why can’t they be decompiled as well since it’s still bytecode and not machine code? Marc decided to take on that challenge. Feed undx an Android APK file and it will try to convert it to a JAR file (which you can then feed to JD-GUI or JAD).

While undx does an ok job on most APK files, we had a strange case on our hands a while back. It was using a few Dalvik opcodes which undx wasn’t expecting. Marc was awesome enough to have undx open sourced, so we were able to add those codes in and make a few minor tweaks that  helped us out. We’ve put our changes up at GitHub and hope others might find this build useful as well.

As Marc points out, undx is a first step at converting Dalvik to Java. It’s far from perfect or complete. Looking at the decompiled code will show you a number of functions which, well, don’t really function. Variables may have the wrong type, case statements may just fall through, and loops sometimes never break out. We’ve found that Dex2Jar does a much better job converting Dalvik to Java. We’ve placed few screenshot comparisons in our previous post. In some cases, Dex2Jar does a very impressive job. However, against larger or more complex applications, it can fail.

More and more, we’ve been finding that smali/baksmali gives us what we need: Dalvik in a readable format that we can alter, recompile, then test on a device. Its true that smali/baksmali has a different goal than undx and dex2jar (smali/baksmali is an assembler/disassembler), but it gives us what we need to do most of the time in a quick and easy way (especially when packaged with APKTool). We’ve written a few scripts that can work with the smali output and help us zero in on the code we’re interested in for an assessment, and then its ability to support changes to the application and quickly recompile is priceless. This is likely a tool we’ll be working with considerably going forward with Android.

-benn, quine, and mxs

Both comments and trackbacks are currently closed.

One Comment

  1. drrr
    Posted October 2, 2010 at 3:39 pm | Permalink

    someone needs to write an IDA processor module for dalvik with a dex loader. maybe in python.

3 Trackbacks

  1. [...] This post was mentioned on Twitter by ChrisJohnRiley, Radek Červinka and HuntingKnowledge, Ronny Vaningh. Ronny Vaningh said: RT @ChrisJohnRiley [SharedReader] Decompiling Android Apps: undx, dex2jar, and smali [...]

  2. By Week 39 in Review – 2010 | Infosec Events on October 3, 2010 at 11:19 pm

    [...] Decompiling Android Apps: undx, dex2jar, and smali – If you have ever needed to know what a Java application is really doing, you have probably played around with a Java decompiler at some point. [...]

  3. By Mobile Hackery « Security Aegis on February 17, 2011 at 2:32 am

    [...] Thanks to the guys at Intrepidis and Zach Lanier for the talk. A round of beers next BSides. More tech talk on Android decompiling here. [...]


This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24799 items have been purified.