26 Excellent Android reverse engineering tools
As the proverb goes, a craftsman who wants to do good work must first sharpen his tools: good Android reverse engineering tools are a force multiplier in reverse engineering.
1. Smali/baksmali
Smali/baksmali is an assembler/disassembler pair for the dex format used by Dalvik, the virtual machine Google designed for Android. baksmali disassembles classes.dex into editable .smali files and smali assembles them back into a dex file. The syntax is loosely based on Jasmin's and Dedexer's, and the tools implement the full dex format (annotations, debug information, line information, and so on), so a disassembled file can be edited and reassembled without losing information.
2. Andbug
AndBug is a debugger for the Android platform's Dalvik virtual machine. It is based on the JDWP protocol and packaged as a Python library, and its flexibility and customizability make it a first-class Android security tool for reverse engineers and developers. It speaks the same interfaces as the Android Eclipse debugging plug-in, the Java Debug Wire Protocol (JDWP) and the Dalvik Debug Monitor (DDM), which lets the user inspect the Dalvik virtual machine and the state of a process.
Unlike the debugger in Google's Android SDK, AndBug does not need source code. It does, however, have to be driven from Python, because most of the interesting work is done through scripted breakpoints, which AndBug calls "hooks".
3. Androguard
Androguard (also known as Android Guard) is a reverse engineering toolkit for Android applications that also provides malware analysis features. Its characteristics are:
Uses DAD as its decompiler;
Can analyze malicious software;
Written primarily in Python;
Supports visualization;
Androguard supports:
DEX and ODEX;
APK;
Android binary XML;
Android resource files;
Disassembly of DEX/ODEX bytecode;
Decompilation of DEX/ODEX files;
4. Apktool
Apktool is a tool for decoding and rebuilding APK files. It can decode an APK, install the framework-res package that decoding a system APK depends on, and clean up the folder left behind by a previous decode. It unpacks an APK completely: afterwards you can see the manifest, layout files, image resources, the Smali files produced from the dex code, language files and so on. If you want to localize an application, modify its interface or modify its code, Apktool covers the whole workflow.
Characteristics:
Decodes resources to near-original form (including resources.arsc, classes.dex, 9.png and XML files);
Rebuilds decoded resources back into a binary APK/JAR;
Organizes and handles APKs that depend on framework resources;
Smali debugging (removed in 2.1.0 in favor of IdeaSmali);
Helps with repetitive tasks;
5. AFE
AFE (Android Framework for Exploitation) is an open source project that runs on Unix-based operating systems. It can be used to demonstrate security vulnerabilities in the Android operating system, and it also shows that Android botnets are feasible. With AFE it is easy to create malware for the Android platform automatically, to discover vulnerabilities in applications (such as leaking content providers, insecure file storage and directory traversal), and to execute arbitrary commands on an infected device.
AFE consists of two parts: the PC side (referred to below as AFE) and the phone side (referred to below as AFEServer). Most of AFE is written entirely in Python. AFE is extensible: other modules can be added freely, and existing tools can be ported into the AFE framework. AFEServer is an Android app that runs on the phone, connects to AFE's Python interface and executes the commands AFE sends to the phone.
Functions:
Complete command-line interface;
Identifies application vulnerabilities;
Automates the creation of malicious applications;
6. Bypass signature and permission checks for IPCs
This tool uses Cydia Substrate to bypass signature and permission checks on inter-process communication (IPC).
About Cydia Substrate
Cydia Substrate is a code modification platform. It can modify the code of any process, whether it is written in Java or in C/C++ (native code).
7. Android OpenDebug
This tool uses Cydia Substrate to make every application on the device debuggable, so that once an application is installed a debugger can be attached to it.
Note: this tool should only be used on test devices!
8. Dare
Dare is an APK reverse engineering tool released by the computer science department of Pennsylvania State University. It retargets the Dalvik bytecode in APK files used on Android into Java .class files, which can then be processed by existing Java tools, including decompilers. It currently supports Linux and Mac OS X.
9. Dex2jar
Dex2jar is a collection of tools for working with the Android Dalvik (.dex) file format and Java (.class) files. It contains the following:
dex-reader/writer: reads and writes the Dalvik executable (.dex) format, with a simple API (similar to ASM);
d2j-dex2jar: converts .dex to the .class file format;
smali/baksmali: a separate implementation with the same syntax as the smali tools, but with support for escaped Unicode in type descriptors;
Other tools: string decryption, etc.
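Every tool in this list that writes a .dex (smali, dex2jar's dex-writer, Apktool) has to refresh the integrity fields in the dex header, otherwise the Dalvik/ART dex verifier reports a checksum mismatch and refuses the file. The following added example (not code from dex2jar or smali) parses those header fields with Python's standard library, checks them, and recomputes them after an edit, the way a dex writer must. The dex blob it operates on is constructed for the example and is not a real classes.dex.

```python
"""Parse a dex header and check or repair its Adler-32 checksum and SHA-1 signature.

Added example, not code from smali/baksmali or dex2jar. Only the documented dex
header layout is used: magic (8 bytes), checksum (uint32 over everything after
itself), signature (SHA-1 over everything after itself), file_size, header_size,
endian_tag, then 17 more uint32 table sizes/offsets. The blob built by
build_minimal_dex() is constructed for this example and is not a real classes.dex.
"""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex(payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed input: a version-035 header (all tables empty) plus `payload`."""
    file_size = HEADER_SIZE + len(payload)
    tail = struct.pack("<3I", file_size, HEADER_SIZE, ENDIAN_CONSTANT) + b"\x00" * (17 * 4)
    body = tail + payload                       # everything after the signature
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def parse_header(dex: bytes) -> dict:
    """Return the header fields the integrity checks depend on."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a dex file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag %#x" % endian_tag)
    return {
        "version": dex[4:7].decode("ascii"),
        "checksum": checksum,
        "signature": dex[12:32],
        "file_size": file_size,
        "header_size": header_size,
    }


def expected_checksum(dex: bytes) -> int:
    """Adler-32 of offset 12 onward, as the dex format specifies."""
    return zlib.adler32(dex[12:]) & 0xFFFFFFFF


def expected_signature(dex: bytes) -> bytes:
    """SHA-1 of offset 32 onward, as the dex format specifies."""
    return hashlib.sha1(dex[32:]).digest()


def verify(dex: bytes) -> dict:
    """Report which integrity fields still match the file contents."""
    hdr = parse_header(dex)
    return {
        "checksum_ok": hdr["checksum"] == expected_checksum(dex),
        "signature_ok": hdr["signature"] == expected_signature(dex),
        "size_ok": hdr["file_size"] == len(dex),
    }


def fix_header(dex: bytes) -> bytes:
    """Rewrite file_size, signature and checksum after the body was edited.
    Order matters: the signature covers file_size, and the checksum covers the signature."""
    out = bytearray(dex)
    struct.pack_into("<I", out, 32, len(out))
    out[12:32] = hashlib.sha1(out[32:]).digest()
    struct.pack_into("<I", out, 8, zlib.adler32(bytes(out[12:])) & 0xFFFFFFFF)
    return bytes(out)


if __name__ == "__main__":
    dex = build_minimal_dex()
    print("fresh:   ", verify(dex))
    patched = dex[:-1] + b"\xff"               # simulate one byte changed by hand-editing
    print("patched: ", verify(patched))
    print("repaired:", verify(fix_header(patched)))
```

The same three fields are what a reassembled classes.dex must carry before it is zipped back into an APK; the APK's own signature (the v1/v2/v3 signing scheme) is a separate layer on top of it and is not covered here.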
10. Enjarify
Enjarify is a Python 3 tool from Google, similar to dex2jar, that translates Dalvik bytecode into equivalent Java bytecode. It handles inputs that dex2jar cannot, so it offers better compatibility and accuracy.
11. Dedexer
Dedexer is an open source disassembler for dex files. Its features include:
No need to run inside an Android emulator;
Builds a directory structure from the dex file that mirrors the Java package structure of the source, with one .ddx file per class;
Can be used as a Jasmin-like disassembly engine;
12. Fino
Fino is an Android dynamic analysis tool.
13. Indroid
The purpose of this project is to show that a simple debugging facility on *nix systems, the ptrace function, can be abused by malware to inject malicious code into a remote process. Indroid implements the equivalent of CreateRemoteThread for ARM-based *nix devices. CreateRemoteThread creates a thread that runs in another process's address space (a so-called remote thread).
The framework was presented in a talk at DEF CON 19, and a detailed report is available from the project.
14. Intent Sniffer
Intent Sniffer can be used on any device running Google's Android operating system. On the Android platform, Intents are one of the most common ways for applications to communicate with each other, and Intent Sniffer monitors broadcast Intents that are routed at runtime, that is, Intents sent between applications on the system. It does not see explicitly targeted broadcast Intents; by default it captures (in most cases) broadcast Intents with no priority set.
The tool can also dynamically update the actions and categories it scans for, based on application reflection and dynamic review of the setup.
15. Introspy
Introspy is a black-box testing tool that helps understand the runtime behavior of an Android application and identify potential security issues.
16. JAD
JAD is a Java decompiler that decompiles Java class files into source code from the command line.
17. JD-GUI
JD-GUI is a standalone graphical tool that displays the Java source code of .class files. With JD-GUI you can browse the reconstructed source code, with instant access to methods and fields, and the decompiled code is shown with syntax highlighting.
18. CFR
CFR is a Java decompiler by Lee Benfield. It supports Java 8 lambda expressions, Java 7 switch on strings, and so on.
19. Krakatau
Krakatau, by Storyyeller, currently consists of three tools: a decompiler and a disassembler for Java class files, and an assembler for creating class files.
20. Procyon
Procyon is a Java decompiler and metaprogramming framework. Its decompiler has clear advantages: it performs control-flow analysis and type inference, and it supports Java 8 features. Its developer is Mike Strobel.
21. Fernflower
Fernflower is a powerful analytical decompiler for Java programs. It is still under development; bug reports and suggestions for improvement can be sent to [email protected].
22. Redexer
Redexer is an analysis framework for Dalvik bytecode (Android apps): a set of OCaml-based utilities that help programmers parse and manipulate Dalvik bytecode. Redexer was developed by the PLUM lab at the University of Maryland, College Park; its main authors are Jinseong Jeon, Kristopher Micinski and Jeff Foster.
About OCaml
OCaml is the main implementation of the Caml programming language, created in 1996 by Xavier Leroy, Jérôme Vouillon, Damien Doligez, Didier Rémy and others.
23. Simplify, an Android deobfuscation tool
Simplify is an Android deobfuscator. It works by executing an app to understand its behavior and then trying to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization is simple and generic, so it does not matter which particular obfuscation technique was used. It consists of three main parts: smalivm, simplify and a demo app.
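The following added example, which is not Simplify's or smalivm's own code, shows that idea on a toy scale: a handful of smali opcodes are interpreted in Python, an obfuscated parameter-free method is executed to learn what it returns, and it is replaced by the two-instruction method with the same result. The instruction format is a constructed subset of smali with numeric branch targets instead of labels, and the sample method is made up for the demonstration.

```python
"""Execution-based deobfuscation in the style Simplify is described above:
run a method in a tiny virtual machine, and if the result depends neither on
parameters nor on side effects, emit the smallest method with the same behavior.

Added example, not Simplify's or smalivm's code. The instruction list is a
constructed subset of smali (const/16, add-int, xor-int, mul-int, if-lt, goto,
return) with branch targets given as instruction indexes instead of labels,
and the OBFUSCATED method below is made up for the demonstration.
"""

MASK32 = 0xFFFFFFFF


def to_s32(x: int) -> int:
    """Wrap to a signed 32-bit int, as Dalvik int registers do."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def execute(method, max_steps: int = 100_000) -> int:
    """Interpret `method` (a list of instruction tuples) and return the int it returns."""
    regs = {}
    pc = 0
    for _ in range(max_steps):
        op, *args = method[pc]
        if op == "const/16":
            regs[args[0]] = to_s32(args[1])
        elif op in ("add-int", "xor-int", "mul-int"):
            a, b = regs[args[1]], regs[args[2]]
            r = a + b if op == "add-int" else a ^ b if op == "xor-int" else a * b
            regs[args[0]] = to_s32(r)
        elif op == "if-lt":
            if regs[args[0]] < regs[args[1]]:
                pc = args[2]
                continue
        elif op == "goto":
            pc = args[0]
            continue
        elif op == "return":
            return regs[args[0]]
        else:
            raise ValueError(f"unsupported opcode: {op}")
        pc += 1
    raise RuntimeError("step budget exhausted; the method may not terminate")


def terminates(method, max_steps: int = 1000) -> bool:
    """True if the method returns within the step budget."""
    try:
        execute(method, max_steps)
        return True
    except RuntimeError:
        return False


def simplify(method):
    """Collapse a terminating, parameter-free, side-effect-free method to a constant return.
    Every opcode in this subset is pure, so the executed result is the method's only behavior."""
    value = execute(method)
    optimized = [("const/16", "v0", value), ("return", "v0")]
    assert execute(optimized) == value   # the rewrite must preserve behavior
    return optimized


# Constructed sample: computes 6 * 7 with a counting loop, then masks the result
# with a double XOR, the kind of junk arithmetic an obfuscator inserts.
OBFUSCATED = [
    ("const/16", "v0", 0),          # 0: i = 0
    ("const/16", "v1", 0),          # 1: acc = 0
    ("const/16", "v2", 6),          # 2: limit
    ("const/16", "v3", 7),          # 3: addend
    ("const/16", "v4", 1),          # 4: step
    ("if-lt", "v0", "v2", 7),       # 5: if i < limit goto 7
    ("goto", 10),                   # 6: loop exit
    ("add-int", "v1", "v1", "v3"),  # 7: acc += 7
    ("add-int", "v0", "v0", "v4"),  # 8: i += 1
    ("goto", 5),                    # 9: back to the loop test
    ("const/16", "v5", 0x55),       # 10: xor key
    ("xor-int", "v1", "v1", "v5"),  # 11: acc ^= key
    ("xor-int", "v1", "v1", "v5"),  # 12: acc ^= key (undoes line 11)
    ("return", "v1"),               # 13
]

# An infinite loop must be reported, not folded into a bogus constant.
NON_TERMINATING = [("const/16", "v0", 0), ("goto", 0)]


def to_smali(method) -> str:
    """Render the instruction list as smali-like text for reading."""
    return "\n".join(
        f"    {op} " + ", ".join(hex(a) if isinstance(a, int) else a for a in args)
        for op, *args in method
    )


if __name__ == "__main__":
    print(to_smali(OBFUSCATED))
    print("=>")
    print(to_smali(simplify(OBFUSCATED)))
```

The real tool has to deal with what this toy ignores: method parameters, field and array state, calls into the framework, and exceptions; that is why Simplify carries a full smalivm rather than a constant folder, and why the step budget matters, since an obfuscator can plant loops that never return.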
24. Bytecode Viewer
Bytecode Viewer is an advanced, lightweight Java bytecode viewer that bundles a GUI for the Procyon, CFR and FernFlower Java decompilers, a GUI for Jar-Jar, a hex inspector, a code finder, a debugger and more.
This open source tool is written entirely in Java. It was designed and developed by Konloch, who still maintains the project.
The tool also has a plug-in system that lets you interact with the loaded class files: for example, you can write a string deobfuscator, a malicious code finder, or anything else you can think of.
You can use plug-ins written by others or write your own, and Groovy, Python and Ruby scripts are also supported. When a plug-in is activated, BCV hands it each loaded class file, so the plug-in can manipulate the loaded classes with ASM.
25. Radare2
Radare2 is an open source reverse engineering platform that can disassemble, debug, analyze and manipulate binary files.
Main features:
Multi-platform and multi-architecture;
Highly scriptable;
Hex editor;
IO abstraction layer;
File system support;
Debugger support, etc.;
26. JEB for Android
JEB is a powerful decompiler for Android applications designed for security professionals. When reverse engineering or auditing APK files it improves efficiency by cutting the analysis time of many engineers.
Its main characteristics are:
Comprehensive Dalvik decompiler;
Interoperability;
Full examination of APK file contents;
Multi-platform (supports Windows, Linux and Mac operating systems)