Android Arsenal: Reverse engineering tools
- Androguard – reverse engineering, Android app malware and good software analysis
Androguard is a full Python tool to play with Android files.
- DEX, ODEX
- Android’s binary xml
- Android resources
- Disassemble DEX/ODEX bytecodes
- Decompiler for DEX/ODEX files
- Android Apk decompiler – Online decompiler for APK and DEX Android files
- Android loadable kernel modules
Android Loadable Kernel Modules – mostly used for reversing and debugging on controlled systems/emulators.
- antiptrace – simple ptrace hooking module for use to aid in reversing native applications on Android
- open-read-write – hooks lots of functions in an attempt to find out what files a piece of malware was touching
- antiunlink – prevents a specified package name from unlinking files in its own directory, specifically for use against dexprotector
- AndBug – Android debug library
AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android’s Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes. Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks. (If you just want to dump loaded classes, methods, or threads, there are example scripts for that.)
- ApkTool – tool for reverse engineering Android Apk files
A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building apk, etc. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms, analyzing applications and much more.
- APK Studio
APK Studio is a cross-platform IDE for reverse-engineering (decompiling/editing) & recompiling of Android application binaries within a single user-interface. It features a friendly layout, with a code editor which supports syntax highlighting for Android SMALI (*.smali) code files.
- Bytecode-Viewer
Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.
It’s written completely in Java, and it’s open sourced. It’s currently being maintained and developed by Konloch.
- CodeInspect
A Jimple-based Reverse-Engineering framework for Android and Java applications. CodeInspect supports as input format a complete Android Application Package (apk), just the Android bytecode (dex-file) or a jar-file. In the following we will describe the different features based on a malicious Android apk.
- Dedex – Command-line tool for disassembling Android DEX files.
The dextra utility began its life as an alternative to the AOSP’s dexdump and dx --dump, both of which are rather basic, and produce copious, but unstructured output. In addition to supporting all their features, it also supports various output modes, specific class, method and field lookup, as well as determining static field values. I later updated it to support ART (which is also one of the reasons why the tool was renamed). The dextra tool is provided as one of the free downloads provided for the “Android Internals” book (http://NewAndroidBook.com/). You are welcome to use it even if you don’t buy the book (though naturally you’re even more welcome to buy the book :-). Its method of operation and a lot more about Dalvik internals is covered in detail, in Chapters 10 and 11. Its latest version, as a tar file with binaries for OS X, Linux/Android x86_64 or Linux/Android ARMv7, can always be obtained at this page right here.
- Dex2Jar – Tools to work with Android .dex and Java .class files
- Dexdisassembler – a GTK tool for disassembling Android DEX files.
- Enjarify
Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.
- Fern Flower
Fernflower is the first actually working analytical decompiler for Java and probably for a high-level programming language in general.
- Introspy-Android
Introspy-Android comprises two separate components: a GUI interface to configure hooks, filters and options and a Cydia Substrate extension containing the core of the tool functionalities, including hooks and analysis of potential issues. Introspy-Android can be installed on a rooted device and dynamically configured to hook security-sensitive Android APIs at run-time. The tool records all the relevant API calls made by an application, including function calls, arguments and return values. It then performs tests for security issues in real time and persists the results in a database and in the Android logging system. The Introspy-Analyzer can then be used to analyse a database generated by the tracer, and generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application.
The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. JD-Core is a library that reconstructs Java source code from one or more “.class” files. JD-Core may be used to recover lost source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or type “enum”, are supported. JD-GUI and JD-Eclipse include JD-Core library. JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.
JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process, even if you do not have them all.
JD-IntelliJ is a plug-in for… the IntelliJ IDE.
JEB is a modular reverse engineering platform for professionals. Its extensible nature allows reverse engineers to perform disassembly, decompilation, debugging, and analysis of code and document files, manually or as part of an analysis pipeline.
smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
This software will emulate a smali source file generated by apktool. It is intended to be used as a quick and dirty way to defeat various types of encryption and obfuscation while reversing an APK.
- Strongdb
Strongdb is a gdb plugin written in Python to help with debugging Android native programs. The main code uses the gdb Python API.
- Xenotix APK Reverser
Xenotix APK Reverser is an open-source Android Application Package (APK) decompiler and disassembler powered by dex2jar, baksmali and jd-core. Released under the Apache License.