Simplify

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter what the specific type of obfuscation is used.

Before and After

The code on the left is decompilation of an obfuscated app, and the code on the right has been deobfuscated.

There are three parts to the project: smalivm, simplify, and the demo app.

1. smalivm: Provides a virtual machine sandbox for executing Dalvik methods. After executing a method, it returns a graph containing all possible register and class values for every execution path. It works even if some values are unknown, such as file and network I/O. For example, any if or switch conditional with an unknown value results in both branches being taken.
2. simplify: Analyzes the execution graphs from smalivm and applies optimizations such as constant propagation, dead code removal, unreflection, and some peephole optimizations. These are fairly simple, but when applied together repeatedly, they’ll decrypt strings, remove reflection, and greatly simplify the code. It does not rename methods and classes.
3. demoapp: Contains simple, heavily commented examples for using smalivm in your own project. If you’re building something that needs to execute Dalvik code, check it out.

Usage

usage: java -jar simplify.jar <input> [options]

deobfuscates a dalvik executable

 -et,--exclude-types <pattern>   Exclude classes and methods which include REGEX, eg: "com/android", applied after include-types

 -h,--help                       Display this message

 -ie,--ignore-errors             Ignore errors while executing and optimizing methods. This may lead to unexpected behavior.

    --include-support            Attempt to execute and optimize classes in Android support library packages, default: false

 -it,--include-types <pattern>   Limit execution to classes and methods which include REGEX, eg: ";->targetMethod\("

    --max-address-visits <N>     Give up executing a method after visiting the same address N times, limits loops, default: 10000

    --max-call-depth <N>         Do not call methods after reaching a call depth of N, limits recursion and long method chains, default: 50

    --max-execution-time <N>     Give up executing a method after N seconds, default: 300

    --max-method-visits <N>      Give up executing a method after executing N instructions in that method, default: 1000000

    --max-passes <N>             Do not run optimizers on a method more than N times, default: 100

 -o,--output <file>              Output simplified input to FILE

    --output-api-level <LEVEL>   Set output DEX API compatibility to LEVEL, default: 15

 -q,--quiet                      Be quiet

    --remove-weak                Remove code even if there are weak side effects, default: true

 -v,--verbose <LEVEL>            Set verbosity to LEVEL, default: 0

Changelog v1.3

This version has a few fixes but mostly the new Smali Debugger tool which allows you to step through smalivm executions line by line, set breakpoints, etc. It was an experiment to see if smalivm could easily be used as a library (it’s easier now) and to play with Kotlin. Check it out and let me know what you think.

Version bump to 1.3.x because of some changes to the API.

Here’s the changelog.

• Many small improvements to make smalivm a better library for more than just simplify
• Fix correctness bugs around invoking methods and maintaining correct state
• Updated dependencies

Download

Tutorial

Copyright (C) 2016 CalebFenton