Generic Unpacking for APK

JEB 5.9 ships with a new component for Android app (APK) reverse engineering: the Generic Unpacker.

The generic unpacker will attempt to emulate the APK in order to collect Dex files that are generated dynamically, at runtime (i.e. not the classes[N].dex entries stored in the archive). Many APK protectors, legitimate or otherwise (i.e. used for malicious purposes), employ such techniques to make the Dalvik bytecode more difficult to access and analyze.

How to use the APK unpacker

First, open the target APK in JEB. In some cases, the unpacker module will let you know that there is a high probability that the APK was packed.

In many cases, that heuristic won’t be triggered and no specific hint issued. Either way, you may start the unpacker via the Android menu, Generic Unpacking…

Start the Generic Unpacker via the Android menu

An options dialog will be displayed. At the time of writing (JEB 5.9), the only available option is the maximum duration after which the unpacking process should be aborted (the default is set to 3 minutes, although in most cases, unpacking will stop well before that time-out).

Options dialog for the unpacker

Press “Start” and let the unpacker attempt to recover hidden dex files.

After it’s done, a frame dialog will list the unpacker results, consisting of dexdec MESSAGE notifications indicating which dex files were recovered, and where. The logger will display similar information.

For each recovered dex, a corresponding dex unit will be created under a sub-folder named “unpacked” (highlighted in green, located under the APK unit).

The unpacker has completed and is displaying its results (one dex file was recovered)
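Two things a practitioner typically wants around this workflow are a cheap static pre-check for dex content stored under non-standard names in the archive, and a header sanity check for any dex an unpacker hands back (a dex dumped from a process can be truncated or partially patched). The script below is an added example, not JEB code and not the heuristic JEB itself uses; the sample APK, the entry names and the minimal dex image are constructed here so it runs offline. It checks the dex magic, the declared file_size and the Adler-32 checksum, which is enough to flag an obviously damaged dump before spending time on it:

```python
"""Added example (not JEB code): triage an APK for dex images stored outside the
standard classes[N].dex entries, and sanity-check dex headers such as the ones a
generic unpacker writes out. Everything here, including the sample APK, is constructed."""
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_MAGIC_RE = re.compile(rb"dex\n0\d\d\x00")      # "dex\n035\0", "dex\n039\0", ...
STANDARD_DEX_RE = re.compile(r"^classes\d*\.dex$")  # classes.dex, classes2.dex, ...
HEADER_SIZE = 0x70                                  # fixed size of the dex header


def make_minimal_dex(payload_len: int = 0x40) -> bytes:
    """Constructed: a dex image with a valid header and an empty body (no classes).

    Header offsets used: magic @0, adler32 checksum @8, SHA-1 signature @12,
    file_size @32, header_size @36, endian_tag @40."""
    total = HEADER_SIZE + payload_len
    body = bytearray(total)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, total, HEADER_SIZE, 0x12345678)
    # the signature covers everything after the signature field
    body[12:32] = hashlib.sha1(body[32:]).digest()
    # the checksum covers everything after the checksum field (signature included)
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def validate_dex(data: bytes) -> dict:
    """Check magic, declared file_size and Adler-32 checksum of a dex image.

    A dex dumped from memory by an unpacker can be truncated or partially
    patched; a size or checksum mismatch is the first hint of that."""
    result = {"magic_ok": False, "size_ok": False, "checksum_ok": False}
    if len(data) < HEADER_SIZE or not DEX_MAGIC_RE.match(data[:8]):
        return result
    result["magic_ok"] = True
    (checksum,) = struct.unpack_from("<I", data, 8)
    (file_size,) = struct.unpack_from("<I", data, 32)
    result["size_ok"] = file_size == len(data)
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    return result


def scan_apk(apk_bytes: bytes) -> dict:
    """Classify every zip entry that starts with the dex magic.

    'standard' = classes[N].dex at the archive root, 'hidden' = dex content under
    any other name or path (assets/, res/raw/, ...), 'invalid' = entries whose
    header does not validate. A non-empty 'hidden' list is a cheap packing hint;
    packers that decrypt or build the dex purely at runtime leave nothing here,
    which is the case an emulation-based unpacker exists for."""
    out = {"standard": [], "hidden": [], "invalid": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # read only the magic first: cheap on big APKs
            if not DEX_MAGIC_RE.match(head):
                continue
            name = info.filename
            data = zf.read(info)
            bucket = "standard" if ("/" not in name and STANDARD_DEX_RE.match(name)) else "hidden"
            out[bucket].append(name)
            if not all(validate_dex(data).values()):
                out["invalid"].append(name)
    return out


def build_sample_apk() -> bytes:
    """Constructed sample APK: two regular dex entries, one dex hidden under
    assets/ with a non-dex name, and one truncated copy of it."""
    dex = make_minimal_dex()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", dex)
        zf.writestr("classes2.dex", dex)
        zf.writestr("assets/payload.bin", dex)        # full dex, misleading name
        zf.writestr("assets/broken.dat", dex[:-16])   # truncated: size/checksum fail
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    for bucket, names in scan_apk(build_sample_apk()).items():
        print(f"{bucket:8s} {names}")
```

On the constructed sample, classes.dex and classes2.dex land in the standard bucket, assets/payload.bin and assets/broken.dat are reported as hidden dex content, and only the truncated entry fails validation. Running validate_dex over the files JEB writes under the "unpacked" folder (after extracting them) gives the same quick sanity check before merging them into the main bytecode unit.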

Analyzing the collected Dex

At this point, you may decide to analyze the recovered dex file(s) separately. In this case, simply open the dex unit(s) under “unpacked” and proceed as normal (another bytecode hierarchy, disassembly view, etc. will be opened).

Alternatively, you may want to integrate the recovered dex with the already existing bytecode. To do this, follow these steps:

  • Right-click on the recovered dex unit, select Extract to… and save the dex to a location of your choice
  • Navigate to the primary dex unit (generally named “Bytecode”) into which you want to integrate the saved dex, and open it with a double-click
  • Go to the Android menu, select Add/Merge additional Dex files… and select the file previously saved
  • The collected dex will be integrated with the existing bytecode unit, and the bytecode hierarchy will reflect that update

Limitations

The unpacker will not be able to handle all cases. Feel free to report any problem or bug you encounter; we will see whether anything can be done to support most cases.

In upcoming updates, the unpacker will also provide a small API allowing users to write plugins in the form of emulator hooks, so that unpacking tasks the built-in unpacker fails at can be handled by custom code.

Until next time! (The next blog post will be part 3 of “How to use JEB”, on analyzing more complicated or obfuscated native code. Stay tuned.)

Nicolas