{"id":373,"date":"2015-09-28T13:56:47","date_gmt":"2015-09-28T21:56:47","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=373"},"modified":"2018-12-19T13:37:59","modified_gmt":"2018-12-19T21:37:59","slug":"setting-up-jeb2-to-parse-odex-files","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/setting-up-jeb2-to-parse-odex-files\/","title":{"rendered":"Setting up JEB2 to parse optimized DEX (odex) files"},"content":{"rendered":"

This blog assumes that\u00a0JEB version 2.1.0<\/a> or above is used along with the OAT plugin 1.0.2<\/a>\u00a0or above.<\/em><\/p>\n

Parsing support for optimized DEX files\u00a0was added to JEB2 to allow the analysis of non-deodex’ed files. Since ODEX files are target-dependant, the executing Dalvik VM is no longer restricted to regular opcodes. ODEX files may make use of “illegal” opcodes, optimized opcodes, or even the once regular but now dead extended\u00a0opcodes. Whenever possible, parsing will take place, and instructions displayed in the assembly view.<\/p>\n

In the screenshot\u00a0below, note that opcode \u00a043h<\/strong> (illegal for non-optimized code) is used, as well as iput-wide-volatile<\/strong> (optimized opcode for field access).<\/p>\n

\"\"<\/a><\/p>\n

In that second screenshot, notice the use of a non-standard jumbo opcode<\/strong>.<\/p>\n

\"\"<\/a><\/p>\n

If you are analyzing an extracted ODEX file (one whose header bytes start with “dey\\n”<\/strong>), then all versions of JEB2 shall be able to process it. The Project tree will look like the following (project > artifact > odex unit > dex unit<\/strong>):<\/p>\n

\"\"<\/a><\/p>\n

If you are analyzing an OAT file (DEX file precompiled to native and ready to run within the ART runtime), then you will need one additional plugin: the OAT plugin<\/strong>. This plugin can be registered on Business and Enterprise versions of JEB2. (Note: older versions of JEB 2.0, mainly versions 2.0.12 and above, require the third-party ELF plugin<\/strong> as well.<\/em>)<\/p>\n

Installation steps:<\/p>\n

    \n
  1. Visit\u00a0our public GitHub account<\/a><\/li>\n
  2. Download the latest package of the OAT plugin<\/a><\/li>\n
  3. Drop the JAR file in the coreplugins\u00a0folder within your JEB2 installation directory<\/li>\n
  4. Restart JEB2. The lines “Plugin loaded … OATPlugin” should be visible in the console<\/li>\n<\/ol>\n
    \"\"<\/a>
    The OAT plugin is loaded (the ELF third-party plugin is no longer required with JEB 2.1+)<\/figcaption><\/figure>\n

    Now, you may open an OAT file. The project view should be similar to the following (project > artifact > elf unit > oat unit > dex or odex unit<\/strong>):<\/p>\n

    \"\"<\/a><\/p>\n

    Here is another example of an ELF file containing an OAT section, containing 2 optimized DEX files:<\/p>\n

    \"\"<\/a>
    An ELF\/OAT file containing 2 DEX files<\/figcaption><\/figure>\n

    That is it for this blog post. We are planning to release more documentation and tutorials about our APIs In the coming days. In the meantime, remember to check our open-source plugins on GitHub, they are great starting points for anyone interested in writing their own parsers or back-end plugins.\u00a0Stay tuned, and happy analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"

    This blog assumes that\u00a0JEB version 2.1.0 or above is used along with the OAT plugin 1.0.2\u00a0or above. Parsing support for optimized DEX files\u00a0was added to JEB2 to allow the analysis of non-deodex’ed files. Since ODEX files are target-dependant, the executing Dalvik VM is no longer restricted to regular opcodes. ODEX files may make use of … Continue reading Setting up JEB2 to parse optimized DEX (odex) files<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,8],"tags":[],"class_list":["post-373","post","type-post","status-publish","format-standard","hentry","category-android","category-jeb2"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=373"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/373\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}