{"id":445,"date":"2016-03-31T07:08:45","date_gmt":"2016-03-31T15:08:45","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=445"},"modified":"2019-07-10T15:10:41","modified_gmt":"2019-07-10T23:10:41","slug":"jeb-android-debuggers","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/jeb-android-debuggers\/","title":{"rendered":"An introduction to JEB Android Debuggers"},"content":{"rendered":"<p><em>=&gt; Updated July 10, 2019<br \/>\n<\/em><em>=&gt; Other blog posts in the <a href=\"https:\/\/www.pnfsoftware.com\/blog\/category\/debugging\/\">series<\/a>:<\/em><br \/>\n<em>&#8211; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/debugging-android-apps-on-android-pie-and-above\/\">Debugging Android apps on Android Pie and above<\/a><br \/>\n&#8211; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/crypto-monitoring-android-debuggers-api\/\">Crypto Monitoring with the Android Debuggers API<br \/>\n<\/a>&#8211; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/debugging-dynamically-loaded-dex-files-with-jeb\/\">Debugging Dynamically Loaded DEX Bytecode Files<br \/>\n<\/a><\/em>&#8211; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-debuggers-interpreter\/\"><em>Advanced Debugger Usage via the Interpreter<\/em><\/a><\/p>\n<p>Dalvik and native code debugging has been supported in JEB since version 2.2:<\/p>\n<ul>\n<li>Linux ELF and Windows PE code object support (32-bit and 64-bit)<\/li>\n<li>Disassemblers for Intel x86 and x86-64, ARM 32-bit (including floating point support), ARM 64-bit (Aarch64) and MIPS.<\/li>\n<li>Debuggers for Android Dalvik virtual machines and native Android processes<\/li>\n<\/ul>\n<p>This post presents the details and caveats pertaining to the Android debuggers, shows how to debug APK&#8217;s Dalvik and native code, and explains the debuggers limitations.<\/p>\n<figure style=\"width: 1341px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9debcae357cf572d40d73bbe69be8e6e.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9debcae357cf572d40d73bbe69be8e6e.png\" alt=\"\" width=\"1341\" height=\"754\" \/><\/a><figcaption class=\"wp-caption-text\">An on-going debugging session of Android Dalvik and native ARM code.<\/figcaption><\/figure>\n<h2>Introduction<\/h2>\n<p>Debugging closed-source Android apps has historically been challenging at best, close to impossible at worst. JEB took a stab at solving this problem by abstracting away a wealth of low-level details and caveats related to debugging so\u00a0that analysts\u00a0can focus on the Dalvik code and associated decompiled Java source, as well as native code.<\/p>\n<p>The\u00a0Android debuggers make the task of reverse-engineering complex apps, e.g. those using a mix and bytecode and machine code, finally\u00a0possible in practice. With the rise of app\u00a0protectors and obfuscators, support for full-scale debugging has become more and more pressing. \u00a0Earlier in February, we published <a href=\"https:\/\/www.youtube.com\/watch?v=qfnvR7nA0wU\" target=\"_blank\" rel=\"noopener noreferrer\">a video highlighting one major feature of these debuggers<\/a>:\u00a0the ability to seamlessly debug to-and-from Dalvik and native code. We will explain in details how to use the features highlighted in the video.<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/qfnvR7nA0wU\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>Another area we will explore is the <strong>debugging API<\/strong>. The debuggers abide to the JEB <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/com\/pnfsoftware\/jeb\/core\/units\/code\/debug\/IDebuggerUnit.html\">IDebuggerUnit<\/a> family\u00a0set of interface. They can be used to automate debugging tasks, and allow for easy integration in analysis pipelines.<\/p>\n<h2>Requirements<\/h2>\n<p>The JEB Android debuggers run on all JEB-supported platforms (Windows, Linux, macOS). Please verify the following before attempting to start a debugging session:<\/p>\n<ul>\n<li><strong>Make sure to have the <a href=\"http:\/\/developer.android.com\/sdk\/index.html#Other\">Android SDK<\/a> installed.<\/strong> Ideally, you also want to have either ANDROID_SDK_ROOT or <em>ANDROID_SDK<\/em> environment variable pointing to the SDK folder.<\/li>\n<li><strong>Enable Developer options and allow USB debugging<\/strong> on the intended physical target device. (Debugging is enabled by default on the emulators.) On physical devices running Android 4.2 and above, one way to make sure of that is to run the <em>adb devices<\/em> command. If the device is shown as unauthorized, a pop-up on your phone will appear to request authorization.<\/li>\n<\/ul>\n<h2>Debugging non-debuggable apps<\/h2>\n<p>Normally, only apps whose <a href=\"http:\/\/developer.android.com\/guide\/topics\/manifest\/application-element.html#debug\">Android Manifest explicitly has a\u00a0<em>debuggable<\/em> flag set to true<\/a> are debuggable. However, this is rarely the case when analyzing in-the-wild applications, malicious or otherwise. In such cases, you have several options.<\/p>\n<ul>\n<li><strong>Run the app in an emulator<\/strong>. Emulators have the <em>ro.debuggable<\/em> property set to 1. This means they will debug all apps, regardless of the <em>debuggable<\/em>\u00a0flag in the Manifest.<\/li>\n<li><strong>Use a rooted phone<\/strong>. A rooted phone will allow you to modify the <em>ro.debuggable<\/em> property, and change it from 0 (standard on production devices) to 1. The rooting process is out-of-scope for this document: it is device specific and rooting instructions\u00a0can easily be found online. As for <em>ro.debuggable<\/em>, we will explain how to change this system property in a separate blog entry.<\/li>\n<li><strong>Unpack\/modify\/repack your app<\/strong>. (Update: <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/manual\/android-debugging\/#generating-debuggable-apk\">JEB can do this for you<\/a>) Depending on whether the Manifest is obfuscated or not, this may be the simplest option. If the Manifest is obfuscated, the repacking process may not work. Another caveat applies: signing. You will have to sign the repacked app using your own key; be aware of the implications if you choose that option. <sup class='footnote'><a href='#fn-445-1' id='fnref-445-1' onclick='return fdfootnote_show(445)'>1<\/a><\/sup><\/li>\n<\/ul>\n<h4>Caveat: Native code in non-debuggable apps<\/h4>\n<p>When it comes to debugging <span style=\"text-decoration: underline;\">native<\/span> code of <span style=\"text-decoration: underline;\">non-debuggable<\/span> apps on a rooted phone or emulator, other limitations apply. <sup class='footnote'><a href='#fn-445-2' id='fnref-445-2' onclick='return fdfootnote_show(445)'>2<\/a><\/sup> JEB tries its best at abstracting them away. However, things might be unstable depending on which phone and OS is being used. Do not hesitate to let us know if you encounter issues.<\/p>\n<p>Note that most of our tests are done on Nexus devices running vanilla Android 5.1 and 6.0. Using similar devices for debugging will\u00a0likely reduce the chances of running into corner-case problematic situations.<\/p>\n<h2>Starting a debugging session<\/h2>\n<p>Currently, JEB can start Android debugging sessions only when analyzing APK files. If your main artifact in JEB is an orphan DEX file, the UI client will refuse to start a debugging session.<\/p>\n<p>First, retrieve your\u00a0target\u00a0APK and get the app ready for debugging:<\/p>\n<ul>\n<li>Make sure the APK matches the one that will be executed on the target phone. You can download the APK using <em>adb<\/em> <sup class='footnote'><a href='#fn-445-3' id='fnref-445-3' onclick='return fdfootnote_show(445)'>3<\/a><\/sup>:\n<ul>\n<li><em>adb shell pm list packages -f<\/em> to retrieve a list of packages and the associated path to APK<\/li>\n<li><em>adb pull &lt;pathToAPK&gt;<\/em> to download the APK<\/li>\n<\/ul>\n<\/li>\n<li>Start the app on the phone\n<ul>\n<li>Via the App Launcher for instance, if attaching to an already running app is an acceptable scenario<\/li>\n<li>If you want the app to wait for the debuggers to attach to it before it starts executing any code, you can run something like:\u00a0<em>adb shell am start -D -S -n &lt;packageName&gt;\/&lt;activityName&gt;<\/em>\n<ul>\n<li>A popup will be displayed on the phone, indicating it is waiting for a debugger to attach to the VM<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Second, in the RCP desktop client:<\/p>\n<ul>\n<li>Start an analysis of the APK file<\/li>\n<li>Open a view of a main DEX file<\/li>\n<li>Once\u00a0the focus is on the DEX\u00a0view, open the <em>Debugger<\/em> menu, and click on <em>Start&#8230;<\/em><\/li>\n<\/ul>\n<figure style=\"width: 464px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/f29441bbef3b1c12045ee8df50969719.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/f29441bbef3b1c12045ee8df50969719.png\" alt=\"\" width=\"464\" height=\"228\" \/><\/a><figcaption class=\"wp-caption-text\">The Debugger\/Start, used to start or attach a debugger, is available once the code view of a support Code unit has the focus. Here, the focus was on Dalvik bytecode.<\/figcaption><\/figure>\n<p>In the <em>Attach<\/em> dialog window:<\/p>\n<ul>\n<li>Select the target phone and the target process that matches your app, and click <em>Attach<\/em>.<\/li>\n<li>Unless you tick the <em>&#8220;Suspend all threads&#8221;,\u00a0<\/em>The app will be immediately be run\/resumed after attaching.<\/li>\n<li>The process filter is normally filled out with the APK package name. Simply press enter to filter out entries.<\/li>\n<li>(No longer the case) <del><strong>Your entry must have a D flag<\/strong>. This flag indicates that the target device will accept incoming debugger-attach requests to the target process. If you are trying to attach to an entry that does not have this flag, the operation will fail.<\/del><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9de389ccbfc04ebf770d7e3031d12533.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9de389ccbfc04ebf770d7e3031d12533.png\" alt=\"\" width=\"482\" height=\"440\" \/><\/a><\/p>\n<ul>\n<li>After attaching, the app, you should see one or two additional nodes in the Project tree view.\n<ul>\n<li>If the app does not contain native code: there will be one node, representing the Dalvik VM debugger<\/li>\n<li>If the app contains native libraries (*.so files in lib\/ folders): there will be an additional node to represent the native code debugger<\/li>\n<\/ul>\n<\/li>\n<li>When a debugger is successfully attached, the corresponding node has a light green background.<\/li>\n<\/ul>\n<figure style=\"width: 242px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/8185a583a9664b1d9d89e6d91950f745.png\" alt=\"\" width=\"242\" height=\"262\" \/><figcaption class=\"wp-caption-text\">Example: Two debugger nodes (VM, Process) currently not yet attached to the target<\/figcaption><\/figure>\n<figure style=\"width: 239px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/d067dc1dc3be15ec4b4421ea6edd4867.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/d067dc1dc3be15ec4b4421ea6edd4867.png\" alt=\"\" width=\"239\" height=\"278\" \/><\/a><figcaption class=\"wp-caption-text\">Example: One debugger node (Dalvik only) currently attached to the target<\/figcaption><\/figure>\n<h4>Views and layout<\/h4>\n<ul>\n<li>Open the VM debugger views by double-clicking the VM unit node. At this point, <strong>you will want to customize your layout<\/strong>: debugger views can seriously clutter the\u00a0workspace area. See an example of customized layout below:<\/li>\n<\/ul>\n<figure style=\"width: 1342px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/1eb7a56ba699320743c4cae71a43a842.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/1eb7a56ba699320743c4cae71a43a842.png\" alt=\"\" width=\"1342\" height=\"729\" \/><\/a><figcaption class=\"wp-caption-text\">This customized layout shows: &#8211; the code hierarchies (Dalvik, Native) in the lower left corner &#8211; the VM debugger views stacked on the top right corner &#8211; the Process debugger views stacked on the lower right corner &#8211; the Console and Logs at the bottom<\/figcaption><\/figure>\n<p>Layouts can be customized via the <em>Window<\/em> menu; more details can be found in <a href=\"\/blog\/jeb-ui-how-to\/\" target=\"_blank\" rel=\"noopener noreferrer\">a previous blog entry<\/a>.<\/p>\n<p>The debuggers should now be attached.<\/p>\n<ul>\n<li>The Process\u00a0debugger is <strong>never <\/strong>paused after attaching<\/li>\n<li>The VM debugger is paused if and only if the <em>&#8220;suspend threads&#8221;<\/em> option box was ticked<\/li>\n<\/ul>\n<p><strong>Keep in mind\u00a0that pausing the Process debugger (ie, suspending the native threads) will obviously freeze the higher-level Dalvik VM!<\/strong><\/p>\n<p>Next up, let&#8217;s review the debugger controls and controls.<\/p>\n<h2>Basic debugger controls via the UI<\/h2>\n<h4>Active debugger<\/h4>\n<p>The most important thing to remember about debugger controls is that <strong>the UI controls affect the debugger related\u00a0to the view currently focused<\/strong>.<\/p>\n<p>Unlike most tools, JEB allows multiple debuggers and debugging sessions to take place at once. Therefore, be mindful of which debugger is being controlled when pressing menu entries or toolbar buttons:\u00a0If the focus is within the DEX view or any VM debugger view, the controls are connected to the VM debugger; if the focus is within a code view connected to the Process debugger, the controls are connected to the Process debugger.<\/p>\n<h4>Controls<\/h4>\n<p>Basic\u00a0debugger controls can be accessed via the Debugger menu or the toolbar area. They allow:<\/p>\n<ul>\n<li>Attaching, detaching, terminating the process<\/li>\n<li>Pausing and resuming the process and, possibly, its individual threads<\/li>\n<li>Stepping (into, over, out of)<\/li>\n<li>Toggling execution breakpoints <sup class='footnote'><a href='#fn-445-4' id='fnref-445-4' onclick='return fdfootnote_show(445)'>4<\/a><\/sup><\/li>\n<\/ul>\n<figure style=\"width: 703px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/5a79a2d59eaa99f7106e6ffeee6696b1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/5a79a2d59eaa99f7106e6ffeee6696b1.png\" alt=\"\" width=\"703\" height=\"113\" \/><\/a><figcaption class=\"wp-caption-text\">The toolbar contains a subset of the most common and useful controls, that are also accessible via the Debugger menu.<\/figcaption><\/figure>\n<p>Not all controls can or are implemented for all debuggers. Currently for instance, pausing individual threads of the Process\u00a0debugger is not possible. When a control is not available, depending on which control it is and the severity of the failed operation, the user may\u00a0be unable to activate it (eg, grayed button), receive an error in the logger, or\u00a0receive a pop-up error in the client.<\/p>\n<p>Breakpoints can be set\/unset using the handy Control+B (or Command+B) shortcut. An icon is displayed in the left vertical bar of a code view to represent enabled\/disabled breakpoints .<\/p>\n<figure style=\"width: 1070px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/6828c226d4b113ecc0078d142a411ebc.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/6828c226d4b113ecc0078d142a411ebc.png\" alt=\"\" width=\"1070\" height=\"314\" \/><\/a><figcaption class=\"wp-caption-text\">One enabled and one disabled breakpoints.<\/figcaption><\/figure>\n<h4>Debugger views<\/h4>\n<p>Here are some of the views rendered by the UI client when visualizing a debugger unit. (Other views were added over time.)<\/p>\n<ul>\n<li>The Threads view displays thread identifiers,\u00a0status (running, suspended, waiting, etc.) as well as the stackframes when a thread is paused. Depending on the target processor, there may be one or more stackframes, showing the location (program counter register or address) \u00a0of the current thread.<\/li>\n<li>The Breakpoints view displays active and inactive code breakpoints. (More on breakpoints and breakpoint types later.)<\/li>\n<li>The Locals view shows the generic variables registers. They can be virtual slots of a VM, registers of a native process, complex variables inferred by the decompiler, etc.<\/li>\n<\/ul>\n<figure style=\"width: 546px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/a00554755d7056750155c65e1f2cd7ab.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/a00554755d7056750155c65e1f2cd7ab.png\" alt=\"\" width=\"546\" height=\"433\" \/><\/a><figcaption class=\"wp-caption-text\">Debugger views of a running Dalvik VM<\/figcaption><\/figure>\n<figure style=\"width: 546px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/db41a1cddbc0580171c42830c568aa1e.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/db41a1cddbc0580171c42830c568aa1e.png\" alt=\"\" width=\"546\" height=\"434\" \/><\/a><figcaption class=\"wp-caption-text\">Debugger views of a paused Dalvik VM. Stackframes are visible, along with some local variables.<\/figcaption><\/figure>\n<p>Every debugger has specifics\u00a0that are relevant to the target being debugged. While the JEB API and front-end are trying to abstract the nitty-gritty\u00a0details away, there are times when generic controls are not enough. In the next section, we discuss how users can issue such commands via the debugger console.<\/p>\n<p>In the case of the Dalvik VM, the Locals view can be used to display complex objects or arrays, as is shown below:<\/p>\n<figure style=\"width: 992px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9d3a662b2795555514e255e4c45b0d83.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9d3a662b2795555514e255e4c45b0d83.png\" alt=\"\" width=\"992\" height=\"434\" \/><\/a><figcaption class=\"wp-caption-text\">Variables view of the top-level frame of a suspended Dalvik thread<\/figcaption><\/figure>\n<p>In the case of local variables, <strong>the type of a Dalvik slot (v0, v1, etc. ) is usually inferred thanks to the Dalvik decompiler.<\/strong> A JEB build that does not ship with the decompiler will not be able to display most frame variables accurately.<\/p>\n<h4>Live variables overlays<\/h4>\n<p>When a thread is paused, the debuggers (native as well as Dalvik&#8217;s) provide overlay information when the mouse cursor hovers over registers, variables, class fields, or any other visual element that holds data.<\/p>\n<figure style=\"width: 621px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/7ead19493a679dc8f027371cf62ec50f.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/7ead19493a679dc8f027371cf62ec50f.png\" alt=\"\" width=\"621\" height=\"181\" \/><\/a><figcaption class=\"wp-caption-text\">Overlay on a Dalvik frame variable<\/figcaption><\/figure>\n<figure style=\"width: 630px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/a9b2214366d2a60787a4f1203e3dc852.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/a9b2214366d2a60787a4f1203e3dc852.png\" alt=\"\" width=\"630\" height=\"432\" \/><\/a><figcaption class=\"wp-caption-text\">Overlay on a class instance field<\/figcaption><\/figure>\n<p>In the case of the Dalvik debugger, overlays also work in Java decompiled views.<\/p>\n<h2>Advanced controls via the console<\/h2>\n<p>The debugger units make use of the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/IUnit.html#getCommandInterpreter--\">IUnit.getCommandInterpreter<\/a> method to <strong>provide clients with command interpreters to execute advanced debugger commands<\/strong>, that may not be readily made available by graphical clients.<\/p>\n<p>In the UI client, command interpreters offered by units are accessible via the <em>Console<\/em> tab. Once the Android debuggers are attached, switch over to the Console view, and type\u00a0<em>list<\/em>. This command will list all command interpreters currently attached to the console:<\/p>\n<figure style=\"width: 556px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/07320112d18a6eebed646407732317f1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/07320112d18a6eebed646407732317f1.png\" alt=\"\" width=\"556\" height=\"224\" \/><\/a><figcaption class=\"wp-caption-text\">Two interpreters are made available, one by the VM debugger, another one by the Process debugger<\/figcaption><\/figure>\n<p>An interpreter has a numeric id as well as the name of the unit that created it. Switch to an interpreter with the <em>use &lt;id|name&gt;<\/em>\u00a0command.<\/p>\n<figure style=\"width: 555px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/6d6e06c495d206dd9b4a427c65ebfea5.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/6d6e06c495d206dd9b4a427c65ebfea5.png\" alt=\"\" width=\"555\" height=\"223\" \/><\/a><figcaption class=\"wp-caption-text\">Switching to the interpreter connected to the Process debugger<\/figcaption><\/figure>\n<p>The special command <em>help<\/em>, available in all interpreter contexts, lists all commands made available by the interpreter currently in use.<\/p>\n<figure style=\"width: 557px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/17836d72a1b67c39b3e52fc533b6686f.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/17836d72a1b67c39b3e52fc533b6686f.png\" alt=\"\" width=\"557\" height=\"331\" \/><\/a><figcaption class=\"wp-caption-text\">Functions provided by the Process debugger interpreter<\/figcaption><\/figure>\n<p>In this example, we can see that the Process debugger offers ways to read and write to memory, set registers, and also issue low-level GDB commands (use this option carefully).<\/p>\n<h4>Settings<\/h4>\n<p>The Android\u00a0debuggers offer options to control low-level debugger parameters, such as ports and timeouts.<\/p>\n<figure style=\"width: 706px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/471f4a483887a55c3fdb3e2c18f65ac1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/471f4a483887a55c3fdb3e2c18f65ac1.png\" alt=\"\" width=\"706\" height=\"228\" \/><\/a><figcaption class=\"wp-caption-text\">The .parsers.dbug_apk.* engines options<\/figcaption><\/figure>\n<p>If you wish to disable native debuggers entirely, set the <em>DoNotUseNativeDebugger<\/em> to true.<\/p>\n<h2>API for Scripting and Automation<\/h2>\n<p>Debugger modules in JEB implement the set of interfaces contained in the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/debug\/package-summary.html\">com.pnfsoftware.jeb.core.units.code.debug<\/a> public package. The principal interface in this package is <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/debug\/IDebuggerUnit.html\">IDebuggerUnit<\/a>. Plugins, scripts, or third-party clients wishing to automate the usage of debuggers can us these well-defined interfaces. <span style=\"text-decoration: underline;\">The official UI client uses this public API. Anything that the UI client does (and more) can be done and\/or automated by third-party code.<\/span><\/p>\n<p>Check out <a href=\"https:\/\/www.pnfsoftware.com\/blog\/crypto-monitoring-android-debuggers-api\/\">our post on Android crypto primitives hooking<\/a> to see how the API can be used to retrieve pre-encryption or post-decryption data on the fly.<\/p>\n<p>Within the next couple of weeks, we will upload sample code on our <a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-samplecode\/\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub <\/a>repository demonstrating how to use the JEB Debugger API.<\/p>\n<figure style=\"width: 618px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/c6ca188340755f2df17875aab0a7c973.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/c6ca188340755f2df17875aab0a7c973.png\" alt=\"\" width=\"618\" height=\"420\" \/><\/a><figcaption class=\"wp-caption-text\">Sample code making use the of the JEB Debugger API<\/figcaption><\/figure>\n<p>More on scripting: https:\/\/www.pnfsoftware.com\/blog\/crypto-monitoring-android-debuggers-api\/<\/p>\n<p>-nicolas<\/p>\n<div class='footnotes' id='footnotes-445'>\n<div class='footnotedivider'><\/div>\n<ol>\n<li id='fn-445-1'> A technical implication is that apps performing health checks such as signature verification can easily detect that they have been signed by an unauthorized key. But then again, running an app on a rooted phone or an emulator is also something easily detectable. Each method has its advantages and shortcomings, be aware of them. <span class='footnotereverse'><a href='#fnref-445-1'>&#8617;<\/a><\/span><\/li>\n<li id='fn-445-2'> They mostly have to do with the <em>run-as<\/em> Android utility. JEB ships with a modified version of the utility to allow debugging the native code part of non-debuggable apps. <span class='footnotereverse'><a href='#fnref-445-2'>&#8617;<\/a><\/span><\/li>\n<li id='fn-445-3'> We strongly recommend our users to get familiar with the Android system tools and debugging tools ecosystem, in particular <em>adb<\/em>, <em>am<\/em>, and <em>pm<\/em>. <span class='footnotereverse'><a href='#fnref-445-3'>&#8617;<\/a><\/span><\/li>\n<li id='fn-445-4'> Toggling breakpoints on and off is currently not available in decompiled views. <span class='footnotereverse'><a href='#fnref-445-4'>&#8617;<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>=&gt; Updated July 10, 2019 =&gt; Other blog posts in the series: &#8211; Debugging Android apps on Android Pie and above &#8211; Crypto Monitoring with the Android Debuggers API &#8211; Debugging Dynamically Loaded DEX Bytecode Files &#8211; Advanced Debugger Usage via the Interpreter Dalvik and native code debugging has been supported in JEB since version &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-android-debuggers\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">An introduction to JEB Android Debuggers<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,14,8],"tags":[],"class_list":["post-445","post","type-post","status-publish","format-standard","hentry","category-android","category-debugging","category-jeb2"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=445"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/445\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}