{"id":517,"date":"2016-09-02T14:27:19","date_gmt":"2016-09-02T22:27:19","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=517"},"modified":"2018-12-19T13:36:27","modified_gmt":"2018-12-19T21:36:27","slug":"jeb-library-code-matching-for-android","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/jeb-library-code-matching-for-android\/","title":{"rendered":"Library Code Matching for Android with JEB"},"content":{"rendered":"<p>We have released and\u00a0<a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-androsig\">open-sourced<\/a>\u00a0<strong>Androsig, a JEB plugin that can be used to sign and match library code for Android applications<\/strong>. The plugin was written by our summer intern, Ruoxiao Wang.<\/p>\n<p>The<span style=\"font-weight: 400;\">\u00a0purpose of the plugin is to help deobfuscate lightly-obfuscated applications, that is, applications processed by tools that perform name mangling and hierarchy flattening (such as <a href=\"https:\/\/sourceforge.net\/projects\/proguard\/files\/\">Proguard<\/a> and other common Java and Dalvik protectors). 
<strong>Using our generic collection of signatures for common libraries, library code can be recognized, methods and classes can be renamed, and package hierarchies can be rebuilt<\/strong>.\u00a0<\/span><\/p>\n<p>Example on an arbitrary application obfuscated by Proguard, before and after matching:<\/p>\n<figure style=\"width: 649px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/10\/1374bab6d06df9c8f074056f506736fd.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/10\/1374bab6d06df9c8f074056f506736fd.png\" width=\"649\" height=\"625\" \/><\/a><figcaption class=\"wp-caption-text\">Before matching: class, method, and package names are obfuscated, and the package hierarchy has been flattened<\/figcaption><\/figure>\n<figure style=\"width: 699px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/10\/d70c4998438b7462cfe2342ba30a54e8.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/10\/d70c4998438b7462cfe2342ba30a54e8.png\" width=\"699\" height=\"423\" \/><\/a><figcaption class=\"wp-caption-text\">After matching: class and method names restored; package hierarchy partially rebuilt<\/figcaption><\/figure>\n<h1>Installation<\/h1>\n<p>First, <a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-androsig\/tree\/master\/out\">download the latest version<\/a> of the compiled binary\u00a0<strong>JebAndroidSigPlugin-x.y.z.jar<\/strong>\u00a0and drop it into the JEB coreplugins\/ folder. 
<strong>You will need a JEB Pro license for the plugin to operate.<\/strong><\/p>\n<p>This single JAR offers two plugin entry points, as can be seen in the picture below:<\/p>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/e5d6a2851023bd87d1cdced6f0368827.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/e5d6a2851023bd87d1cdced6f0368827.png\" width=\"1552\" height=\"704\" \/><\/a><\/p>\n<p>Second, download a bundle of signatures for various versions of the most common Android libraries.<\/p>\n<p><a href=\"http:\/\/jebdecompiler2.s3.amazonaws.com\/androsig_db_20160901.zip\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/10\/e8b07d32e831fb9c9f500e753cfc86a6.png\" width=\"106\" height=\"120\" \/><\/a><\/p>\n<p><strong><a href=\"http:\/\/jebdecompiler2.s3.amazonaws.com\/androsig_db_20160901.zip\">Link<\/a>\u00a0to the signature library archive.<\/strong><\/p>\n<p>Reference:\u00a0<a href=\"https:\/\/docs.google.com\/spreadsheets\/d\/1PKUlJJtel-dHMl4lQHeHHoF8CvK2ONfoTnbLnst7viY\/pubhtml\">list of library signatures contained in this archive<\/a><\/p>\n<p>Extract the contents of the archive into the <strong>coreplugins\/android_sigs\/<\/strong> folder.<\/p>\n<h1>Matching obfuscated code<\/h1>\n<ul>\n<li>Open the Android APK or Dalvik DEX file to be analyzed<\/li>\n<li>Execute the <em>Android Code Recognition<\/em> engines plugin<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/0d2501397fe4f41616acb2d61d9779ed.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/0d2501397fe4f41616acb2d61d9779ed.png\" width=\"1204\" height=\"346\" \/><\/a><\/p>\n<ul>\n<li>Customize the matching parameters, if necessary (see below for 
details)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/65db3996eab0c49371aab957edf62280.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/65db3996eab0c49371aab957edf62280.png\" width=\"1428\" height=\"470\" \/><\/a><\/p>\n<ul>\n<li>Press OK. The code will be analyzed, and methods and classes that match signatures present in the database will be renamed and refactored.<\/li>\n<\/ul>\n<h1>Generating signatures<\/h1>\n<p>Generating your own library signatures (for library code, analyzed malware, or anything else) is as easy as matching.<\/p>\n<ul>\n<li>Open the APK containing the code to be signed<\/li>\n<li>Execute the <em>Android Code Recognition<\/em> engines plugin<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/f9747ca98c405b82508244685c7a1864.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/f9747ca98c405b82508244685c7a1864.png\" width=\"1260\" height=\"264\" \/><\/a><\/p>\n<ul>\n<li>Specify the library name and other options<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/ae65764df82d93088ae768ded7b8be12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/ae65764df82d93088ae768ded7b8be12.png\" width=\"257\" height=\"166\" \/><\/a><\/p>\n<ul>\n<li>Press OK. The signature <strong>*.sig<\/strong> file will be created in the <strong>coreplugins\/android_sigs\/<\/strong> folder. 
(Always make sure that all your signature files are in that folder.)<\/li>\n<\/ul>\n<h1>About the Matching Results<\/h1>\n<p>Upon successful execution, the matching plugin generates two files in the temporary folder: <strong>androsig-mapping.txt<\/strong> and <strong>androsig-report.txt<\/strong>.<\/p>\n<p>The mapping file shows which obfuscated methods and classes were matched, and to what:<\/p>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/acdde013e7d7394e9690bf5c36927b9f.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/acdde013e7d7394e9690bf5c36927b9f.png\" width=\"1999\" height=\"519\" \/><\/a><\/p>\n<p>The report file summarizes how many methods and classes were matched and unmatched, which libraries the matches come from, and how the matched code is distributed across those libraries. The same data is also output to the JEB logger:<\/p>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/3ca5127dbdf98f7ecd3800d1f7b6df79.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/3ca5127dbdf98f7ecd3800d1f7b6df79.png\" width=\"278\" height=\"377\" \/><\/a><\/p>\n<h1>About the Matching Parameters<\/h1>\n<p>The matching process can be customized through two parameters, shown in the picture below:<\/p>\n<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/65db3996eab0c49371aab957edf62280.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/09\/65db3996eab0c49371aab957edf62280.png\" width=\"1428\" height=\"470\" \/><\/a><\/p>\n<p>For most use cases, the default values will suffice. 
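<\/p>
<p>To make this tradeoff concrete, here is an added, self-contained Python example. It is not Androsig's code, and the two knobs it exposes (min_method_size and class_match_ratio) are not the plugin's actual parameter names; the opcode sequences standing in for okhttp3.Request and okhttp3.Response, and the obfuscated classes a.a, a.b and a.c, are constructed for the illustration. It shows the idea that lets library matching survive name mangling: a method is hashed over its Dalvik opcode sequence rather than its name, sufficiently long methods vote for a library class, and a class is renamed only when enough of its methods agree; tiny methods are resolved only once their class is known, because their opcodes collide across unrelated code.<\/p>

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample (not real okhttp bytecode): two library classes whose methods
# are given as Dalvik opcode sequences. Signatures are computed from the opcodes
# only, so renaming classes or methods does not change them.
LIBRARY = {
    'okhttp3.Request': {
        'url': ['iget-object', 'return-object'],
        'newBuilder': ['new-instance', 'invoke-direct', 'return-object'],
        'header': ['iget-object', 'invoke-virtual', 'move-result-object', 'return-object'],
        'isHttps': ['iget-object', 'invoke-virtual', 'move-result', 'return'],
    },
    'okhttp3.Response': {
        'code': ['iget', 'return'],
        'body': ['iget-object', 'return-object'],
        'close': ['iget-object', 'invoke-virtual', 'return-void'],
        'isSuccessful': ['iget', 'const/16', 'if-lt', 'iget', 'const/16', 'if-ge', 'const/4', 'return', 'const/4', 'goto'],
    },
}

# Constructed obfuscated app: a.a and a.c are the two library classes after name
# mangling; a.b is the app's own code, whose trivial getter a.b.a compiles to the
# same opcodes as the library getters Request.url and Response.body.
APP = {
    'a.a': {
        'a': ['iget-object', 'return-object'],
        'b': ['new-instance', 'invoke-direct', 'return-object'],
        'c': ['iget-object', 'invoke-virtual', 'move-result-object', 'return-object'],
        'd': ['iget-object', 'invoke-virtual', 'move-result', 'return'],
    },
    'a.b': {
        'a': ['iget-object', 'return-object'],
        'b': ['const-string', 'invoke-static', 'move-result-object', 'iput-object', 'return-void'],
        'c': ['iget-object', 'if-eqz', 'iget-object', 'invoke-interface', 'return-void'],
    },
    'a.c': {
        'a': ['iget', 'return'],
        'b': ['iget', 'const/16', 'if-lt', 'iget', 'const/16', 'if-ge', 'const/4', 'return', 'const/4', 'goto'],
        'c': ['iget-object', 'return-object'],
        'd': ['iget-object', 'invoke-virtual', 'return-void'],
    },
}

def method_signature(opcodes):
    # Name-agnostic signature: a hash over the opcode mnemonics, in order.
    return hashlib.sha1(','.join(opcodes).encode()).hexdigest()

def build_signature_db(library):
    # signature -> [(library class, method)]. A signature shared by several library
    # methods (typical for tiny getters) is ambiguous on its own.
    db = defaultdict(list)
    for cls, methods in library.items():
        for name, ops in methods.items():
            db[method_signature(ops)].append((cls, name))
    return db

def match(app, library, min_method_size=3, class_match_ratio=0.5):
    # Hypothetical tuning knobs (not Androsig's parameter names):
    #   min_method_size   - methods shorter than this cast no vote, because tiny
    #                       bodies collide across unrelated code;
    #   class_match_ratio - share of a class's methods that must vote for the same
    #                       library class before the class is renamed.
    # Returns (class_map, method_map): obfuscated name -> library name.
    db = build_signature_db(library)
    class_map, method_map = {}, {}
    for app_cls, methods in app.items():
        votes = Counter()
        for ops in methods.values():
            if len(ops) >= min_method_size:
                for lib_cls, _ in db.get(method_signature(ops), []):
                    votes[lib_cls] += 1
        if not votes:
            continue
        lib_cls, count = max(votes.items(), key=lambda kv: (kv[1], kv[0]))
        if count >= class_match_ratio * len(methods):
            class_map[app_cls] = lib_cls
            # Once the class is decided, resolve every method (tiny ones included)
            # against that library class only; this disambiguates shared signatures.
            lib_sigs = {method_signature(o): n for n, o in library[lib_cls].items()}
            for name, ops in methods.items():
                hit = lib_sigs.get(method_signature(ops))
                if hit is not None:
                    method_map[app_cls + '.' + name] = lib_cls + '.' + hit
    return class_map, method_map

def summarize(app, class_map, method_map):
    # Counts in the spirit of androsig-report.txt: how much was matched, and which
    # library classes the matched methods come from.
    total = sum(len(m) for m in app.values())
    return {
        'classes_matched': len(class_map),
        'classes_unmatched': len(app) - len(class_map),
        'methods_matched': len(method_map),
        'methods_unmatched': total - len(method_map),
        'library_distribution': dict(Counter(v.rsplit('.', 1)[0] for v in method_map.values())),
    }

if __name__ == '__main__':
    for label, kw in (('default', {}), ('aggressive', {'min_method_size': 1, 'class_match_ratio': 0.0})):
        cm, mm = match(APP, LIBRARY, **kw)
        print(label, cm, summarize(APP, cm, mm))
```

<p>With the defaults, a.a and a.c are mapped back to the two library classes and the app's own a.b is left alone. With min_method_size=1 and class_match_ratio=0.0, the two-instruction getter a.b.a collides with Request.url and Response.body and drags a.b along as a false positive. Keeping class_match_ratio at 0.5 while lowering min_method_size is already enough to reject it, which is why a class-level agreement threshold matters most for classes that are mostly unmatched.<\/p>
<p>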
Both parameters can nonetheless be fine-tuned toward more aggressive or stricter matching:<\/p>\n<ul>\n<li>More aggressive matching yields more matches, at the expense of <em>false positives<\/em> (here, methods or classes incorrectly matched to library code)<\/li>\n<li>Stricter matching yields fewer matches, at the expense of <em>false negatives<\/em> (here, library methods or classes that should have been matched but were not)<\/li>\n<\/ul>\n<p>Typically, false positives happen on small methods, or in classes containing many unmatched methods. Experiment with those parameters if need be; as said, the defaults generally yield correct results.<\/p>\n<p>Also feel free to customize the plugin, or use it as a learning tool and tutorial to bootstrap your own plugin development. It is by no means a robust plugin, but it should help reverse engineers focus on the code that matters (that is, <strong>non<\/strong>-library code) in many Android applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have released and\u00a0open-sourced\u00a0Androsig, a JEB plugin that can be used to sign and match library code for Android applications. That plugin was written by our summer intern, Ruoxiao Wang. 
The\u00a0purpose of the plugin is to help deobfuscate lightly-obfuscated applications that perform name mangling and hierarchy flattening (such as Proguard and other common Java and &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-library-code-matching-for-android\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Library Code Matching for Android with JEB<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,8,12],"tags":[],"class_list":["post-517","post","type-post","status-publish","format-standard","hentry","category-android","category-jeb2","category-tutorial"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=517"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/517\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}