Skip to content

Scripting for Android Reversing

This section focuses on writing JEB Python scripts specifically to aid in the analysis of Android applications.

Dex units#

Recall JEB analysis modules produce IUnits, visible in the Project Explorer view:

Sample Project, Artifact, Units and sub-units

IDexUnit and associated classes#

The dex unit interface is your entry-point to access dex elements:

from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit, IApkUnit

class SomeScript(IScript):
  def run(self, ctx):
    prj = ctx.getMainProject()  # current project; None if no project is opened
    dex = prj.findUnit(IDexUnit)  # find the first dex unit
    #dexlist = prj.findUnits(IDexUnit)  # retrieve a list of dex units
    #apk = prj.findUnits(IApkUnit)  # find the first dex unit
    for m in dex.getMethods():
      print m.getSignature()  # print method reference descriptor

dex file representation#

The diagram below is a high-level view of JEB types holding dex file information. This structure mirrors the dex file format's. (Not all types are represented, refer to the API reference for a complete list.)

APK units#

Android APK are represented by IApkUnits.

from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IApkUnit

class SomeScript(IScript):
  def run(self, ctx):
    prj = ctx.getMainProject()  # current project; None if no project is opened
    apk = prj.findUnits(IApkUnit)  # find the first apk unit
    print(apk.isDebuggable())
    # ...

UI client specifics#

When a script is run within the UI client, the ctx provided to the run() method is IGraphicalClientContext (extending IClientContext). Additional methods are provided to interact with workspace widgets (unit views, fragments, etc.).

The diagram below shows the connection between UI elements types and the document types they hold.

Reference type: IGraphicalClientContext

dexdec units#

The entry-point interface is IDexDecompilerUnit, usually a child of an underlying IDexUnit. dexdec units produce IJavaSourceUnit, holding decompiled elements (classes and methods).

Accessing the IR#

The Dex decompiler plugin can load external Intermediate Representation (IR) plugins that are called during the decompilation pipeline to further refine and optimize a method decompilation. Those plugins can be compiled as jar, and/or written in Java or Python.

See this tutorial for a complete step-by-step example on how to write a dexdec IR script plugin, in Python.

Reference documentation

Accessing the Java AST#

Java AST generated by dexdec can be manipulated via the Java AST API.

Reference documentation