One principal intended use for JEB is the analysis of binary code. This section focuses on the basics of code analysis and refactoring, such as:
- renaming items such as methods or fields
- changing the code structure by moving items to packages
- navigating a code base via cross-references
- viewing type hierarchies
In the RCP client, many interactions can be achieved via the Action and Navigation menus. Those actions are implemented by most JEB analysis modules that perform code disassembly.
Note: The examples in this section are based on the analysis of Raasta.apk using the Android DEX parser. Keep in mind that features and behaviors of Actions depend on the module implementing and performing them.
An important requirement for analysts is the ability to rename code items such as types, methods and routines, fields and data items, packages, etc. consistently across a code base.
- Position the caret on the item to be renamed
- Hit the N key or select Action, Rename
- Enter the new name and press Enter
Tip: Within the Rename dialog box, press Ctrl+Space to bring up your renaming history.
Anywhere in the code, press the / (slash) key to add a comment. Comments are attached to addresses or items.
Pressing the Enter key on an item or double-clicking it will bring the caret to the definition of the item.
You can navigate back and forth using the traditional Alt + Arrow Left (or Escape) and Alt + Arrow Right key combos, or via the Navigation menu.
The Next Item and Previous Item command allow you to jump to the similar item after or before the currently selected item.
Cross-references on an item allow the examination of items referencing it. Press the X key to visualize them.
You can jump to a cross-reference by double-clicking it.
Use the T key on a type item (such as a class or an interface) to visualize its ancestors and children. Double-click on a type item to jump to the item definition.
The Create Package and Move to Package actions offer powerful refactoring possibilities, especially useful in the case of large obfuscated binary files.
If the module supports it, users are able to:
- Create artifical packages (aka, namespaces) using the K key.
- Move items, such as types, to existing or artificial packages using the L key.
The following screenshot is an example where the class
AppHelp was moved from the
com.pnfsoftware.raasta package to a newly created package named
Want to learn more? Have a look at our YouTube demo video that demonstrates advanced refactoring and automatic restructuring of a heavily obfuscated Android malware application.
The O key allows the examination of overrides, such as virtual method redefinitions in the case of object-oriented bytecode files.
Note: As said above, keep in mind that plugins are allowed to attach the semantic they want to a given action. For instance, in the case of a document analysis plugin, the Overrides action may or may not be relevant. If it existed, it would certainly have a different meaning than "method overrides".
This feature allows the selection of the radix used to render immediate constant integers. Press the B key repeatedly to cycle through the bases offered by the plugin.
Typically, bases 8, 10, 16 are offered. Some plugins may offer additional bases such as base 2, or non-conventional representation modes, such as character-based immediate rendering.