Common Actions

One principal intended use for JEB is the analysis of binary code. This section focuses on the basics of code analysis and refactoring, such as:

In the RCP client, many interactions can be achieved via the Action and Navigation menus. Those actions are implemented by most JEB analysis modules that perform code disassembly.

Note: Other action groups such as Native code actions and Debugging actions are detailed in later sections.

Note: The examples in this section are based on the analysis of Raasta.apk using the Android DEX parser. Keep in mind that features and behaviors of Actions depend on the module implementing and performing them.

Renaming

An important requirement for analysts is the ability to rename code items such as types, methods and routines, fields and data items, packages, etc. consistently across a code base.

Tip: Within the Rename dialog box, press Ctrl+Space to bring up your renaming history.

Commenting

Anywhere in the code, press the / (slash) key to add a comment. Comments are attached to addresses or items.

Navigation

Pressing the Enter key on an item or double-clicking it will bring the caret to the definition of the item.

You can navigate back and forth using the traditional Alt + Arrow Left (or Escape) and Alt + Arrow Right key combos, or via the Navigation menu.

The Next Item and Previous Item commands allow you to jump to the next or previous item of the same kind as the currently selected item.

Cross-references

The cross-references of an item list the other items that reference it. Press the X key to visualize them.

You can jump to a cross-reference by double-clicking it.

Type Hierarchies

Use the T key on a type item (such as a class or an interface) to visualize its ancestors and children. Double-click on a type item to jump to the item definition.

Restructuring

The Create Package and Move to Package actions offer powerful refactoring possibilities, especially useful in the case of large obfuscated binary files.

If the module supports it, users are able to:

The following screenshot is an example where the class AppHelp was moved from the com.pnfsoftware.raasta package to a newly created package named com.abc.

Want to learn more? Have a look at our YouTube demo video that demonstrates advanced refactoring and automatic restructuring of a heavily obfuscated Android malware application.

Object Overrides

The O key allows the examination of overrides, such as virtual method redefinitions in the case of object-oriented bytecode files.

Note: As noted above, keep in mind that plugins are allowed to attach whatever semantics they want to a given action. For instance, in the case of a document analysis plugin, the Overrides action may or may not be relevant. If it existed, it would certainly have a different meaning than "method overrides".

Rebasing Constants

This feature allows the selection of the radix used to render immediate constant integers. Press the B key repeatedly to cycle through the bases offered by the plugin.

Typically, bases 8, 10, and 16 are offered. Some plugins may offer additional bases such as base 2, or non-conventional representation modes, such as character-based rendering of immediate values.