Scripting for Android Reversing
This section focuses on writing JEB Python scripts specifically to aid in the analysis of Android applications.
Recall that JEB analysis modules produce IUnits, visible in the Project Explorer view.
IDexUnit and associated classes
The dex unit interface is your entry-point to access dex elements:
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit, IApkUnit

class SomeScript(IScript):
    def run(self, ctx):
        prj = ctx.getMainProject()  # current project; None if no project is opened
        if not prj:
            print('No project opened')
            return
        dex = prj.findUnit(IDexUnit)  # find the first dex unit; None if there is none
        #dexlist = prj.findUnits(IDexUnit)  # retrieve a list of all dex units
        #apk = prj.findUnit(IApkUnit)  # find the first apk unit
        if not dex:
            print('No dex unit in this project')
            return
        for m in dex.getMethods():
            print(m.getSignature())  # print the method reference descriptor
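The descriptors printed above follow the Dalvik method reference format (owner class, name, parameter and return type descriptors). As an added example that is not part of the JEB documentation or API, the helper below parses such descriptors into Java-style names and filters a list of them by class prefix and name, which is the usual first step before a script acts on a method. It has no JEB dependency, so it runs both in Jython and in plain Python; the signature list is constructed sample data.

```python
# Added example: parse Dalvik method reference descriptors (the format returned by
# IDexMethod.getSignature(), e.g. "Lcom/example/Foo;->bar(I[Ljava/lang/String;)V")
# into Java-style names, then filter a list of them. No JEB dependency; CPython 3 or Jython 2.7.
import re
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}

# Constructed sample signatures (not taken from a real APK).
SAMPLE_SIGNATURES = [
    "Lcom/example/app/MainActivity;->onCreate(Landroid/os/Bundle;)V",
    "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    "Lcom/example/app/Util;->hash([B)[B",
]

def parse_type(desc, pos=0):
    """Parse one type descriptor at desc[pos]; return (java_name, position after it)."""
    dims = 0
    while pos < len(desc) and desc[pos] == "[":   # leading '[' = array dimensions
        dims += 1
        pos += 1
    c = desc[pos:pos + 1]                         # '' if truncated -> error below
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":                                # class type: Lpkg/Name;
        end = desc.find(";", pos)
        if end < 0:
            raise ValueError("unterminated class descriptor: %r" % desc)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError("bad type char %r in %r" % (c, desc))
    return name + "[]" * dims, pos

def parse_method_descriptor(sig):
    """Split 'owner->name(params)ret' into a dict of Java-style type names."""
    m = re.match(r"^(.+?)->([^(]+)\((.*)\)(.+)$", sig)
    if not m:
        raise ValueError("not a method descriptor: %r" % sig)
    owner, name, params, ret = m.groups()
    ptypes, pos = [], 0
    while pos < len(params):                      # parameter types are concatenated
        t, pos = parse_type(params, pos)
        ptypes.append(t)
    rtype = parse_type(ret)[0]
    return {"class": parse_type(owner)[0], "name": name, "params": ptypes, "ret": rtype}

def find_methods(signatures, class_prefix="", name=None):
    """Descriptors whose owner class starts with class_prefix and, if given, whose name matches."""
    parsed = [(sig, parse_method_descriptor(sig)) for sig in signatures]
    return [sig for sig, d in parsed
            if d["class"].startswith(class_prefix) and (name is None or d["name"] == name)]
```

In a JEB script, feed `[m.getSignature() for m in dex.getMethods()]` to find_methods() in place of the constructed list.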
dex file representation
The diagram below is a high-level view of JEB types holding dex file information. This structure mirrors the dex file format's. (Not all types are represented, refer to the API reference for a complete list.)
Android APKs are represented by IApkUnit:
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IApkUnit

class SomeScript(IScript):
    def run(self, ctx):
        prj = ctx.getMainProject()  # current project; None if no project is opened
        if not prj:
            print('No project opened')
            return
        apk = prj.findUnit(IApkUnit)  # find the first apk unit (findUnits would return a list)
        if not apk:
            print('No apk unit in this project')
            return
        print(apk.isDebuggable())  # True if the manifest declares android:debuggable
        # ...
UI client specifics
When a script is run within the UI client, the ctx provided to the run() method is an IGraphicalClientContext (a sub-interface of IClientContext). Additional methods are provided to interact with workspace widgets (unit views, fragments, etc.).
The diagram below shows the connection between UI elements types and the document types they hold.
Reference type: IGraphicalClientContext
The entry-point interface is IDexDecompilerUnit, usually a child of an underlying IDexUnit. dexdec units produce IJavaSourceUnit, holding decompiled elements (classes and methods).
Accessing the IR
The Dex decompiler plugin can load external Intermediate Representation (IR) plugins that are called during the decompilation pipeline to further refine and optimize the decompilation of a method. Those plugins can be delivered as compiled jar files, or written as Java or Python source.
See this tutorial for a complete step-by-step example on how to write a dexdec IR script plugin, in Python.
Accessing the Java AST
The Java AST generated by dexdec can be manipulated via the Java AST API.