Miscellaneous

This section describes miscellaneous features offered by the RCP client.

Saving and Loading

A JEB project can be persisted to a file on disk called a JEB Database (version 2) file. Such files have a .jdb2 extension.

JDB2 files can be shared among users, and reloaded later on. They can grow significantly larger than the original artifact(s), as they contain the analysis results for all units in your project, or most of them (see below). They are encrypted and compressed.

Make sure to load a JDB2 with a version of JEB equal to or newer than the one that generated that JDB2.

Note: Each module determines whether or not persistence of the units it produces is supported. All official non-beta modules support persistence.

Caution: The analysis of large artifacts, yielding potentially hundreds or thousands of units, can translate into very large JDB2 files.

Unit Notifications

Notifications are generated by modules when they encounter areas of interest during analysis of their input data. The menu entry File, Unit notifications allows the user to view notifications for all units produced in the currently opened project.

In the example below, the Android DEX plugin has generated a notification indicating that the analyzed Android app contained multiple DEX files, and that those were merged successfully:

Notifications are generated at the discretion of the analysis modules. They can be classified in one of nine levels:

Type                 Description
AREA_OF_INTEREST     A generic type to signify an area of interest within a unit.
CORRUPTION           Input corruption has been detected.
DEPRECATED_FEATURE   The unit has detected features that have been deprecated.
ERROR                A generic type to signify an error in the unit.
INFO                 A generic type similar to AREA_OF_INTEREST.
MALICIOUS            The intent is malicious.
POTENTIALLY_HARMFUL  This type indicates usage of a feature not recommended by guidelines due to its potential dangerousness.
UNSUPPORTED_FEATURE  Some input cannot be parsed because of a limitation within the unit itself.
WARNING              A generic type to signify a warning in the unit.

Note: See this reference page for additional details.

Exporting Output

The RCP client offers a special "Export" command for Decompiler plugins. This command allows exporting of one, some, or all of the decompiled code that can be generated by a given decompiler (methods, classes, etc.).

This command is accessible via the File, Export menu entry. Make sure to focus a code view or a decompiled code view before attempting to run this command.

Project Properties

The properties of a project can be examined by right-clicking the project node in the Project Explorer view, via the File menu, or by using the Alt+Enter key combo when the project node is selected.

Artifact Properties

Similar to Project properties, the properties of an artifact can be examined by right-clicking the artifact node in the Project Explorer view, via the File menu, or by using the Alt+Enter key combo when the artifact node is selected.

Unit Properties

Similar to Project and Artifact properties, the properties of a unit can be examined by right-clicking the corresponding unit node in the Project Explorer view, via the File menu, or by using the Alt+Enter key combo when the unit node is selected.

Listing Parsers

The full list of input processor plugins (referred to simply as parsers in the UI) loaded within your JEB instance context can be seen by running the File, Engines, Parsers command.

Parsers can be selectively disabled. For example, if you would like JEB not to process ZIP files as such (i.e., treat them as plain binary files), you may disable the zip parser.

Note: technically speaking, parsers are JEB plugins that implement the IUnitIdentifier interface. Refer to the "Developing with JEB" section of this guide for more information.

Adding Artifacts

Most projects will contain a single artifact file, such as a binary executable or an application file. However, you may add as many artifacts as you want to a project.

Select the menu entry File, Add an Artifact to add an artifact to an existing project. The newly added artifact will be processed, and added to the current project tree:

Reparsing Data

This advanced feature is available by right-clicking a unit in the Project Explorer view, and selecting Parse at...:

Reparsing allows a user to (re)parse a unit or parts of a unit by specifying explicitly what the input data should be parsed as.

For instance, you may have input data identified as XML data, and initially parsed as such - therefore yielding an XML unit. However, you may discover that this XML data contains bytes that would correspond to a ZIP file (eg, starting with PK...). By reparsing the XML data at the given ZIP header offset using the ZIP module, you ask JEB to process that data as ZIP and create a ZIP unit out of it:

Reparsing can be helpful when dealing with complicated, obfuscated, or multi-layered files.
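
Before reparsing, it helps to confirm that a "PK" sequence really starts a ZIP archive and to know the exact offset to reparse at. The following standalone Python script is an added example, not part of JEB or its API: it derives each embedded archive's start offset from its end-of-central-directory record. The function names and the sample blob are constructed for illustration.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header: first bytes of a ZIP archive
CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory (EOCD) record
EOCD = struct.Struct("<4sHHHHIIH")  # fixed 22-byte EOCD layout


def find_embedded_zips(data):
    """Return [(start, end, [entry names])] for ZIP archives inside data.

    The EOCD record gives the central directory size and its offset from
    the archive start, so the start offset is computed from it rather than
    trusting the first "PK" seen. Entries are listed from the central
    directory only; nothing is decompressed. ZIP64 and truncated archives
    (no EOCD) are not handled.
    """
    found, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) != -1:
        eocd_at, pos = pos, pos + 1
        if eocd_at + EOCD.size > len(data):
            break
        *_, cd_size, cd_offset, comment_len = EOCD.unpack_from(data, eocd_at)
        cd_at = eocd_at - cd_size          # central directory precedes EOCD
        start = cd_at - cd_offset          # archive start within the blob
        end = eocd_at + EOCD.size + comment_len
        if start < 0 or end > len(data):
            continue
        if data[start:start + 4] != LFH_SIG or data[cd_at:cd_at + 4] != CDH_SIG:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
                found.append((start, end, zf.namelist()))
        except zipfile.BadZipFile:
            continue
    return found


def build_sample():
    """Constructed sample: XML-looking data with a ZIP embedded in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00constructed")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    prefix = b'<?xml version="1.0"?><blob note="PK alone is not a ZIP">'
    return prefix + buf.getvalue() + b"</blob>", len(prefix)


if __name__ == "__main__":
    for start, end, names in find_embedded_zips(build_sample()[0]):
        print(f"ZIP at offset 0x{start:X}, {end - start} bytes: {names}")
```

The reported start offset is the value to reparse at; a bare "PK" match that yields no result here is likely coincidental or belongs to a damaged archive.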