This section describes miscellaneous features offered by the RCP client.
Saving and Loading
A JEB project can be persisted to a file on disk called a JEB Database (version 2) file. Such files have a .jdb2 extension.
JDB2 files can be shared among users and reloaded later. They can grow significantly larger than the original artifact(s), since they contain the analysis results for all (or most, see the note below) units in the project. JDB2 files are compressed and encrypted.
Make sure to load a JDB2 file with a version of JEB equal to or newer than the one that generated it.
Note: Each module determines whether persistence of the units it produces is supported. All official non-beta modules support persistence.
Caution: The analysis of large artifacts, which can yield hundreds or thousands of units, can translate into very large JDB2 files.
Unit Notifications
Notifications are generated by modules when they encounter areas of interest while analyzing their input data. The File, Unit notifications menu entry lets you view the notifications for all units produced in the currently opened project.
In the example below, the Android DEX plugin has generated a notification indicating that the analyzed Android app contained multiple DEX files, and that those were merged successfully:
Notifications are generated at the discretion of the analysis modules. Each notification is classified into one of nine types:
| Type | Meaning |
|---|---|
| AREA_OF_INTEREST | A generic type to signify an area of interest within a unit. |
| CORRUPTION | Input corruption has been detected. |
| DEPRECATED_FEATURE | The unit has detected features that have been deprecated. |
| ERROR | A generic type to signify an error in the unit. |
| INFO | A generic type similar to AREA_OF_INTEREST. |
| MALICIOUS | The detected element is malicious in intent. |
| POTENTIALLY_HARMFUL | Usage of a feature that guidelines recommend against because of its potential for harm. |
| UNSUPPORTED_FEATURE | Some input cannot be parsed because of a limitation within the unit itself. |
| WARNING | A generic type to signify a warning in the unit. |
Note: See the API reference page for additional details.
Export
The RCP client offers a special "Export" command for decompiler plugins. This command exports one, some, or all of the decompiled code items that a given decompiler can generate (methods, classes, etc.).
The command is accessible via the File, Export menu entry. Make sure a code view or a decompiled code view has focus before running it.
Project Properties
The properties of a project can be examined by right-clicking the project node in the Project Explorer view, via the File menu, or by pressing Alt+Enter while the project node is selected.
- The name is customizable. The default name is derived from the primary artifact, with a .jdb2 extension. This extension stands for "JEB Database Version 2" and denotes a serialized version of the project that users can save and load with their JEB version 2 software.
- The creation and modification timestamps are read-only.
- The user notes are writable and are saved in the JDB2 file.
Artifact Properties
Similarly to project properties, the properties of an artifact can be examined by right-clicking the artifact node in the Project Explorer view, via the File menu, or by pressing Alt+Enter while the artifact node is selected.
Unit Properties
Similarly to project and artifact properties, the properties of a unit can be examined by right-clicking the corresponding unit node in the Project Explorer view, via the File menu, or by pressing Alt+Enter while the unit node is selected.
- The unit name is customizable; however, we recommend not changing unit names.
- The unit type corresponds to the type of the module that created the unit (in this example, 'apk').
- The creation timestamp is the time at which the unit was created from its parent artifact or unit.
- The status field indicates potential problems: N/A means the unit was processed properly and its contents can be examined; other messages are reported by modules to indicate a processing error or, in the case of lazy processing, simply that the unit has not been processed yet.
Parsers
The full list of input processor plugins (referred to simply as parsers in the UI) loaded in your JEB instance can be seen by running the File, Engines, Parsers command.
Parsers can be selectively disabled. For example, if you would like JEB not to process ZIP files as such (i.e., to treat them as plain binary files), disable the zip parser.
Note: Technically speaking, parsers are JEB plugins that implement the IUnitIdentifier interface. Refer to the "Developing with JEB" section of this guide for more information.
Adding Artifacts
Commonly, most projects contain a single artifact file, such as a binary executable or an application package. However, you may add as many artifacts as you want to a project.
Select the File, Add an Artifact menu entry to add an artifact to an existing project. The newly added artifact is processed and added to the current project tree:
Reparsing
This advanced feature is available by right-clicking a unit in the Project Explorer view and selecting Parse at...:
Reparsing lets a user (re)parse a unit, or part of a unit, by specifying explicitly what the input data should be parsed as.
For instance, you may have input data identified as XML and initially parsed as such, therefore yielding an XML unit. However, you may discover that this XML data contains bytes corresponding to a ZIP file (e.g., starting with the PK... signature). By reparsing the XML data at the offset of that ZIP header using the ZIP module, you ask JEB to process the data from that offset as ZIP and create a ZIP unit out of it:
Reparsing can be helpful when dealing with complicated, obfuscated, or multi-layered files, where an embedded payload would otherwise stay hidden inside a unit of the wrong type.
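The reparse-at-offset workflow described above, as an added Python example that is not part of the JEB manual and does not use the JEB API: it scans data that was taken for XML for every PK\x03\x04 local-file-header signature, validates each candidate against the archive's End Of Central Directory record, and extracts members only from the offset that really heads an archive. Everything here is assumed for illustration: the XML bytes, the planted decoy signature, the member names and their contents are constructed inline and are not taken from any real artifact. It goes one step beyond the text by also showing why a bare signature match is not enough.

```python
from __future__ import annotations

import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # heads every ZIP member; the "PK..." spotted in a hex view
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # heads the End Of Central Directory (EOCD) record
# EOCD fixed part (22 bytes): sig, disk, cd_disk, entries_disk, entries_total,
# cd_size, cd_offset, comment_len; the archive comment follows.
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")


def build_sample() -> bytes:
    """Constructed sample input (not a real artifact): XML-looking text whose
    trailing comment carries a complete ZIP archive. A bare PK\\x03\\x04 is
    planted earlier as a decoy so the false-positive path gets exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload/config.txt", "stage=2\nserver=127.0.0.1\n")  # hypothetical content
        zf.writestr("payload/notes.txt", "hidden second layer\n")         # hypothetical content
    archive = buf.getvalue()
    xml = (
        b'<?xml version="1.0" encoding="utf-8"?>\n'
        b"<resources>\n"
        b'  <string name="app_name">Demo</string>\n'
        b'  <string name="decoy">PK\x03\x04 is not an archive</string>\n'
        b"</resources>\n"
        b"<!-- "
    )
    return xml + archive + b" -->\n"


def find_zip_candidates(data: bytes) -> list[int]:
    """Every offset at which a local-file-header signature occurs. Any of them
    may be spurious (the four bytes are legal inside text or compressed data),
    so each must be validated before it is treated as an archive start."""
    offsets, pos = [], data.find(LOCAL_FILE_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LOCAL_FILE_HEADER, pos + 1)
    return offsets


def carve_zip(data: bytes, start: int) -> bytes | None:
    """Return the archive bytes that begin exactly at `start`, or None.

    The EOCD record stores the central directory's size and its offset relative
    to the archive start, so the archive start is implied by the EOCD position:
        archive_start = eocd_pos - cd_size - cd_offset
    If that differs from `start`, the signature at `start` is a decoy or a
    member header inside the archive, not the head of the archive."""
    eocd = data.find(END_OF_CENTRAL_DIR, start)
    if eocd == -1 or eocd + EOCD_STRUCT.size > len(data):
        return None
    (_sig, _disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, comment_len) = EOCD_STRUCT.unpack_from(data, eocd)
    if eocd - cd_size - cd_offset != start:
        return None
    blob = data[start:eocd + EOCD_STRUCT.size + comment_len]
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if zf.testzip() is not None:  # some member failed its CRC check
                return None
    except zipfile.BadZipFile:
        return None
    return blob


def reparse_as_zip(data: bytes) -> tuple[int, dict[str, bytes]] | None:
    """Emulate 'Parse at... (zip)' on a unit's raw bytes: try each candidate
    offset and return the first that carves to a valid archive, with members."""
    for offset in find_zip_candidates(data):
        blob = carve_zip(data, offset)
        if blob is None:
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return offset, {i.filename: zf.read(i) for i in zf.infolist()}
    return None


if __name__ == "__main__":
    sample = build_sample()
    print("candidate offsets:", [hex(o) for o in find_zip_candidates(sample)])
    result = reparse_as_zip(sample)
    if result:
        offset, members = result
        print(f"valid archive at offset {offset:#x}: {sorted(members)}")
```

The decoy signature and the second member's own header both fail the EOCD consistency check, so only the true archive start is reported; in JEB the same offset is what you would hand to Parse at... together with the zip module. Python's zipfile would in fact tolerate leading garbage and open the slice taken from the decoy, which is exactly why the example derives the start from the EOCD rather than trusting the first successful open.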