
Android Malware Analysis Tools – Part1

Hi all!
Today we will learn about some tools used for malware analysis on Android.

Dex2jar

dex2jar is a tool for working with Android .dex files and Java .jar files. We can use dex2jar to convert a .dex file to a .jar file. It is made of four components:
– DEX-reader: reads the DEX (Dalvik Executable) and ODEX file formats used by Android.
– DEX-translator: performs the conversion. It translates the DEX format into DEX-IR; after optimization, the IR is emitted as Java bytecode through ASM.
– DEX-IR: the intermediate representation of DEX used by the reader and translator above.
– DEX-tools: a library for working with .class files, used to modify an APK or JAR.
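To make concrete what the DEX-reader has to check before anything is translated, here is an added example (not code from this post or from dex2jar) that parses and validates the 0x70-byte DEX header as documented in the AOSP dex format: magic, endian tag, header size, file size, SHA-1 signature and Adler-32 checksum. The sample DEX bytes are constructed inline (a header-only file with no classes). A triage script can run the same checks on a classes.dex pulled from an APK before handing it to d2j-dex2jar, so a truncated or tampered file fails loudly instead of yielding a misleading jar.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"      # version 035; newer files carry 037/038/039
HEADER_SIZE = 0x70             # header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678   # little-endian files only (what dex2jar expects)

# uint32 fields that follow the 20-byte signature, in header order.
# 20 fields * 4 bytes = 80 bytes; 8 (magic) + 4 (checksum) + 20 + 80 = 0x70.
_TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only DEX with no classes whose
    signature and checksum are valid (enough for the parser to accept)."""
    tail = dict.fromkeys(_TAIL_FIELDS, 0)
    tail["file_size"] = HEADER_SIZE
    tail["header_size"] = HEADER_SIZE
    tail["endian_tag"] = ENDIAN_CONSTANT
    tail_bytes = struct.pack("<20I", *(tail[name] for name in _TAIL_FIELDS))
    # signature = SHA-1 of everything after the signature field (offset 32)
    signature = hashlib.sha1(tail_bytes).digest()
    # checksum = Adler-32 of everything after the checksum field (offset 12)
    checksum = zlib.adler32(signature + tail_bytes) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail_bytes


def parse_dex_header(data: bytes) -> dict:
    """Parse and validate the DEX header; raise ValueError on anything a
    DEX reader would refuse, so callers fail closed on corrupt input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the DEX header")
    if data[:4] != b"dex\n" or data[7:8] != b"\0":
        raise ValueError("bad magic")
    version = data[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    tail = dict(zip(_TAIL_FIELDS, struct.unpack_from("<20I", data, 32)))
    if tail["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % tail["endian_tag"])
    if tail["header_size"] != HEADER_SIZE:
        raise ValueError("unexpected header_size %d" % tail["header_size"])
    if tail["file_size"] != len(data):
        raise ValueError("file_size %d != actual %d" % (tail["file_size"], len(data)))
    if signature != hashlib.sha1(data[32:]).digest():
        raise ValueError("SHA-1 signature mismatch")
    if checksum != (zlib.adler32(data[12:]) & 0xFFFFFFFF):
        raise ValueError("Adler-32 checksum mismatch")
    return {"version": version, "checksum": checksum,
            "signature": signature.hex(), **tail}


def is_valid_dex(data: bytes) -> bool:
    """Boolean wrapper for scripts that only need accept/reject."""
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`; used to show the integrity checks firing."""
    buf = bytearray(data)
    buf[offset] ^= 1
    return bytes(buf)


if __name__ == "__main__":
    sample = build_minimal_dex()
    for name, value in parse_dex_header(sample).items():
        print(f"{name:18} {value}")
    print("tampered accepted?", is_valid_dex(tamper(sample, 100)))
```

On a real classes.dex, replace `build_minimal_dex()` with the file's bytes; the same checks apply because the header layout is fixed by the format.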

Tools in the dex2jar package
  • d2j-jar2dex – converts a jar file to dex by calling dx

Syntax: d2j-jar2dex [option] path-file

Options:
-f, --force force overwrite
-h, --help print the help message
-o, --output path output .dex file, default: $current_dir/[name_jar]-jar2dex.dex

  • d2j-jar-remap – rename package/class/method/field in a jar file
Syntax: d2j-jar-remap [option] jar

Options:
-c, --config config file for the remap
-f, --force force overwrite
-h, --help print the help message
-o, --output path output jar file, default $current_dir/[jar-name]-remap.jar

  • d2j-dex2jar – converts a dex file to a jar file
Syntax: d2j-dex2jar [options] [file1 … fileN]

Options:
-d,--debug-info write debug information
-e,--exception-file path error file, default $current_dir/[file-name]-error.zip
-f,--force force overwrite
-h,--help print the help message
-n,--not-handle-exception do not let dex2jar handle exceptions
-o,--output path output jar file, default $current_dir/[file-name]-dex2jar.jar
-os,--optmize-synchronized
-p,--print-ir print the decompiled IR to the console
-r,--reuse-reg reuse registers when generating the java .class file
-s same as --topological-sort/-ts
-ts,--topological-sort sort blocks topologically, which generates more readable code; enabled by default
Example
$ sh d2j-dex2jar.sh -f demo.apk
dex2jar classes.dex -> classes-dex2jar.jar

$ sh d2j-dex2jar.sh -f -o ketqua demo.dex
The results are written to the file ketqua.zip in the current directory (if no folder named ketqua exists).
$ sh d2j-dex2jar.sh -f -o ~/Downloads/tool/ketqua demo.dex
The results are written to the folder /home/manh/Downloads/tool/ketqua if the folder ketqua already exists.

  • d2j-jasmin2jar – converts .j (Jasmin) files to .class files
Syntax: d2j-jasmin2jar [option] path-file

Options:
-e, --encoding encode encoding of the .j file, default UTF-8
-f, --force force overwrite
-g, --autogenerate-linenumbers auto generate line numbers
-h, --help print this help message
-o, --output path-out-jar-file output .jar file, default is $current_dir/[jar-name]-jasmin2jar.jar

  • d2j-jar-access – add or remove access flags of class/method/field in a jar file
Syntax: d2j-jar-access [options] path-file

Options:
-ac,--add-class-access [ACC] add access flag to class
-af,--add-field-access [ACC] add access flag to field
-am,--add-method-access [ACC] add access flag to method
-f,--force force overwrite
-h,--help print this help message
-o,--output out-file output jar file, default is $current_dir/[jar-name]-access.jar
-rc,--remove-class-access ACC remove access flag from class
-rd,--remove-debug remove debug info
-rf,--remove-field-access ACC remove access flag from field
-rm,--remove-method-access ACC remove access flag from method

  • d2j-asm-verify – verify the .class files in a jar
Syntax: d2j-asm-verify [options] [jar0] [jar1 ... jarN]

Options:
-d,--detail print detailed error messages
-h,--help print this help message

  • d2j-init-deobf – generate an initial config file for deobfuscating a jar
Syntax: d2j-init-deobf [option] [jar]

Options:
-f,--force force overwrite
-h,--help print this help message
-max,--max-length [MAX] do the rename if the length > MAX, default is 40
-min,--min-length [MIN] do the rename if the length < MIN, default is 2
-o,--output out-file output config file, default is $current_dir/[file-name]-deobf-init.txt

  • d2j-apk-sign – sign an Android apk file using a test certificate
Syntax: d2j-apk-sign [option] apk

Options:
-f,--force force overwrite
-h,--help print this help message
-o,--output out-apk-file output .apk file, default is $current_dir/[apk-name]-signed.apk
-w,--sign-whole sign the whole apk file

  • d2j-jar2jasmin – disassemble the .class files in a jar to Jasmin (.j) files
Syntax: d2j-jar2jasmin [option] jar

Options:
-d,--debug disassemble debug info
-e,--encoding enc encoding for .j files, default is UTF-8
-f,--force force overwrite
-h,--help print this help message
-o,--output out-dir output dir of .j files, default is $current_dir/[jar-name]-jar2jasmin/

In the next chapter, we will take a deeper look at some other tools related to malware analysis on mobile.
