Disassembling Android applications

Workshop
Passage en Seine III
June 17th 2011
Pierre Pronchery <[email protected]>
Android: about

Seen on http://www.dalvikvm.com/
"Android programs are compiled into .dex (Dalvik
Executable) files, which are in turn zipped into a
single .apk (Android Package) file on the device. .dex
files can be created by automatically translating
compiled applications written in the Java programming
language."

Let's see for ourselves...


Android: just a ZIP archive #1
$ file app.apk
app.apk: Zip archive data, at least v2.0 to extract
$ unzip app.apk
[...]
$ ls
AndroidManifest.xml
META-INF/
assets/
classes.dex
res/
resources.arsc
Android: just a ZIP archive #2
$ file *
AndroidManifest.xml: DBase 3 data file
META-INF: directory
assets: directory
classes.dex: Dalvik dex file version 035
res: directory
resources.arsc: data
$ wtf dex
wtf: I don't know what dex means!
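The `file` run above gets classes.dex right but labels the compiled AndroidManifest.xml a "DBase 3 data file", because libmagic has no rule for Android's binary XML. The check below does the same job by reading the Android-specific magic numbers directly. It is an added example, not code from the slides or from the DeforaOS asm project: the APK it inspects is constructed in memory from header-only stubs, and the chunk types and header sizes are those of Android's ResChunk_header (0x0003 for compiled XML, 0x0002 for the resource table).

```python
import io
import struct
import zipfile

# Magic numbers an APK inspector can rely on instead of libmagic heuristics.
DEX_MAGIC_PREFIX = b"dex\n"       # followed by a 3-digit version and a NUL
RES_TABLE_TYPE = 0x0002           # ResChunk_header.type of resources.arsc
RES_XML_TYPE = 0x0003             # ResChunk_header.type of compiled XML
REQUIRED_MEMBERS = ("AndroidManifest.xml", "classes.dex")


def identify(data: bytes) -> str:
    """Classify one APK member by content, the way file(1) does by magic."""
    if len(data) >= 8 and data[:4] == DEX_MAGIC_PREFIX and data[7:8] == b"\0":
        return "Dalvik dex file version %s" % data[4:7].decode("ascii", "replace")
    if len(data) >= 8:
        # Every Android resource chunk starts with type(u2), headerSize(u2), size(u4).
        chunk_type, header_size, chunk_size = struct.unpack_from("<HHI", data, 0)
        if chunk_size == len(data):
            if chunk_type == RES_XML_TYPE and header_size == 8:
                return "Android binary XML"
            if chunk_type == RES_TABLE_TYPE and header_size == 12:
                return "Android resource table"
    if data.startswith(b"Manifest-Version:"):
        return "JAR manifest"
    return "data"


def inspect_apk(blob: bytes) -> dict:
    """Enumerate a ZIP blob; report member types, missing members and duplicate names."""
    types = {}
    duplicates = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename in types:
                # Two entries sharing a name is ambiguous: extractors may pick different copies.
                duplicates.append(info.filename)
            types[info.filename] = identify(zf.read(info))
    missing = [name for name in REQUIRED_MEMBERS if name not in types]
    return {"types": types, "missing": missing, "duplicates": duplicates}


def build_sample_apk() -> bytes:
    """Constructed sample: header-only stubs, just enough to carry each format's magic."""
    def res_chunk(chunk_type: int, payload: bytes) -> bytes:
        # Compiled XML uses the plain 8-byte chunk header.
        return struct.pack("<HHI", chunk_type, 8, 8 + len(payload)) + payload

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", res_chunk(RES_XML_TYPE, b"\0" * 16))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)
        zf.writestr("res/layout/main.xml", res_chunk(RES_XML_TYPE, b"\0" * 8))
        # The resource table header is 12 bytes: chunk header plus packageCount(u4).
        zf.writestr("resources.arsc", struct.pack("<HHII", RES_TABLE_TYPE, 12, 12, 0))
    return buf.getvalue()
```

On a real APK, feed `inspect_apk` the file's bytes; anything reported as "data" outside assets/ and res/raw/ deserves a second look, as does any entry name listed under duplicates.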
Android: DEX executables
http://www.netmite.com/android/mydroid/dalvik/docs/

DEX file layout:

Inspired by the DWARF file format

Header, identifiers, types, encodings, maps, items...

Dalvik bytecode instruction list

Java bytecode instruction list (for comparison)

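The header is the part of the layout above worth checking first when a classes.dex comes from an untrusted source: it fixes the byte order, the offsets of every table, and two integrity fields, an Adler-32 checksum and a SHA-1 signature, each covering everything in the file after itself. The parser below is an added example, not code from the slides or from DeforaOS asm; the field order and sizes follow the Dalvik dex-format documentation, and the header-only dex it checks is constructed in memory.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678   # stored at offset 40; byte-swapped in big-endian files

# The twenty u4 fields that follow the 20-byte SHA-1 signature, in file order.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Decode a dex header and recompute its integrity fields."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short for a dex header: %d bytes" % len(data))
    magic = data[0:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad magic %r" % magic)
    # The endian_tag bytes tell us how to read every other u4 in the header.
    if data[40:44] == struct.pack("<I", ENDIAN_CONSTANT):
        order = "<"
    elif data[40:44] == struct.pack(">I", ENDIAN_CONSTANT):
        order = ">"
    else:
        raise ValueError("unknown endian_tag %s" % data[40:44].hex())
    (checksum,) = struct.unpack_from(order + "I", data, 8)
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(order + "20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii")
    header["byte_order"] = "little" if order == "<" else "big"
    # checksum: Adler-32 over everything after the checksum field itself.
    header["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    # signature: SHA-1 over everything after the signature field itself.
    header["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    header["sizes_ok"] = (header["header_size"] == DEX_HEADER_SIZE
                          and header["file_size"] == len(data))
    return header


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only dex (every table empty) with valid integrity fields."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def flip_byte(data: bytes, offset: int) -> bytes:
    """Corrupt one byte, to show which integrity checks notice."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)
```

Neither integrity field is a security boundary: anyone who edits a dex can recompute both. They do tell a tool whether the file it is about to index has been patched sloppily, which is a common sign of a repackaged application.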

Android: to be or not to be Java #1

On http://en.wikipedia.org/wiki/Dalvik_virtual_machine :
"Dalvik [is] a clean-room implementation rather than a
development on top of a standard Java runtime, [and]
does not inherit copyright-based license restrictions
from either the standard-edition or open-source-edition
Java runtimes."
"Dalvik does not align to Java SE nor Java ME class
library profiles (e.g., Java ME classes, AWT or Swing
are not supported). Instead it uses its own library built
on a subset of the Apache Harmony Java
implementation."
Android: to be or not to be Java #2

On http://en.wikipedia.org/wiki/Dalvik_virtual_machine :
"Unlike Java VMs, which are stack machines, the
Dalvik VM is a register-based architecture.

The VM was slimmed down to use less space

The constant pool has been modified to use only 32-bit
indexes to simplify the interpreter

Standard Java bytecode executes 8-bit stack instructions.
Local variables must be copied [...] by separate instructions.
Dalvik [uses a] 16-bit instruction set that works directly on
local variables. The local variable is commonly picked by a 4-bit
'virtual register' field."
Android: Dalvik bytecode
$ cat src/arch/dalvik.ins
[...]
{ "add-double", 0xab, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "add-double/2addr", 0xcb, OP1, OP_REG4, OP_REG4, AOD_NONE },
{ "add-float", 0xa6, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "add-float/2addr", 0xc6, OP1, OP_REG4, OP_REG4, AOD_NONE },
{ "add-int", 0x90, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "add-int/2addr", 0xb0, OP1, OP_REG4, OP_REG4, AOD_NONE },
{ "add-int/lit8", 0xd8, OP1, OP_REG8, OP_REG8, OP_S8 },
{ "add-int/lit16", 0xd0, OP1, OP_REG4, OP_REG4, OP_S16 },
{ "add-long", 0x9b, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "add-long/2addr", 0xbb, OP1, OP_REG4, OP_REG4, AOD_NONE },
{ "aget", 0x44, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-boolean", 0x47, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-byte", 0x48, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-char", 0x49, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-object", 0x46, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-short", 0x4a, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "aget-wide", 0x45, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "and-int", 0x95, OP1, OP_REG8, OP_REG8, OP_REG8 },
{ "and-int/2addr", 0xb5, OP1, OP_REG4, OP_REG4, AOD_NONE },
{ "and-int/lit8", 0xdd, OP1, OP_REG8, OP_REG8, OP_S8 },
{ "and-int/lit16", 0xd5, OP1, OP_REG4, OP_REG4, OP_S16 },
{ "and-so/MuchMore", 0xc0, OP1, OP_REG4, OP_REG4, AOD_NONE },
June 17th 2011 PSES III © 2011 9
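The table above encodes what the Wikipedia excerpt two slides earlier says in prose: a 16-bit instruction unit, three 8-bit register operands for add-int, two 4-bit registers packed into a single unit for the /2addr forms, and a signed literal for the lit8 and lit16 forms. The decoder below applies those four Dalvik instruction formats (12x, 23x, 22b, 22s) to a hand-assembled byte string. It is an added example, not code from the slides or from DeforaOS asm; the opcode numbers and format names come from the Dalvik bytecode documentation, the sample bytes are constructed for the demonstration, and it rejects the two things a linear sweep over a code_item must not silently accept, an unknown opcode and an instruction cut off by the end of the buffer.

```python
import struct
from typing import List, NamedTuple, Tuple


class Insn(NamedTuple):
    offset: int
    name: str
    operands: Tuple[str, ...]
    size: int  # bytes consumed


# Opcode -> (mnemonic, format). Formats are the official Dalvik ones:
#   12x  op vA, vB           1 code unit,  B|A|op        (two 4-bit registers)
#   23x  op vAA, vBB, vCC    2 code units, AA|op CC|BB   (three 8-bit registers)
#   22b  op vAA, vBB, #+CC   2 code units, AA|op CC|BB   (CC is a signed 8-bit literal)
#   22s  op vA, vB, #+CCCC   2 code units, B|A|op CCCC   (CCCC is a signed 16-bit literal)
OPCODES = {
    0x44: ("aget", "23x"), 0x45: ("aget-wide", "23x"), 0x46: ("aget-object", "23x"),
    0x47: ("aget-boolean", "23x"), 0x48: ("aget-byte", "23x"), 0x49: ("aget-char", "23x"),
    0x4a: ("aget-short", "23x"),
    0x90: ("add-int", "23x"), 0x95: ("and-int", "23x"), 0x9b: ("add-long", "23x"),
    0xa6: ("add-float", "23x"), 0xab: ("add-double", "23x"),
    0xb0: ("add-int/2addr", "12x"), 0xb5: ("and-int/2addr", "12x"),
    0xbb: ("add-long/2addr", "12x"), 0xc6: ("add-float/2addr", "12x"),
    0xcb: ("add-double/2addr", "12x"),
    0xd0: ("add-int/lit16", "22s"), 0xd5: ("and-int/lit16", "22s"),
    0xd8: ("add-int/lit8", "22b"), 0xdd: ("and-int/lit8", "22b"),
}
FORMAT_SIZE = {"12x": 2, "23x": 4, "22b": 4, "22s": 4}


def decode_one(code: bytes, off: int) -> Insn:
    """Decode the instruction at byte offset off (the opcode is the low byte of the unit)."""
    op = code[off]
    if op not in OPCODES:
        raise ValueError("opcode 0x%02x at 0x%04x not in table" % (op, off))
    name, fmt = OPCODES[op]
    size = FORMAT_SIZE[fmt]
    if off + size > len(code):
        raise ValueError("truncated %s at 0x%04x" % (name, off))
    if fmt == "12x":
        a, b = code[off + 1] & 0x0F, code[off + 1] >> 4
        return Insn(off, name, ("v%d" % a, "v%d" % b), size)
    if fmt == "23x":
        aa, bb, cc = code[off + 1], code[off + 2], code[off + 3]
        return Insn(off, name, ("v%d" % aa, "v%d" % bb, "v%d" % cc), size)
    if fmt == "22b":
        aa, bb = code[off + 1], code[off + 2]
        (cc,) = struct.unpack_from("<b", code, off + 3)
        return Insn(off, name, ("v%d" % aa, "v%d" % bb, "#%+d" % cc), size)
    # 22s: registers share one byte, the literal is the second code unit.
    a, b = code[off + 1] & 0x0F, code[off + 1] >> 4
    (cccc,) = struct.unpack_from("<h", code, off + 2)
    return Insn(off, name, ("v%d" % a, "v%d" % b, "#%+d" % cccc), size)


def disassemble(code: bytes) -> List[str]:
    """Walk a code_item's insns array linearly and render each instruction."""
    out, off = [], 0
    while off < len(code):
        insn = decode_one(code, off)
        out.append("%04x: %s %s" % (insn.offset, insn.name, ", ".join(insn.operands)))
        off += insn.size
    return out


# Constructed sample: five instructions hand-encoded from the formats above.
SAMPLE_CODE = bytes([
    0x90, 0x00, 0x01, 0x02,  # add-int v0, v1, v2
    0xb0, 0x43,              # add-int/2addr v3, v4   (B=4 in the high nibble, A=3 in the low)
    0xd8, 0x05, 0x06, 0xff,  # add-int/lit8 v5, v6, #-1   (0xff read as a signed literal)
    0xd5, 0x87, 0xff, 0x7f,  # and-int/lit16 v7, v8, #+32767
    0x47, 0x09, 0x0a, 0x0b,  # aget-boolean v9, v10, v11
])
```

Reading the literal with a signed unpack is the detail to keep: add-int/lit8 v5, v6, #-1 and "add 255" are the same four bytes, and a disassembler that prints the latter will send an analyst down the wrong path.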
Get the code: what and where

Disassembler found in the DeforaOS asm project

Hosted by and part of DeforaOS

Development happens in a CVS tree:

$ cvs -d:pserver:anonymous@anoncvs.defora.org:/Data/CVS co DeforaOS

Formal releases available

Web interface and daily archives available

asm depends on libSystem and libcpp


Get the code: formal releases
Fresh from yesterday:

http://www.defora.or&/os/download/download/78/./li'System20.-.9.tar.&:

http://www.defora.or&/os/download/download/78;//cpp20.0.-.tar.&:

http://www.defora.or&/os/download/download/78;8/asm20./.0.tar.&:
Simple as pie hopefully:
$ make PREFIX="/usr/local" install
[...]
(may install a conflicting cpp binary; just remove it)
Get the code: compilation
$ make bootstrap
[...]
The source tree is now configured for your
environment. Essential libraries and tools will
now be installed in this folder: '/usr/local'
You can still exit this script with the CTRL-C
key combination.
Otherwise, press ENTER to proceed.
CTRL-C
$ (cd System/src/libSystem && make install)
$ (cd Apps/Devel/src/cpp && make install && rm -f /usr/local/cpp)
$ (cd Apps/Devel/src/asm && make install)
Use the code: disassemble
$ deas
Usage: deas [-a arch][-f format] filename
       deas [-a arch][-f format] -s string
       deas -l
$ deas classes.dex
classes.dex: dex-dalvik
Disassembly of section .text:
[...]
Modify the code: contributing
Through DeforaOS:

Introduce yourself on devel@lists.defora.org

Report bugs or wishes

Send patches

Gain my trust (and an account)

Commit directly :)
Android: Google did it
Some links to share:

http://mylifewithandroid.blogspot.com/

http://pallergabor.uw.hu/androidblog/

http://developer.android.com/reference/dalvik/bytecode/Opcodes.html

http://:easter.'lo&spot.com//00./--/how2to2decompile2de@2file2on2android,/A.html

http://www.dalvikvm.com/
Suggestions

Anything I may have missed?

Feedback, ?@ and A?@ mail at khorben@defora.org