dex2jar VS Recaf

App tampering and repackaging can be performed by using reverse engineering or tampering tools, such as Apktool, dex2jar, etc.

A week ago I purchased a bluetooth device that takes some measurements. You require an Android or iOS application. The first thing the iOS app did was request permission for your location. Immediate fired up MITMproxy [1] running in transparent `--mode wireguard` and installed it's certificate in the iOS trust store. It was sending a whole bunch of data to China and HK. Since I don't have a jailbroken iPhone, it's off to Android.

For BLE scanning, Android does require permissions for location, but this application is using a Chinese branded tracking SDK and sending encrypted (within already encrypted TLS). So it's time to start reversing and instrumenting the runtime.

Well - not so easy, they used a commercial packer that encrypts their compiled bytecode and decrypts and runs it within a C++ library. I managed to bull the Dalvik out of memory using Frida[2], covert it to java bytecode with dex2jar[3] then into decompiled java with jadx [3].

Since the developer relied on the packer to hide/obfuscate their software, it's quite easy to follow. The libraries that do the location tracking on the otherhand are obfuscated so now I'm at the stage of identifying where to hook before the encrypted blobs are sent to servers in China.

I've sunk about 8 hours into this so far. The message here is that to understand what some applications on your phone does you need to really invest time and effort. The developers increase the cost to the consumer to know what their application is doing by obfuscation, encryption and packing. It's asymmetric.

[1] https://mitmproxy.org/posts/wireguard-mode/

[2] https://frida.re/docs/android/

[3] https://github.com/skylot/jadx

[3] https://github.com/pxb1988/dex2jar

I think they forgot to google translate the disadvantages of JEB Decompiler

I haven't used JEB to comment, but I've gotten a lot of mileage out of https://github.com/pxb1988/dex2jar#readme and then feed the normal Java jars it produces into https://github.com/mstrobel/procyon#readme and (of course) one shouldn't overlook picking your favorite tool for dealing with AndroidManifest.xml which often has fun things hiding in it

While digging up those links, I was reminded that some folks enjoy https://github.com/Konloch/bytecode-viewer#is-there-a-demo because it can be easier to "try out" a few of the decompilation engines, but I don't use it because it's hard to do batch things with it, versus dex2jar into procyon is automation friendly

Take a look at apktool: https://ibotpeaches.github.io/Apktool/ and dex2jar: https://github.com/pxb1988/dex2jar

IF you've got the legal situation all sorted out, and know that you need to change a Java class file, and know how to program in Java, I'd suggest Recaf. With it, you can import a jar file, decompile, edit and recompile any source files in it, and export the whole thing again.

No one seems to mention Recaf wich is the best option IMO. You can choose between different decompilers (Fernflower, CFR, Jadx, Procyon and others) has bytecode editing capabilities (you don't have to fully decompile, you can edit the bytecode directly), built in peephole optimizations for flow and number obfuscations, various search options for methods, members, strings, and method virtualization via SSVM

Uhhh, no? For something like JavaFX, which I've complained about its bad native handling before, you can still make a multi-platform jar with a little bit of effort. For instance my project Recaf is distributed as a single JAR file. Just install JDK 11+ and you're good to go.

I did something like this, but its not its own control/library: https://github.com/Col-E/Recaf/blob/dev3/recaf-ui/src/main/java/me/coley/recaf/ui/pane/DiffViewPane.java

The decompiler they used to view that code is not very good, that output is garbled.

If you're going to take apart JVM bytecode, you're better off using Recafe or Quiltflower.

https://github.com/Col-E/Recaf

https://github.com/QuiltMC/quiltflower

I've recently been searching for tools that can help me find rats within jar files. So far I've found jd-gui and Recaf, do you all have any suggestions for other tools?

Example: DecompilePane.java

#1: Are you interested in learning about low latency zero allocation programming? #2: Recaf: Java bytecode reversing tool I've been working on for the past 3.5 years | 37 comments #3: My experimental IDE plugin for displaying all project files in a single view, with zoom/pan and code editing. More info in comments. | 57 comments