dex2jar VS bytecode-viewer

App tampering and repackaging can be performed by using reverse engineering or tampering tools, such as Apktool, dex2jar, etc.

A week ago I purchased a bluetooth device that takes some measurements. You require an Android or iOS application. The first thing the iOS app did was request permission for your location. Immediate fired up MITMproxy [1] running in transparent `--mode wireguard` and installed it's certificate in the iOS trust store. It was sending a whole bunch of data to China and HK. Since I don't have a jailbroken iPhone, it's off to Android.

For BLE scanning, Android does require permissions for location, but this application is using a Chinese branded tracking SDK and sending encrypted (within already encrypted TLS). So it's time to start reversing and instrumenting the runtime.

Well - not so easy, they used a commercial packer that encrypts their compiled bytecode and decrypts and runs it within a C++ library. I managed to bull the Dalvik out of memory using Frida[2], covert it to java bytecode with dex2jar[3] then into decompiled java with jadx [3].

Since the developer relied on the packer to hide/obfuscate their software, it's quite easy to follow. The libraries that do the location tracking on the otherhand are obfuscated so now I'm at the stage of identifying where to hook before the encrypted blobs are sent to servers in China.

I've sunk about 8 hours into this so far. The message here is that to understand what some applications on your phone does you need to really invest time and effort. The developers increase the cost to the consumer to know what their application is doing by obfuscation, encryption and packing. It's asymmetric.

[1] https://mitmproxy.org/posts/wireguard-mode/

[2] https://frida.re/docs/android/

[3] https://github.com/skylot/jadx

[3] https://github.com/pxb1988/dex2jar

I think they forgot to google translate the disadvantages of JEB Decompiler

I haven't used JEB to comment, but I've gotten a lot of mileage out of https://github.com/pxb1988/dex2jar#readme and then feed the normal Java jars it produces into https://github.com/mstrobel/procyon#readme and (of course) one shouldn't overlook picking your favorite tool for dealing with AndroidManifest.xml which often has fun things hiding in it

While digging up those links, I was reminded that some folks enjoy https://github.com/Konloch/bytecode-viewer#is-there-a-demo because it can be easier to "try out" a few of the decompilation engines, but I don't use it because it's hard to do batch things with it, versus dex2jar into procyon is automation friendly

Take a look at apktool: https://ibotpeaches.github.io/Apktool/ and dex2jar: https://github.com/pxb1988/dex2jar

I think they forgot to google translate the disadvantages of JEB Decompiler

I haven't used JEB to comment, but I've gotten a lot of mileage out of https://github.com/pxb1988/dex2jar#readme and then feed the normal Java jars it produces into https://github.com/mstrobel/procyon#readme and (of course) one shouldn't overlook picking your favorite tool for dealing with AndroidManifest.xml which often has fun things hiding in it

While digging up those links, I was reminded that some folks enjoy https://github.com/Konloch/bytecode-viewer#is-there-a-demo because it can be easier to "try out" a few of the decompilation engines, but I don't use it because it's hard to do batch things with it, versus dex2jar into procyon is automation friendly

Here's a good tool for inspecting the bytecode of applications, with built in decompiler support: https://github.com/Konloch/bytecode-viewer

If you're curious what anything (Lombok or otherwise) compiles to, JVM bytecode is much simpler than the kinds C/C++ compiles to. It's fairly readable even with the JDK disassembler javap. There are also various community disassemblers and decompilers that provide nicer output than javap. I use https://github.com/Konloch/bytecode-viewer, which is a GUI frontend for several. If one decompiler doesn't handle a class well, another usually does.

I use Bytecode Viewer, https://github.com/Konloch/bytecode-viewer with Dark Mode.

if you do use this plugin i'd recommend also using https://bytecodeviewer.com/ to check the supposed malicious lines of code.

Take a look at tools like this one to get an idea of what you can actually get: https://bytecodeviewer.com/

Also, you can always install the latest release and then put it through a Java decompiler to get the complete source code. It might have some errors since decompilers aren't perfect, but will give you a more complete source code than anything I can legally provide.