Tutorial of a cool and brand-new Decompiler

Introduction(new version)

GDA is a Dalvik bytecode decompiler written entirely in c++. So, unlike most app analysis tools, GDA does not need to rely on the Java platform, And as the use of the Bytecode directly translated into Java code without Smali code translation. So it is more succinct, more portable and faster. In addition, it supports APK, DEX, ODEX and OAT files.

一、MAIN WINDOWS

Open GDA and drag the APK file you want to analyze to the software UI:

 1. View all strings in DEX; 
 2. View all the strings used by all the methods; 
 3. View all APIs used by methods; 
 4. View AndroidManifest files;
 5. Show data by Hexadecimal way; 
 6. Suspicious (malicious behavior analysis); 
 7. Vulnerability static scanning (to be implemented); 
 8. Expanding permissions and viewing the method which the permissions belong to; 
 9. Classes and methods, if there are more DexClass*, indicating that APK uses multi-dex.
 10, DEX head, click on “DexClass*” item to display the corresponding head, each color block represents a different area of ​the head. the prompt will be shown when the mouse moves over on it. right-clicking in the area that is offset and jump to reference location.
 11. Overview of the permissions applied by the application; 
 12. Double-click to view historical access; 
 13. Click to enter the entry function (method); 
 14. Connect the Android device for the memory dump.

If the APP is packed, GDA will automatically recognize and show the packer between the Dex header and the APK permission. Otherwise, nothing. As shown in the figure:

The DEX Header is just for fun, you can see the tip that shows the field of the header by moving the cursor over. Click the right mouse button and you can enter the subheader or offset table. Then, click the Entry button on the right-top to enter the APK entry function (usually onCreate of the main Activity):

In the java code area, you can press F5 to view the smali assembly code.

Double-click on a method to enter the method, view its code, and press X to do cross-reference and view the caller.

And, you can also extend the tree on the left of the GUI, then choose an item and click right button of the mouse, you will get a pop menu like the following fig:

二、Shortcut key

The shortcut key description

GDA shortcut key

shortcut description
F5 Switch java to smali, pressing it again for back to java
F Trace the args and return value by dataflow analysis
X Cross-referencing, locating callers (of strings, classes, methods, field, Smali, Java)
Esc/<-/Backspace Back to the last visit
Forward to the next visit
G Jump to somewhere by you inputting offset
N Rename the variable/method/class name
S Search for all the elements by the given string
C Comments. Only supports the Java code
DoubleClick The cursor’s placed at the method/str/field/class, and double-click to access objects
M the cursor’s placed at the Smali line and pressing the key ‘M’ to edit the instruction
UP Press ‘up’ key to access the up-method in the tree control
Down Press “down” key to access the down-method in the tree control
D Dump the binary data of methods, only supports the Smali window
Enter The modification of edit boxes take effect
H Show data in Hex
Ctr+H Pop searching history window
Ctr+A Select all
Ctr+C Copy
Ctr+V Paste, only for editable boxes
Ctr+X Cut
Ctr+F Find out the string of the current window
Ctr+S Save the modifications into the GDA database file

三、Auxiliary tool

1. XML decoder

Fully self-implemented decoding function can bypass the Anti-decoding technology, successfully parse XML

2. Algorithmic Tool

the tool supports the following algorithm:

Hash algorithm: md2 md4 md5 sha sha1 sha224 sha256 sha384 sha512 symmetric encryption: des idea rc2 rc4 rc4-40 rc2-40 rc2-64 bf cast5 aes (128 192 256), with mode such as ecb cbc ofb cfb, other modes such as (cfb1 cfb8) asymmetric encryption: RSA encoding algorithm: base62, base64 3.

The tool accepts 3-types data as input for the key textbox, clear textbox and ciphertext box. Simply, you can directly input string as source data, and also input binary data indicated by “hex:” like the following fig. And you can double click the text box so that the file dialog will be popped, and choose a file as input.

3. Dumper

For instructions, please visit the following links: https://zhuanlan.zhihu.com/p/26341224

4.Searching Tool(S)

四、Example of Android Malware Static Analysis

This section introduces the basic usage of GDA through a malware sample file. A.Summary Analysis Summary Analysis is to make a simple understanding of APK as a whole. Here is an example of an Android Malware to illustrate the use of GDA.

  1. First, you should drag the malware sample into the GDA. And very quickly you can see its basic information.

You are able to judge whether the APK is packed according to the presented information. If the APK is not packed, nothing would be presented between DexHeader and Permission.

  1. Then you can check to see if the virus applies for sensitive permissions. As you see at the bottom of the main window, the APK has enabled a lot of sensitive permissions e.g. READ_SMS, SEND_SMS, READ_CALL_LOG, READ_PHONE_STATE and so on.

  1. By clicking the button in toolbar marked in red, you will check the signature information of the APK.

  1. In addition, the AndroidManifest in the top of the tree control can guide you to analyze the config info of Activity, Service, Receive and others in AndroidManifest.xml.

  1. Next, you can click the “MalScan” in the tree box to scan the malicious behavior of the APK. So, the following fig shows that malware has many malicious operations.

If you want to go further and analyze the methods associated with this behavior, you can double-click method@xxxxxx to view the code of the method, such as clicking to enter “[method@0001e5]: com.itcast.cn112.m.a” below of "#Read contacts, SMS and other information:” The code of the method will be shown in the following figure.

Of course, it is more difficult to analyze the Smali code. So you can press F5 to decompile it.

As you can see from the figure, the short message box is accessed in this method. In addition, you can also analyze the string and APIs used by the DEX. AllStrings will get all the strings in the DEX, and AppStrings will only get referenced strings by methods’ code. In fact, AppStrings is a more useful string. The string@ area also supports the operations of cross-reference (X), editing (right-click menu), and double-clicking.

The method@ area in the operation of AllAPI supports cross-reference function.

B、JAVA pseudo-code analysis

Here, we mainly analyze the DEX so that understand the more detail behavior and execution flow. The following is a brief introduction to the basic use of GDA.

  1. Begin with an analysis of the entry point, click the entry button to enter the entry function of the DEX. Usually, the OnCreate function of MainActivity is the first execution function of the APK.

In order to efficiently analyze the entire DEX, we need to log the identified methods or classes. so, GDA support to rename the method, class, field name and make comments. Double-click a.d(); enter the method.

the figure shows that the method is just a log method, so we rename the method name, GDA will upgrade all the referenced place.

And rename all the identifiable methods in the same way.

!(https://github.com/charles2gan/GDA-android-reversing-Tool/blob/master/GDA_PIC/24_modified name.png)

Sometimes a further description is needed, so the comments(C) can be used.

Many times, you need to analyze the callers of the current method. You can view them by cross-reference.

Sometimes you want to know where a string is being used. You can place the mouse between the double quotes of the string and press X to see the reference methods.

now, the basic usage has been finished, if you have some problems, please comments. And welcome reporting the error.

9 Likes

Can you provide the download link please?

2 Likes