Decompiling Android Apps: undx, dex2jar, and smali
If you have ever needed to know what a Java application is really doing, you have probably played around with a Java decompiler at some point. JAD will always have a special place in my heart for that, but I find myself giving JD-GUI the late night phone call now when I just need a quick peek into a JAR file. Maybe she’s not perfect, but most nights she gives me what I need.
Unfortunately in the mobile world, tools to decompile our “Java” applications aren’t quite as mature yet. If we’re looking at a Blackberry COD file, there’s coddec and some patches that can help us peek at the code. A while back we were looking for something that could do the same for Android applications and we came across Marc Schönefeld’s “undx” tool. You’re probably saying right now, “wait, Android applications aren’t Java, they’re Dalvik.” That’s true, but why can’t they be decompiled as well since it’s still bytecode and not machine code? Marc decided to take on that challenge. Feed undx an Android APK file and it will try to convert it to a JAR file (which you can then feed to JD-GUI or JAD).
While undx does an OK job on most APK files, we had a strange case on our hands a while back. It was using a few Dalvik opcodes which undx wasn’t expecting. Marc was awesome enough to have undx open sourced, so we were able to add those opcodes in and make a few minor tweaks that helped us out. We’ve put our changes up at GitHub and hope others might find this build useful as well.
As Marc points out, undx is a first step at converting Dalvik to Java. It’s far from perfect or complete. Looking at the decompiled code will show you a number of functions which, well, don’t really function. Variables may have the wrong type, case statements may just fall through, and loops sometimes never break out. We’ve found that Dex2Jar does a much better job converting Dalvik to Java. We’ve placed a few screenshot comparisons in our previous post. In some cases, Dex2Jar does a very impressive job. However, against larger or more complex applications, it can fail.
More and more, we’ve been finding that smali/baksmali gives us what we need: Dalvik in a readable format that we can alter, recompile, then test on a device. It’s true that smali/baksmali has a different goal than undx and dex2jar (smali/baksmali is an assembler/disassembler), but it gives us what we need to do most of the time in a quick and easy way (especially when packaged with APKTool). We’ve written a few scripts that can work with the smali output and help us zero in on the code we’re interested in for an assessment, and then its ability to support changes to the application and quickly recompile is priceless. This is likely a tool we’ll be working with considerably going forward with Android.
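As an added example of the kind of triage script mentioned above (this is not one of the original post’s scripts, nor code from the smali or APKTool projects), the following POSIX shell script walks a tree of `.smali` files, tracks which `.method` each `invoke-*` instruction sits in, and prints every call whose target matches a pattern you give it. Pointing it at an `apktool d` output directory and a pattern such as `Ljava/net/` or `Landroid/telephony/` tells you which methods to read first in an assessment. The `find_calls` function name and the sample `com/example/Net.smali` file are constructed for this example so it runs offline; on a real decode you would pass the `smali/` directory instead of the temporary one built here.

```shell
#!/bin/sh
# Added example (not from the original post): triage baksmali/apktool output by
# listing which methods call into APIs of interest.

# Construct a small sample smali tree so the script runs without a real APK.
SMALI_DIR="$(mktemp -d)"
mkdir -p "$SMALI_DIR/com/example"
cat > "$SMALI_DIR/com/example/Net.smali" <<'EOF'
.class public Lcom/example/Net;
.super Ljava/lang/Object;

.method public fetch(Ljava/lang/String;)V
    .locals 2
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v1
    return-void
.end method

.method public log()V
    .locals 1
    const-string v0, "hello"
    invoke-static {v0, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
EOF

# find_calls DIR PATTERN
#   Prints "relative/path.smali:method(descriptor) -> call target" for every
#   invoke-* instruction whose target (class;->name(args)ret) matches PATTERN
#   (an extended regular expression, as understood by awk).
find_calls() {
    dir="$1"
    pattern="$2"
    find "$dir" -name '*.smali' | sort | while read -r f; do
        awk -v file="${f#"$dir"/}" -v pat="$pattern" '
            # A .method line starts a new method; its descriptor is the last field.
            /^\.method/ { m = $NF }
            # invoke-* lines look like: invoke-kind {regs}, Lcls;->name(args)ret
            /^[[:space:]]*invoke-/ {
                i = index($0, "}, ")
                if (i == 0) next
                target = substr($0, i + 3)
                if (target ~ pat) print file ":" m " -> " target
            }' "$f"
    done
}

# Example run: which methods touch java.net?  (Temp dir is left in place so the
# output can be inspected; remove it with: rm -rf "$SMALI_DIR")
find_calls "$SMALI_DIR" 'Ljava/net/'
```

Each output line names the file, the enclosing method descriptor and the exact call, so you can jump straight to that method in the smali, edit it, and rebuild with APKTool to test the change on a device.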
-benn, quine, and mxs
Published date:  01 October 2010
Written by:  benn