Skip to content
charles2gan edited this page Mar 8, 2021 · 35 revisions

Introduction(new version)

GDA is a Dalvik bytecode decompiler written entirely in c++. Unlike the other app decompiler, GDA does not depend on the Java VM and supports APK, DEX, ODEX, OAT, JAR, AAR, and CLASS files.

一、MAIN WINDOWS

Open GDA and drag the APK file we want to analyze to the software UI:

 1. Basic information of the target file;
 2. API used by DEX file
 3. View all strings in DEX; 
 4. View all the strings used by all the methods; 
 5. Extract all the URLs in the DEX file (Pro version);
 6. View AndroidManifest files;
 7. The hexadecimal viewer that can edit data;
 8. Malicious behavior detection;
 9. Vulnerability scanning (Pro version); 
 10. Privacy leak scanning (Pro version);
 11. Expand the permission and view the module/method to which the permission belongs; 
 12. Click to enter the entry function (method);
 13. Connect the Android device for the memory dump;
 14. Search and access history records, double-click to view;
 15. The proportion distribution of each element in the target file;
 16. DEX head, click on “DexClass*” item to display the corresponding head, each color block represents a different area of ​the head. the prompt will be shown when the mouse moves over on it. right-clicking in the area that is offset and jump to reference location;
 17. Identification of packers;
 18. When you click the related object in the code, the index value of the object will be displayed;
 19. When you click the related object in the code, the package name of the object will be displayed;
 20. When you click the related object in the code, the name of the object will be displayed.

二、Shortcut key

The shortcut key description

GDA shortcut key

shortcut description
F5 Switch java and smali code
F Trace the args and return value by dataflow analysis
X Cross-referencing, locating callers (of strings, classes, methods, field, Smali, Java)
Esc/<-/Backspace Back to the last visit
-> Forward to the next visit
G Jump to somewhere by you inputting offset
N Rename the variable/method/class name
S Search for all the elements by the given string
C Comments. Only supports the Java code
DoubleClick Double-click the name of method/str/field/class to view objects
M the cursor's placed at the Smali code line and pressing the key 'M' to edit the instruction
UP\bigtriangleup Press 'up' key to access the up-method in the tree control
Down\bigtriangledown Press “down” key to access the down-method in the tree control
D Dump the binary data of methods, only supports the Smali mode
Enter The modification of edit boxes take effect
H Show data in Hex
Ctr+H Pop searching history window
Ctr+A Select all
Ctr+C Copy
Ctr+V Paste, only for editable boxes
Ctr+X Cut
Ctr+F Find out the string of the current window
Ctr+S Save the modifications into the GDA database file

三 、Example of Android Malware Static Analysis

This section introduces the basic usage of GDA through a malware sample file.

A.Summary Analysis

Summary Analysis is to make a simple understanding of the whole APK. Here is an example of Android Malware to illustrate the usage of GDA.

  1. First, we drag the malware sample into the GDA. And then we can see its basic information.

We are able to judge whether the APK is packed according to the presented information. If the APK is not packed, nothing would be presented below DexHeader.

  1. Then we can check the permissions of our APK. As we see at the bottom of the base information, the APK has enabled a lot of dangerous permissions e.g. READ_SMS, SEND_SMS, READ_CALL_LOG, READ_PHONE_STATE and so on.

  1. By clicking the button in the toolbar marked in red, we can check the signature information of the APK.

  1. In addition, the AndroidManifest at the top of the tree control can guide you to analyze the config info of Activity, Service, Receive and others in AndroidManifest.xml.

  1. Next, we can click the MalScan in the tree box to scan the malicious behavior of the APK. the following fig shows that malware has many malicious operations.

If we want to go further and analyze what would be done by methods, we could double-click method@xxxxxx to view the method code, such as clicking to view “[method@000197]: com.itcast.cn112.a.a” below of "#Sending message:”. The code of this method will be shown in the following figure.

Of course, if we want to analyze the Smali code, just press F5.

As we can see from the figure, this method will access SMS.

In addition, we can also see the strings and APIs used by the DEX. AllStrings will show all the strings in the DEX, and AppStrings will show the referenced strings by methods' code. In fact, AppStrings is a more useful string. The string@ area also supports the operations of cross-reference (X), editing (right-click), and double-clicking.

The method@ area in the operation of AllAPI supports the cross-reference function.

B、JAVA pseudo-code analysis

Here, we mainly show some interactive operations in java codes. The following is a brief introduction to the basic use of GDA.

  1. Begin with the entry point, click the entry button to view the entry method.

If the decompiling method is too large, we need to search the interesting keyword in the current code, we can press ctr+f to launch the searching box.

Now if we want to mark the identified methods, fields, or classes. we can rename them. For example, double-click a.d() and the following fig will be shown. Obviously, it's used to log information, so we rename the method name as 'log', GDA will upgrade all the referenced positions.

Then, we rename all the identifiable methods in the same way.

If we want to do a further description, the comments(C) can be used.

When we need to analyze the callers of the current method. We can view them by cross-reference.

When we want to know where a string is being used. You can place the mouse between the double quotes and press X to see the reference methods.

now, the basic usage has been finished, if you have some problems, please comment. And welcome reporting the error.

四、Auxiliary tool

1. XML decoder

Self-implemented decoding function can bypass the Anti-decoding technology:

2. Algorithmic Tool

the tool supports the following algorithm:

Hash algorithm: md2 md4 md5 sha sha1 sha224 sha256 sha384 sha512

symmetric encryption: des idea rc2 rc4 rc4-40 rc2-40 rc2-64 bf cast5 aes (128 192 256), with mode such as ecb cbc ofb cfb, other modes such as (cfb1 cfb8)

asymmetric encryption: RSA

encoding algorithm: base62, base64 3.

The alg-tool accepts 3-types inputs as the key, plaintext, and ciphertext. Simply, 1.we can directly input string as source data, and also 2. input binary data indicated by “hex:” like the following fig. And 3. we can double-click the text box to pop the file dialog, and then choose a file as inputs.

3. Dumper

For more detail, please visit the following links: https://zhuanlan.zhihu.com/p/26341224

4.Searching Tool(S)