Analysis Basics¶
The primary use case for JEB is the analysis of binary code. This section focuses on the basics of code analysis and refactoring, such as:
- Renaming items such as methods or fields
- Changing the code structure by moving items to packages
- Commenting
- Navigating a code base via cross-references
- Viewing type hierarchies
- Viewing method overrides
- Graphing routines (CFG)
- Replacing items or rebasing immediates
In the UI client, most fundamental interactions can be achieved via the Action and Navigation menus. Those actions are implemented by most JEB analysis modules that perform code disassembly.
Note: Other action groups such as Native code actions and Debugging actions are detailed in later sections.
Note: The examples in this section are based on the analysis of Raasta.apk using the Android DEX parser. Keep in mind that features and behaviors of Actions depend on the module implementing and performing them.
Decompiling¶
The next section covers decompiling code in depth.
Renaming¶
An important requirement for analysts is the ability to rename code items such as types, methods and routines, fields and data items, packages, etc. consistently across a code base.
- Position the caret on the item to be renamed
- Hit the N key or select Action, Rename
- Enter the new name and press Enter
Tip: Within the Rename dialog box, press Ctrl+Space to bring up your renaming history.
Commenting¶
Anywhere in the code, press the / (slash) key to add a comment. Comments are attached to addresses or items.
Navigating¶
Pressing the Enter key on an item or double-clicking it will bring the caret to the definition of the item.
You can navigate back and forth using the traditional Alt + Arrow Left (or Escape) and Alt + Arrow Right key combos, or via the Navigation menu.
The Next Item and Previous Item command allow you to jump to the similar item after or before the currently selected item.
Cross-references¶
Cross-references on an item allow the examination of items referencing it. Press the X key to visualize them.
You can jump to a cross-reference by double-clicking it.
Type Hierarchies¶
Use the T key on a type item (such as a class or an interface) to visualize its ancestors and children. Double-click on a type item to jump to the item definition.
Restructuring¶
The Create Package and Move to Package actions offer powerful refactoring possibilities, especially useful in the case of large obfuscated binary files.
If the module supports it, users are able to:
- Create artifical packages (aka, namespaces) using the K key.
- Move items, such as types, to existing or artificial packages using the L key.
The following screenshot is an example where the class AppHelp
was moved from the com.pnfsoftware.raasta
package to a newly created package named com.abc
.
Want to learn more? Have a look at our YouTube demo video that demonstrates advanced refactoring and automatic restructuring of a heavily obfuscated Android malware application.
Type Hierarchies¶
The H key allows the examination of type hierarchy, such as parent classes, descendant classes, implemented interfaces, etc.
Object Overrides¶
The O key allows the examination of overrides, such as virtual method redefinitions in the case of object-oriented bytecode files.
Rebasing Constants¶
This feature allows the selection of the radix used to render immediate constant integers. Press the B key repeatedly to cycle through the bases offered by the plugin.
Typically, bases 8, 10, 16 are offered. Some plugins may offer additional bases such as base 2, or non-conventional representation modes, such as character-based immediate rendering.