Decompile React Native index.android.bundle - android

I am using React Native and integrated library react-native-obfuscating-transformer
to obfuscate my code. Now after decompiling my APK, I believe my whole js code is under assets/index.android.bundle.
How can I debundle it and see my code whether obfuscation worked or not.

For Macbook
brew install apktool
after install apktool, unzip apk file by run this command on terminal like this:
apktool d /pathOfApkFile.apk
After that you will get index.android.bundle file at pathOfApkFile/assets/index.android.bundle
than you can use react-native-decompiler for decompile index.android.bundle file
Decompile index.android.bundle File
you can decompile index.android.bundle by run this command
npx react-native-decompiler -i ./index.android.bundle -o ./output
after that, you will get JS decompiled file in ./output directory
JS Code Decompile
React Native is already doing uglify js code.
and react-native-obfuscating-transformer is also make complex uglifying code
It is something like MD5 and SHA256 encryption and there is no the tool available right know when make machine learning and bruteforce to give us estimated code
If you want to varify react-native-obfuscating-transformer is implemented or not then you can edit index.android.bundle and save code then implement react-native-obfuscating-transformer and edit and compare both file
you can make more uglify code by adding flag in build.gradle called bundleInRelease: true and add Hermes which turns js bundle to bytecode for efficiency
REF
Note: There is no way to decompile index.android.bundle because this file contains uglify code which has many reverses possible of one line
Java Code Decompile
you can use DEX2JAR to convert apk to java code
and you can view that code from JD-GUI
you can see this VIDEO

See https://android.jlelse.eu/getting-inside-apk-files-21dbd01529d4 :
If your app is written on React Native, using the same apktool you can find index.android.bundle file inside assets folder of decompiled APK folder.
To open it using IntelliJ IDEA, right click on the file, Associate with File Type… and choose JavaScript. And it is usual minified .js file.
In other words, opening the .bundle file in an IDE such as Intellij will yield a minified .js file, which can then be formatted and compared with your source code. I hope this helps!

There is a tool called APK Easy Tool download it from here, install it, and open it.
Select apk by choosing browse option and click on Extract apk, when it is extrcted click on decompiled apk directory, and open directory. you would see something like this
navigate inside Extracted APKs directory you would get the bundle.

Related

How can I extract full android project from apk file? [duplicate]

The hard drive on my laptop just crashed and I lost all the source code for an app that I have been working on for the past two months.
All I have is the APK file that is stored in my email from when I sent it to a friend.
Is there any way to extract my source code from this APK file?
Simplest way: use the online tool Decompiler, upload the apk and get the source code.
Procedure for decoding .apk files, step-by-step method:
Step 1:
Make a new folder and copy over the .apk file that you want to decode.
Now rename the extension of this .apk file to .zip (rename from filename.apk to filename.zip) and save it. Now you can access the classes.dex files. At this stage, you are able to see drawables, but not the .xml and .java files.
Step 2:
Now extract this .zip file in the same folder or a new folder.
Download dex2jar (Don't download the code, click on the releases button that's on the right, then download the file named dex2jar-X.X.zip) and extract it to the same folder or a new folder.
Move the classes.dex file into the dex2jar folder.
Now open Command Prompt and change the directory to that folder. Then write d2j-dex2jar classes.dex (for Mac or Ubuntu write ./d2j-dex2jar.sh classes.dex) and press enter. You now have the classes.dex.dex2jar file in the same folder.
Download java decompiler, Right click on jd-gui, click on Open File, and open classes.dex.dex2jar file from that folder: Now you get the class files.
Save all of these class files (In jd-gui, click File -> Save All Sources) by src name. At this stage, you get the Java code but the .xml files are still unreadable.
Step 3:
Now open another new folder
Put in the .apk file which you want to decode
Download the latest version of apktool AND apktool install window (both can be downloaded from the same link) and place them in the same folder
Open the Command Prompt
Now run command apktool if framework-res.apk (if you don't have it get it here)and next
apktool d myApp.apk (myApp.apk denotes the filename that you want to decode)
Now you get a file folder in that folder and can easily read the .xml files.
Step 4:
It's not any step, just copy the contents of both folders (both new folders) to the single one
AND ENJOY THE SOURCE CODE!
This is an alternative description - just in case someone got stuck with the description above. Follow the steps:
download apktool.bat (or apktool for Linux) and apktool_<version>.jar from http://ibotpeaches.github.io/Apktool/install/
rename the jar file from above to apktool.jar and put both files in the same folder
open a dos box (cmd.exe) and change into that folder; verify that a Java Environment is installed (for Linux check the notes regarding required libraries as well)
Start: apktool decode [apk file]
Intermediate result: resource files, AndroidManifest.xml
unzip APK file with an unpacker of your choice
Intermediate result: classes.dex
download and extract dex2jar-0.0.9.15.zip from http://code.google.com/p/dex2jar/downloads/detail?name=dex2jar-0.0.9.15.zip&can=2&q=
drag and drop classes.dex onto dex2jar.bat (or enter <path_to>\dex2jar.bat classes.dex in a DOS box; for Linux use dex2jar.sh)
Intermediate result: classes_dex2jar.jar
unpack classes_dex2jar.jar (might be optional depending on used decompiler)
decompile your class files (e.g. with JD-GUI or DJ Decompiler)
Result: source code
Note: it is not allowed to decompile third party packages; this guide is intended to recover personal source code from an APK file only; finally, the resulting code will most likely be obfuscated
While you may be able to decompile your APK file, you will likely hit one big issue:
it's not going to return the code you wrote. It is instead going to return whatever the compiler inlined, with variables given random names, as well as functions given random names. It could take significantly more time to try to decompile and restore it into the code you had, than it will be to start over.
Sadly, things like this have killed many projects.
For the future, I highly recommend learning a Version Control System, like CVS, SVN and git etc.
and how to back it up.
There is also a new application on the Play Store with which it is possible to decompile an apk (system applications too) and view the source code right on your smartphone. It saves the files to your SD card so you can view it on your computer too. It does not require root or something else.
Just install and have fun. I think this is the easiest way to decompile an app.
apktool is the best thing you can try. I have saved some xml with it, but honestly I don't know how it will work with the .java code.
I would recommend you to have a code repository even if your are the only coder. I've been using Project Locker for my own projects. It gives you free svn and git repos.
These two articles describe how to combine the use of apktool and dex2jar to take an APK file and create an Eclipse project that can build and run it.
http://blog.inyourbits.com/2012/11/extending-existing-android-applications.html
http://blog.inyourbits.com/2012/12/extending-existing-android-applications.html
Basically you:
Use apktool to get the resource files out of the apk
Use dex2jar to get a jar file that contains the classes in a format that Eclipse will like.
Create an Eclipse project point it at the resource files and the new jar file
Open the jar file with a zip utility and delete the existing resources
Open the jar file with JDGui to view the source code
Take whatever source code you need from JDGui, stick it in a class inside Eclipse and modify it
Delete that class from the jar file (so you don't have the same class defined multiple times)
Run it.
apktool will work. You don't even need to know the keystore to extract the source code (which is a bit scary). The main downside is that the source is presented in Smali format instead of Java. Other files such as the icon and main.xml come through perfectly fine though and it may be worth your time to at least recover those. Ultimately, you will most likely need to re-write your Java code from scratch.
You can find apktool here. Simply just download apktool and the appropriate helper (for Windows, Linux, or Mac OS). I recommend using a tool such as 7-zip to unpack them.
There are a few ways to do this:
Use the "Profile or Debug APK" feature in Android Studio 3.0.
It allows you to open and explore APKs in Android Studio. Classes are decompiled into smali. Resources are not extracted and things like "Go to Definition", "Find All References" and debugging don't work without the source code (android studio 3.0 canary 9). Some additional smali features might work with smalidea.
Use jadx.
Jadx decompiles the code in a given APK to java source files.
Use apktool.
Apktool is a command line tool which extracts resources and decompiles code into smali for a given apk. You can recompile using apktool also. Here's an example of it in action:
$ apktool d test.apk
I: Using Apktool 2.2.4 on test.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: 1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
$ apktool b test
I: Using Apktool 2.2.4 on test
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
May be the easy one to see the source:
In Android studio 2.3, Build -> Analyze APK -> Select the apk that you want to decompile.
You will see it's source code.
Link for reference:
https://medium.com/google-developers/making-the-most-of-the-apk-analyzer-c066cb871ea2
This site https://www.apkdecompilers.com/ did it automatically.
I tried the site mentioned in the accepted answer first but that didn't work for me.
I personally recommend Show Java Android App to get the source code. You can download it from play store or from here
based on your condition, if your android apk:
Condition1: NOT harden (by Tencent Legu/Qihoo 360/...)
Choice1: using online service
such as:
using www.javadecompilers.com
goto:
http://www.javadecompilers.com/apk
Note: internally using Jadx
to auto decode from apk to java sourcecode
steps:
upload apk file + click Run + wait some time + click Download to get zip + unzip ->
sources/com/{yourCompanyName}/{yourProjectName}
is your expected java source code
Choice2: decompile/crack by yourself
use related tool to decompile/crack by yourself:
use jadx/jadx-gui convert apk to java sourcecode
download jadx-0.9.0.zip then unzip to got bin/jadx, then:
command line mode:
in terminal run: jadx-0.9.0/bin/jadx -o output_folder /path_to_your_apk/your_apk_file.apk
output_folder will show decoded sources and resources
sources/com/{yourCompanyName}/{yourProjectName} is your expected java sourcecode
GUI mode
double click to run jadx-0.9.0/bin/jadx-gui (Linux's jadx-gui.sh / Windows's jadx-gui.bat)
open apk file
it will auto decoding -> see your expected java sourcecode
save all or save as Gradle project
eg:
Condition2: harden (by Tencent Legu/Qihoo 360/...)
the main method of 3 steps:
apk/app to dex
dex to jar
jar to java src
detailed explanation:
Step1: apk/app to dex
use tool (FDex2/DumpDex) dump/hook out (one or multiple) dex file from running app
steps:
prepare environment
a rooted android
real phone
or emulator
here using Chinese Nox App Player夜神安卓模拟器
install your android apk
to the phone or emulator
installed Xposed Installer
install FDex2/DumpDex into XPosed and enable it
Note: need restart Xposed to make FDex2 work
FDex2 download address, Chinese:
脱壳工具 FDex2-CSDN下载
链接: https://pan.baidu.com/s/1lTF8CN96bxWpFwv7J174lg 提取码: 3e3t
install your android apk to phone/emulator
dump out dex from running app
run FDex2 then click your apk name to enable later to capture/hook out dex
(in phone/emulator) run your app
find and copy out the dump out whole apk resources in /data/data/com/yourCompanyName/yourProjectName
in its root folder normally will find several dex file
Step2: dex to jar
use tool (dex2jar) convert (the specific, containing app logic) dex file to jar file
download dex2jar got dex-tools-2.1-SNAPSHOT.zip, unzip got dex-tools-2.1-SNAPSHOT/d2j-dex2jar.sh, then
sh dex-tools-2.1-SNAPSHOT/d2j-dex2jar.sh -f your_dex_name.dex
eg:
dex-tools-2.1-SNAPSHOT/d2j-dex2jar.sh -f com.xxx.yyy8825612.dex
dex2jar com.xxx.yyy8825612.dex -> ./com.xxx.yyy8825612-dex2jar.jar
Step3: jar to java src
use one of tools:
Jadx
Procyon
GUI tool based on procyon:
Luyten
Bytecode Viewer
CRF
JD-GUI
some others:
Krakatau
Fernflower
Cavaj
convert jar to java src
for from jar to java src converting effect:
Jadx > Procyon > CRF >> JD-GUI
so recommend use: Jadx/jadx-gui
steps:
double click to run jadx-gui
open dex file
File -> save all
eg:
exported java src:
More detailed explanation can see my online ebook Chinese tutorial:
安卓应用的安全和破解
tutorial's source code on github: crifan/android_app_security_crack: 安卓应用的安全和破解
Below ONLINE tool:
http://www.javadecompilers.com/apk
it do ALL by one click: decompiled .java files + resources + xml (in one .zip file) with very good decompiler (jadx return java code in places/functions where other compiles return comments inside function like "unable to decompile" or some android assembler/machine code)
I'll show you other way to decompile the .apk files.
You can follow the first 2 steps from "prankul garg". So you have another opportunities:
Step 3':
Download the "JD-GUI", thats easy to found this one.
Open your .jar file in "jd-gui.exe". (File > Open file > 'found your .jar file'). After this procedure, you can save all resources in a .zip file.
So,
1st - You have to rename the .apk file to .zip
2nd - You have to decode .dex file (if you want, decode the .apk file to dex2jar, that's possible)
3rd - You have to decode .jar file with JD-GUI
Apktool for reverse engineering 3rd party, closed, binary Android apps.
It can decode resources to nearly original form and rebuild them after making some modifications.
It makes possible to debug smali code step by step. Also it makes working with an app easier because of project-like file structure and automation of some repetitive tasks like building apk, etc.
http://ibotpeaches.github.io/Apktool/
apktool is THE way to go.
Online apktool service exists as well: http://www.javadecompilers.com/apktool
Some limitations, obviously, exist due to the service ‘online nature’: you may extract and research assets and the manifest file, but it is impossible to recompile the application at the moment.
Still, this is a no-hassle way to 'open' the android application.
You can try DexPatcher. It even integrates with Android Studio. It uses Apktool and Dex2Jar internally.
You can use those tools independently as well.
Apktool decompiles apk, and extracts .dex files, which can further be converted to jar using Dex2Jar. Jar can be decompiled by using JD-GUI. You can see the Java code with the help of that tool. Although the similarity of decompiled code to the actual code cannot be guaranteed. There are some advanced code obfuscation tools available in the market, which mess up the code to make it difficult to decompile / understand. eg. Proguard
Android studio offers you to analyse any apk file.
1 - From build menu choose analyse apk option and select apk file.
2 - This will result in you the classes.dex file and other files.
3 - Click on classes.dex which will give you the list of folders, packages, libraries and files.
4 - From and android studio settings install a plugin called "Dex to Jar"
5 - click on any activity file of your extracted project and choose dex to jar from the build menu.
This will result in you the actual code of your java file.
Cheers.
Step 1:
Make a new folder and copy over the .apk file that you want to decode.
Now rename the extension of this .apk file to .zip (e.g. rename from filename.apk to filename.zip) and save it. Now you can access the classes.dex files, etc. At this stage you are able to see drawables but not xml and java files, so continue.
Step 2:
Now extract this .zip file in the same folder (or NEW FOLDER).
Download https://github.com/pxb1988/dex2jar/releases/tag/2.0 : dex2jar-2.0
Now open command prompt and change directory to that folder (or NEW FOLDER). Then execute :
d2j-dex2jar.bat classes.dex
Download this decompiler http://java-decompiler.github.io/ to decompile classes-dex2jar.jar
Step 3:
Now open another new folder
Put in the .apk file which you want to decode
Download the latest version of apktool AND apktool (https://ibotpeaches.github.io/Apktool/install/) install window (both can be downloaded from the same link) and place them in the same folder
Open a command window
Now run command like apktool if framework-res.apk (if you don't have it get it here)and next
apktool d myApp.apk (where myApp.apk denotes the filename that you want to decode)
now you get a file folder in that folder and can easily read the apk's xml files.
Copycontents of both folders to a single folder
Done !
In order to decompile APK and get the code from it you have multiple online tools & I usually prefer to use Online APK Decompiler.
It is very easy to use and within few minutes you will be able to download the source code from it.
If you want to download APK from playstore and decompile. you can easily download it from it too.
The simplest way is using Apk OneClick Decompiler. That is a tool package to decompile & disassemble APKs (android packages).
FEATURES
All features are integrated into the right-click menu of Windows.
Decompile APK classes to Java source codes.
Disassemble APK to smali code and decode its resources.
Install APK to phone by right-click.
Recompile APK after editing smali code and/or resources.
During recompile:
Optimize png images
Sign apks
Zipalign
REQUIREMENTS
Java Runtime Environment (JRE) must be installed.
You can download it from this link Apk OneClick Decompiler
Enjoy that.
I found the following as the simplest method:
Rename your app.apk to app.zip (Change extension from apk to zip)
Extract the zip file into a folder
Use JADX tool to read the source code, present in classes.dex file.
There's an app for that and generally takes just a few clicks and you are done.
https://github.com/Nuvolect/DeepDive-Android
Select Apps, under "Installed Apps" select your app. If it is not
there you can load the APK.
Select "Extract APK"
Select "Unpack APK"
Select "Decompile with Jadx". This can take a few seconds or a few minutes depending
on the speed of your device
After that you can browse the source code, download it to another computer with elFinder or search through it using Lucene.
In addition to Jadx it has CFR and Fernflower decompilers.
I developed a Tool - Code Analyzer, it runs in iPhone/iPad/Mac, to analyze Java/Android files, https://decompile.io
1. Extracting the source from a native Android application
The source code of a native Android application is not difficult to obtain, but it does require extra tools that are compatible with Windows, Mac, and Linux. My personal favorites when it comes to tools are dex2jar and JD-GUI.
If you’re unfamiliar with these tools, dex2jar will read Dalvik Executable files and convert them to the standard JAR format. JD-GUI will read JAR files and decompile the class files found in them.
To make the extraction process easier to understand, let’s start by creating a fresh native Android project:
android create project --target 19 --name TestProject --path . --activity TestProjectActivity --package com.nraboy.testproject
The above command will leave you with an Android project in your current command prompt path.
Since our project has an Activity class already included, lets jump straight into the build process. You can give me a hard time all day long about using Ant instead of Gradle or Maven, but for this tutorial I’m going to stick with it.
ant debug
The above command will create a debug build typically found at bin/TestProject-debug.apk.
Using your favorite unzip tool, extract the APK file. 7-zip is a popular tool, but if you’re on a Mac you can just run the following from the Terminal:
unzip TestProject-debug.apk
This will leave us with a bunch of files and folders, but one is important to us. Make note of classes.dex because it contains all of our source code. To convert it into something readable we need to run dex2jar on it. You can use dex2jar on Mac, Linux, and Windows, but I’m going to explain from a Mac perspective.
With the classes.dex file in your extracted dex2jar directory, run the following from the Terminal:
./dex2jar.sh classes.dex
Open the JD-GUI application that you downloaded because it is now time to decode the JAR and packaged class files. Open the freshly created classes_dex2jar.jar file and you should see something like the following:
See how easy it was to get to the source code of your native Android APK? Now what can you do to better protect yourself?
The Android SDK ships with Proguard, which is a obfuscation module. What is obfuscation you ask?
Obfuscation via Wikipedia:
Obfuscation (or beclouding) is the hiding of intended meaning in
communication, making communication confusing, willfully ambiguous,
and harder to interpret.
While obfuscation will not encrypt your source code, it will make it more difficult to make sense of. With Proguard configured, run Ant in release mode and your code should be obfuscated on build.
2. Extracting the source from a hybrid Android application
The source code of hybrid applications are by far the easiest to extract. You don’t need any extra software installed on your computer, just access to the APK file.
To make things easier to understand, lets first create a fresh Apache Cordova project and then extract it. Start by doing the following:
cordova create TestProject com.example.testproject TestProject
cd TestProject
cordova platform add android
During the project creation process you are left with the default Apache Cordova CSS, HTML, and JavaScript templates. That is fine for us in this example. Let’s go ahead and build our project into a distributed APK file:
cordova build android
You’re going to be left with platforms/android/ant-build/CordovaApp-debug.apk or something along the lines of platforms/android/ant-build/*-debug.apk.
Even though this is a debug build, it is still very usable. With 7-zip or similar installed, right click the APK file and choose to extract or unzip it. In the extracted directory, you should now have access to all your web based source files. I say web based because any Java files used by Apache Cordova will have been compiled into class files. However, CSS, HTML, and JavaScript files do not get touched.
You just saw how depressingly easy it is to get hybrid application source code. So what can you do to better protect yourself?
You can uglify your code, which is a form of obfuscation.
Doing this will not encrypt your code, but it will make it that much more difficult to make sense of.
If you want to uglify your code, I recommend you install UglifyJS since it is pretty much the standard as of now. If you prefer to use a task runner, Grunt and Gulp have modules for UglifyJS as well.
There are lots of applications and methods in the market to decompile the apk file into java class but if the app is compiled with ProGuard rule then you are in a big trouble because this rule will shrink all the dex files into a small character name and then you can not trace back the implementation. see https://developer.android.com/studio/build/shrink-code for mode clarification.
Happy Coding...
Single click solution (Windows only)
after reading this loooooonnnnnngggg post,
i have decided to create an automated process to decompile APKs in a single click,
i have decided to share it on github:
https://github.com/shaybc/apk-decompiler
simply unzip,
copy the apk you want to decompile into "apk-source" folder
and run "go.bat"
find the result in the: "apk-output" folder
thats it, enjoy
I've been driving myself crazy for days trying to get dex2jar to work on a fedora 31 laptop against an apk that just wasn't going to work. This python 3 script did the trick in minutes and installing jd-gui made class files human readable.
http://java-decompiler.github.io/
https://github.com/Storyyeller/enjarify
specifically, here's what I ran:
# i installed apktool before the rest of the stuff, may not need it but here it is
$> cd /opt
$> sudo mkdir apktool
$> cd apktool/
$> sudo wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
$> sudo wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.4.1.jar
$> sudo mv apktool_2.4.1.jar apktool.jar
$> sudo mv apktool* /usr/bin/
$> sudo chmod a+x /usr/bin/apktool*
# and enjarify
$> cd /opt
$> sudo git clone https://github.com/Storyyeller/enjarify.git
$> cd enjarify/
$> sudo ln -s /opt/enjarify/enjarify.sh /usr/bin/enjarify
# and finally jd-gui
$> cd /opt
$> sudo git clone https://github.com/java-decompiler/jd-gui.git
$> cd jd-gui/
$> sudo ./gradlew build
# I made an alias to kick of the jd-gui with short commandline rather than long java -jar blahblahblah :)
$> echo "jd-gui='java -jar /opt/jd-gui/build/launch4j/lib/jd-gui-1.6.6.jar'" >> ~/.bashrc
Now one should be able to rum the following to get class files:
$> enjarify yourapkfile.apk
And to start jd-gui:
$> jd-gui
Then just open your class files!
Use this tool
http://www.javadecompilers.com/
But recently, a new wave of decompilers has forayed onto the market: Procyon, CFR, JD, Fernflower, Krakatau, Candle.
Here's a list of decompilers presented on this site:
CFR -
Free, no source-code available, http://www.benf.org/other/cfr/
Author: Lee Benfield
Very well-updated decompiler! CFR is able to decompile modern Java features - Java 9 modules, Java 8 lambdas, Java 7 String switches etc.
It'll even make a decent go of turning class files from other JVM langauges back into java!
JD -
free for non-commercial use only, http://jd.benow.ca/
Author: Emmanuel Dupuy
Updated in 2015. Has its own visual interface and plugins to Eclipse and IntelliJ . Written in C++, so very fast. Supports Java 5.
Procyon -
open-source, https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
Author: Mike Strobel
Fernflower -
open-source, https://github.com/fesh0r/fernflower
Author: Egor Ushakov
Updated in 2015. Very promising analytical Java decompiler, now becomes an integral part of IntelliJ 14. (https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler)
Supports Java up to version 6 (Annotations, generics, enums)
JAD -
given here only for historical reason. Free, no source-code available, jad download mirror
Author: Pavel Kouznetsov
Yes, it is possible.
There are tons of software available to reverse engineer an android .apk file.
Recently, I had compiled an ultimate list of 47 best APK decompilers on my website. I arranged them into 4 different sections.
Open Source APK Decompilers
Online APK Decompilers
APK Decompiler for Windows, Mac or Linux
APK Decompiler Apps
I hope this collection will be helpful to you.
Link: https://www.edopedia.com/blog/best-apk-decompilers/

Decompiling .apk file created in Appcelerator and getting to .js files

Is there any way to get to .js files with code created with Appcelerator from compiled .apk?
I lost a source coude of one of projects and now have only .apk files and would like not to rewrite the whole code.
Thank in advance
If you would like to do this manually:
In release version of the app, Titanium puts all of the assets into Java class called AssetCryptImpl, you would have to decompile apk and look for that class file in the sources.
AssetCryptImpl file will contain private method called initAssetsBytes, which returns one large chunk of data as CharBuffer, which contains encrypted data for all of the asset files. The other method called initAssets, will contain all of the original asset filenames and also ranges for each of the asset files.
Asset data is encrypted using AES in ECB mode, and last 16 bytes from asset data are the decryption key. Asset decryption method implementation is inside JNI library but its not hard to rewrite. filterDataInRange will call native code to decrypt the resource.
You can easily rewrite filterDataInRange method, with your implementation, which will get the key and decrypt the resource data and write it to file. And write a method which will call readAsset for each filename from HashMap, from initAssets method.
If you want one click solution:
You can use the tool called ti_recover.
Install it with node package manager:
npm install ti_recover
Than use it from terminal/command line:
ti_recover apkfile.apk outputdir
Depends on how the Titanium app was built. If it's an emulator build, then yes, you can get the JavaScript files. If the apk is from a device or dist build, then no.
For device and dist builds, Titanium minifies and encrypts all JavaScript, then injects it into the Java code before compiling it.
So if you have an apk from an emulator build, you can just rename the .apk to .zip and unzip and the JS files will be there.
One thing to note is if your app is an Alloy app, then you'll only get the compiled Alloy code, not the original Alloy code. That means you won't find any .xml views, .tss styles, etc.
This Website might be your best bet. It uses a range of technologies to decompile .apk files.
You can try making a new folder and copy over the .apk file that you want to decode. Rename the extension of this .apk file to .zip (e.g. rename from filename.apk to filename.zip) and save it. After extructing, Now you can access the classes.dex files, etc. Also, in Asset folder you will get the resources. Though you can't get the .js file by following this process. You can use this http://www.javadecompilers.com/apk website. But still it will give you a java dicompilation.

Decompile android apk file to create java source code [duplicate]

How can one decompile Android DEX (VM bytecode) files into corresponding Java source code?
It's easy
Get these tools:
dex2jar to translate dex files to jar files
jd-gui to view the java files in the jar
The source code is quite readable as dex2jar makes some optimizations.
Procedure:
And here's the procedure on how to decompile:
Step 1:
Convert classes.dex in test_apk-debug.apk to test_apk-debug_dex2jar.jar
d2j-dex2jar.sh -f -o output_jar.jar apk_to_decompile.apk
d2j-dex2jar.sh -f -o output_jar.jar dex_to_decompile.dex
Note 1: In the Windows machines all the .sh scripts are replaced by .bat scripts
Note 2: On linux/mac don't forget about sh or bash. The full command should be:
sh d2j-dex2jar.sh -f -o output_jar.jar apk_to_decompile.apk
Note 3: Also, remember to add execute permission to dex2jar-X.X directory e.g. sudo chmod -R +x dex2jar-2.0
dex2jar documentation
Step 2:
Open the jar in JD-GUI
To clarify somewhat, there are two major paths you might take here depending on what you want to accomplish:
Decompile the Dalvik bytecode (dex) into readable Java source. You can do this easily with dex2jar and jd-gui, as fred mentions. The resulting source is useful to read and understand the functionality of an app, but will likely not produce 100% usable code. In other words, you can read the source, but you can't really modify and repackage it. Note that if the source has been obfuscated with proguard, the resulting source code will be substantially more difficult to untangle.
The other major alternative is to disassemble the bytecode to smali, an assembly language designed for precisely this purpose. I've found that the easiest way to do this is with apktool. Once you've got apktool installed, you can just point it at an apk file, and you'll get back a smali file for each class contained in the application. You can read and modify the smali or even replace classes entirely by generating smali from new Java source (to do this, you could compile your .java source to .class files with javac, then convert your .class files to .dex files with Android's dx compiler, and then use baksmali (smali disassembler) to convert the .dex to .smali files, as described in this question. There might be a shortcut here). Once you're done, you can easily package the apk back up with apktool again. Note that apktool does not sign the resulting apk, so you'll need to take care of that just like any other Android application.
If you go the smali route, you might want to try APK Studio, an IDE that automates some of the above steps to assist you with decompiling and recompiling an apk and installing it on a device.
In short, your choices are pretty much either to decompile into Java, which is more readable but likely irreversible, or to disassemble to smali, which is harder to read but much more flexible to make changes and repackage a modified app. Which approach you choose would depend on what you're looking to achieve.
Lastly, the suggestion of dare is also of note. It's a retargeting tool to convert .dex and .apk files to java .class files, so that they can be analyzed using typical java static analysis tools.
I'd actually recommend going here:
https://github.com/JesusFreke/smali
It provides BAKSMALI, which is a most excellent reverse-engineering tool for DEX files.
It's made by JesusFreke, the guy who created the fameous ROMs for Android.
Since Dheeraj Bhaskar's answer is relatively old as many years past.
Here is my latest (2019 year) answer:
Main Logic
from dex to java sourcecode, currently has two kind of solution:
One Step: directly convert dex to java sourcecode
Two Step: first convert dex to jar, second convert jar to java sourcecode
One step solution: dex directly to java sourcecode
Tools
jadx
Process
download jadx-0.9.0.zip, unzip it, in bin folder can see command line jadx or GUI version jadx-gui, double click to run GUI version: jadx-gui
open dex file
then can show java source code:
File -> save as gradle project
then got java sourcecode:
Two Step solution
Step1: dex to jar
Tools
dex2jar
Process
download dex2jar zip, unzip got d2j-dex2jar.sh, then:
apk to jar: sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk
dex to jar: sh d2j-dex2jar.sh -f ~/path/to/dex_to_decompile.dex
example:
➜ v3.4.8 /Users/crifan/dev/dev_tool/android/reverse_engineering/dex-tools/dex-tools-2.1-SNAPSHOT/d2j-dex2jar.sh -f com.huili.readingclub8825612.dex
dex2jar com.huili.readingclub8825612.dex -> ./com.huili.readingclub8825612-dex2jar.jar
➜ v3.4.8 ll
-rw------- 1 crifan staff 9.5M 3 21 10:00 com.huili.readingclub8825612-dex2jar.jar
-rw------- 1 crifan staff 8.4M 3 19 14:04 com.huili.readingclub8825612.dex
Step2: jar to java sourcecode
Tools
jd-gui: most popular, but many code will decompile error
CRF: popular, minor code will decompile error
Procyon: popular, no code decompile error
GUI tool based on Procyon
Luyten:
Bytecode Viewer
others
Krakatau
Fernflower
old one: AndroChef
etc.
Process
here demo Procyon convert jar to java source code:
download procyon-decompiler-0.5.34.jar
then using syntax:
java -jar /path/to/procyon-decompiler-0.5.34.jar -jar your_to_decompile.jar -o outputFolderName
example:
java -jar /Users/crifan/dev/dev_tool/android/reverse_engineering/Procyon/procyon-decompiler-0.5.34.jar -jar com.huili.readingclub8825612-dex2jar.jar -o com.huili.readingclub8825612
using editor VSCode to open exported source code, look like this:
Conclusion
Conversion correctness : Jadx > Procyon > CRF > JD-GUI
Recommend use: (One step solution's) Jadx
for more detailed explanation, please refer my online Chinese ebook: 安卓应用的安全和破解
A more complete version of fred's answer:
Manual way
First you need a tool to extract all the (compiled) classes on the DEX to a JAR.
There's one called dex2jar, which is made by a chinese student.
Then, you can use jd-gui to decompile the classes on the JAR to source code.
The resulting source should be quite readable, as dex2jar applies some optimizations.
Automatic way
You can use APKTool. It will automatically extract all the classes (.dex), resources (.asrc), then it will convert binary XML to human-readable XML, and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with
JARs obfuscated with Pro Guard!
Just tell APKTool to decode the APK into a directory, then modify what you want,
and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile.
The generated code won't be Java source.
But you should be able to read it, and even edit it if you're familiar with jasmin.
If you want Java source, please go over the Manual way.
Sometimes you get broken code, when using dex2jar/apktool, most notably in loops. To avoid this, use jadx, which decompiles dalvik bytecode into java source code, without creating a .jar/.class file first as dex2jar does (apktool uses dex2jar I think). It is also open-source and in active development. It even has a GUI, for GUI-fanatics. Try it!
I have used
dex2jar + jd-gui
javadecompilers.com
enjarify
Apktool
But none beats google's own tools
1)Android Studio 2.x:
build> analyze apk
2)Android Studio 3.0:
Profile or Debug APK
Since no one mentioned this, there's one more tool: DED homepage
Install how-to and some explanations: Installation.
It was used in a quite interesting study of the security of top market apps(not really related, just if you're curious): A Survey of Android Application Security
Once you downloaded your APK file , You need to do the following steps to get a editable java code/document.
Convert your apk file to zip (while start your download don't go with "save" option , just go with "save as" and mention your extension as .zip) by doing like this you may avoid APKTOOL...
Extract the zip file , there you can find somefilename.dex. so now we need to convert dex -> .class
To do that, you need "dex2jar"(you can download it from http://code.google.com/p/dex2jar/ , after extracted, in command prompt you have to mention like, [D:\dex2jar-0.09>dex2jar somefilename.dex] (Keep in mind that your somefilename.dex must be inside the same folder where you have keep your dex2jar.)
Download jad from http://www.viralpatel.net/blogs/download/jad/jad.zip and extract it. Once extracted you can see two files like "jad.exe" and "Readme.txt" (sometimes "jad.txt" may there instead of "jad.exe", so just rename its extension as.exe to run)
Finally, in command prompt you have to mention like [D:\jad>jad -sjava yourfilename.class] it will parse your class file into editable java document.
Android Reverse Engineering is possible
. Follow these steps to get .java file from apk file.
Step1 . Using dex2jar
Generate .jar file from .apk file
command : dex2jar sampleApp.apk
Step2 . Decompiling .jar using JD-GUI
it decompiles the .class files i.e., we'll get obfuscated .java back from the apk.
With Dedexer, you can disassemble the .dex file into dalvik bytecode (.ddx).
Decompiling towards Java isn't possible as far as I know.
You can read about dalvik bytecode here.
Recent Debian have Python package androguard:
Description-en: full Python tool to play with Android files
Androguard is a full Python tool to play with Android files.
* DEX, ODEX
* APK
* Android's binary xml
* Android resources
* Disassemble DEX/ODEX bytecodes
* Decompiler for DEX/ODEX files
Install corresponding packages:
sudo apt-get install androguard python-networkx
Decompile DEX file:
$ androdd -i classes.dex -o ./dir-for-output
Extract classes.dex from Apk + Decompile:
$ androdd -i app.apk -o ./dir-for-output
Apk file is nothing more that Java archive (JAR), you may extract files from archive via:
$ unzip app.apk -d ./dir-for-output
A lot has changed since most of these answers were posted. Now-a-days there a are many easy tools with GUI's, like these:
APK Easy Tool for Windows (GUI tool, friendly)
Bytecode Viewer - APK/Java Reverse Engineering Suite
URET Android Reverser Toolkit
Best place to find them is on the XDA Developers forum.
You might try JADX (https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler), this is a perfect tool for DEX decompilation.
And yes, it is also available online on (my :0)) new site: http://www.javadecompilers.com/apk/
This can be done in following five steps:
This gem does these things for you automatically even the installation of required tools
convert apk file to zip
unzip the file
extract classes.dex from it
use dex to jar to convert classes.dex into jar file
use jadx gui to open the jar file as java source code
Easiest method to decompile an android app is to download an app named ShowJava from playstore . Just select the application that needs to be decompiled from the list of applications. There are three different decompiler you can use to decompile an app namely -
CFR 0.110, JaDX 0.6.1 or FernFlower (analytical decompiler) .
If you're not looking to download dex2jar, then just use the apk_grabber python script to decompile any apk into jar files. Then you read them with jd-gui.

Reverse engineering from an APK file to a project

I accidently erased my project from Eclipse, and all I have left is the APK file which I transferred to my phone. Is there a way to reverse the process of exporting an application to the .apk file, so I can get my project back?
There are two useful tools which will generate Java code (rough but good enough) from an unknown APK file.
Download dex2jar tool from dex2jar.
Use the tool to convert the APK file to JAR:
Windows:
$ d2j-dex2jar.bat demo.apk
dex2jar demo.apk -> ./demo-dex2jar.jar
MacOS / Linux:
$ d2j-dex2jar.sh -f demo.apk -o demo.jar
Once the JAR file is generated, use JD-GUI to open the JAR file. You will see the Java files.
The output will be similar to:
Then you can use other tools to retrieve the AndroidManifest.xml and resource files (like images, translations, etc...) from the APK file.
Apktool
$ java -jar apktool.jar -q decode -f demo.apk -o outputDir
AXMLParser
$ apkinfo demo.apk
NinjaDroid
$ ninjadroid demo.apk --all --extract
First of all I recommend this video may this is clears all yours doubts
If not please go through it
Procedure for decoding .apk files, step-by-step method:
Step 1:
Make a new folder and put .apk file in it (which you want to decode). Now rename the extension of this .apk file to .zip (eg.: rename from filename.apk to filename.zip) and save it.
If problems in the converting into .zip please refers link
After getting .zip now you get classes.dex files, etc. At this stage you are able to see drawable but not xml and java files, so continue.
If you don’t see the extensions go through check the configuration
Step 2:
Now extract this zip apk file in the same folder. Now download dex2jar from this link
and extract it to the same folder. Now open command prompt and change directory to that folder.
Then write dex2jar classes.dex and press enter. Now you get classes.dex.dex2jar file in the same folder.
Then download java decompiler
And now double click on jd-gui and click on open file. Then open classes.dex.dex2jar file from that folder. Now you get class files and save all these class files (click on file then click "save all sources" in jd-gui) by src name. Extract that zip file (classes_dex2jar.src.zip) and you will get all java files of the application.
At this stage you get java source but the xml files are still unreadable, so continue.
Step 3:
Now open another new folder and put these files
put .apk file which you want to decode
download Apktool for windows v1.x And Apktool
install window using google and put in the same folder
download framework-res.apk file using google and put in the same folder (Not all apk file need framework-res.apk file)
Open a command window
Navigate to the root directory of APKtool and type the following command:
apktool if framework-res.apk.
Above command should result in Framework installed ....
apktool d "appName".apk ("appName" denotes application which you want to decode) now you get a file folder in that folder and now you can easily read xml files also.
Step 4:
Finally we got the res/ as well as java code of project which is our target at starting.
P.S. If you are not able to get res folder by above steps please do install new apktool
Is Java 1.7 installed? Install Apktool 2.x
Is Java 1.6 or higher installed? Install Apktool 1.x
Enjoy and happy coding
No software & No too much steps..
Just upload your APK & get your all resources from this site..
https://www.apkdecompilers.com/
This website will decompile the code embedded in APK files and extract all the other assets in the file.
note: I decompile my APK file & get code within one miniute from this website
Update 1:
I found another online decompiler site,
http://www.javadecompilers.com/apk/ - Not working continuously asking for popup blocking
Update 2:
I found apk decompiler app in play store,
https://play.google.com/store/apps/details?id=com.njlabs.showjava
We can decompile the apk files in our android phone. and also we can able to view the java & xml files in this application
Update 3:
We can use another option Analyze APK feature from Android studio 2.2 version
Build -> Analyze APK -> Select your APK -> it give results
In Android Studio 3.5, It's soo easy that you can just achieve it in a minute.
following is a step wise process.
1: Open Android Studio, Press window button -> Type Android Studio -> click on icon to open android studio splash screen which will look like this.
2: Here you can see an option "Profile or debug APK" click on it and select your apk file and press ok.
3:
It will open all your manifest and java classes with in a minute depending upon size of apk.
That's it.
Not really. There are a number of dex disassembler/decompiler suites out there such as smali, or dex2jar that will generate semi-humanreadable output (in the case of dex2jar, you can get java code through the use of something like JD-GUI but the process is not perfect and it is very unlikely that you'll be able to 100% recreate your source code. However, it could potentially give you a place to start rebuilding your source tree.
There is a new way to do this.
Android Studio 2.2 has APK Analyzer it will give lot of info about apk, checkout it here :- http://android-developers.blogspot.in/2016/05/android-studio-22-preview-new-ui.html
Try this tool: https://decompile.io, it runs on iPhone/iPad/Mac
Yes, you can get your project back. Just rename the yourproject.apk file to yourproject.zip, and you will get all the files inside that ZIP file. We are changing the file extension from .apk to .zip. From that ZIP file, extract the classes.dex file and decompile it by following way.
First, you need a tool to extract all the (compiled) classes on the DEX to a JAR.
There's one called dex2jar, which is made by a Chinese student.
Then, you can use JD-GUI to decompile the classes in the JAR to source code. The resulting source code should be quite readable, as dex2jar applies some optimizations.
Below are some of the tools which you can use to perform reverse engineering from an APK file to source code :
Dex2jar
Java decompiler
Apktool
Apk Analyser
For the Android platform, you can try ShowJava, available on the Play Store.
You can consult the generated code through the app interface and the generated java files and folders structure are stored in ShowJava folder in /sdcard, alongside the resulting .jar file from the conversion.
The app is free with an ad banner at the bottom of the main view, but there is an in-app purchase option (3,99$) to remove it. In-app purchase does not add any functionality beside removing the ad banner.
Disclosure : I'm not the developer of the app neither I'm affiliated with him in any way.
Follow below steps to do this or simply use apkToJava gem for this process, it even takes care of installing the required tools for it to work.
convert apk file to zip
unzip the file
extract classes.dex from it
use dex to jar to convert classes.dex into jar file
use jadx gui to open the jar file as java source code
If you are looking for a professional alternative, have a look at JEB Decompiler from PNF Software.
There is a demo version that will let you decompile most code.
Another tool that you may want to use is APK Studio
It relies howewer on third party tools: Apktool, jadx, ADB and Uber APK signer that you need to download separately.

How to obfuscate an APK in Android 2.1/2.2

We know in SDK 2.3 we can obfuscate APK with Proguard.
The question is: How to obfuscate APK in Andorid 2.1/2.2 SDK?
Edit the file (in the project root) project.propierties and add the line
proguard.config=proguard.cfg
And its done. When you try to generate the signed apk of your app it will take a little longer and it will be obfuscated.
If you receive the "Conversion to dalvik error" when generating the apk you need to update the proguard of your sdk. For doing it you need to go to the ProGuard page to the download section. Download the last stable version and put it content in
SDK_ROOT/tools/proguard
Deleting the existing content before of course.
You can check the Proguard manual at their page (link is above) and the Android's Proguard page for more info about ProGuard
if you want to verify if the code was obfuscated do this:
download:
1.
dex translator tool - http://code.google.com/p/dex2jar/
then this tool to view the classes:
JDGUI- http://java.decompiler.free.fr/?q=jdgui
2.
after you install dex2jar unzip it etc and remember the folder its in.
open up the apk file using winzip or winrar. You'll see a file there called classes.dex
copy that file into the same folder that dex2jar is in (the dex translator tool you just downloaded).
3.
In the same folder click on setclasspath.bat
Open up a command prompt and traverse to the same folder that dex translator is in and run:
dex2jar classes.dex
-another file shows up now. Open up JDGUI and open up the file that got generated its called classes_dex2jar.jar ....
4.
you can observe if the decompiled code is obfuscated(readable) now.

Categories

Resources