{"id":1317,"date":"2014-12-26T19:59:33","date_gmt":"2014-12-26T17:59:33","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=1317"},"modified":"2014-12-26T19:59:33","modified_gmt":"2014-12-26T17:59:33","slug":"codeinspect","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2014\/12\/26\/codeinspect\/","title":{"rendered":"CodeInspect says &#8220;Hello World&#8221;: A new Binary Analysis Tool for Android and Java Bytecode"},"content":{"rendered":"<p>We are very happy to announce a new tool in our toolchain: <span style=\"text-decoration: underline\"><strong>CodeInspect<\/strong><\/span> <strong>&#8211; A Jimple-based Reverse-Engineering framework\u00a0for Android and Java applications<\/strong>.<\/p>\n<p>Developing an Android application in an IDE is very convenient since features like\u00a0<strong><em>code completion<\/em><\/strong>, <em>&#8220;<strong>Open Declaration<\/strong>&#8221;<\/em>, <strong><em>renaming variables<\/em><\/strong>, <strong><em>searching files<\/em><\/strong>\u00a0etc. help the developer a lot. Especially <strong><em>code-debugging<\/em><\/strong> is a very important feature\u00a0in IDEs. Usually, all those features are available for the source code and not for the bytecode, since they support the developer, not a reverse-engineer. But all those features would also be very helpful for\u00a0reverse-engineering Android or Java applications. This is the reason why we came up with a new reverse-engineering framework that works on the intermediate representation Jimple and supports all the features above and a lot more. In the following we give a detailed description of CodeInspect and its features.<!--more--><\/p>\n<p>CodeInspect\u00a0supports as input format a complete Android Application Package (<em>apk<\/em>), just the Android bytecode (<em>dex-file<\/em>) or a <em>jar-file<\/em>. 
In the following we will describe the different features based on a malicious Android apk.<\/p>\n<p>&nbsp;<\/p>\n<h1>Framework Overview<\/h1>\n<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/CodeInspectOverview.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-1329\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/CodeInspectOverview.png\" alt=\"CodeInspectOverview\" width=\"675\" height=\"342\" \/><\/a><\/p>\n<p>The figure above is a screenshot of CodeInspect. As one can see, CodeInspect is based on the Eclipse RCP framework. One can define a workspace with different projects (apks). Furthermore, CodeInspect contains different <em>perspectives<\/em>,\u00a0different <em>views<\/em>\u00a0and a new <em>editor<\/em> for the intermediate representation. The main perspectives are the &#8220;CodeInspect&#8221; perspective as shown in the screenshot and the &#8220;Debug&#8221; perspective, which is known from the general Eclipse IDE and includes views for\u00a0&#8220;Expressions&#8221;, &#8220;Breakpoints&#8221; and &#8220;Variables&#8221;. Other basic views in the CodeInspect perspective are:<\/p>\n<ul>\n<li>Project Explorer: Shows all the important files of an apk in a <em>readable<\/em> format.<\/li>\n<li>Outline: Shows all the fields and methods of a specific class. By clicking on an item, one directly jumps to the corresponding line in the code.<\/li>\n<li>Console: Shows the console output.<\/li>\n<li>Problems: Shows all the warnings and errors (e.g., compilation errors) that occur in the project.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1>Importing the Bytecode<\/h1>\n<p>Importing a complete apk is done with a few clicks. One just has to provide the path to the Android SDK, and the Android bytecode is converted into the human-readable intermediate representation &#8211; Jimple (more information in the next section). All other files stored in the apk are extracted. 
The following video shows the complete import process:<\/p>\n<div style=\"width: 584px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-1317-1\" width=\"584\" height=\"329\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Import.mp4?_=1\" \/><a href=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Import.mp4\">http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Import.mp4<\/a><\/video><\/div>\n<p>&nbsp;<\/p>\n<h1>Bytecode Intermediate Representation<\/h1>\n<p>Reading the bytecode of an application is most of the time not convenient for a reverse-engineer. Reading the source code is much more convenient. Unfortunately, decompiling the bytecode into source code is most of the time NOT 100% possible. Therefore, we use\u00a0an intermediate representation called Jimple\u00a0(&#8220;Java but simple&#8221;), which comes together with the static analysis framework <a href=\"https:\/\/github.com\/Sable\/soot\/wiki\">Soot<\/a>. The framework and the intermediate representation have existed for over 10 years now, and Soot has an active community. The Jimple\u00a0intermediate representation is, as the\u00a0name hints, a &#8220;Java-based&#8221; representation of the bytecode that is very easy to read. 
For further information on Jimple\u00a0or Soot, we refer the reader to the following sources:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/Sable\/soot\">https:\/\/github.com\/Sable\/soot<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Sable\/soot\/wiki\">https:\/\/github.com\/Sable\/soot\/wiki<\/a><\/li>\n<li><a href=\"http:\/\/sable.github.io\/soot\/\">http:\/\/sable.github.io\/soot\/<\/a><\/li>\n<li><a href=\"https:\/\/www.informatik.tu-darmstadt.de\/fileadmin\/user_upload\/Group_EC-Spride\/Publikationen\/Instrumenting_Android_and_Java_Applications_as_Easy_as_abc.pdf\">Instrumenting Android and Java Applications as Easy as abc<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1>General IDE Support<\/h1>\n<p>Features like code refactoring (e.g., renaming variables or methods), jumping to the declaration of a variable with a single click or debugging the application are useful during the development process. But on the other side, those features are also very useful for manually reverse-engineering the bytecode, which is most of the time very time-consuming. There is always a trade-off between time and money one wants to invest when reverse-engineering applications.\u00a0The following video shows an excerpt of the general IDE features of CodeInspect:<\/p>\n<div style=\"width: 584px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-1317-2\" width=\"584\" height=\"329\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_GeneralIDE.mp4?_=2\" \/><a href=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_GeneralIDE.mp4\">http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_GeneralIDE.mp4<\/a><\/video><\/div>\n<p>&nbsp;<\/p>\n<h1>Debugging<\/h1>\n<p>One of our main features in CodeInspect is the debug functionality. 
With the help of CodeInspect, one is able to\u00a0debug\u00a0the intermediate representation (Jimple) of the application. <strong><em>Just imagine debugging the source code of an Android application in Eclipse, except that in our case you are able to directly debug the bytecode, which is represented in\u00a0a human-readable intermediate representation!<\/em><\/strong><\/p>\n<p>CodeInspect supports all Android versions, including Android versions compiled to ART. Furthermore,\u00a0debugging works as you would expect it from\u00a0debugging the source code:<\/p>\n<ul>\n<li>set some breakpoints<\/li>\n<li>choose any Android device you want (NO emulator modification necessary!)<\/li>\n<li>click on &#8220;debug&#8221;<\/li>\n<\/ul>\n<p>and the compiled application gets debugged. In the following we show a video where CodeInspect uses its debugging feature:<\/p>\n<p>&nbsp;<\/p>\n<div style=\"width: 584px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-1317-3\" width=\"584\" height=\"329\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Debugger.mp4?_=3\" \/><a href=\"http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Debugger.mp4\">http:\/\/sseblog.ec-spride.de\/wp-content\/uploads\/2014\/12\/CodeInspect_Debugger.mp4<\/a><\/video><\/div>\n<p>&nbsp;<\/p>\n<h1>Code Modification<\/h1>\n<p>When reverse-engineering applications, it is always very convenient to modify the original (potentially malicious\/obfuscated) code. In the following we describe standard Jimple\u00a0code modifications, advanced Java-based modifications and manifest modifications.<\/p>\n<h2>Standard Jimple-Modification<\/h2>\n<p>We speak of a standard Jimple modification in cases where the Jimple\u00a0code gets modified either by removing Jimple\u00a0statements, modifying them, or by adding new Jimple\u00a0statements. 
This can be useful\u00a0for removing emulator checks in the code or &#8220;simulating&#8221; server responses by changing a<\/p>\n<p><span style=\"font-family: 'courier new', courier\">String a = InputStream.readLine();<\/span><\/p>\n<p>to<\/p>\n<p><span style=\"font-family: 'courier new', courier\">String a = <span style=\"color: #993366\">&#8220;#m1234:My Text&#8221;<\/span>;<\/span><\/p>\n<p>Adding new statements is supported by a code-completion feature.<\/p>\n<h2>Advanced Java-Based Modification<\/h2>\n<p>There are cases where a simple Jimple\u00a0modification is not sufficient or takes too long. Therefore, we added a feature where one can add Java source code or even Java projects to the original compiled apk. This means one can enhance the bytecode by adding Java source code, which is then compiled into the original apk.<\/p>\n<h2>Manifest Modifications<\/h2>\n<p>Advanced modifications in particular can require a modification of the Android manifest, e.g. when newly added code requires a new permission. 
But simpler modifications, such as changing the &#8220;<em>exported<\/em>&#8221; flag from <em>false<\/em> to <em>true<\/em>, are also very important, for instance for subsequent component fuzzing.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>How and when can I use it?<\/em><\/strong><\/p>\n<p>CodeInspect is currently in an alpha-testing phase, and we will provide more information on our <a href=\"http:\/\/sseblog.ec-spride.de\/\">blog<\/a> as soon as possible.<\/p>\n<p><em><strong>Involved in\u00a0this project are&#8230;<\/strong><\/em><\/p>\n<p>Marc Miltenberger, <a href=\"http:\/\/www.ec-spride.tu-darmstadt.de\/en\/research-groups\/secure-software-engineering-group\/staff\/steven-arzt\/\">Steven Arzt<\/a>, Stephan Huber,\u00a0<a href=\"http:\/\/www.ec-spride.tu-darmstadt.de\/en\/research-groups\/secure-software-engineering-group\/staff\/siegfried-rasthofer\/\">Siegfried Rasthofer<\/a>\u00a0and <a href=\"http:\/\/www.bodden.de\/about-me\/\">Eric Bodden<\/a><\/p>\n<p><strong><em>More information&#8230;<\/em><\/strong><\/p>\n<p>If you find this project interesting and want more concrete information, just contact\u00a0<a href=\"http:\/\/www.ec-spride.tu-darmstadt.de\/en\/research-groups\/secure-software-engineering-group\/staff\/siegfried-rasthofer\/#c105\">me<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are very happy to announce a new tool in our toolchain: CodeInspect &#8211; A Jimple-based Reverse-Engineering framework\u00a0for Android and Java applications. 
Developing an Android application in an IDE is very convenient since features like\u00a0code completion, &#8220;Open Declaration&#8221;, renaming variables, &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2014\/12\/26\/codeinspect\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6581,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,21,51,71],"tags":[],"class_list":["post-1317","post","type-post","status-publish","format-standard","hentry","category-android","category-dynamic-analysis","category-security-analysis","category-static-analysis"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6581"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=1317"}],"version-history":[{"count":0,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1317\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=1317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categories?post=1317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/tags?post=1317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}