Dalvik and Disassembly#
Plugins generate IUnit objects. Units can generate documents abiding to a standard interface, making them easy to render by clients implementing the JEB API. The primary document generated by an IDexUnit is a text document representing the disassembly of the input DEX files - or merged DEX files.
Auto dex merging#
Merging is done automatically, regardless of index limitations in place that may have required dex-splitting in the first place.
In rare cases, you may want to disable merging. Upon loading an APK, several APK plugin options will be presented to you. Untick Merge multi-dex to disable auto-merging:
DEX parsing options#
DEX plugin options are accessible in the Engines options UI panel. Filter on "dex." to list them.
The user will also be presented a Processing Properties dialog box when opening a new file, giving the user a chance to adjust the default options stored in your jeb-engines.cfg files.
Addressing#
All addresses to types, methods and fields uses the canonical JVM notation, e.g.:
- type Blah in package com.abc:
Lcom/abc/Blah; - method foo(int):void in the type com.abc.Blah:
Lcom/abc/Blah;->foo(I)V - field name:String in the type com.abc.Blah:
Lcom/abc/Blah;->name:Ljava/lang/String
JEB extends the method notation to reference code locations via a suffix +OFFSET.
- Reference the instruction at offset 0x20 in the internal method foo():
Lcom/abc/Blah;->foo(I)V+20h
Types Naming Conventions#
Historically, addressing in Java can be quite confusing. There exists three types of notations:
- The JVM notation (canonical representation) is the one used by DEX's TypeDescriptors, e.g.
Ljava/lang/Object;. JEB's DEX plugins use and provide JVM canonical names. - Two JLS notations:
- binary form, uses dots to separate package names, e.g.:
java.lang.Object - internal binary (or just, 'internal') uses slashes, e.g.:
java/lang/Object
- binary form, uses dots to separate package names, e.g.:
- The java.lang.Class API uses inconsistent representations, mostly the binary form.
Android plugins use the JVM notation internally and externally (public API).
Example: to reference a method void foo(String) in package a.b.c, its JVM address should be provided: La/b/c;->foo(Ljava/lang/String;)V. API methods using DEX addresses expect canonical addresses. The graphical client is less strict: although it expects canonical addresses by default as well, fall-back mechanisms are implemented to determine which address the user may have intended to use, and attempt to see if it's a match.
See our Reference Document.
Disassembly#
The default output uses modified smali (as explained in the previous section). Rendering options, accessible by a mouse right-click, can be used to customize the output.
