Storyyeller / Krakatau

Java decompiler, assembler, and disassembler
GNU General Public License v3.0

static code analysis tool in progress + ClassNotFoundException #127

Closed vincentcox closed 6 years ago

vincentcox commented 6 years ago

Background

I'm working on an (open source) static code analysis tool for investigating the security of mobile applications. The purpose is to search the files in the APK (or IPA) file for passwords, URLs, strings, ... To give you an idea, below is the screenshot of a report coming out of the tool (work in progress): [image]

As you can see, a certain file contains a URL which can further be used for testing the API (WEB).

The issue

I am struggling to get the source code out of the apk. I'm poking around with enjarify and managed to get .class files. Now this tool seems interesting to convert .class files to javascript source files (no worries, I will give credit and will adjust the license accordingly to this project). However when I try via the console, I get the following error:

 python decompile.py -path OUT -r enjarify
Krakatau  Copyright (C) 2012-17  Robert Grosse
This program is provided as open source under the GNU General Public License.
See LICENSE.TXT for more details.

Attempting to automatically locate the standard library...
Found at  /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/rt.jar
processing target enjarify/android/app/ActivityTracker, 5718 remaining
Loading enjarify/android/app/ActivityTracker
failed to open OUT/enjarify/android/app/ActivityTracker.class
Traceback (most recent call last):
  File "decompile.py", line 158, in <module>
    decompileClass(path, targets, args.out, args.skip, magic_throw=args.xmagicthrow)
  File "decompile.py", line 101, in decompileClass
    c = e.getClass(target.decode('utf8'))
  File "/mnt/d/Downloads_browser/Krakatau-master/Krakatau-master/Krakatau/environment.py", line 24, in getClass
    result = self._loadClass(name)
  File "/mnt/d/Downloads_browser/Krakatau-master/Krakatau-master/Krakatau/environment.py", line 90, in _loadClass
    raise ClassLoaderError('ClassNotFoundException', name)
Krakatau.error.ClassLoaderError:
ClassNotFoundException: enjarify/android/app/ActivityTracker
vincentcox@DESKTOP:/mnt/d/Downloads_browser/Krakatau-master/Krakatau-master$ ls /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/rt.jar
/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/rt.jar
vincentcox@DESKTOP:/mnt/d/Downloads_browser/Krakatau-master/Krakatau-master$

Do you have an idea on how to fix this?

If you have some recommendations/tips for me on my journey, feel free to post them.

Storyyeller commented 6 years ago

The Krakatau decompiler requires that all classes referenced by the jar to be decompiled have their definitions provided. So for any library the app uses, you'll need to pass that on the command line via -path. In particular, you'll need a copy of the relevant android sdk jar. Apart from that, it looks like you have your directories set up wrong. In general, it's a lot easier to decompile jars than unpacked folders.

But apart from that, I'm not sure whether you actually need Krakatau. If all you're doing is looking at constant strings, it will be a lot easier and faster and more reliable to just read the string table of the dex file(s) directly. Are you sure you need Java source code?
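Reading the DEX string table directly, as suggested in the comment above, can look like the following. This is an added example, not part of the original thread and not Krakatau code; the header offsets follow the published DEX format, while `build_sample_dex`, `SAMPLE_DEX` and the URL in it are constructed here for illustration.

```python
import re
import struct

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def dex_strings(buf):
    """Return every entry of the string_ids table of one classes.dex image."""
    if len(buf) < 0x70 or buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", buf, 56)  # string_ids_size, string_ids_off
    if table_off + 4 * count > len(buf):
        raise ValueError("string_ids table runs past end of file")
    strings = []
    for (data_off,) in struct.iter_unpack("<I", buf[table_off:table_off + 4 * count]):
        _, start = read_uleb128(buf, data_off)  # UTF-16 length; the bytes are NUL-terminated
        raw = buf[start:buf.index(b"\0", start)]
        # MUTF-8: U+0000 is stored as C0 80, astral characters as surrogate pairs.
        strings.append(raw.replace(b"\xc0\x80", b"\0").decode("utf-8", "surrogatepass"))
    return strings

def find_urls(buf):
    """Unique http(s) URLs found among the DEX string constants."""
    return sorted({u for s in dex_strings(buf) for u in URL_RE.findall(s)})

def build_sample_dex(strings):
    """Constructed input: header plus string table only, not an installable DEX."""
    table_off = 0x70
    data_base = table_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_base + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"  # ASCII only, < 128 chars
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 56, len(strings), table_off)
    return bytes(header) + ids + data

SAMPLE_DEX = build_sample_dex(["<init>", "https://api.example.test/v1/login", "Landroid/app/Activity;"])
```

An APK is a zip archive, so each `classes*.dex` member can be read with Python's `zipfile` module and passed to `find_urls`. Offsets in a file from an untrusted APK can point outside the buffer, in which case this parser raises rather than reading further.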

Storyyeller commented 6 years ago

Since you haven't responded, I'm going to go ahead and close this.

vincentcox commented 6 years ago

Sorry for the lack of response. The notification got buried in my emails. I really appreciate your answer because this gave me a new perspective on how to approach this problem. This issue can indeed be closed.

Storyyeller commented 2 years ago

Note that I'm currently working on a redesign, Krakatau 2, which is planned to remove this limitation.