radare opened this issue 5 years ago (status: Open)
More information on integration as well (though it is more relevant to the native code):
@radare such integration will be great! I will do my best to help you!
The output of the decompiler in JSON format
You are right the only way to output additional information is to use another format instead java source code. For me JSON is good. So we need to decide what information you need and how to organize it. Maybe you can provide output example or point a link if this format already defined somewhere.
Nope. There’s no such json spec anywhere. So feel free to define one that fits java/dalvik
As I said, the main requirement is to know the address of the first instruction that is related to a specific line in the decompiler output.
@radare I made the implementation of JSON output, please check PR #690. Feel free to post any suggestions :)
I will try tonight or tomorrow to write the r2pipe script that parses those JSON files and loads the info into r2.
Sorry, I was really busy IRL this weekend. Here's the PoC:
https://github.com/radare/radare2-extras/commit/c7ffc478e57d274aee34929a3ca675afa93bba06
I have some more improvements in mind, but I've noticed some source lines contain no offset. I'm just inheriting the last one, or the method one if none is found. But this shouldn't happen, I think.
Some other information that would be good to add is the low-level analysis information like conditional branches, so I can basically use jadx as an analysis backend for r2 for Java and Dalvik code, because right now r2 is not handling the try/catch blocks, so the code in those regions is not considered part of the function.
About your comment on the methods section: yeah, that's known, but since last week Dalvik files weren't loaded properly and I did some huge refactorings in the rbin API this month, and properly printing those is in my todo list. Having jadx integrated will simplify many situations and help me improve r2.
Here are some screenshots of the PoC script for r2:
Bear in mind that this is loaded as comments for now; I have half of the logic done to load this as source lines, to be able to use the source debugger APIs for emulation and debugging.
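A sketch of what a PoC-style r2pipe loader could look like (an added example, not the radare2-extras script and not jadx's JSON output, whose shape the thread leaves undefined): it assumes a hypothetical per-method JSON layout, inherits the last known offset for lines that lack one and reports those lines, and emits r2 comment commands for each address.

```python
import base64
import json

# Constructed sample in a hypothetical JSON shape (the thread defines no spec):
# per method, "offset" is the method's own address and each source line may
# carry the "offset" of the first instruction related to it.
SAMPLE_JSON = """{ "methods": [ {
  "name": "Landroid/support/v4/app/Fragment;->getContext()Landroid/content/Context;",
  "offset": "0x001d5470",
  "lines": [
    {"line": 1, "offset": "0x001d5470", "code": "public Context getContext() {"},
    {"line": 2, "offset": "0x001d5474", "code": "    if (this.mHost == null) {"},
    {"line": 3, "code": "        return null;"},
    {"line": 4, "code": "    }"},
    {"line": 5, "offset": "0x001d547c", "code": "    return this.mHost.getContext();"},
    {"line": 6, "code": "}"}
  ] } ] }"""

def load_sample():
    return json.loads(SAMPLE_JSON)

def map_lines(doc):
    """Map each address to its source lines; also list lines lacking "offset",
    which inherit the last known address (the method's own, if none yet)."""
    by_addr, missing = {}, []  # dict keeps insertion order (Python 3.7+)
    for method in doc["methods"]:
        last = int(method["offset"], 16)
        for entry in method["lines"]:
            if "offset" in entry:
                last = int(entry["offset"], 16)
            else:
                missing.append((method["name"], entry["line"]))
            by_addr.setdefault(last, []).append(entry["code"])
    return by_addr, missing

def r2_commands(by_addr):
    """One CCu (add unique comment) per address; base64 keeps quotes, ';' and
    '#' in the Java source away from r2's command parser."""
    cmds = []
    for addr, lines in by_addr.items():
        payload = base64.b64encode("\n".join(lines).encode()).decode()
        cmds.append("CCu base64:%s @ 0x%08x" % (payload, addr))
    return cmds

def load_into_r2(dex_path, cmds):
    import r2pipe  # only needed when pushing into a live r2 session
    r2 = r2pipe.open(dex_path)
    for cmd in cmds:
        r2.cmd(cmd)
    r2.quit()
```

Lines 3, 4 and 6 of the sample carry no offset and are reported by `map_lines`, which is the situation described above; `load_into_r2` needs r2pipe and a real dex file, the rest runs offline.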
Wow, this looks nice :+1:
But high-level Java code does not fit well with low-level disassembly; there are tons of differences like:
- inverted conditions - jadx can invert a condition to make the code look "better"
- duplicated return - jadx can split a return into several parts; each part will have the same offset but a different argument
- lots of removed code for "resugaring"
So I think jadx needs to output more low-level code for a better match. For now, you can check the --fallback CLI option, which will output just disassembly, but I can make it look more "Java" with inlining and nice variable names.
radare2:
/ (fcn) sym.Landroid_support_v4_app_Fragment.method.getContext__Landroid_content_Context 26
| sym.Landroid_support_v4_app_Fragment.method.getContext__Landroid_content_Context ();
| 0x001d5470 54108017 iget-object v0, v1, Landroid/support/v4/app/Fragment;->mHost Landroid/support/v4/app/FragmentHostCallback; ; Fragment.java:580
| ,=< 0x001d5474 39000400 if-nez v0, 0x001d547c
| | 0x001d5478 1201 const/4 v1, 0
| ,==< 0x001d547a 2807 goto 0x001d5488
| |`-> 0x001d547c 54118017 iget-object v1, v1, Landroid/support/v4/app/Fragment;->mHost Landroid/support/v4/app/FragmentHostCallback;
| | 0x001d5480 6e1016120100 invoke-virtual {v1}, Landroid/support/v4/app/FragmentHostCallback.getContext()Landroid/content/Context; ; 0x1216 ; sym.Landroid_support_v4_app_FragmentHostCallback.method.getContext__Landroid_content_Context
| | 0x001d5486 0c01 move-result-object v1
\ `--> 0x001d5488 1101 return-object v1
jadx fallback mode:
public android.content.Context getContext() {
    r1 = this;
    android.support.v4.app.FragmentHostCallback r0 = r1.mHost
    if (r0 != 0) goto L_0x0006
    r1 = 0
    goto L_0x000c
L_0x0006:
    android.support.v4.app.FragmentHostCallback r1 = r1.mHost
    android.content.Context r1 = r1.getContext()
L_0x000c:
    return r1
}
decompiled code:
public Context getContext() {
    if (this.mHost == null) {
        return null;
    }
    return this.mHost.getContext();
}
Original code (from https://android.googlesource.com/platform/frameworks/support/+/cef09fe/v4/java/android/support/v4/app/Fragment.java#620):
public Context getContext() {
    return mHost == null ? null : mHost.getContext();
}
Anyway, the current output can be shown as is alongside the radare disassembly :)
On 16 Jun 2019, at 22:28, skylot notifications@github.com wrote:
But high-level Java code does not fit well with low-level disassembly; there are tons of differences like:
- inverted conditions - jadx can invert a condition to make the code look "better"
- duplicated return - jadx can split a return into several parts; each part will have the same offset but a different argument
- lots of removed code for "resugaring"
Yeah, this is a PoC, which works fine with r2dec because it doesn't perform many optimizations on the IR, but I'm improving the support for this, and maybe it will be good to have different levels of decompilation optimizations, so r2 could be used to debug them and improve the decompilers in cases where false translations or compilation errors happen.
So I think jadx needs to output more low-level code for a better match. For now, you can check the --fallback CLI option, which will output just disassembly, but I can make it look more "Java" with inlining and nice variable names.
Yeah, with this the graphs look nicer indeed :) Thanks for the tip! I'll finish the script and make an r2pm package for it, so it will be easier to integrate with Cutter too.
Is this undefined offset for some lines intended?
It will need to be merged into master (and it will be good to know when you plan to do another release), so it will be easier for the users to use the plugin without having to build it from git.
Anyway, the current output can be shown as is alongside the radare disassembly :)
Yeah, like in the last screenshot, and it may look good also in panels.
Is this undefined offset for some lines intended?
No, I just have not finished attaching offsets in some places, because the current code generation is too high level and sometimes doesn't know about the original instructions. I think I miss offsets for places like try/catch, loop headers, switch and synchronized blocks. If you find other places, please tell me ))
And it will be good to know when you plan to do another release.
I will make a release as soon as you need it. Actually, I made lots of changes (like rewriting some parts from scratch) and jadx is not very stable just now, but I think it is better than the previous release :)
@radare @skylot is this still being worked on?
Jadx has changed and improved a lot in the last three and a half years, so I think it's worth revisiting this idea.
Yes, I was planning to come back to check jadx before r2-5.8 is out and improve the integration with the r2jadx decompiler (r2pm package) and see if there's anything else that jadx can do to expose the data to integrate with r2 (or other tools).
I have been evaluating the case of having jadx integrated with r2. I can do the necessary glue to get the data loaded into r2, but I will need some more information from jadx to have this.
This is the only thing I will need to get it working:
Since parsing the textual output is always tricky, it will be good to have an option to get:
This should also contain mapping information to rename all the symbols when the deobf option is used, for example.