This slideset presents the motivation behind the Android bytecode disassembler called dedexer and sets the expectations with some examples.

1. The dedexer disassembler
Gabor Paller
gaborpaller@gmail.com
2009.10.22

2. Background
● As we all know, Android is a Linux-Java
platform.
● The underlying operating system is a version of
Linux
● The application model exposed to the developer is
Java-based
● Android is not Java
● Google does not use the Java logo in relation with
Android
● Android application model has no relationship with
any Java standard (JSR)

3. Dalvik
● At the core of Android, there is the proprietary
Dalvik virtual machine executing Android
programs.
● Some interesting Dalvik properties
● It lives in symbiosis with the Linux process/access
right system to provide application separation
● It has its own bytecode format which is in distant
relationship with the Java bytecode format

4. Life of a Java application in Android
● Java is just a front-end
● Developer codes in Java
● The source code is compiled by the Java compiler
into .class files
● Then the dx (dexer) tool which is part of the Android
SDK processes the .class files into Dalvik's
proprietary format
● The result of a proprietary file format called DEX
that contains Dalvik bytecode.
● The format has no relationship with the Java
bytecode

5. Why should you care?
● Well, you shouldn't
● You have to dig very deep to find discrepancies
between the execution environment projected by
Dalvik and JVM (classloading).
● If you develop your own language (like Simple), you
may compile directly to Dalvik bytecode. Even in
this case there is an option of compiling to Java
bytecode first and leave the Dalvik bytecode to dx.
● Big exception: reverse engineering

6. Inside the APK

7. Disassembly options
● For binary XML files, use a binary-to-textual
XML converter like AXMLPrinter2
● For the DEX file, use dedexer
● Alternative products:
– Dexdump – comes with the Android SDK, less convenient
to use than dedexer because e.g. it does not support
labels, produces one large file, etc.
– Baksmali – a competing open-source DEX disassembler.
Comes with a Dalvik bytecode assembler (smali)
● In any case, you have to live with Dalvik
bytecode disassembly – there's no way back to
Java presently!

8. Using dedexer
● Download ddx.jar from
http://dedexer.sourceforge.net
● Unpack the DEX file from the APK file.
● Issue:
java -jar ddx.jar -d target_dir source_dex_file
● The decompiled files will be produced in
target_dir with .ddx extension. We will learn,
how to read those files.

9. Before
● class PatternSet {
Pattern[] patterns; /* whole
pattern set */
Pattern[] trainingpatterns; /*
patterns to be used during training */
Pattern[] crossvalpatterns; /*
patterns to be used during cross
validation */
...

10. After
● .class PatternSet
.super java/lang/Object
.source PatternSet.java
.field crossvaldeviations [D
.field crossvalpatterns [Lpattern;
.field patterns [LPattern;

11. Before
● public PatternSet (String sourceFile,
int noofinputs, int nooftargets, double
ratiotraining, double ratiocrossval,
double ratiotest, Randomizer randomizer)
{
...

12. After
● .method public
<init>(Ljava/lang/String;IIDDDLRandomize
r;)V
.limit registers 23
; this: v12 (LpatternSet;)
; parameter[0] : v13
(Ljava/lang/String;)
; parameter[1] : v14 (I)
; parameter[2] : v15 (I)
; parameter[3] : v16 (D)
; parameter[4] : v18 (D)
; parameter[5] : v20 (D)
; parameter[6] : v22 (LRandomizer;)

13. Before
LineReader linereader = new
LineReader(sourceFile);
int counter = 0;
double temp_double;
while (linereader.NextLineSplitted()){
...

14. After
● new-instance v1,LineReader
; v1 : LlineReader;
invoke-direct {v1,v13},LineReader/<init>
; <init>(Ljava/lang/String;)V
; v1 : LLineReader; , v13 : Ljava/lang/String;
.line 27
const/4 v2,0
; v2 : single-length
l24aa:
.line 29
invoke-virtual
{v1},LineReader/NextLineSplitted ;
NextLineSplitted()Z
; v1 : LlineReader;
move-result v3 ; v3 : single-length
if-eqz v3,l24da ; v3 : single-length

15. Comments
● Instruction set is available on the
http://dedexer.sourceforge.net page.
● This was generated with the brand new
dedexer feature (-r switch) that tracks register
usage. It is essentially a data flow analyser.

16. Conclusion
● Reverse-engineering of DEX files is more
tiresome than it could be.
● Presently, knowledge of Dalvik bytecode is
required.
● Dedexer does less than it could when
disassembling optimized DEX (ODEX) files.
● This is the main direction of development
currently.
● I do not intend to do DEX-to-Java.