Home
GDA is a Dalvik bytecode decompiler written entirely in C++. Unlike most app analysis tools, GDA does not rely on the Java platform, and it translates the bytecode directly into Java code without going through Smali first, which makes it more compact, more portable and faster. It supports APK, DEX, ODEX and OAT files.
Open GDA and drag the APK file you want to analyze into the main window:
1. View all strings in the DEX;
2. View all strings used by methods;
3. View all APIs used by methods;
4. View the AndroidManifest file;
5. Show data in hexadecimal;
6. Suspicious behavior (malicious behavior analysis);
7. Vulnerability static scanning (to be implemented);
8. Expand permissions and view the methods to which each permission belongs;
9. Classes and methods; if there is more than one DexClass* node, the APK uses multi-dex.
10. DEX header: click a "DexClass*" item to display the corresponding header. Each color block represents a different area of the header, and a tip is shown when the mouse moves over it. Right-click an area that holds an offset to jump to the referenced location.
11. Overview of the permissions requested by the application;
12. Double-click to view the access history;
13. Click to enter the entry function (method);
14. Connect an Android device for a memory dump.
If the app is packed, GDA automatically recognizes the packer and shows it between the DEX header and the APK permissions; otherwise nothing is shown there.
As shown in the figure:
The DEX header view is just for fun: moving the cursor over a field shows a tip describing it, and right-clicking a color block shows the sub-header or the offset table.
Then click the 'Entry' button at the top right of the main window to jump to the APK entry function (usually onCreate of the main Activity):
Here, press F5 to view the Smali code, as in the following picture.
Double-click a method to jump into it, and press X to search for its callers (cross-references). Double-click one of the callers to view its decompiled code.
We can also expand the tree on the left of the GUI and right-click a node to get a pop-up menu like the following figure:
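The color blocks in that header view map onto the fixed 0x70-byte DEX header layout. As an added example (not GDA's own code), the following Python parses that layout, names the field under a given offset the way the hover tip does, and recomputes the adler32 checksum and SHA-1 signature that the DEX format defines; the sample file it builds is a constructed header-only DEX with empty tables.

```python
import hashlib
import struct
import zlib

# Layout of the 0x70-byte DEX header (field name, struct format code), in file order.
DEX_HEADER_FIELDS = [
    ("magic", "8s"), ("checksum", "I"), ("signature", "20s"),
    ("file_size", "I"), ("header_size", "I"), ("endian_tag", "I"),
    ("link_size", "I"), ("link_off", "I"), ("map_off", "I"),
    ("string_ids_size", "I"), ("string_ids_off", "I"),
    ("type_ids_size", "I"), ("type_ids_off", "I"),
    ("proto_ids_size", "I"), ("proto_ids_off", "I"),
    ("field_ids_size", "I"), ("field_ids_off", "I"),
    ("method_ids_size", "I"), ("method_ids_off", "I"),
    ("class_defs_size", "I"), ("class_defs_off", "I"),
    ("data_size", "I"), ("data_off", "I"),
]
HEADER_FMT = "<" + "".join(fmt for _, fmt in DEX_HEADER_FIELDS)
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x70 == 112

def parse_dex_header(data):
    """Split the first 0x70 bytes of a DEX image into a dict of named fields."""
    values = struct.unpack_from(HEADER_FMT, data, 0)
    return dict(zip((name for name, _ in DEX_HEADER_FIELDS), values))

def verify_dex(data):
    """Recompute the integrity fields exactly as the DEX format defines them."""
    hdr = parse_dex_header(data)
    magic_ok = hdr["magic"][:4] == b"dex\n" and hdr["magic"][7:8] == b"\x00"
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"]  # adler32 of offset 12..EOF
    signature_ok = hashlib.sha1(data[32:]).digest() == hdr["signature"]       # SHA-1 of offset 32..EOF
    size_ok = hdr["file_size"] == len(data) and hdr["header_size"] == HEADER_SIZE
    return {"magic_ok": magic_ok, "checksum_ok": checksum_ok,
            "signature_ok": signature_ok, "size_ok": size_ok}

def field_at_offset(offset):
    """Name the header field containing a byte offset (what GDA's hover tip shows)."""
    pos = 0
    for name, fmt in DEX_HEADER_FIELDS:
        width = struct.calcsize(fmt)
        if pos <= offset < pos + width:
            return name
        pos += width
    return None

def build_sample_dex():
    """Constructed sample: a header-only DEX (empty tables) with valid checksum and signature."""
    fields = [b"dex\n035\x00", 0, b"\x00" * 20, HEADER_SIZE, HEADER_SIZE, 0x12345678] + [0] * 17
    body = bytearray(struct.pack(HEADER_FMT, *fields))
    body[12:32] = hashlib.sha1(body[32:]).digest()                          # signature field
    body[8:12] = struct.pack("<I", zlib.adler32(body[12:]) & 0xFFFFFFFF)   # checksum field
    return bytes(body)
```

A repacked or patched DEX whose checksum and signature no longer verify is a quick indicator that the file was modified after build.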
Soon, we will do more things with GDA.
The shortcut key description
GDA shortcut key
shortcut | description |
---|---|
F5 | Switch between Java and Smali code |
F | Trace the arguments and return value by data-flow analysis |
X | Cross-reference: locate callers (of strings, classes, methods, fields, Smali, Java) |
Esc / <- / Backspace | Back to the last visit |
-> | Forward to the next visit |
G | Jump to an offset you enter |
N | Rename a variable/method/class |
S | Search all elements for the given string |
C | Add a comment (Java code only) |
Double-click | Double-click the name of a method/string/field/class to view it |
M | With the cursor on a Smali code line, press M to edit the instruction |
Up (△) | Press the up key to move to the previous method in the tree control |
Down (▽) | Press the down key to move to the next method in the tree control |
D | Dump the binary data of a method (Smali mode only) |
Enter | Apply the modification in an edit box |
H | Show data in hex |
Ctrl+H | Open the search history window |
Ctrl+A | Select all |
Ctrl+C | Copy |
Ctrl+V | Paste (editable boxes only) |
Ctrl+X | Cut |
Ctrl+F | Find a string in the current window |
Ctrl+S | Save the modifications to the GDA database file |
GDA's self-implemented decoding functions can bypass anti-decoding tricks. The alg-tool supports the following algorithms:
Hash algorithms: md2 md4 md5 sha sha1 sha224 sha256 sha384 sha512
Symmetric encryption: des idea rc2 rc4 rc4-40 rc2-40 rc2-64 bf cast5 aes (128 192 256), with modes such as ecb cbc ofb cfb, and other modes such as cfb1 cfb8
Asymmetric encryption: RSA
Encoding algorithms: base62, base64
The alg-tool accepts three kinds of input for the key, plaintext and ciphertext: 1. a string typed directly as the source data; 2. binary data indicated by the "hex:" prefix, as in the following figure; 3. a file, chosen from the file dialog that opens when you double-click the text box.
For more detail, please visit the following links: https://zhuanlan.zhihu.com/p/26341224
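The "hex:" prefix matters when a key or ciphertext contains bytes that cannot be typed as text. As an added example (not GDA's code), this Python helper applies the same input convention and runs the hash and base64 algorithms listed above that the standard library provides; the "base64-decode" name is my own label for the decoding direction.

```python
import base64
import hashlib

# Hash names from the alg-tool list that Python's hashlib guarantees (md2, md4 and plain sha are not).
HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

def parse_alg_input(text):
    """Same convention as the alg-tool: 'hex:' means raw bytes, anything else is a literal string."""
    if text.startswith("hex:"):
        return bytes.fromhex(text[4:].replace(" ", ""))
    return text.encode("utf-8")

def run_alg(alg, text):
    """Apply one of the page's hash or encoding algorithms to an input written in that convention."""
    data = parse_alg_input(text)
    if alg in HASHES:
        return hashlib.new(alg, data).hexdigest()
    if alg == "base64":
        return base64.b64encode(data).decode("ascii")
    if alg == "base64-decode":
        return base64.b64decode(data).hex()   # raw bytes come back as hex so they stay printable
    raise ValueError("unsupported algorithm: " + alg)
```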
This section introduces the basic usage of GDA through a malware sample file.
A. Summary Analysis
Summary analysis gives a first overview of the whole APK. Here an Android malware sample illustrates the usage of GDA.
- First, drag the malware sample into GDA to see its basic information. Whether the APK is packed can be judged from this information: if it is not packed, nothing is shown between DexHeader and Permission.
- Then check the permissions of the APK. As seen at the bottom of the main window, the APK requests many dangerous permissions, e.g. READ_SMS, SEND_SMS, READ_CALL_LOG, READ_PHONE_STATE and so on.
- By clicking the toolbar button marked in red, we can check the signature information of the APK.
- In addition, the AndroidManifest node at the top of the tree control guides you through the configuration of Activity, Service, Receiver and other components in AndroidManifest.xml.
- Next, click MalScan in the tree box to scan the APK for malicious behavior. The following figure shows that the malware has many malicious operations.
If we want to go further and see what a method does, double-click method@xxxxxx to view its code, for example "[method@0001e5]: com.itcast.cn112.m.a" below "#Read contacts, SMS and other information:". The code of this method is shown in the following figure. To analyze the Smali code instead, just press F5.
As the figure shows, this method accesses SMS.
We can also see the strings and APIs used by the DEX. AllStrings shows all strings in the DEX, and AppStrings shows the strings referenced by method code; in practice AppStrings is the more useful list. The string@ area also supports cross-reference (X), editing (right-click) and double-click. The method@ area of AllAPI supports cross-reference as well.
B. Java pseudo-code analysis
Here we mainly show some interactive operations on the Java code. The following is a brief introduction to the basic use of GDA.
- Begin with the entry point: click the entry button to view the entry method. To mark identified methods, fields or classes, we can rename them. For example, double-click a.d() and the following figure is shown. It is obviously used to log information, so we rename the method 'log'; GDA updates every position that references it. Then rename all the other identifiable methods in the same way.
![](https://github.com/charles2gan/GDA-android-reversing-Tool/blob/master/GDA_PIC/24_modified name.png)
For a further description, comments (C) can be used.
To analyze the callers of the current method, view them by cross-reference.
To find where a string is used, place the cursor between the double quotes and press X to see the referencing methods.
This finishes the basic usage. If you run into problems, please comment, and error reports are welcome.