Missing Java Annotations

[silverdragon727]

I was dealing with an app using Retrofit (Java Annotations play an important role in that library). Enjarify seemed to work smoothly, but when I opened output .jar frustrating things came out. I can't find any Java Annotation that should have applied to methods.
Unluckily I‘m not good at python so have no idea. Is enjarify planned to support Java Annotations?

[Storyyeller]

Which app is that? I didn't bother supporting annotations because that would complicate things and it didn't seem important, but if you have an example where it is necessary, I can look into it.

[Aspsine]

Same issues.
I think Retrofit, view/data inject with Anonotaions is very common in android development.

[Lanchon]

hi @Storyyeller,

dex2jar seems to be abandon-ware now, for a couple of years already. it has, as i remember you mentioned a long while back somewhere, some issues that enjarify supposedly fix. it hasn't been updated to handle dex 037, and typically chokes on 037 files if you override the version check.

enjarify seems to be our only option going forward, and thus its importance is growing.

you've rewritten enjarify from scratch in various languages (unfortunately none that builds to java bytecode) which makes it difficult to follow up your work, as we don't know which is the canonical implementation that will get updated in the future, if any.

IMHO it is very important for the reversing community, which includes android malware analysts, to have a high quality, up-to-date dedexer tool. a dedexer allows analysts to expand their limited dex toolsets with more mature tools developed for java bytecode.

unfortunately enjarify is not up to the task because translating annotations is necessary to retain the semantics of code. many libraries depend on runtime reflection of annotations. and one can presume that some code (picture obfuscated unpackers) depend on annotations being present in the class/dex files. (and some build tools definitely depend on annotations, but these tools have already been run by their creators on the code being analyzed.)

enjarify cannot replace the dying dex2jar until it can process annotations. i assume you work for google, and your employer has an interest in android malware analysis. maybe you can convince your employer that improving enjarify in this way is worthwhile.

from a technical standpoint i suspect there are two levels of translation needed. besides the actual format translation applied to all annotation instances, i believe some annotations will be instances of dalvikvm-defined annotation classes, and those will have to be replaced with their equivalent javavm-defined annotations. the complete set of required replacements should be found in the source of the dx tool for java 7, and of the jack toolset for java 8. but i assume you already know all of this.

thanks for your time, and thank you for your amazing work in enjarify and krakatau.

[Storyyeller]

Unfortunately, I no longer have the opportunity to work on Enjarify at Google. Any changes I make would have to be done on my own time, like the Rust rewrite I did.

[Lanchon]

that sucks. so which is going to be the real enjarify from now on? i know the go version won't. but rust or python?

[Storyyeller]

Python, though I might decide to switch to Rust at some point in the future. It's not that important right now as neither is being worked on, but the Python version is easier to use and is one patch ahead of the Rust version (2a94b40)