1
00:00:08,070 --> 00:00:14,940
So in the previous lesson we saw that by using APKtool we were able to obtain Smali code of an

2
00:00:14,940 --> 00:00:19,320
application for which we did not have the actual source code.

3
00:00:19,500 --> 00:00:26,290
In an ideal situation you would get the actual source code, but that is not possible. However, there are

4
00:00:26,290 --> 00:00:32,350
tools called decompilers that are able to provide almost-Java source code.

5
00:00:32,350 --> 00:00:39,180
There are a number of different decompilers available; popular ones include JD-GUI and Jad.

6
00:00:39,220 --> 00:00:43,340
However, there is one tool that contains a number of different decompilers.

7
00:00:43,360 --> 00:00:45,550
This tool is called Bytecode Viewer.

8
00:00:46,300 --> 00:00:49,360
So we downloaded this in the previous section.

9
00:00:49,360 --> 00:00:51,880
Let's go to our Downloads folder.

10
00:00:52,000 --> 00:01:04,390
Now we run it using "java -jar bytecode-viewer.jar". This tool is also available on Windows.

11
00:01:04,430 --> 00:01:09,270
In that case you would just click on the jar file.

12
00:01:09,340 --> 00:01:12,390
Now let's open the user interface of Bytecode Viewer.

13
00:01:13,580 --> 00:01:23,900
What we want to do here is add our APK, so home, flip cortex, and here we have the APK. So when you import

14
00:01:23,900 --> 00:01:30,830
the APK, Bytecode Viewer, which is an excellent tool, is going to decompile the app and provide you with

15
00:01:30,830 --> 00:01:38,110
the decompiled source as well as the bytecode and Smali. You have your packages on the left, and when

16
00:01:38,110 --> 00:01:45,930
you click on, say, MainActivity, you can see that we've got what looks like Java code.

17
00:01:46,120 --> 00:01:50,840
Now it is important to note that this is not compilable code.

18
00:01:51,130 --> 00:01:55,200
Usually there will be errors because the decompilation doesn't work perfectly.

19
00:01:56,450 --> 00:02:04,630
But from here you can see a more human-readable picture when compared to Smali. Now Bytecode Viewer

20
00:02:04,630 --> 00:02:05,840
has different panes.

21
00:02:06,880 --> 00:02:11,790
The first pane is the Java decompiler, which is decompiled using Fernflower.

22
00:02:12,160 --> 00:02:20,290
And here under the second pane you can see the actual bytecode, but we can change these.

23
00:02:20,380 --> 00:02:23,810
So for example, what if we don't want to use Fernflower,

24
00:02:23,830 --> 00:02:33,780
but instead we want to use JADX? Change the pane, close it and open it again, and here you see the

25
00:02:33,780 --> 00:02:41,580
same code decompiled using JADX. So sometimes you find that certain decompilers work while others give

26
00:02:41,580 --> 00:02:42,300
you errors.

27
00:02:43,730 --> 00:02:47,650
That is why a tool like Bytecode Viewer is great.

28
00:02:47,720 --> 00:02:51,560
Another thing you can do is set a pane to show Smali.

29
00:02:51,590 --> 00:03:00,290
So again, go to the pane and choose Smali code. Let's close this again, and again here you can see we

30
00:03:00,290 --> 00:03:07,850
now have JADX decompiled code on the left and the Smali code on the right. The Smali is the same code

31
00:03:07,880 --> 00:03:11,480
as we saw before using APKtool.

32
00:03:11,580 --> 00:03:16,090
So this is very good for seeing a side-by-side comparison.

33
00:03:16,150 --> 00:03:19,990
For example, here we have the request permission method in Java.

34
00:03:20,380 --> 00:03:29,130
And here we have it in Smali. So all of this method over here, which is request permission, translates

35
00:03:29,130 --> 00:03:38,540
to this code over here in Smali. So Java is more human-readable, but Smali is more reliable. The Smali

36
00:03:38,560 --> 00:03:46,050
code is compilable, meaning you can technically change some values in the Smali and recompile it.

37
00:03:46,180 --> 00:03:54,650
This is not the case with the decompiled Java, so this takes some getting used to. At least if you have a

38
00:03:54,650 --> 00:03:56,290
preference for seeing Java

39
00:03:56,360 --> 00:03:58,130
and maybe you hate Smali,

40
00:03:58,220 --> 00:04:03,440
you can use this view to follow the Smali code and understand what it is doing in its corresponding

41
00:04:03,440 --> 00:04:06,060
Java code.

42
00:04:06,290 --> 00:04:12,170
OK, so let's consider the challenge we presented earlier, where the network security analyst told us that

43
00:04:12,170 --> 00:04:20,350
they saw data being exfiltrated to postman-echo. Now Bytecode Viewer has a search utility over here.

44
00:04:22,130 --> 00:04:30,360
We can search strings, regex, method calls and field calls. So based on this suspicion that the network

45
00:04:30,360 --> 00:04:38,380
security analysts told us, let's search "postman", and yes, here we can see that there are two instances

46
00:04:38,410 --> 00:04:47,700
of postman-echo, and we can see one instance inside SMS receiver. Let's dig a little deeper into

47
00:04:47,700 --> 00:04:56,200
SMS receiver and try to figure out what's happening over here. So OK, here we have a broadcast receiver.

48
00:04:56,950 --> 00:04:58,450
In a broadcast receiver,

49
00:04:58,450 --> 00:05:04,590
we're going to tap on the onReceive. Now in onReceive,

50
00:05:04,630 --> 00:05:08,720
he's checking the SMS that we received, OK.

51
00:05:08,740 --> 00:05:17,720
They're creating the SMS, defining a string called SB2, so SB2 is the SMS that we just received.

52
00:05:17,720 --> 00:05:25,200
And here we can see that they are starting a new network task and passing the SMS as an input to the

53
00:05:25,200 --> 00:05:25,990
network task.

54
00:05:27,290 --> 00:05:36,040
We don't have the task over here, but we have it as SMSReceiver$NetTask, so NetTask is pointing

55
00:05:36,040 --> 00:05:38,590
to access$000.

56
00:05:38,860 --> 00:05:41,480
But we do not have decompiled code of

57
00:05:41,480 --> 00:05:44,450
access$000.

58
00:05:44,610 --> 00:05:46,670
So this is a good example for us.

59
00:05:46,680 --> 00:05:51,770
Here we have a case where we can try different decompilers to make better sense out of the code.

60
00:05:52,650 --> 00:05:58,680
So maybe JADX wasn't good enough to give us information. What we could do in that case is change the

61
00:05:58,680 --> 00:06:08,050
decompiler. Let's choose, for example, Fernflower, which was the default one. OK, close and open again.

62
00:06:09,130 --> 00:06:14,740
Now if we go to that task we can see it accessing access$000.

63
00:06:15,070 --> 00:06:23,900
Then if we go back to SMS receiver we can see what access$000 is doing. So what it is doing here

64
00:06:23,900 --> 00:06:33,810
is calling HTTP post and passing in the SMS data as a parameter. Then if we look in HTTP post we

65
00:06:33,810 --> 00:06:41,250
can see the postman-echo URL. So here we have some suspicious activity, where we have an app

66
00:06:41,280 --> 00:06:47,580
that is meant to be just a shopping list, and for some reason it created a broadcast receiver to receive

67
00:06:47,580 --> 00:06:56,240
SMS and it sent the SMS to a server. So just like that, by using the decompilers we've managed to

68
00:06:56,240 --> 00:07:01,310
go through the flow of the code, and we understood that this malware is actually doing something quite

69
00:07:01,310 --> 00:07:02,000
malicious.

70
00:07:03,280 --> 00:07:09,490
Also, it was a good example to show the need for different decompilers: some are better than others, and

71
00:07:09,490 --> 00:07:15,850
sometimes it is best to use them in combination. The most trustworthy source, however, is always Smali,

72
00:07:15,970 --> 00:07:17,440
since it is compilable.

73
00:07:18,100 --> 00:07:21,220
However, as we saw here, it is less human-readable.