Vdex Extractor
A command-line tool for decompiling and extracting Android Dex bytecode from Vdex files.
Compilation
Clone this repository
If you want to cross-compile for Android devices, install the Android NDK
Run the make.sh bash script with the required build target:
$ ./make.sh – If CC is not defined from env, gcc is used by default
$ ./make.sh gcc – Compile with gcc
$ ./make.sh clang – Compile with clang
$ ./make.sh cross-android – Cross-compile using NDK (armeabi-v7a, arm64-v8a, x86, and x86_64)
Executables are copied to the bin directory
For a debug build use $ DEBUG=true ./make.sh
Dependencies
The following external libraries should be installed on the host system:
zlib
macOS: brew install zlib-devel
macOS with macports: port install zlib
Linux: apt install libz-dev
Other Linux/Unix systems: Check available package managers or compile from source
Windows using cygwin: Install zlib-devel from the cygwin installer
Usage
$ bin/vdexExtractor -h
vdexExtractor ver. 0.5.2
Anestis Bechtsoudis
Copyright 2017 - 2018 by CENSUS S.A. All Rights Reserved.
-i, --input= : Input directory (recursive search) or single file
-o, --output= : Output path (default same as input)
-f, --file-override : Allow overwrite if file already exists (default:false)
--no-unquicken : Disable unquicken bytecode decompiler (don't de-odex)
--deps : Dump validated dependency information
--dis : Enable bytecode disassembler
--ignore-crc-error : Decompile Dex ignoring CRC errors
--new-crc= : Extract checksum text file for Apk or Dex file location
--get-api : Get Android API level based on Vdex version
-v, --debug=LEVEL : Log level Default: '3' (INFO)
-l, --log-file= : Save disassembler or validated dependencies output to log file
-h, --help : Help information
Bytecode Unquickening Decoder
Vdex files contain all the quickening info (quick_info) data (old vtable) needed to revert the dex-to-dex transformations applied during bytecode optimization. This standalone tool was created to quickly revert optimized bytecode without needing to build the entire libart from AOSP. The full unquicken functionality of Vdex is also implemented as part of the AOSP oatdump libart tool. It can be obtained here. If you want to use oatdump with the Oreo release, you can use the corresponding patch here, or fork and build (inside an AOSP_SRC_ROOT workspace) the oreo-release branch of the oatdump++ tool. Google has released the provided patches along with the Android Pie version of the ART runtime.
Validated Dependencies Iterator
When a Dex bytecode file is first compiled (optimized), dex2oat executes a validation dependency collector as part of the method validation process. The validation dependency collector class is used to record the resolution outcomes and the type assignability tests of classes/methods/fields defined in the class path. The compilation driver initializes classes and registers all Dex files being compiled. Classes defined in Dex files outside this collection (or synthetic classes with no associated Dex files) are considered to be in the class path. All recorded dependencies are stored in the generated Vdex file, as well as the corresponding Oat file from the OatWriter class. The vdexExtractor tool integrates a Vdex dependency walker function that can iterate through all dependency information and dump it in a human-readable format. The following code snippet demonstrates an example of dumping dependencies from a sample Vdex file.
Integrated Disassembler
To debug the decompiler and assist in Dex bytecode investigation tasks, a lightweight disassembler has been implemented. The disassembler output is very similar to the output provided by the AOSP dexdump2 utility of the platform/art project. The disassembler can be used independently of the unquickening decompiler. The example output is illustrated in the following code snippet. Lines prefixed with [new] show the decompiled form of the instruction on the previous line, located at that offset. Note that all quickened offsets and vtable references have been restored to their original signatures and prototypes.
Dex Converter
Android 9 (Pie) introduces a new type of Dex file, called Compact Dex (Cdex). Cdex is an internal file format for ART that compresses various Dex data structures (such as method headers) and deduplicates common data blobs (such as strings) across multiple Dex files. The deduplicated data from the Dex files of the input applications is stored in the shared portion of the Vdex container.
Now that the Vdex container stores Cdex files instead of standard Dex, the vdexExtractor backend (since version 019) has been updated to support them. However, since the tool does not implement Dex IR, it cannot convert Cdex files back to standard Dex without using external tools. For this purpose, a "compact_dex_converter" tool has been written, which uses libdexlayout (Dex IR) from the AOSP art repo. The source code for this tool can be obtained here. Compiling the tool requires syncing the necessary AOSP repositories and building it as an AOSP module. For convenience, vdexExtractor provides a helper tool (see "tools/deodex" in the next section) that downloads a set of precompiled binaries and wraps the required automation. Additionally, the "compact_dex_converter" binary can be downloaded from the following links:
Linux x86-64
Using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhEsiuPjOF_ssIfOe
Debugging using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhE3Z2jdBXJIhazjc
Static compilation: https://1drv.ms/u/s!ArDC4mvMyPrRhEq96XX-LsCACF2s
Static compilation debugging: https://1drv.ms/u/s!ArDC4mvMyPrRhEwmwM8—zdhoCB2
Linux x86-64 Old CPU (without SSE4.2 and without POPCNT #29)
Using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhFP46IyBqOtihS9s
Debugging using shared libraries: https://1drv.ms/u/s!ArrDC4mvMyPrRhFXEGW9vrlMlTKDJ
Static compilation: https://1drv.ms/u/s!ArDC4mvMyPrRhFIFZCF9TtEHVooc
Static compilation debugging: https://1drv.ms/u/s!ArDC4mvMyPrRhFSMELB_H3w5Cdfe
ARM64 (aarch64)
Using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhEindMOf3aWCbQRr
Debugging using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhEnU9Ei_3MeQipGr
Static compilation: Not supported
Apple Systems
Using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhE45gEUNolEiZ50u
Debugging using shared libraries: https://1drv.ms/u/s!ArDC4mvMyPrRhFG5WH_zNz0jNarZ
Static compilation: Not supported
The 's' suffix in the binary name indicates "static compilation" while 'd' indicates a "debug" build. They can also be combined (e.g., 'ds' – static compiled debug version).
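Whether a file is a Vdex container, a standard Dex, or a Compact Dex that still needs compact_dex_converter can be decided from its 8-byte magic and version prefix. The following Python code is an added example, not part of vdexExtractor: the function names are hypothetical, the sample Dex is constructed, and the magic values and the standard Dex header layout (Adler-32 checksum at offset 8, file_size at offset 32) are taken from the Dex format rather than from this page.

```python
import struct
import zlib

# First 4 bytes of each format; a 3-digit ASCII version and a NUL byte follow.
MAGICS = {b"vdex": "vdex", b"dex\n": "dex", b"cdex": "cdex"}
DEX_HEADER_SIZE = 0x70


def classify(buf: bytes):
    """Return (kind, version) from the magic+version prefix, or (None, None)."""
    kind = MAGICS.get(buf[:4])
    ver = buf[4:8]
    if kind is None or len(ver) != 4 or ver[3] != 0 or not ver[:3].isdigit():
        return (None, None)
    return (kind, ver[:3].decode("ascii"))


def dex_checksum_ok(buf: bytes) -> bool:
    """Standard Dex only: Adler-32 over bytes 12..end must equal the stored
    little-endian value at offset 8, and file_size must match the buffer."""
    if len(buf) < DEX_HEADER_SIZE:
        return False
    (stored,) = struct.unpack_from("<I", buf, 8)
    (size,) = struct.unpack_from("<I", buf, 32)
    return size == len(buf) and stored == (zlib.adler32(buf[12:]) & 0xFFFFFFFF)


def triage(buf: bytes) -> str:
    """Decide the next step for one file pulled from a device or extracted."""
    kind, ver = classify(buf)
    if kind == "vdex":
        return f"vdex v{ver}: run vdexExtractor"
    if kind == "cdex":
        return f"cdex v{ver}: needs compact_dex_converter"
    if kind == "dex":
        state = "ok" if dex_checksum_ok(buf) else "checksum or size mismatch"
        return f"dex v{ver}: {state}"
    return "unknown"


def make_sample_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only standard Dex with a valid checksum."""
    # 20-byte signature (zeroed), file_size, then the rest of the header zeroed.
    rest = bytes(20) + struct.pack("<I", DEX_HEADER_SIZE) + bytes(DEX_HEADER_SIZE - 36)
    checksum = struct.pack("<I", zlib.adler32(rest) & 0xFFFFFFFF)
    return b"dex\n" + version + b"\0" + checksum + rest
```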
Utility Scripts
extract-apps-from-device.sh
Extracts the ART compiler output resources (oat, art, vdex) of installed packages (user and system) from the connected Android device. It also supports extracting APK archives of installed packages. Due to DAC permissions, some system application data may not be extractable without root access.
update-vdex-location-checksums.sh
Updates the Vdex file location checksums using the extracted CRCs from the input Apk archive file. For more information on how to use this feature to spoof ART and bypass SafetyNet application integrity checks, see the original article.
tools/deodex/run.sh
A helper tool for batch decompiling (deodexing) Vdex resources back to standard Dex files. This tool automatically handles CompactDex files (introduced in Android Pie) and uses the compact_dex_converter tool to convert back to StandardDex. Since the converter is compiled as part of the AOSP source code, for convenience, the developers maintain a set of binaries for Linux and macOS.
*Reference Source: github, compiled by Zhou Dato, please indicate the source from FreeBuf.COM