[
{
"path": ".gitignore",
"content": ".DS_Store\n.python-version\n"
},
{
"path": "README.md",
"content": "# apkx - Android APK Decompilation for the Lazy\n\nA Python wrapper to popular free dex converters and Java decompilers. Extracts Java source code directly from the APK. Useful for experimenting with different converters/decompilers without having to worry about classpath settings and command line args.\n\n## Installation\n\n```bash\n$ git clone https://github.com/b-mueller/apkx\n$ cd apkx\n$ sudo ./install.sh\n```\n\nNotes: \n\n- JRE needs to be installed and in PATH\n- enjarify requires Python 3\n\n## Usage\n\nPass the APK filename on the command line:\n\n```bash\n$ apkx HelloWorld.apk \nExtracting HelloWord.apk to HelloWord\nConverting: classes.dex -> classes.jar (dex2jar)\ndex2jar HelloWord/classes.dex -> HelloWord/classes.jar\nDecompiling to HelloWord/src (cfr)\n```\n\nThe default combination of converter and decompiler is dex2jar and cfr. Use the -c and -d flags to change this. E.g.:\n\n```bash\n$ apkx -c enjarify -d procyon HelloWorld.apk\n```\n\nTo get help, run:\n\n```bash\n$ apkx -h\n```\n\n## Tools\n\nThis script integrates the following tools:\n\n- [Procyon](https://bitbucket.org/mstrobel/procyon) by Mike Strobel - [Apache License Version 2.0](https://www.apache.org/licenses/LICENSE-2.0.html)\n- [CFR](http://www.benf.org/other/cfr/) by Lee Benfield - [MIT License](https://opensource.org/licenses/MIT)\n- [dex2jar](https://github.com/pxb1988/dex2jar) by Bob Pan - [Apache License Version 2.0](https://www.apache.org/licenses/LICENSE-2.0.html)\n- [enjarify](https://github.com/Storyyeller/enjarify) by Storyyeller - [Apache License Version 2.0](https://www.apache.org/licenses/LICENSE-2.0.html)\n\n## About\n\nThis script accompanies the [OWASP Mobile Security Testing Guide](https://github.com/OWASP/owasp-mstg). For further instructions and usage examples, see also:\n\n- [Tampering and Reverse Engineering on Android](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md)\n- [Testing Resiliency Against Reverse Engineering on Android](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md)\n\n"
},
{
"path": "apkx",
"content": "#!/usr/bin/python\n#\n# apkx -- A Python wrapper for popular dex converters and Java decompilers.\n# Because nobody likes messing with Java classpaths & jar command lines.\n# v0.9.2\n#\n# Author: Bernhard Mueller\n# This file is part of the OWASP Mobile Testing Guide (https://github.com/OWASP/owasp-mstg)\n#\n# See also:\n#\n# Dex2jar - https://github.com/pxb1988/dex2jar\n# CFR - http://www.benf.org/other/cfr/\n# \n# This program is free software: you can redistribute it and/or modify \n# it under the terms of the GNU General Public License as published by \n# the Free Software Foundation, version 3.\n\nimport os\nimport sys\nimport subprocess\nimport zipfile\nimport re\nimport argparse\n\ncwd = os.path.dirname(os.path.realpath(__file__))\nFNULL = open(os.devnull, 'w')\n\ndef convert(converter, lib_path, ext_path, infile, outfile):\n\n\tif (converter == 'dex2jar'):\n\t\tsubprocess.call(['java', '-Xms512m', '-Xmx1024m', '-cp', lib_path, 'com.googlecode.dex2jar.tools.Dex2jarCmd', ext_path + '/' + infile, '-o', ext_path + '/' + outfile, '-f'])\n\telif (converter == 'enjarify'):\n\t\tsubprocess.call([cwd + '/enjarify.pex', ext_path + '/' + infile, '-o', ext_path + '/' + outfile, '--force'])\n\ndef decompile(decompiler, lib_path, ext_path, jar_filename):\n\n\tif (decompiler == 'cfr'):\n\t\tsubprocess.call(['java','-Xms512m', '-Xmx1024m', '-cp', lib_path, 'org.benf.cfr.reader.Main', ext_path + '/' + jar_filename, '--outputdir', src_path, '--caseinsensitivefs', 'true', '--silent', 'true'], stdout=FNULL)\n\telif (decompiler == 'procyon'):\n\t\tsubprocess.call(['java','-Xms512m', '-Xmx1024m', '-cp', lib_path, 'com.strobel.decompiler.DecompilerDriver', '-jar', ext_path + '/' + jar_filename, '--o', src_path], stdout=FNULL)\n\n\n'''\n====== Main ======\n'''\n\nparser = argparse.ArgumentParser(description='Decompile an Android APK archive.')\n\nparser.add_argument('-c', '--converter', help='Dex to jar conversion method (default: dex2jar)', choices=['dex2jar','enjarify'], default = \"dex2jar\")\nparser.add_argument('-d', '--decompiler', help='Decompiler backend to use (default: cfr)', choices=['cfr','procyon'], default = \"cfr\")\nparser.add_argument('apkfile', help='File to decompile')\n\nargs = parser.parse_args()\n\n'''\n\tUnzip the application package.\n'''\n\next_path = os.path.splitext(os.path.basename(args.apkfile))[0]\nsrc_path = ext_path + \"/src\"\n\nlib_path = cwd + \"/apkx-libs.jar\"\n\nprint(\"Extracting \" + args.apkfile + \" to \" + ext_path)\n\ntry:\n\tzip_ref = zipfile.ZipFile(args.apkfile, 'r')\n\tzip_ref.extractall(ext_path)\n\tzip_ref.close()\nexcept IOError as e:\n\tprint(\"Error extracting apk: \" + str(e))\n\tsys.exit(0)\n\n'''\n\tIterate over all .dex files\n'''\n\nfor root, dirs, files in os.walk(ext_path):\n\tfor file in files:\n\t\tif file.endswith((\".dex\")):\n\t\t\tjar_filename = os.path.splitext(file)[0] + \".jar\"\n\n\t\t\tprint('Converting: ' + file + ' -> ' + jar_filename + ' (' + args.converter + ')')\n\n\t\t\t'''\n\t\t\t\tConversion Step\n\t\t\t'''\n\n\t\t\ttry:\n\t\t\t\tconvert(args.converter, lib_path, ext_path, file, jar_filename)\n\t\t\texcept Exception as e:\n\t\t\t\tprint('Error converting dex to jar:'+ str(e))\n\t\t\t\tnext\n\n\t\t\t'''\n\t\t\t\tDecompilation Step\n\t\t\t'''\n\n\t\t\tprint(\"Decompiling to \" + src_path + ' (' + args.decompiler + ')')\n\n\t\t\ttry:\n\t\t\t\tdecompile(args.decompiler, lib_path, ext_path, jar_filename)\n\t\t\texcept Exception as e:\n\t\t\t\tprint('Error decompiling:' + str(e))\n\n"
},
{
"path": "install.sh",
"content": "#!/bin/bash\n\nif [[ $EUID > 0 ]]; then \n echo \"The installation script needs to be run as root.\"\n exit 1\nelse\n cp apkx apkx-libs.jar enjarify.pex /usr/local/bin \n chmod 755 /usr/local/bin/apkx /usr/local/bin/enjarify.pex\nfi\n"
}
]