jadx
[feature] Scripting support in jadx
This issue summarizes the discussion started in #1172.
Scripting support in jadx will be a nice feature to help automate analysis operations and to allow transformation and modification of decompiled code. Here is a list of possible applications:
- Custom deobfuscation, restoration of encrypted strings and other code simplifications.
- Code positioning of sensitive API function calls. Tracking the calling relationship of specific functions or variables. Anti-aliasing.
- Binary feature code search.
Scripting language possible options (will support only one):
- Plain Java - too verbose, but can directly use jadx API.
- Kotlin script - nice and close to Java, but still in an experimental state.
Feel free to share your possible use cases, expectations and suggestions in the comments :+1:
What about python as one of the scripting options? Python is easy and fun when it's used as a scripting language, and mostly can get the job done very quickly like in no time. 😋
@LBJ-the-GOAT To my knowledge there is no good library for exposing Java objects to Python. There was the Jython framework, but it is Python2 only and therefore already outdated.
@jpstotz oh, I didn't notice that, thanks for reminding me :)
This library is pretty good for exposing java to python https://github.com/bartdag/py4j
> This library is pretty good for exposing java to python https://github.com/bartdag/py4j
I am not sure if the way py4j works is a good choice. From what I have seen, it uses TCP to communicate between Python and Java, and by default it opens the TCP port on all interfaces. Therefore the default config allows remote control of the whole application. I would assume that this also includes code injection.
Even if you would limit that server to a localhost interface this would still make Jadx vulnerable on multi-user systems. For that reason I vote against py4j.
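As an added example (not from the thread and not jadx or py4j code), a defender-side check for the two exposures raised in the comment above: a listener bound to all interfaces, and a loopback listener that any local account can connect to. The socket table is a constructed sample in Linux `/proc/net/tcp` format, and the port numbers and uids in it are assumptions for illustration.

```python
import ipaddress

# Constructed sample in Linux /proc/net/tcp format (not captured from a real host).
# Ports 25333/25334 and the uids are illustrative assumptions.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:62F5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:62F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 41003 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as written by the kernel on little-endian hosts."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)


def classify_listeners(proc_net_tcp):
    """Return one finding per listening socket with its bind exposure."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue  # not a listener (e.g. an established connection)
        ip, port = decode_addr(cols[1])
        if ip.is_unspecified:
            exposure = "all-interfaces"  # reachable from the network
        elif ip.is_loopback:
            exposure = "loopback-any-local-user"  # no per-user isolation on TCP
        else:
            exposure = "single-interface"
        findings.append({"ip": str(ip), "port": port,
                         "uid": int(cols[7]), "exposure": exposure})
    return findings


if __name__ == "__main__":
    for finding in classify_listeners(SAMPLE_PROC_NET_TCP):
        print(finding)
```

On a real Linux host the same function can be fed the contents of `/proc/net/tcp`; the uid column shows which account owns each listener, but not which local accounts connect to it.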
I don't really have a horse in this race, but in case it helps, they do support TLS: https://www.py4j.org/advanced_topics.html#security
> What about python as one of the scripting options? Python is easy and fun when it's used as a scripting language, and mostly can get the job done very quickly like in no time. 😋
Perhaps Javascript could be the way? The application already has a feature for generating Frida snippets which are written in Javascript. If plugins/script ever become a thing this could make it possible to have JadX directly interact with Frida as well.
> Perhaps Javascript could be the way? The application already has a feature for generating Frida snippets which are written in Javascript.
Jadx generates Strings for Frida indeed and those Strings contain JavaScript code, but Jadx does not have any capability to interpret or generate arbitrary JavaScript code.