https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L126-L129

Also need to make sure the non-direct invoke-kinds work.

The plugin is slow with large files. It should be profiled to see what's taking up the most time.

One place to look at: https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/android/smali.py#L626-L627

Dalvik technically supports 65536 registers, but Binary Ninja hangs when more than a thousand or so RegisterInfos are added. The current workaround is to just set 256 of them.

Also, I don't know what setting Architecture.regs actually does.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L27

This is currently not a priority because

1. I don't see a big use case. Smali is already pretty high-level.
2. It would be a lot of work, and I'm not positive it would be possible to lift every instruction due to Dalvik being a VM.

I've never done anything with lifting before though, so please leave a comment if you think otherwise.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/binaryview.py#L53

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L62

Upstream issue: Vector35/binaryninja-api#551

When you open up a Dex file, the default view is the hex view. For ELF files, the default is graph view (or maybe that's from my settings. Point is, it's not hex).

• Did I do MIT license correctly? Should get someone else to double-check.
• Are there any complications because this is a plugin? Does this repo need to acknowledge Binary Ninja's license in any way?

If you open multiple Dex files in different tabs in the same window, you will get bad behavior and wrong results.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L44-L58

Currently the following are implemented:

• field
• meth
• string
• type

And these are not:

• call_site
• method_handle
• proto

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/android/smali.py#L369-L371

In main README, probably.

Dissassembling every method in a large Dex file can take a long time. Request by @drosseau-carve:

The ability to say "I don't care about disassembling package X" (ie android.arch.core.internal)

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/android/dex.py#L887-L891

Unsure if this is causing any errors, but it needs to be double-checked.

The workaround to #8 using files would let an attacker with the ability to write to /tmp/out.json.pickle as your user at specific times perform a pickle deserialization attack.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/binaryview.py#L51

imo if someone already has the required access, it's probably already game over, but it's still bad to have this vuln.

I wrote some tests before I fully figured out how AccessFlags should be rendered as strings. I deleted the obviously wrong tests, but due to #5 I haven't actually ran the rest since writing the string functions.

They should either be deleted or finished.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/android/dex.py#L418

Depends on #5.

I use

• black
• isort
• mypy
• flake8

This should be documented somewhere with their options.

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/android/dex.py#L1141-L1143

I don't remember what this does, but my comment is telling me to double check this.

https://source.android.com/devices/tech/dalvik/dex-format.html#items

Things like line numbers, local parameter names, and file names. They start with . in baksmali output.

packed-switch and sparse-switch instructions do not have branches set. Methods with these instructions will not have the full control flow graph, and will probably not disassemble completely.

More than two branches can't be added to an InstructionInfo object in get_instruction_info: https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L99-L108

According to rss, the right way to do this is to use LLIL_JUMP_TO in LLIL. I couldn't figure out how to do this. My best attempt (does not work):

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L170-L174

I just used it for throw opcodes because it sounded relevant and didn't raise any errors, and then punted figuring out what it did until later. https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/architecture.py#L91-L93

Traceback (most recent call last):
  File "C:\Users\Myself\AppData\Roaming\Binary Ninja\plugins\banjo\__init__.py", line 10, in <module>
    from binaryninjaui import UIContextNotification, UIContext  # type: ignore
  File "E:\binaryNinja2.1\BinaryNinja-personal-2.0.2097-dev\plugins\..\python3\binaryninjaui\__init__.py", line 5, in <module>
    from .binaryninjaui import *
ImportError: DLL load failed while importing binaryninjaui: The specified module could not be found.
Python plugin 'banjo' could not be loaded

Python 3.8 is installed

How to fix this?

I have a bunch uncommitted. I should finish and push them.

https://github.com/Vector35/community-plugins/

This will take a decent amount of work I think

I've tested this against a relatively small corpus of dex files that I have lying around. It needs to be tested against way more.

• Find collection of publicly-licensed Dex files
• Run disas_to_files.py on them and share results

Locally I've been using

#!/bin/sh

fn=$1
[ -z $fn ] && exit 1
bn=$(basename -s .dex -s .cdex "$fn")

set -e

time java -jar baksmali.jar d --parameter-registers false -o "$bn"_baksmali "$fn"
time disas_to_files.py -o "$bn"_banjo "$fn"
diff -r "$bn"_*

This plugin only supports disassembling Dex files.

It could unzip APKs and pull out any Dex files, but that's easy to do manually, and would require code to check for and alert the user if multiple dexs are found, no dexes are found, or other dex container files are found. This doesn't seem like the right tool to do that.

Adding support for odex, cdex, vdex, or whatever else there is would require writing a whole new parser for each container type. There are other tools that can convert these types into Dex files. Again, this doesn't seem like the right tool to have this functionality in.

If you feel differently, leave a comment.

Trying to change them from one format to another breaks them completely. I suspect that this has something to do with IntegerToken, which used to be marked as internal-only in the docs but isn't any more.

TODO investigate changes to https://api.binary.ninja/binaryninja.function.InstructionTextToken.html#binaryninja.function.InstructionTextToken to figure out how to fix this.

There are some Python unittest classes for low-level tests. Somewhere along the line in code reorganization they stopped working.

ImportError: Failed to import test module: dex
Traceback (most recent call last):
  File "/usr/lib/python3.8/unittest/loader.py", line 154, in loadTestsFromName
    module = __import__(module_name)
  File "/home/.../.binaryninja/plugins/banjo/android/dex.py", line 9, in <module>
    from .smali import (
ImportError: attempted relative import with no known parent package

https://github.com/CarveSystems/banjo/blob/bd07db6c3a8de9b4eff56d381c581909b0ea2b05/binaryview.py#L121

See if this makes sense.

Replacement for #14.

See 2ed32d4