Introduction: The Power of Control Flow Analysis in Android RE

In the intricate world of Android reverse engineering, understanding the flow of execution within an application is paramount. Control Flow Graphs (CFGs) provide a visual representation of all paths that might be traversed through a program during its execution, making them an indispensable tool for analysts. For Android applications, CFGs derived from Dalvik bytecode or native ARM code can reveal critical insights into an app’s behavior, identifying malicious logic, obfuscation techniques, or security vulnerabilities. However, manually navigating and extracting information from CFGs, especially in large and complex applications, can be an arduous and time-consuming task. This is where automation, specifically through scripting with powerful tools like the JEB Decompiler, becomes a game-changer.

This article will guide you through the process of leveraging JEB’s scripting capabilities to automate the extraction and analysis of Control Flow Graphs from Android binaries. We’ll explore how to write Python scripts to programmatically access CFG data, export it into standardized formats, and set the foundation for advanced, automated analysis workflows.

Prerequisites and Setup

Before diving into scripting, ensure you have the following:

• JEB Decompiler: An active license for JEB Pro or JEB Android with Python scripting enabled.
• Basic Python Knowledge: Familiarity with Python syntax and object-oriented programming concepts.
• Sample Android APK: Any APK will do, but a more complex one with various methods will be ideal for demonstrating CFG extraction.

Ensure your JEB installation is up-to-date to benefit from the latest API features and bug fixes.

Understanding CFGs in JEB

JEB excels at representing CFGs for various architectures and code levels, including Dalvik bytecode and native code (ARM, AArch64). When you decompile an Android method in JEB, the CFG is visually presented, allowing you to trace execution paths, identify basic blocks, and understand conditional jumps. Each node in a CFG represents a “basic block”—a sequence of instructions with a single entry point and a single exit point. Edges represent control transfers between these blocks.

While the graphical view is excellent for manual inspection, programmatic access through JEB’s API unlocks unprecedented power. The API allows you to:

• Enumerate methods and classes.
• Retrieve the CFG for any given method.
• Access individual basic blocks within a CFG.
• Inspect instructions within each basic block.
• Determine predecessors and successors of basic blocks.

The Imperative for Automation

Consider scenarios involving hundreds or thousands of methods, each with its own CFG. Manual analysis quickly becomes infeasible. Automation is critical for:

• Large-scale Analysis: Processing multiple applications or vast codebases efficiently.
• Pattern Recognition: Identifying recurring obfuscation patterns, cryptographic routines, or API misuse across many methods.
• Integration with External Tools: Exporting CFGs to graph visualization tools (e.g., Graphviz, Gephi) or graph databases for further analysis.
• Custom Rule Engines: Developing custom detection rules for malware or vulnerabilities based on specific control flow structures.

Developing Your First JEB Script for CFG Extraction

Let’s start with a simple Python script to iterate through all methods of an Android unit and print basic information about their Control Flow Graphs. We’ll focus on Dalvik methods for this example.

Step 1: Basic CFG Enumeration

First, open an APK in JEB. Then, navigate to “File” -> “Scripts” -> “New Script…” or use the script editor in the bottom pane. Save the following as cfg_enumerator.py:

from jeb.api import IScript
from jeb.api.ui import View

class CFGEnumerator(IScript):

    def run(self, ctx):
        # Get the current UI context
        engctx = ctx.getEnginesContext()
        if not engctx:
            print('Requires an opened project with an active engine')
            return

        # Get the primary Android unit (APK)
        unit = engctx.getFocusedUnit()
        if not unit or unit.getType() != 'APK':
            print('Requires an opened APK')
            return

        print(f'Analyzing APK: {unit.getName()}')

        # Iterate over all Dalvik classes
        for c in unit.getClasses():
            # Iterate over all methods in the class
            for m in c.getMethods():
                method_signature = m.getSignature()
                
                # Check if a CFG exists for the method
                if m.hasCFG():
                    cfg = m.getCFG()
                    print(f"  Method: {method_signature}")
                    print(f"    Total basic blocks: {cfg.getBasicBlockCount()}")
                    
                    # Optionally, iterate basic blocks and their instructions
                    # for block in cfg.getBasicBlocks():
                    #     print(f"      Block @ 0x{block.getAddress():X}")
                    #     for insn in block.getInstructions():
                    #         print(f"        {insn.format(m)}")
                    #     print(f"        Successors: {[hex(s.getAddress()) for s in block.getSuccessors()]}")
                    #     print(f"        Predecessors: {[hex(p.getAddress()) for p in block.getPredecessors()]}")
                else:
                    print(f"  Method: {method_signature} (No CFG available)")

        print("CFG enumeration complete.")

Execute this script. You’ll see output in JEB’s console listing each method and, if a CFG is present, the number of basic blocks it contains. This simple script demonstrates how to traverse the JEB API to access method-level CFG data.

Enhancing the Script: Exporting to Graphviz DOT Format

While enumerating CFG properties is useful, visualizing them externally provides much greater flexibility. The DOT language is a plain text graph description language supported by Graphviz tools, making it an excellent choice for exporting CFGs. We’ll modify our script to generate a DOT file for a specific method’s CFG.

Step 2: Generating a DOT File for a Method’s CFG

Create a new script, say cfg_to_dot.py, or modify the previous one:

from jeb.api import IScript
from jeb.api.ui import View
import os

class CFGToDOT(IScript):

    def run(self, ctx):
        engctx = ctx.getEnginesContext()
        if not engctx:
            print('Requires an opened project with an active engine')
            return

        unit = engctx.getFocusedUnit()
        if not unit or unit.getType() != 'APK':
            print('Requires an opened APK')
            return

        # Prompt the user to select a method
        # This part requires JEB UI and interaction, for automation, you might iterate or target a specific method
        # For a more focused example, let's hardcode a method for demonstration purposes
        # In a real scenario, you'd find a method via a search or selection.
        # Example: Find 'onCreate' method in a typical Android app
        target_method_sig = 'Lcom/example/app/MainActivity;->onCreate(Landroid/os/Bundle;)V' # Adjust this to your target method

        target_method = None
        for c in unit.getClasses():
            for m in c.getMethods():
                if m.getSignature() == target_method_sig:
                    target_method = m
                    break
            if target_method:
                break

        if not target_method:
            print(f"Target method '{target_method_sig}' not found.")
            return

        if not target_method.hasCFG():
            print(f"Method '{target_method_sig}' does not have a CFG.")
            return

        cfg = target_method.getCFG()
        print(f"Generating DOT for method: {target_method_sig}")

        # Prepare DOT file content
        dot_content = ['digraph CFG {', '  node [shape=box];']

        # Add nodes
        for block in cfg.getBasicBlocks():
            block_addr = f"0x{block.getAddress():X}"
            
            # Format instructions nicely for the node label
            instructions_str = ""
            for insn in block.getInstructions():
                instructions_str += insn.format(target_method) + "\l" # "\l" for left-justified newline in DOT
            
            # Escape double quotes within the label
            label = instructions_str.replace('"', '"')
            dot_content.append(f'  "{block_addr}" [label="{label}"];')

        # Add edges
        for block in cfg.getBasicBlocks():
            block_addr = f"0x{block.getAddress():X}"
            for successor in block.getSuccessors():
                successor_addr = f"0x{successor.getAddress():X}"
                dot_content.append(f'  "{block_addr}" -> "{successor_addr}";')

        dot_content.append('}')

        # Define output path
        output_dir = ctx.getDataDir() # JEB's default data directory
        output_filename = os.path.join(output_dir, f"{target_method.getName()}_cfg.dot")

        with open(output_filename, 'w') as f:
            f.write('n'.join(dot_content))

        print(f"DOT file saved to: {output_filename}")
        print("Use Graphviz (e.g., 'dot -Tpng -o output.png input.dot') to visualize it.")

Important: Adjust target_method_sig to a method that actually exists in your loaded APK. A good candidate would be a constructor or a simple public method from one of the app’s activities.

Step 3: Visualizing with Graphviz

After running cfg_to_dot.py in JEB, a .dot file will be generated in your JEB data directory. To visualize it, you’ll need Graphviz installed. Open a terminal and navigate to where you saved the DOT file, then run:

dot -Tpng -o onCreate_cfg.png onCreate_cfg.dot

This command will generate a PNG image of the method’s CFG, offering a clear visual representation of its control flow outside of JEB.

Advanced Scripting Concepts and Practical Applications

The examples above lay the groundwork. Here are avenues for further exploration:

• Conditional Edge Labeling: For conditional branches, differentiate between “true” and “false” edges in the DOT graph for clearer visualization.
• Node Styling: Use DOT attributes to style nodes based on criteria, such as blocks containing API calls of interest, specific string comparisons, or cryptographic operations.
• Interprocedural CFG (ICFG): While JEB primarily focuses on intraprocedural CFGs, scripts can be extended to model interprocedural calls by parsing call instructions and linking to the CFGs of called methods.
• Dynamic Analysis Integration: Combine static CFG analysis with dynamic execution traces (e.g., from Frida or Xposed) to highlight executed paths within the static CFG.
• Automated Malware Triage: Develop scripts to automatically extract CFGs from suspicious methods, identify common obfuscation patterns (e.g., spaghetti code, anti-analysis loops), and flag potentially malicious components.

Conclusion

Mastering Android CFG analysis with JEB scripting is a powerful skill that elevates your reverse engineering capabilities from manual inspection to automated, large-scale analysis. By programmatically interacting with JEB’s robust API, you can efficiently extract, process, and visualize control flow information, saving invaluable time and uncovering deeper insights into complex applications. The ability to export CFGs to standard formats like DOT opens up possibilities for integration with a vast ecosystem of graph analysis tools, making JEB an even more versatile platform for security researchers and reverse engineers.