hacktricks/mobile-pentesting/android-app-pentesting/apk-decompilers.md

# APK decompilers

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
{% endhint %}

**For further details on each tool check the original post from [https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr](https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr)**


### [JD-Gui](https://github.com/java-decompiler/jd-gui)

As the pioneering GUI Java decompiler, **JD-Gui** allows you to investigate Java code within APK files. It's straightforward to use; after obtaining the APK, simply open it with JD-Gui to inspect the code.

### [Jadx](https://github.com/skylot/jadx)

**Jadx** offers a user-friendly interface for decompiling Java code from Android applications. It's recommended for its ease of use across different platforms.

- To launch the GUI, navigate to the bin directory and execute: `jadx-gui`
- For command-line usage, decompile an APK with: `jadx app.apk`
- To specify an output directory or adjust decompilation options: `jadx app.apk -d <path to output dir> --no-res --no-src --no-imports`

### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)

**GDA**, a Windows-only tool, offers extensive features for reverse engineering Android apps. Install and run GDA on your Windows system, then load the APK file for analysis.

### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)

With **Bytecode-Viewer**, you can analyze APK files using multiple decompilers. After downloading, run Bytecode-Viewer, load your APK, and select the decompilers you wish to use for simultaneous analysis.

### [Enjarify](https://github.com/Storyyeller/enjarify)

**Enjarify** translates Dalvik bytecode to Java bytecode, enabling Java analysis tools to analyze Android applications more effectively.

- To use Enjarify, run: `enjarify app.apk`
  This generates the Java bytecode equivalent of the provided APK.

### [CFR](https://github.com/leibnitz27/cfr)

**CFR** is capable of decompiling modern Java features. Use it as follows:

- For standard decompilation: `java -jar ./cfr.jar "app.jar" --outputdir "output_directory"`
- For large JAR files, adjust the JVM memory allocation: `java -Xmx4G -jar ./cfr.jar "app.jar" --outputdir "output_directory"`

### [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine)

**Fernflower**, an analytical decompiler, requires building from source. After building:

- Decompile a JAR file: `java -jar ./fernflower.jar "app.jar" "output_directory"`
  Then, extract the `.java` files from the generated JAR using `unzip`.

### [Krakatau](https://github.com/Storyyeller/Krakatau)

**Krakatau** offers detailed control over decompilation, especially for handling external libraries.

- Use Krakatau by specifying the standard library path and the JAR file to decompile: `./Krakatau/decompile.py -out "output_directory" -skip -nauto -path "./jrt-extractor/rt.jar" "app.jar"`

### [procyon](https://github.com/mstrobel/procyon)

For straightforward decompilation with **procyon**:

- Decompile a JAR file to a specified directory: `procyon -jar "app.jar" -o "output_directory"`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
</details>
{% endhint %}
GitBook: [#3143] No subject 2022-04-28 23:27:22 +00:00			`# APK decompilers`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-03 10:43:38 +00:00
b 2024-07-18 23:16:27 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
b 2024-07-18 23:16:27 +00:00			`{% endhint %}`
			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-08 03:06:37 +00:00			`For further details on each tool check the original post from [https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr](https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00

a 2024-02-08 03:06:37 +00:00			`### [JD-Gui](https://github.com/java-decompiler/jd-gui)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`As the pioneering GUI Java decompiler, JD-Gui allows you to investigate Java code within APK files. It's straightforward to use; after obtaining the APK, simply open it with JD-Gui to inspect the code.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [Jadx](https://github.com/skylot/jadx)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`Jadx offers a user-friendly interface for decompiling Java code from Android applications. It's recommended for its ease of use across different platforms.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			- To launch the GUI, navigate to the bin directory and execute: `jadx-gui`
			- For command-line usage, decompile an APK with: `jadx app.apk`
			- To specify an output directory or adjust decompilation options: `jadx app.apk -d <path to output dir> --no-res --no-src --no-imports`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`GDA, a Windows-only tool, offers extensive features for reverse engineering Android apps. Install and run GDA on your Windows system, then load the APK file for analysis.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`With Bytecode-Viewer, you can analyze APK files using multiple decompilers. After downloading, run Bytecode-Viewer, load your APK, and select the decompilers you wish to use for simultaneous analysis.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [Enjarify](https://github.com/Storyyeller/enjarify)`
GitBook: [master] 401 pages and one asset modified 2020-11-23 10:05:59 +00:00
a 2024-02-08 03:06:37 +00:00			`Enjarify translates Dalvik bytecode to Java bytecode, enabling Java analysis tools to analyze Android applications more effectively.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			- To use Enjarify, run: `enjarify app.apk`
			`This generates the Java bytecode equivalent of the provided APK.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [CFR](https://github.com/leibnitz27/cfr)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`CFR is capable of decompiling modern Java features. Use it as follows:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			- For standard decompilation: `java -jar ./cfr.jar "app.jar" --outputdir "output_directory"`
			- For large JAR files, adjust the JVM memory allocation: `java -Xmx4G -jar ./cfr.jar "app.jar" --outputdir "output_directory"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`### [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 03:06:37 +00:00			`Fernflower, an analytical decompiler, requires building from source. After building:`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			- Decompile a JAR file: `java -jar ./fernflower.jar "app.jar" "output_directory"`
			Then, extract the `.java` files from the generated JAR using `unzip`.
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			`### [Krakatau](https://github.com/Storyyeller/Krakatau)`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			`Krakatau offers detailed control over decompilation, especially for handling external libraries.`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			- Use Krakatau by specifying the standard library path and the JAR file to decompile: `./Krakatau/decompile.py -out "output_directory" -skip -nauto -path "./jrt-extractor/rt.jar" "app.jar"`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			`### [procyon](https://github.com/mstrobel/procyon)`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			`For straightforward decompilation with procyon:`
GitBook: [master] one page modified 2021-03-22 09:38:34 +00:00
a 2024-02-08 03:06:37 +00:00			- Decompile a JAR file to a specified directory: `procyon -jar "app.jar" -o "output_directory"`
b 2024-07-18 23:16:27 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

b 2024-07-18 23:16:27 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
b 2024-07-18 23:16:27 +00:00			`{% endhint %}`
			`</details>`
			`{% endhint %}`