dex2jar

dex2jar is a tool for converting Android DEX (Dalvik Executable) files to JAR format, enabling analysis of Android apps with Java decompilers. This guide covers APK analysis, conversion, and reverse engineering workflows.

Installation

macOS/Linux

# Download from releases
wget https://github.com/ThexXTURBOXx/dex2jar/releases/download/v2.1-SNAPSHOT/dex2jar-2.1-SNAPSHOT.zip
unzip dex2jar-2.1-SNAPSHOT.zip
chmod +x dex2jar-2.1/d2j-dex2jar.sh

# Or build from source
git clone https://github.com/ThexXTURBOXx/dex2jar.git
cd dex2jar
mvn package
ls dist/

# Add to PATH
export PATH=$PATH:/path/to/dex2jar/

Windows

# Download ZIP from releases
# https://github.com/ThexXTURBOXx/dex2jar/releases

# Extract and add to PATH
set PATH=%PATH%;C:\path\to\dex2jar

# Or use WSL
# Follow Linux instructions above

Verify Installation

d2j-dex2jar.sh --version
d2j-dex2jar --help

Basic DEX to JAR Conversion

Simple Conversion

# Convert DEX to JAR
d2j-dex2jar.sh classes.dex

# Output: classes-dex2jar.jar

# Specify output file
d2j-dex2jar.sh -o myapp.jar classes.dex

# Keep intermediate files
d2j-dex2jar.sh -k classes.dex

# Show progress
d2j-dex2jar.sh -v classes.dex

Multiple DEX Files

# Convert all DEX files in directory
for dex in *.dex; do
    d2j-dex2jar.sh -o "${dex%.dex}.jar" "$dex"
done

# Or use loop through each
d2j-dex2jar.sh classes.dex
d2j-dex2jar.sh classes2.dex
d2j-dex2jar.sh classes3.dex

APK Analysis Workflow

Extracting APK Contents

# APK is just a ZIP file
unzip myapp.apk -d myapp_extracted/

# Or using jar
jar xf myapp.apk

# Or using 7z
7z x myapp.apk

# Key files in APK:
# AndroidManifest.xml    - App metadata
# classes.dex            - Main bytecode
# classes2.dex           - (optional) secondary bytecode
# lib/                   - Native libraries
# res/                   - Resources
# assets/                - Asset files

Complete APK Extraction Workflow

#!/bin/bash
APK="myapp.apk"
OUTPUT="myapp_analysis"

# Extract APK
mkdir -p $OUTPUT
cd $OUTPUT
unzip "../$APK"

# Extract all DEX files
for dex in classes*.dex; do
    d2j-dex2jar.sh -o "${dex%.dex}.jar" "$dex"
done

# Extract strings
strings classes.dex | head -50

# Examine AndroidManifest
cat AndroidManifest.xml  # (needs decoding)

cd ..

Decompiling to Java Source

Using CFR

# Requires: cfr.jar
# Download from: https://www.benf.org/other/cfr/

java -jar cfr.jar classes-dex2jar.jar

# Output to directory
java -jar cfr.jar --outputdir src/ classes-dex2jar.jar

# Specific options
java -jar cfr.jar --codeassertions false --sugarasserts false \
    --outputdir src/ classes-dex2jar.jar

Using Procyon

# Download: https://bitbucket.org/mstrobel/procyon/downloads/

java -jar Procyon.jar classes-dex2jar.jar -o src/

# With options
java -jar Procyon.jar -unicode true -outputdir src/ classes-dex2jar.jar

Using JD-GUI

# Download: http://jd.benow.ca/

# GUI tool
jd-gui classes-dex2jar.jar

# Command-line
jd-cli classes-dex2jar.jar -od src/

AndroidManifest Analysis

Decoding AndroidManifest.xml

# Option 1: Using apktool
apktool d myapp.apk

# Option 2: Using AXMLPrinter
java -cp AXMLPrinter2.jar com.android.apktool.axml.AXMLPrinter myapp/AndroidManifest.xml

# Option 3: Using Android Studio
# Built-in decompiler in Tools > APK Analyzer

Analyzing Manifest Content

<!-- Key elements to look for: -->

<!-- App name and version -->
<manifest android:versionCode="1" android:versionName="1.0"
    package="com.example.app">

<!-- Permissions requested -->
<uses-permission android:name="android.permission.INTERNET" />

<!-- Activities (screens) -->
<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

<!-- Services (background) -->
<service android:name=".MyService" />

<!-- Broadcast receivers -->
<receiver android:name=".MyReceiver" />

<!-- Content providers -->
<provider android:name=".MyProvider" />

<!-- Exported components -->
<activity android:name=".AdminActivity" android:exported="true" />

Advanced DEX Analysis

Reverse Conversion (JAR to DEX)

# d2j-jar2dex converts JAR back to DEX
d2j-jar2dex.sh -o modified.dex modified.jar

# Useful for:
# - Testing modifications
# - Repackaging APK
# - Testing patches

Obfuscation and String Analysis

# Extract strings from DEX
strings classes.dex | sort | uniq > strings.txt

# Look for suspicious patterns
grep -i "url\|http\|password\|key\|api" strings.txt

# Extract resources
for dex in classes*.dex; do
    strings "$dex" | grep -i "secret\|token\|encrypt"
done

Analyzing APK Structure

# APK size analysis
du -sh myapp.apk
unzip -l myapp.apk | tail -1

# DEX size
ls -lh classes.dex
ls -lh classes2.dex  # (if present)

# Large files in APK
unzip -l myapp.apk | sort -k4 -n | tail -20

Common Analysis Tasks

Finding Activities and Exports

# Extract class names from DEX
d2j-dex2jar.sh classes.dex
strings classes-dex2jar.jar | grep -E "MainActivity|Service|Provider"

# Or use apktool
apktool d myapp.apk
grep "android:name" apktool.yml

# Find exported activities
grep "exported=\"true\"" AndroidManifest.xml

Identifying Permissions Usage

# Map manifest permissions to code
apktool d myapp.apk
d2j-dex2jar.sh myapp/sources/classes.dex

# Check Java source for permission usage
grep -r "INTERNET\|CAMERA\|LOCATION" sources/

# Common suspicious permissions:
# INTERNET - Network access
# WRITE_EXTERNAL_STORAGE - File system access
# READ_CONTACTS - Personal data
# ACCESS_FINE_LOCATION - GPS location
# RECORD_AUDIO - Microphone

Finding Hardcoded Secrets

# Extract all strings
d2j-dex2jar.sh classes.dex
strings classes-dex2jar.jar > all_strings.txt

# Search for secrets
grep -i "key\|secret\|password\|token\|api" all_strings.txt

# Look for API endpoints
grep -E "http://|https://" all_strings.txt

# Check for common secret patterns
grep -E "aws_|firebase_|parse|api_key|secret_key" all_strings.txt

Workflow for Malware Analysis

#!/bin/bash
APK="$1"

echo "[*] Extracting APK..."
unzip "$APK" -d extracted_apk/
cd extracted_apk/

echo "[*] Converting DEX files..."
for dex in classes*.dex; do
    d2j-dex2jar.sh -o "${dex%.dex}.jar" "$dex"
done

echo "[*] Extracting strings..."
for dex in classes*.dex; do
    echo "=== Strings from $dex ==="
    strings "$dex" | grep -E "http|api|key|secret" > strings_$dex.txt
done

echo "[*] Analysis files created:"
echo "  - Manifests: AndroidManifest.xml"
echo "  - JAR files: classes*.jar"
echo "  - Strings: strings_classes*.txt"

echo "[*] Decompile with CFR:"
echo "  java -jar cfr.jar --outputdir src/ classes-dex2jar.jar"

Integration with Other Tools

Combined Workflow with apktool

# apktool provides more detailed analysis
apktool d myapp.apk -o myapp_src/

# Then convert DEX
d2j-dex2jar.sh myapp_src/classes.dex

# Compare results
# apktool gives decoded resources and manifest
# dex2jar gives Java decompilation

Using with Frida for Dynamic Analysis

# Static analysis (dex2jar)
d2j-dex2jar.sh classes.dex
# Use CFR to get source

# Find methods of interest
grep -r "onCreate\|onStart\|onResume" src/

# Dynamic analysis with Frida
# Hook methods identified by static analysis
frida -U -f com.example.app -l hook.js --no-pause

Troubleshooting

Conversion Failures

# DEX file corrupted
# Try with verbose output
d2j-dex2jar.sh -v classes.dex

# Specify Java options
D_JAVA_OPTIONS=-Xmx2g d2j-dex2jar.sh large_classes.dex

# May need 64-bit Java
java -version
# Should show 64-Bit Server

Decompilation Issues

# CFR options for obfuscated code
java -jar cfr.jar --codeassertions false \
    --sugarasserts false \
    --showversion false \
    classes-dex2jar.jar

# Try different decompilers if CFR fails
# procyon, jd-cli, fernflower

Large APKs

# Process each DEX separately
for dex in classes*.dex; do
    d2j-dex2jar.sh -o "${dex%.dex}.jar" "$dex"
    java -jar cfr.jar --outputdir "src_${dex}" "${dex%.dex}.jar"
done

# Combine sources
find src_* -type f -name "*.java" -exec cp {} src/ \;

Best Practices

• Always work on a copy of the APK
• Analyze permissions first in AndroidManifest.xml
• Look for exported components (security issue)
• Search strings for API endpoints and secrets
• Compare permissions to actual code usage
• Check third-party libraries (usually in separate folders)
• Use multiple decompilers if one fails
• Document suspicious activities and methods
• Verify findings dynamically when possible
• Check git history if available

Resources

• dex2jar GitHub: https://github.com/ThexXTURBOXx/dex2jar
• CFR Decompiler: https://www.benf.org/other/cfr/
• apktool: https://ibotpeaches.github.io/Apktool/
• Android Developer Docs: https://developer.android.com/

---

Last updated: 2026-03-30