Blackberry Application - Reverse Engineering

Java code compiled for the BlackBerry goes through the following steps using the tools mentioned:

 
  1. Code is compiled using the javac.exe compiler, and an application JAR file is generated. At this point, all Java methods, constructs, and classes are fair game.
  2. The preverify.exe tool is run against the generated JAR files and looks for code constructs that are not allowed in JME applications (for example, calls to Java native invocation or invalid Java instructions). The pre-verifier is used in both BlackBerry and JME development. Once the pre-verifier step completes, the classes are marked as verified.
  3. RIM’s compiler, rapc.exe, converts the verified JAR file to a BlackBerry executable COD file. Rapc is an optimizing compiler that removes symbolic information and adds RIM proprietary instructions to the binary in order to reduce size and improve performance.
  4. If the application is going to be deployed to a real device or to a simulator with security enabled, the COD file is signed using the RIM Signature Tool and the developer’s signing keys. For more details on BlackBerry code signing, see the section titled “Permissions and User Controls.”
  

Getting Dirty and Deeper into BB Apps:



The BlackBerry JVM uses an extended JME instruction set and a custom package format called a COD file. To make reversing more difficult and improve performance, RIM’s compiler removes debug information and collapses member names when compiling code. The custom instruction set and executable file format are not officially documented, and what is known is spread across the Internet in various blog posts and message boards. All these hurdles make things look pretty rough to the aspiring BlackBerry engineer.

Thankfully, some members of the reverse-engineering community have released information about COD files and some tools to disassemble BlackBerry applications. Most notable are Dr. Bolsen for his coddec tool and Stephen Lawler for updates and instructions. Coddec will do a half decompile/half disassemble on BlackBerry COD files. The disassembly is actually created by modified versions of classes that were decompiled from RIM’s rapc compiler.

Unfortunately, coddec does not come with much documentation, and getting it to build can be slightly challenging. To build and run the tool, follow these instructions, which are based on Stephen Lawler’s work:


  1. Install the Java Development Kit (JDK); these instructions are tested with JDK 1.6.0 R13. Also install the BlackBerry JDE, because coddec uses it in its disassembly.
  2. Download coddec from Dr. Bolsen’s website (http://drbolsen.wordpress.com/2008/07/14/coddec-released/) and extract the coddec archive to a local directory. For this example, we will call that directory c:\coddec.
  3. Download Stephen Lawler’s coddec patch.
  4. Apply the patch using the GNU patch command or TortoiseMerge.
  5. The patch has one mistake in it, so manually change the code c c1 = new c(l, j, i1, dataoutputstream1); in \net\rim\tools\compiler\exec\c.java to the following: c_static c1 = new c_static(l, j, i1, dataoutputstream1);
  6. Copy net_rim_api.jar from \Program Files\Research In Motion\BlackBerry JDE 4.7.0\lib to the c:\coddec directory. This file contains APIs that will be referenced by coddec.
  7. Collect a list of files by running the following command in the c:\coddec directory: dir /s /b *.java > files.txt
  8. Run the following command from a Windows command prompt that has the Java compiler in the path: for /f %x in (files.txt) do (javac.exe -Xlint:unchecked -cp .\;c:\coddec %x). This command compiles all of the files. There will be lots of warnings (about 100) but there should be no errors.
  9. Run coddec from the command prompt in the c:\coddec directory by typing java -cp . net.rim.tools.compiler.Compiler HelloWorld.cod. HelloWorld.cod is the name of the COD file to be decompiled.
  10. The results will be output into the c:\coddec\decompiled directory.

Coddec’s output is a combination of decompilation and disassembly of files.
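The build-and-run procedure above, steps 5 through 10, automated in one script. This is an added example, not part of Dr. Bolsen's or Stephen Lawler's coddec; it assumes the c:\coddec directory and the JDE 4.7.0 lib path named in the steps, that the patch has already been applied, and that javac.exe and java are on the PATH. The helper names (fix_patch_typo, javac_command, and so on) are hypothetical.

```python
"""Automate coddec build steps 5-10 (added example; not coddec's own code)."""
import shutil
import subprocess
from pathlib import Path

CODDEC_DIR = Path(r"c:\coddec")          # extraction directory from step 2 (assumed)
JDE_LIB = Path(r"C:\Program Files\Research In Motion\BlackBerry JDE 4.7.0\lib")
PATCH_BUG_FILE = CODDEC_DIR / "net" / "rim" / "tools" / "compiler" / "exec" / "c.java"


def fix_patch_typo(source: str) -> str:
    """Step 5: the patched c.java instantiates the wrong class on one line.
    The replacement is idempotent, so re-running the script is safe."""
    return source.replace(
        "c c1 = new c(l, j, i1, dataoutputstream1);",
        "c_static c1 = new c_static(l, j, i1, dataoutputstream1);",
    )


def collect_java_files(root: Path) -> list:
    """Step 7: the equivalent of `dir /s /b *.java`, as a sorted list of paths."""
    return sorted(str(p) for p in root.rglob("*.java"))


def javac_command(src: str, root: Path = CODDEC_DIR) -> list:
    """Step 8: the per-file javac invocation, with the classpath the steps use."""
    return ["javac.exe", "-Xlint:unchecked", "-cp", f".;{root}", src]


def compile_sources(files: list, root: Path = CODDEC_DIR) -> None:
    """Step 8: warnings are expected (about 100); a non-zero exit is a real error."""
    for src in files:
        result = subprocess.run(javac_command(src, root), cwd=root,
                                capture_output=True, text=True)
        if result.returncode != 0:
            raise RuntimeError(f"javac failed on {src}:\n{result.stderr}")


def run_coddec(cod_file: str, root: Path = CODDEC_DIR) -> Path:
    """Steps 9-10: disassemble one COD file; output lands in root\\decompiled."""
    subprocess.run(["java", "-cp", ".", "net.rim.tools.compiler.Compiler", cod_file],
                   cwd=root, check=True)
    return root / "decompiled"


def build_and_run(cod_file: str) -> Path:
    PATCH_BUG_FILE.write_text(fix_patch_typo(PATCH_BUG_FILE.read_text()))
    shutil.copy(JDE_LIB / "net_rim_api.jar", CODDEC_DIR)      # step 6
    compile_sources(collect_java_files(CODDEC_DIR))
    return run_coddec(cod_file)


if __name__ == "__main__":
    import sys
    print(build_and_run(sys.argv[1]))   # e.g. HelloWorld.cod
```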
