# \[2] Perform static analysis to locate some functions of interest

To begin the static analysis phase, we will need a copy of our APK file to serve as our specimen. There are a number of ways to obtain this:

* Extract a sample from the device directly (see [guide here](/other-processes/extracting-apk-specimen-from-the-device.md))
* Work with the acquired device data.
* Note the version from your acquired content and download that version from a website (like [APKPure](https://www.apkpure.com))

{% hint style="info" %}
In our lab, the specimen has already been obtained and can be found in the lab directory under "APKs".
{% endhint %}

Let's fire up [jadx gui](https://github.com/skylot/jadx/releases/). This is a free reverse engineering tool for Android APKs. It requires Java Runtime Environment (JRE) 8 to be installed, but is also available prepackaged in a version that includes it. The releases page for jadx can be found [here](https://github.com/skylot/jadx/releases). Look for the download ending with "-with-jre-windows.zip".

Once launched, it will give you the following Open File dialog. If you downloaded the lab kit, look in the folder called 'APKs'. Double click to open the APK.

![](/files/-M4FE1wYFSDV_4KZx2iK)

Once loaded, you can begin browsing through the list of classes on the left-hand side. You will see lots of entries beginning with 'android', 'com.facebook', etc. Many of these come from libraries used by the app. Rather than sifting through this list manually, we will use the clues we established in Lab 1 to point us in the right direction.

To open up the text search window, press CTRL+SHIFT+F or select it from the Navigation menu.

![](/files/-M6VQY9W6gqKla2Zbv4Y)

The first time you open the text search, it will take some time as the app has to perform APK-wide decompilation. When finished, we are ready to start searching for our suspects.

Let's search for some values from [lab 1.2](/lab/1-lab-setup-and-initial-app-exploration/1.2-review-files-in-the-app-data-directory.md), starting with `pin`

![](/files/-M6VeCafe-XVTv2kE7y4)

So we do get hits, but... 3k is a lot to go through and, as you can see, there are a significant number of false positives. So, what do we do? Well, in our case the key for the pin is a string. In Java, strings are enclosed in double quotes. Let's modify our search to include the double quotes and see how we do on results:

![](/files/-M6Vez3pqVBNelfMY6k5)

Much better. Now, instead of "android.support" (and many others) we are seeing only classes from within the "com.github.browep.privatephotovault" namespace and, if we look at the **Code** side of the view, we can see some super interesting stuff.
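The same narrowing can be done over jadx's decompiled output with a script, which helps when there are many APKs or many candidate keys to check. This is an added example, not part of the original lab or of jadx; it assumes the sources were exported with the jadx CLI (`jadx -d out app.apk`), and the sample sources embedded below are constructed to stand in for that output.

```python
import re
from pathlib import Path

# Constructed stand-in for a jadx output tree (what `jadx -d out app.apk` writes):
# path relative to the sources root -> decompiled Java text.
SAMPLE_SOURCES = {
    "android/support/v4/app/Fragment.java":
        "public class Fragment {\n    void pinToParent() { boolean pinned = true; }\n}",
    "com/github/browep/privatephotovault/crypto/CryptoUtils.java":
        "public class CryptoUtils {\n"
        "    static boolean pinsMatch(String a, String b) { return a.equals(b); }\n"
        '    static String stored(SharedPreferences p) { return p.getString("pin", null); }\n'
        "}",
    "com/github/browep/privatephotovault/ui/PinActivity.java":
        'public class PinActivity {\n    static final String KEY = "pin";\n    int pinLength = 4;\n}',
}


def load_sources(root):
    """Read every .java file under a jadx output directory into the same dict shape."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): p.read_text(errors="replace")
            for p in root.rglob("*.java")}


def package_of(path):
    """'com/github/.../CryptoUtils.java' -> 'com.github....' (the declaring package)."""
    return ".".join(path.split("/")[:-1])


def count_hits(sources, needle, literal_only=False):
    """Per-file hit counts. literal_only=True mimics searching with the quotes included,
    so only whole Java string literals "needle" count; otherwise any substring matches,
    like the default (case-insensitive) jadx text search."""
    if literal_only:
        pat = re.compile('"' + re.escape(needle) + '"')
    else:
        pat = re.compile(re.escape(needle), re.IGNORECASE)
    hits = {path: len(pat.findall(text)) for path, text in sources.items()}
    return {path: n for path, n in hits.items() if n}


def triage(sources, needle, app_namespace):
    """String-literal hits restricted to the app's own package tree. Library packages
    (android.*, com.facebook.*, ...) drop out, leaving the leads worth opening in jadx-gui."""
    return {path: n for path, n in count_hits(sources, needle, literal_only=True).items()
            if package_of(path).startswith(app_namespace)}


if __name__ == "__main__":
    for path, n in triage(SAMPLE_SOURCES, "pin", "com.github.browep.privatephotovault").items():
        print(f"{n:3d}  {path}")
```

On a real export, replace `SAMPLE_SOURCES` with `load_sources("out/sources")` and the namespace with the app's package from its manifest.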

At this point, we have developed some leads to investigate using static analysis.

Looking at the list, in the class `CryptoUtils`, we see two calls to a function called `pinsMatch`, so let's check that out by double clicking on the result and then right clicking and choosing "go to declaration".

![](/files/-M6Vg8-HacSyiA_g6zm6)

{% hint style="warning" %}
In this case, it turns out the target function is only a few lines away! But, **Go to declaration** is capable of looking across the whole APK and can be very useful.
{% endhint %}

![](/files/-M6VgR2SNwCCwfPhkZed)

Alright, so there are a couple of things happening here. However, rather than working to develop a full understanding first and testing later, let's dive into some DBI (dynamic binary instrumentation) to give us a bit of a roadmap to follow.

{% hint style="info" %}
Unlike many APKs, this one is not obfuscated. Were it obfuscated, instead of seeing `com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch` we might see `a.b.a.c.d.d.a`.

If this happens, all is not lost, we simply have more work to do in terms of static analysis. Dealing with obfuscation is out of scope for this lab, but rest assured it's still very doable.
{% endhint %}
