Android learning experience (16) --- Dex file structure instance parsing (2), androiddex

Source: Internet
Author: User

I posted some of my Android learning experiences on my blog, hoping to help you.
This article describes how to analyze the structure and composition of a dex file using a concrete example.

Android learning experience (5) --- dex data type LEB128
Android learning experience (15) --- Dex file structure analysis (1)
Android learning experience (4) --- writing and running smali files on a Mac with the baksmali tool

1. Compile

A small example is used to analyze the composition of the dex file.

Create a Hello.java file with the following contents; this is the sample we used earlier.

    public class Hello {
        public static void main(String[] argc) {
            System.out.println("Hello world");
        }
    }

Compile it into a .class file, then convert that into a .dex file.


Open the result in 0xED (a hex editor) to view it.

2. Header

We parse it using the Dex Header structure from the previous article.
Take the first 0x70 bytes of the dex file (the header), look up each field, and fill in the table.

First 0x70 data
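As an added example (not code from the original article), this Python snippet parses the 0x70-byte header and the MapList it points to, then performs the header/MapList consistency check made later in section 9. The sample file is constructed here from the sizes and offsets this article reads out of Hello.dex; checksum, signature and data_size are placeholders.

```python
import struct

# Names of the twenty u4 fields that follow magic[8], checksum and signature[20].
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)

def parse_header(buf):
    """Parse the 0x70-byte dex header into a dict; reject input that is not a dex."""
    if len(buf) < 0x70 or buf[:4] != b"dex\n" or buf[7] != 0:
        raise ValueError("not a dex file")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", buf, 0x20)))
    if hdr["header_size"] != 0x70 or hdr["endian_tag"] != 0x12345678:
        raise ValueError("unexpected header_size or endian_tag")
    return hdr

def parse_map_list(buf, map_off):
    """Return {item_type: (size, offset)} for the map_list at map_off."""
    (count,) = struct.unpack_from("<I", buf, map_off)
    items = {}
    for i in range(count):
        typ, _unused, size, off = struct.unpack_from("<HHII", buf, map_off + 4 + 12 * i)
        items[typ] = (size, off)
    return items

def cross_check(hdr, items):
    """The check made in section 9: header section sizes/offsets agree with the MapList."""
    sections = {0x0001: "string_ids", 0x0002: "type_ids", 0x0003: "proto_ids",
                0x0004: "field_ids", 0x0005: "method_ids", 0x0006: "class_defs"}
    return all(items.get(t) == (hdr[n + "_size"], hdr[n + "_off"]) for t, n in sections.items())

# Constructed sample file: sizes and offsets are the ones this article reads out of
# Hello.dex; checksum, signature and data_size are placeholders, not real values.
MAP_OFF = 0x240
_items = [(0x0000, 1, 0x0), (0x0001, 14, 0x70), (0x0002, 7, 0xA8), (0x0003, 3, 0xC4),
          (0x0004, 1, 0xE8), (0x0005, 4, 0xF0), (0x0006, 1, 0x110), (0x1000, 1, MAP_OFF)]
_map = struct.pack("<I", len(_items)) + b"".join(struct.pack("<HHII", t, 0, s, o) for t, s, o in _items)
_size = MAP_OFF + len(_map)
_header = (b"dex\n035\0" + bytes(4) + bytes(20) +
           struct.pack("<20I", _size, 0x70, 0x12345678, 0, 0, MAP_OFF, 14, 0x70, 7, 0xA8,
                       3, 0xC4, 1, 0xE8, 4, 0xF0, 1, 0x110, _size - 0x130, 0x130))
SAMPLE_DEX = _header + bytes(MAP_OFF - 0x70) + _map
```

Run against a real file, read it with `open(path, "rb").read()` in place of SAMPLE_DEX; a mismatch from cross_check is a sign of a tampered or corrupt header.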



3. MapList

In the Header, map_off points to the MapList structure.
The MapList structure is defined in section 4; we look it up and fill in the table.

map_off holds the offset 0x0240. The first field at that address is the number of map_items: 0x000D (14).


4. string_id_item

First, from the MapList we can see that there are 14 string_id_items, starting at 0x70.

We read the 14 strings from 0x176 and 0x17E respectively, and fill in the table.

5. type_id_item

In the MapList we can see that there are 7 type_id_items, starting at 0xA8.

Because each entry is an index into string_ids, we look it up in the string_id_item table to obtain the descriptor string.

6. proto_id_item

Look at proto_id_item: there are 3, starting at 0xC4.

Using the proto_id_item structure, fill in the table.

7. field_id_item

We can check field_id_item in the MapList: there is 1, starting at 0xE8.

Using the field_id_item structure, fill in the table.

8. method_id_item

In the MapList we can see 4 method_id_items, starting at 0xF0.

Using the description of method_id_item from the previous article, fill in the table.

9. class_def_item

We can check class_def_item in the MapList: there is 1, starting at 0x110.

Using the DexClassDef structure from the previous article, we fill in the table.

We can see that class_def_item in the MapList does indeed have the same offset address and count.

Because DexClass.h defines these u4 fields as LEB128-encoded,

the two direct methods that follow are read as LEB128 values:

The first one is: 00 81 80 04 B0 02

Analyze the code_item structure starting at 0x130.



The analysis logic is as follows:

(1) In the Dalvik VM Instruction Format, the opcode is the low 8 bits of the first 16-bit unit; here op = 0x70.
(2) Look up the syntax and format in Bytecode for Dalvik VM: syntax = invoke-direct, format = 35c.
(3) Look up 35c in the Dalvik VM Instruction Format: the instructions with op = 0x70 occupy 2 16-bit units, and the format is B|A|op CCCC G|F|E|D, where B = 1 and A = 0. We find [B = 1] op {vD}, kind@CCCC, with CCCC = 3 and D = 0 as read above. The opcode 0E corresponds to return-void.

The command is as follows:

    invoke-direct {v0}, Ljava/lang/Object;.<init>:()V
    return-void

The second is: 01 09 C8 02
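The two encoded_method entries above can be decoded mechanically. This added Python example (not part of the original article) implements the uleb128 reader and walks both entries, recovering method_idx, access_flags and code_off; the access-flag names are a small subset of the dex flag set, added here for readability.

```python
# Read the encoded_method entries of class_data_item, whose fields are uleb128.

def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 value at pos; return (value, position after it).
    Dex caps uleb128 at 5 bytes for a u4, so a longer run is treated as malformed."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or over-long uleb128 at offset %d" % pos)
        byte = buf[pos]
        result |= (byte & 0x7F) << shift
        pos += 1
        if not byte & 0x80:
            return result, pos
        shift += 7

# Subset of access flags; 0x10000 (ACC_CONSTRUCTOR) is why 81 80 04 takes three bytes.
ACCESS_FLAGS = {0x0001: "public", 0x0008: "static", 0x10000: "constructor"}

def decode_encoded_methods(buf, pos, count):
    """Decode `count` encoded_method entries: method_idx_diff, access_flags, code_off.
    method_idx is cumulative (each diff is added to the previous method's index)."""
    methods, method_idx = [], 0
    for _ in range(count):
        diff, pos = read_uleb128(buf, pos)
        flags, pos = read_uleb128(buf, pos)
        code_off, pos = read_uleb128(buf, pos)
        method_idx += diff
        methods.append({
            "method_idx": method_idx,
            "access_flags": flags,
            "flag_names": [n for bit, n in ACCESS_FLAGS.items() if flags & bit],
            "code_off": code_off,
        })
    return methods, pos

# The two direct_methods entries quoted in this article, concatenated as one byte string.
DIRECT_METHODS = bytes.fromhex("00 81 80 04 B0 02 " "01 09 C8 02")
```

Decoding yields code_off 0x130 for the public constructor and 0x148 for the public static main, the two code_item offsets analysed below.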

Analyze the code_item structure starting at 0x148.



The analysis logic is as follows:

(1) In the Dalvik VM Instruction Format, the opcode is the low 8 bits of the first 16-bit unit; here op = 0x62.
(2) Look up the syntax and format in Bytecode for Dalvik VM: syntax = sget-object, format = 21c.
(3) Look up 21c in the Dalvik VM Instruction Format: the instructions with op = 0x62 occupy two 16-bit units, and the format is AA|op BBBB, where AA = 00 and BBBB = 0.

The command is as follows:

    sget-object v0, Ljava/lang/System;.out:Ljava/io/PrintStream;

Continue

(1) In the Dalvik VM Instruction Format, the opcode is the low 8 bits of the first 16-bit unit; here op = 0x1A.
(2) Look up the syntax and format in Bytecode for Dalvik VM: syntax = const-string vAA, string@BBBB, format = 21c.
(3) Look up 21c in the Dalvik VM Instruction Format: the instructions with op = 0x1A occupy 2 16-bit units, and the format is const-string vAA, string@BBBB, where AA = 01 and BBBB = 1.

The command is as follows:

    const-string v1, "Hello World!"

Continue

(1) In the Dalvik VM Instruction Format, the opcode is the low 8 bits of the first 16-bit unit; here op = 0x6E.
(2) Look up the syntax and format in Bytecode for Dalvik VM: syntax = invoke-virtual, format = 35c.
(3) Look up 35c in the Dalvik VM Instruction Format: the instructions with op = 0x6E occupy two 16-bit units, and the format is B|A|op CCCC G|F|E|D, where B = 2, CCCC = 2, E = 1 and D = 0. Format: [B = 2] op {vD, vE}, kind@CCCC.

The command is as follows:

    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void

Final analysis of the core code:

    invoke-direct {v0}, Ljava/lang/Object;.<init>:()V
    sget-object v0, Ljava/lang/System;.out:Ljava/io/PrintStream;
    const-string v1, "Hello World!"
    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void
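The three instruction formats walked through above (10x, 21c and 35c) are small enough to decode in code. This added Python example (not from the original article) parses a code_item header and decodes its 16-bit units into mnemonics and operands; the code units are constructed from the field values this article derives, and the code_item header fields other than registers_size and insns_size are assumed values.

```python
import struct

# Opcode -> (mnemonic, format id, kind of constant pool index) for the opcodes met here.
OPCODES = {
    0x0E: ("return-void", "10x", None),
    0x1A: ("const-string", "21c", "string"),
    0x62: ("sget-object", "21c", "field"),
    0x6E: ("invoke-virtual", "35c", "meth"),
    0x70: ("invoke-direct", "35c", "meth"),
}

def parse_code_item(buf, off):
    """Read a code_item header at off and return (registers_size, insns as a list of 16-bit units)."""
    registers, _ins, _outs, _tries, _debug_off, insns_size = struct.unpack_from("<HHHHII", buf, off)
    units = struct.unpack_from("<%dH" % insns_size, buf, off + 16)
    return registers, list(units)

def decode_insns(units):
    """Decode 16-bit code units into (mnemonic, operands) using the formats from the article."""
    out, i = [], 0
    while i < len(units):
        op = units[i] & 0xFF                    # opcode is the low byte of the first unit
        if op not in OPCODES:
            raise ValueError("opcode 0x%02X at unit %d is not handled here" % (op, i))
        name, fmt, kind = OPCODES[op]
        if fmt == "10x":                        # 00|op: one unit, no operands
            out.append((name, ""))
            i += 1
        elif fmt == "21c":                      # AA|op BBBB: register vAA, index BBBB
            aa, bbbb = units[i] >> 8, units[i + 1]
            out.append((name, "v%d, %s@%d" % (aa, kind, bbbb)))
            i += 2
        else:                                   # 35c: B|A|op CCCC G|F|E|D (three units)
            b_count, a_reg, cccc = units[i] >> 12, (units[i] >> 8) & 0xF, units[i + 1]
            regs = [(units[i + 2] >> (4 * n)) & 0xF for n in range(4)] + [a_reg]  # D,E,F,G,A
            arg_list = ", ".join("v%d" % r for r in regs[:b_count])
            out.append((name, "{%s}, %s@%d" % (arg_list, kind, cccc)))
            i += 3
    return out

# Constructed code_item for main(), with the unit values this article derives
# (62 00 00 00 | 1A 01 01 00 | 6E 20 02 00 10 00 | 0E 00); ins/outs/debug_info_off are assumed.
MAIN_UNITS = [0x0062, 0x0000, 0x011A, 0x0001, 0x206E, 0x0002, 0x0010, 0x000E]
MAIN_CODE_ITEM = struct.pack("<HHHHII", 3, 1, 2, 0, 0, len(MAIN_UNITS)) + struct.pack("<8H", *MAIN_UNITS)
# <init>(): 70 10 03 00 00 00 | 0E 00
INIT_UNITS = [0x1070, 0x0003, 0x0000, 0x000E]
```

The operands come out as raw pool indices (meth@2, string@1); resolving them through the method_id_item and string_id_item tables filled in earlier gives the symbolic form shown above.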

Comparison with the smali file generated by baksmali:

.class public LHello;
.super Ljava/lang/Object;
.source "Hello.java"

# direct methods
.method public constructor <init>()V
    .registers 1
    .prologue
    .line 1
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method public static main([Ljava/lang/String;)V
    .registers 3
    .prologue
    .line 3
    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello world!"
    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    .line 4
    return-void
.end method

The core code is the same, so the analysis is correct.

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.
