This article was written by iChunqiu (i春秋) author Hai_zhu.
0x00 Preface
Most of the material available covers dumping in Dalvik mode, so this article walks through a dump in ART mode.
Dalvik is the runtime up to Android 4.4; from Android 5.0 on the runtime is ART. For the details of the two runtimes, search the web; if something in the article is unclear, look back at the relevant part. If you have questions, you can message me privately.
Enough preamble; straight to the procedure.
Content: dynamically dumping the dex file of a demo app
Environment
1. System: Xiaomi, Android 9.0
2. IDA 7.0
0x01 Dynamically dumping the dex file of a demo app
1. Start IDA's debugger listener
1.1 Start the android_server service
1.2 Forward the port
1.3 Put the app into debug mode
2. Attach in IDA
2.1 Attach to the process
2.2 Tick the three options
2.3 Select the process
2.4 Open the Modules window
Search for "art"
PS: a bit of background
Up to Android 4.4 the runtime functions live in libdvm.so.
From Android 5.0 on they live in libart.so.
2.5 Open the OpenMemory() function
Search libart.so for the OpenMemory function and follow it.
PS: a bit of background
In general the dex is loaded through this function, but there is a catch, discussed later.
2.6 Set a breakpoint
3. Run the program to the breakpoint
3.1 Resume the program with jdb
3.2 Check IDA
The breakpoint hit: execution stopped at the place where we set it.
3.3 Locating the dex
Open the Registers window: R1 points to our dex.
Then open R1 in the Hex View window.
The binary structure of a dex file is plainly visible (it begins with the dex magic). If this is unfamiliar, see the earlier dex file analysis article.
3.4 Extracting the key information
First key item: the dex base address, 0xf35ca328.
Second key item: the file_size field of the dex header (at offset 0x20), stored little-endian as 70 35 01 00, which converts to 0x00013570.
Add the two in hex: 0xf35ca328 + 0x00013570 = 0xf35dd898, the end address of the dex.
4. Dump
4.1 Dump with an IDC script
static main(void)
{
    auto fp, begin, end, dexbyte;
    // open or create the output file
    fp = fopen("D:\\dump.dex", "wb");
    // dex base address: the value read from R1 in step 3.3
    // (it differs between runs, so replace it with the value you see)
    begin = 0xf34c6320;
    // dex base + dex file size (the file_size field of the dex header)
    end = begin + 0x00013570;
    for (dexbyte = begin; dexbyte < end; dexbyte++)
    {
        // dump it into the local file byte by byte
        fputc(Byte(dexbyte), fp);
    }
    fclose(fp);
}
4.2 Run the dump script
Once the script is written, click Run.
4.3 Dump succeeded
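The same computation and dump as steps 3.4 and 4.1, as an added Python example that is not part of the original article: it works on a snapshot of the mapped memory (here a constructed byte string, laid out so the dex sits at 0xf35ca328 with file_size 0x13570 as in the screenshots) instead of calling IDA, checks the dex magic before trusting R1, reads file_size from header offset 0x20, and, going beyond the article's single dex, scans the region for every dex header so a multidex app is not missed. The names carve_dex, find_dex_headers, dump_range, SNAPSHOT_BASE and MEMORY are this example's own. Inside IDA the snapshot would come from idc.get_bytes(ea, size) (IDA 7.x IDAPython); it is not used here so that the script runs offline.

```python
import struct

# dex magics across versions; the article's dex starts with "dex\n035\0"
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
HEADER_SIZE = 0x70      # sizeof(DexHeader)
FILE_SIZE_OFF = 0x20    # offset of file_size inside the header
HEADER_SIZE_OFF = 0x24  # offset of header_size inside the header


def dex_file_size(header):
    """Read the little-endian file_size field (the "70 35 01 00" of step 3.4)."""
    return struct.unpack_from("<I", header, FILE_SIZE_OFF)[0]


def carve_dex(mem, mem_base, dex_addr):
    """Return the dex that starts at dex_addr, taken from a memory snapshot
    whose first byte lives at mem_base. Mirrors the IDC loop:
    begin = dex base, end = begin + file_size."""
    off = dex_addr - mem_base
    if off < 0 or off + HEADER_SIZE > len(mem):
        raise ValueError("0x%x is outside the snapshot" % dex_addr)
    if mem[off:off + 8] not in DEX_MAGICS:
        raise ValueError("no dex magic at 0x%x" % dex_addr)
    size = dex_file_size(mem[off:off + HEADER_SIZE])
    if size < HEADER_SIZE or off + size > len(mem):
        raise ValueError("file_size 0x%x does not fit in the snapshot" % size)
    return mem[off:off + size]


def find_dex_headers(mem, mem_base):
    """Addresses of every dex magic in the snapshot; multidex apps map several."""
    hits = []
    pos = mem.find(b"dex\n0")
    while pos != -1:
        if mem[pos:pos + 8] in DEX_MAGICS:
            hits.append(mem_base + pos)
        pos = mem.find(b"dex\n0", pos + 1)
    return hits


def fake_dex(version, body):
    """Constructed sample: a header with magic, file_size and header_size, plus a
    body. Only the fields this script reads are filled in; it is not loadable."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<I", header, FILE_SIZE_OFF, HEADER_SIZE + len(body))
    struct.pack_into("<I", header, HEADER_SIZE_OFF, HEADER_SIZE)
    return bytes(header) + body


# Constructed snapshot laid out like the article's run: the main dex at
# 0xf35ca328 with file_size 0x13570, and a second (multidex) dex after it.
SNAPSHOT_BASE = 0xf35c0000
DEX_A = fake_dex(b"035", b"A" * (0x13570 - HEADER_SIZE))
DEX_B = fake_dex(b"038", b"B" * 0x100)
MEMORY = b"\0" * 0xa328 + DEX_A + b"\xff" * 0x10 + DEX_B + b"\0" * 0x1000
DEX_ADDR = 0xf35ca328   # the value read from R1 in step 3.3


def dump_range(mem, mem_base, dex_addr):
    """(begin, end) exactly as step 3.4 computes them."""
    blob = carve_dex(mem, mem_base, dex_addr)
    return dex_addr, dex_addr + len(blob)


if __name__ == "__main__":
    begin, end = dump_range(MEMORY, SNAPSHOT_BASE, DEX_ADDR)
    print("dex spans 0x%x-0x%x" % (begin, end))   # 0xf35ca328-0xf35dd898
    for i, addr in enumerate(find_dex_headers(MEMORY, SNAPSHOT_BASE)):
        with open("dump%d.dex" % i, "wb") as fp:
            fp.write(carve_dex(MEMORY, SNAPSHOT_BASE, addr))
```

The magic check matters in practice: if R1 happens not to point at the header (a different OpenMemory argument order, or a breakpoint on the wrong function), a blind begin/end loop silently writes garbage, whereas this version refuses. The file_size bound also catches a header whose size field was zeroed or altered, which some packers do precisely to defeat this kind of dump.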
0x02 Follow-up
The dumped dex still differs slightly from the original and needs some repair. What that repair involves is still being worked out; if an expert passing by can offer a pointer or two, I would be grateful.
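One concrete part of the repair, as an added Python example and not the author's method (which the article leaves open): a dumped dex usually fails header validation because file_size, the Adler-32 checksum at offset 8 (computed over everything from offset 12 to the end) and the SHA-1 signature at offset 12 (computed over everything from offset 32 to the end) no longer match the bytes. The script reports which fields disagree and rewrites them in the right order: file_size first, then the signature (which covers file_size), then the checksum (which covers the signature). It does not undo anything the runtime changed inside the dex body. The sample dex is constructed inline, and the names check_header, fix_header and dumped_sample are this example's own.

```python
import hashlib
import struct
import zlib

CHECKSUM_OFF = 8     # uint32 Adler-32 over dex[12:]
SIGNATURE_OFF = 12   # 20-byte SHA-1 over dex[32:]
FILE_SIZE_OFF = 0x20


def dex_checksum(dex):
    """Adler-32 over everything after the checksum field."""
    return zlib.adler32(dex[SIGNATURE_OFF:]) & 0xffffffff


def dex_signature(dex):
    """SHA-1 over everything after the signature field."""
    return hashlib.sha1(dex[FILE_SIZE_OFF:]).digest()


def check_header(dex):
    """Names of the header fields that disagree with the bytes (empty = consistent)."""
    problems = []
    if dex[:4] != b"dex\n":
        problems.append("magic")
    if struct.unpack_from("<I", dex, FILE_SIZE_OFF)[0] != len(dex):
        problems.append("file_size")
    if dex[SIGNATURE_OFF:FILE_SIZE_OFF] != dex_signature(dex):
        problems.append("signature")
    if struct.unpack_from("<I", dex, CHECKSUM_OFF)[0] != dex_checksum(dex):
        problems.append("checksum")
    return problems


def fix_header(dex):
    """Rewrite file_size, then signature, then checksum; each covers the previous."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, FILE_SIZE_OFF, len(buf))
    buf[SIGNATURE_OFF:FILE_SIZE_OFF] = dex_signature(buf)
    struct.pack_into("<I", buf, CHECKSUM_OFF, dex_checksum(buf))
    return bytes(buf)


def dumped_sample():
    """Constructed stand-in for a dump: magic and layout fields filled in, but
    the checksum and signature are still zero (not what the bytes hash to) and
    file_size is stale. It is not a loadable dex; only the header is realistic."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\0"
    struct.pack_into("<I", header, FILE_SIZE_OFF, 0x200)   # stale: real size is 0x170
    struct.pack_into("<I", header, 0x24, 0x70)             # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)       # endian_tag
    body = bytes(range(256))
    return bytes(header) + body


if __name__ == "__main__":
    dumped = dumped_sample()
    print("before:", check_header(dumped))    # ['file_size', 'signature', 'checksum']
    repaired = fix_header(dumped)
    print("after: ", check_header(repaired))  # []
    with open("dump_fixed.dex", "wb") as fp:
        fp.write(repaired)
```

Run check_header on the file produced in step 4.3 before and after fix_header; if problems remain after the fix (a wrong magic, or a file_size that still disagrees because the dump was truncated), the dump itself needs to be redone rather than the header patched.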
Android reverse engineering step by step: the art of unpacking (dumping in ART mode)