This article uses the Dex file generated in the previous article as an example to explain the structure of a Dex file. The file is very simple: it contains only one Helloworld.java.
For the basic format of a Dex file, please refer to the official documentation. Here we decompose the content of the file against the components that the Dex format defines.
1. File header
Name: header | Format: header_item | Description: the header
The contents of the header section of the Dex file above are as follows:
0A 5B D6 D3 44f7 00 E9 D6 9A 3E 6D EF F9 70 00 00 00 78 5----FA98 02 00 6 the 0000 of the XX, XX, 0C, xx, xx, 0006, xx, xx, A0, XX, 00, 00 00 0001 xx D0 xx xx D8 xx 0001 xx xx F8 00 00 00 80 01 00 00 18 01 00 00
Now let's break down the contents of the header section:
64 65 78 0A 30 33 35 00
This part is the dex_magic value. Read as ASCII it is "dex 035", with a newline (0A) after "dex" and a trailing NUL byte (00).
5B 33 08
This section is the checksum. The logic that calculates it is shown in the following code:

    import java.io.UnsupportedEncodingException;
    import java.util.zip.Adler32;

    // Class field that receives a copy of the four checksum bytes.
    private static final byte[] checksum = new byte[4];

    private static void calcChecksum(byte[] bytes) {
        // Adler-32 over everything after the magic and the checksum field itself.
        Adler32 a32 = new Adler32();
        a32.update(bytes, 12, bytes.length - 12);
        int sum = (int) a32.getValue();
        // Little-endian copy of the checksum.
        checksum[0] = (byte) sum;
        checksum[1] = (byte) (sum >> 8);
        checksum[2] = (byte) (sum >> 16);
        checksum[3] = (byte) (sum >> 24);
        try {
            String decoded = new String(checksum, "UTF-8");
            System.out.println(decoded);
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        // Write the checksum into header bytes 8-11.
        bytes[8] = (byte) sum;
        bytes[9] = (byte) (sum >> 8);
        bytes[10] = (byte) (sum >> 16);
        bytes[11] = (byte) (sum >> 24);
    }

The parameter bytes[] is the byte stream of the Dex file. The computed value is written back into the bytes array at indices 8-11.
D6 D3 F7 E9 D6 9A 3E 6D (EF F992) FA
This section is the SHA-1 signature. The logic for calculating the signature is as follows:

    import java.security.DigestException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    private static void calcSignature(byte[] bytes) {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException ex) {
            throw new RuntimeException(ex);
        }
        // Hash everything after the magic, checksum and signature fields.
        md.update(bytes, 32, bytes.length - 32);
        try {
            // Write the 20-byte digest into header bytes 12-31.
            int amt = md.digest(bytes, 12, 20);
            if (amt != 20) {
                throw new RuntimeException("unexpected digest write: " + amt + " bytes");
            }
        } catch (DigestException ex) {
            throw new RuntimeException(ex);
        }
    }

98 02 00 00
This section is the file size: 0x0298 = 664 bytes
70 00 00 00
This part is the size of the header, 112 bytes
78 56 34 12
This part is the endianness tag. This Dex file is little-endian, because the corresponding value is 0x12345678. The constants are defined as follows:

    uint ENDIAN_CONSTANT = 0x12345678;
    uint REVERSE_ENDIAN_CONSTANT = 0x78563412;

00 00 00 00 00 00 00 00
These eight zero bytes are the link_size and link_off fields, which are mainly used for statically linked files. This Dex file is not statically linked, so both are 0.
04 02 00 00
This section is the map_off field. Its value is 0x204, which is 516: the offset of the map_list relative to the start of the file. The map_list is a description of the entire Dex file, divided into different types, including headers, strings, types, function prototypes, classes, code, and so on. It is in fact partly redundant with the information in the header, and is mainly used for validation after the Dex file has been generated: once the dx process has generated the Dex file, it validates the Dex against the content of the map_list, which is covered later in the discussion of the dx process.
0C 00 00 00 70 00 00 00
This section is string_ids_size and string_ids_off, each occupying four bytes.
As with the map_list, strings also have a string_list. The two values above give the number of strings and the offset of the string_list.
The rest of the header section holds the length of each list and its corresponding offset, such as type_ids_size and type_ids_off, which point to the type_list, and likewise for the proto_list, field_list, method_list, code_item_list, class_def_item_list and data_list. These lists contain the program's string information, function prototypes, fields, function descriptions, class descriptions, and so on; together they make up all of the program's contents.
The analysis of the Dex header is now basically complete. The header describes the entire Dex file and is also the index to the contents of the file. Once you have mastered the header section, you can continue to analyze the other parts, such as the method_list and the code_item_list.
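The header checks described above (magic, endian tag, file size, SHA-1 signature over bytes 32 onward, Adler-32 checksum over bytes 12 onward), as an added Python example that is not part of the original article or of dx. The sample file is constructed inline (a header plus four data bytes), and the names parse_header, verify, seal and sample_dex are assumptions of this example.

```python
import hashlib
import struct
import zlib

# header_item layout: magic[8], checksum, signature[20], then 20 uint fields.
HEADER_FMT = "<8sI20s20I"  # little-endian, 112 (0x70) bytes in total
FIELDS = ("file_size header_size endian_tag link_size link_off map_off "
          "string_ids_size string_ids_off type_ids_size type_ids_off "
          "proto_ids_size proto_ids_off field_ids_size field_ids_off "
          "method_ids_size method_ids_off class_defs_size class_defs_off "
          "data_size data_off").split()

def parse_header(dex: bytes) -> dict:
    if len(dex) < struct.calcsize(HEADER_FMT):
        raise ValueError("input is shorter than the 112-byte header")
    magic, checksum, signature, *rest = struct.unpack_from(HEADER_FMT, dex)
    return dict(zip(FIELDS, rest), magic=magic, checksum=checksum,
                signature=signature)

def verify(dex: bytes) -> list:
    """Return the list of header inconsistencies (empty list = consistent)."""
    h, problems = parse_header(dex), []
    if h["magic"][:4] != b"dex\n" or h["magic"][7:] != b"\0":
        problems.append("bad magic")
    if h["endian_tag"] != 0x12345678:
        problems.append("unexpected endian_tag")
    if h["file_size"] != len(dex):
        problems.append("file_size mismatch")
    if hashlib.sha1(dex[32:]).digest() != h["signature"]:  # stored at 12-31
        problems.append("signature mismatch")
    if zlib.adler32(dex[12:]) != h["checksum"]:            # stored at 8-11
        problems.append("checksum mismatch")
    return problems

def seal(raw: bytes) -> bytes:
    """Fill in the signature first, then the checksum that covers it."""
    buf = bytearray(raw)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])))
    return bytes(buf)

def sample_dex() -> bytes:
    """Constructed sample: an empty header plus 4 data bytes, not a real app."""
    fields = [116, 0x70, 0x12345678] + [0] * 17
    return seal(struct.pack(HEADER_FMT, b"dex\n035\0", 0, bytes(20), *fields)
                + bytes(4))

if __name__ == "__main__":
    print(verify(sample_dex()))
```

Because the checksum covers the signature bytes, a file whose checksum was recomputed after a modification still fails the signature check unless the signature was recomputed first.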
During the analysis you will often need to refer to the Android source code, mainly for the definitions of the data structures, because the analysis depends on the sizes of the elements and members. This takes a lot of time and energy, but it is very worthwhile: you come to understand the structure of an executable file and also become familiar with the Android source code.
If you encounter problems while analyzing the other parts, you can contact me, time permitting
Dalvik instruction Analysis (iii) structure of the Dex file