"Android SDK Program Reverse Analysis and Cracking Series", Part 2: Android executable DEX analysis (1)

Guo Jia
Blog: http://blog.csdn.net/allenwells
Github: https://github.com/allenwells

"Android SDK program reverse analysis and Hack series" chapter index

One. DEX file data structure

The data types that Dex uses are shown in the following table:

u1~u8: unsigned numbers of 1 to 8 bytes.
sleb128, uleb128 and uleb128p1: the LEB128 data types, which are unique to DEX files. Each LEB128 value consists of 1 to 5 bytes, which are combined to represent one 32-bit value.

The LEB128 data types are shown in the following table:

Each byte carries only 7 significant bits. If the highest bit of the first byte is 1, the LEB128 value continues into a 2nd byte; if the highest bit of the 2nd byte is 1, it continues into a 3rd byte, and so on, until a byte whose highest bit is 0, which is the last byte. A LEB128 value uses at most 5 bytes: if the highest bit of the next byte is still 1 after 5 bytes have been read, the DEX file is invalid, and the Dalvik virtual machine returns failure when it verifies that DEX file.

The Android source code reads an unsigned LEB128 value as follows:

Source location: dalvik\libdex\leb128.h

    /*
     * Reads an unsigned LEB128 value, updating the given pointer to point
     * just past the end of the read value. This function tolerates
     * non-zero high-order bits in the fifth encoded byte.
     */
    DEX_INLINE int readUnsignedLeb128(const u1** pStream) {
        const u1* ptr = *pStream;
        int result = *(ptr++);

        if (result > 0x7f) {        // greater than 0x7f means the highest bit of the 1st byte is 1
            int cur = *(ptr++);     // 2nd byte
            result = (result & 0x7f) | ((cur & 0x7f) << 7);    // combination of the first 2 bytes
            if (cur > 0x7f) {       // greater than 0x7f means the highest bit of the 2nd byte is 1
                cur = *(ptr++);     // 3rd byte
                result |= (cur & 0x7f) << 14;    // combination of the first 3 bytes
                if (cur > 0x7f) {
                    cur = *(ptr++);     // 4th byte
                    result |= (cur & 0x7f) << 21;    // combination of the first 4 bytes
                    if (cur > 0x7f) {
                        /*
                         * Note: We don't check to see if cur is out of
                         * range here, meaning we tolerate garbage in the
                         * high four-order bits.
                         */
                        cur = *(ptr++);     // 5th byte
                        result |= cur << 28;    // combination of the first 5 bytes
                    }
                }
            }
        }

        *pStream = ptr;
        return result;
    }

The Android source code reads a signed LEB128 value as follows (the encoding is the same as for the unsigned form, except that the highest significant bit of the last byte of a signed LEB128 is sign-extended):

Source location: dalvik\libdex\leb128.h

    /*
     * Reads a signed LEB128 value, updating the given pointer to point
     * just past the end of the read value. This function tolerates
     * non-zero high-order bits in the fifth encoded byte.
     */
    DEX_INLINE int readSignedLeb128(const u1** pStream) {
        const u1* ptr = *pStream;
        int result = *(ptr++);

        if (result <= 0x7f) {
            result = (result << 25) >> 25;    // sign-extend from bit 6
        } else {
            int cur = *(ptr++);
            result = (result & 0x7f) | ((cur & 0x7f) << 7);
            if (cur <= 0x7f) {
                result = (result << 18) >> 18;    // sign-extend from bit 13
            } else {
                cur = *(ptr++);
                result |= (cur & 0x7f) << 14;
                if (cur <= 0x7f) {
                    result = (result << 11) >> 11;    // sign-extend from bit 20
                } else {
                    cur = *(ptr++);
                    result |= (cur & 0x7f) << 21;
                    if (cur <= 0x7f) {
                        result = (result << 4) >> 4;    // sign-extend from bit 27
                    } else {
                        /*
                         * Note: We don't check to see if cur is out of
                         * range here, meaning we tolerate garbage in the
                         * high four-order bits.
                         */
                        cur = *(ptr++);
                        result |= cur << 28;
                    }
                }
            }
        }

        *pStream = ptr;
        return result;
    }
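
The two inline readers above trust the stream: they take no buffer limit and, as their own comments say, tolerate garbage in the high bits of the fifth byte. The following bounds-checked variant for parsing an untrusted DEX buffer is an added example, not AOSP code; the names `LEB_*`, `leb_core`, `read_uleb128_checked` and `read_sleb128_checked` are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: all names here are hypothetical, not part of AOSP. */
enum { LEB_OK = 0, LEB_TRUNCATED = -1, LEB_INVALID = -2 };

/* Returns the byte count (1..5) or a negative LEB_* error; never reads at or past `end`. */
static int leb_core(const uint8_t *p, const uint8_t *end, uint32_t *bits) {
    uint32_t r = 0;
    for (int i = 0; i < 5; i++) {
        if (p + i >= end) return LEB_TRUNCATED;   /* value runs off the buffer */
        r |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *bits = r; return i + 1; }
    }
    return LEB_INVALID;                 /* fifth byte still asks for a sixth */
}

int read_uleb128_checked(const uint8_t **pp, const uint8_t *end, uint32_t *out) {
    uint32_t r;
    int n = leb_core(*pp, end, &r);
    if (n < 0) return n;
    if (n == 5 && (*pp)[4] > 0x0f) return LEB_INVALID;   /* bits above bit 31 */
    *pp += n; *out = r;                 /* pointer moves only on success */
    return LEB_OK;
}

int read_sleb128_checked(const uint8_t **pp, const uint8_t *end, int32_t *out) {
    uint32_t r;
    int n = leb_core(*pp, end, &r);
    if (n < 0) return n;
    uint8_t last = (*pp)[n - 1];
    if (n == 5) {                       /* bits 3..6 must all equal the sign */
        if ((last & 0x78) != 0 && (last & 0x78) != 0x78) return LEB_INVALID;
    } else if (last & 0x40) {
        r |= ~(uint32_t)0 << (7 * n);   /* sign-extend from bit 6 of last byte */
    }
    *pp += n; *out = (int32_t)r;        /* two's-complement reinterpretation */
    return LEB_OK;
}

int main(void) {
    /* Constructed input: 624485, then a 5-byte value with garbage in byte 5. */
    const uint8_t buf[] = { 0xe5, 0x8e, 0x26, 0xff, 0xff, 0xff, 0xff, 0x7f };
    const uint8_t *p = buf, *end = buf + sizeof buf;
    uint32_t v = 0;
    int rc1 = read_uleb128_checked(&p, end, &v);
    int rc2 = read_uleb128_checked(&p, end, &v);
    printf("rc1=%d value=%u rc2=%d\n", rc1, (unsigned)v, rc2);
    return 0;
}
```

The second value in the sample is accepted by the unchecked inline reader but rejected here, because its fifth byte sets bits beyond bit 31.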

Two. DEX file overall structure

A DEX file is composed of multiple structures, as listed below:

- dex header: the DEX file header, which specifies some properties of the DEX file and records the physical offsets of the other 6 parts within the DEX file.
- string_ids
- type_ids
- proto_ids
- field_ids
- method_ids
- class_def
- data: the actual data storage area.
- link_data: the static link data area.

The DexFile structure is defined in the Android source code as follows:

The DexFile structure is the in-memory structure that a DEX file is mapped to. It holds pointers to each of the structures, and also includes the DexOptHeader and the data appended to the tail of the DexFile.

Source location: dalvik\libdex\dexfile.h

    /*
     * Structure representing a DEX file.
     *
     * Code should regard DexFile as opaque, using the API calls provided here
     * to access specific structures.
     */
    struct DexFile {
        /* directly-mapped "opt" header */
        const DexOptHeader* pOptHeader;

        /* pointers to directly-mapped structs and arrays in base DEX */
        const DexHeader*    pHeader;
        const DexStringId*  pStringIds;
        const DexTypeId*    pTypeIds;
        const DexFieldId*   pFieldIds;
        const DexMethodId*  pMethodIds;
        const DexProtoId*   pProtoIds;
        const DexClassDef*  pClassDefs;
        const DexLink*      pLinkData;

        /*
         * These are mapped out of the "auxillary" section, and may not be
         * included in the file.
         */
        const DexClassLookup* pClassLookup;
        const void*         pRegisterMapPool;       // RegisterMapClassPool

        /* points to start of DEX file data */
        const u1*           baseAddr;

        /* track memory overhead for auxillary structures */
        int                 overhead;

        /* additional app-specific data structures associated with the DEX */
        //void*               auxData;
    };
