The method of strengthening shelling and extracting code in a Bang Enterprise Edition

A bang reinforcement Enterprise version will still call the system's Dvmdexfileopenpartial interface, so you can add hooks here

51df6008-52cd50__unpackeddex.dmp is the dump out of Dex, dragged to Jeb, and you can see that these functions are empty.

The assembly shows that large tracts of instructions are NOP, and these instructions are removed and restored before they are executed.

It hooks up the dvmresolveclass, and the dynamic plus decryption instructions.

As you can see, it executes two times ___decrypt_dvmresolveclass, and after the original Dvmresolveclass is finished, the command will be cleared out again.         

Prior to the online restoration of the Gamma Code tutorial, is to restore the decryption algorithm, using the algorithm to decrypt, but the ___decrypt_dvmresolveclass function flowchart as shown:

Still quite complicated, the cost of making the algorithm is quite high.

Or find another way. The BLX R3 of line C838 is calling the original Dvmresolveclass function, when the instruction has been restored. So we hook up at this point and restore the code.

First look at the implementation of the Dvmresolveclass function

     The input parameters are classobjectreferrerU4classidx, where the CLASSIDX has been tested and seems to be constantly drifting and not available. You need to get the class name by referrer-descriptor and then navigate to the corresponding Class_data_item

     Dexclsindex is the actual classidx,patchdexmethod that is computed by the class name by referrer the instruction in the method to the corresponding position in Dex where the first step is dump.

       Although the code for most of the classes is restored, there are still such classes:

       There are other classes that are not restored because Dvmresolveclass only restores the loaded classes and is powerless for classes that are not loaded.

The dvmresolveclassis automatically called when loading, and a way to get all classes preloaded is needed.

       Can hook the dalvik_dalvik_system_dexfile_defineclassnative function, when the original Dex is loaded, enumerate all the dexclassdef, on all the class, Call Dvmdefineclass for class loading.

   This will complement the classes that were not previously restored.
   
(created an Android reverse analysis group, welcome interested students to join, group number:376745720)

The method of strengthening shelling and extracting code in a Bang Enterprise Edition