The process analysis of anti-compiling of Android program

Source: Internet
Author: User
Tags class definition field table

First, the preface

Anti-compilation means that apk files or Dex files do not function correctly through the Decompile tool, and may cause tool anomalies or crashes, such as Apktool, Baksmali, Dex2jar, Jeb, and so on, as shown in the following figure Dex2jar is not working properly.

Second, DEX file format analysis

At present, most of the anti-compiler tools for Android software are open source, such as Apktool, Dex2jar, Baksamli, you can easily download and source reading code from GitHub, and then find the points available, and then add the interference code in your own software, Allow the Decompile tool to appear abnormally or not read the code properly.

Next, let's familiarize ourselves with the Dex file format, and a Dex file consists of the following parts:

1. DEX Header:dex Structure Header It specifies some basic properties of the Dex file and records the physical offset of some of the data tables in the Dex file.     

2.     String table: A table of strings that stores the index and number of strings of

3.     Type table: The list of types, the index of the storage type, and the number

4.     Proto table: function metamodel, storing function meta index and number

5.     Field table: Fields tables, storing field indexes and number

6.     Methods table: Method tables, storage method indexes, and number

7.     Class def table: Classes definition table, storage class definition index and number

8. Data section: Stores the information, which is found by the index of the above type,

Interested can directly look at the Android source code or refer to the following links:

Http://www.netmite.com/android/mydroid/dalvik/docs/dex-format.html

Now that you want to add interference instructions to your code, then the DEXCLASSDEF structure must be understood very clearly.

The structure contains the class's type offset, access flag, parent class type Index, interface offset, annotation, static type offset information, and the overall structure diagram is defined as follows:

struct Dexclassdef

{

U4 classidx; U4 accessflags; U4 superclassidx

;

U4 interfacesof F;

U4 sourcefileidx; U4 annotationsoff; U4 classdataoff; U4 staticvaluesoff

;

}

The Classidx field is an index value, the type of the class, as the subscript index to find in the Dextypeid structure list
The AccessFlags field is the access flag for the class, and the enumeration value that begins with ACC_
The Superclassidx field is the type of the parent class, which is searched in the Dextypeid structure list as the subscript index
The Interfacesoff field is the interface type, and as the subscript index, look in the dextypelist structure list
The Sourcefileidx field is the source filename, and as the subscript index, look in the dextypelist structure list
The Annotationsoff field is the offset of the annotation information, pointing to the Dexannotationsdirectoryitem structure
The Classdataoff field points to the offset of the dexclassdata structure.
The Staticvaluesoff field is an offset to the dexencodearray structure, recording the information of the static data
Dexclassdata Structure Description:

struct Dexclassdata

{

Dexclassdataheader header;

dexfield* staticfields//static fields, Dexfield structure

dexfield* instancefields;//instance fields, Dexfield structure

dexmethod* dir Ectmethods//Direct method, Dexmethod structure

dexmethod* virtualmethods;//virtual method, Dexmethod structure

}


The Dexmethod type in the DEXCLASSDATA structure describes the prototype, name, Access flag, and code block of the method, and the Codeoff field points to a Dexcode structure that describes the more detailed information about the method and the contents of the instructions in the method.

Dexmethod structure declaration is as follows

struct Dexmethod

{

U4 methodidx;//point to Dexmethodid index

U4 accessflags;//access flag U4 Codeoff

;//point to Dexcode Structure offset

}

struct Dexcode

{ushort registerssize;//the number of

registers used by

ushort inssize;//number of incoming parameters

U Nshort outssize//Calls other methods the number of registers used

Unshort triessize//try/catch The number of exception blocks uint Debuginfooff

;//debug Information bias Move

UINT insnssize//instruction Set number

ushort insns[1];//instruction set array, variable length array

}


Dexclassdata tree structure diagram:

Third, commissioning Dex2jar project

1. Will dex2jar source code into IntelliJ idea, after import IntelliJ idea will automatically find corresponding grable and download, it takes a long time to wait

Source Address: Https://github.com/pxb1988/dex2jar

2. Select the Dex2jar/dex2jar/tasks/other/antlr2java in Grable to compile

3. Click Project Structure on the toolbar, then select Modules-> D2j-smali-> Build, and then click Excluded

4. Select BUILD/GENERATED-SOURCES/ANTLR, then click Sources

5. Finally open the Excluded Gradle Task Pop-up dialog box and run the Clean distzip command

After the Gradl clean distzip command is executed, it is generated in the \dex2jar-2.x\dex-tools\build\distributions directory Dex-tools-2.1-snapshot.zip, the compressed package is compiled after the build of the jar file and some configuration information files. Please refer to the dex2jar.sh file, which shows us that you need to use all the jar files and entry functions under the Lib directory com.googlecode.dex2jar.tools.Dex2jarCmd to convert the Dex file into a jar file

6. Convert a dex file into a jar file requires the conversion command to be executed

The format is as follows:

Java-xms512m-xmx1024m-classpath. \lib\*.jar “com.googlecode.dex2jar.tools.Dex2jarCmd” Classdex.dex

Based on the above commands, configure the debug parameters as follows:

7. After the setup is complete, you can start debugging

Iv. analysis of the reasons for the failure of Dex2jar decompile

1. First, we start from the error of the package failure, locate the code at the crash.

Through the error hint can navigate to the Dex2jar crash code, the source location is as follows:

Dex-ir\src\main\java\com\googlecode\dex2jar\ir\typeclass.java

2. Break down the breakpoint at the collapsed function and start debugging.

A) “cant the not merge I and z&rdquo by the description of the thrown exception, and the entire call stack.

We can see that the reason for this exception is that the type of the argument and the type of the formal parameter do not match when the function is called. Because in Java syntax, the argument is a Boolean type passed to the formal parameter as the int type. This is illegal, so it causes Dex2jar to fail when checking the type of the parameter.

b) Knowing the cause of the crash, then we need to determine how it is specifically used to do so, through the Dex2jar generated error exception information detailed documentation to learn that the Dex file every function in the head add a sentence like this code exit.b (EXIT.A ()) See Ida, It is now possible to guess roughly what the confused person is doing:

1. First parse the Dex file format and locate the Insns member in the DEXCODE structure.

2. Add a class member object to your code named Exit, and then add code exit.b (EXIT.A ())

3. Understand how to add interference code, the next analysis of Dex2jar workflow, Dex2jar conversion into a jar file in the process will verify that the function call the formal parameters and the validity of the argument, please look at the following figure, parsing to the beginning of the Invoke_ instructions, will begin to parse the return value, supply parameters, and actual parameters such as information, specific logic and code you are interested in a detailed study of Dex2jar source.

4.merge is responsible for the validation of parameter types, if two types are the same, return the type of the parameter, the parameter is unkonw return the argument, the argument is a unkonw return parameter, and two types are different, match the exception

5. Finally add the code in the Dex2jar, so that the Dex file can be correctly decompile successfully. Here is a piece of code that can successfully dex2jar the jar file (in fact there are many methods)

The following figure is a successful reverse-compiled JAR file

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.