XhstormR




Android DEX Unpack

Updated on 2019-05-31

https://source.android.google.cn/devices/tech/dalvik/dex-format

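# Trace every function whose name matches the pattern inside the app on the USB-attached device (-U).
# The pattern is double-quoted so the local shell hands it to frida-trace unexpanded
# instead of globbing it against files in the current directory.
frida-trace -U -i "*SizeOfClassWithoutEmbeddedTables*" com.saicmotor.tocapp
# Attach to the same app and load a script file (presumably the hook script shown below, saved as 123.js).
frida -U com.saicmotor.tocapp -l 123.js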
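// Address of art::ClassLinker::SizeOfClassWithoutEmbeddedTables(DexFile const&, ClassDef const&),
// resolved from libart.so by its mangled name.
// NOTE(review): the static Module.getExportByName(module, symbol) form was removed in Frida 17;
// Process.getModuleByName('libart.so').getExportByName(symbol) is the replacement there.
// Confirm against the Frida version in use.
var sizeOfClassFn = Module.getExportByName('libart.so',
    '_ZN3art11ClassLinker32SizeOfClassWithoutEmbeddedTablesERKNS_7DexFileERKNS1_8ClassDefE')

// Field offsets inside the DEX header (see the dex-format reference):
// magic[8] + checksum[4] + signature[20] = 0x20 -> file_size, followed by header_size.
var DEX_FILE_SIZE_OFFSET = 0x20
var DEX_HEADER_SIZE_OFFSET = 0x24

// Base addresses that were already handled. The hooked function runs for every class
// that is linked, so without this the same image would be logged and rewritten each time.
var seenDexBases = {}

/**
 * Checks that the memory at `base` starts with the standard DEX magic prefix "dex\n".
 * @param {NativePointer} base - candidate start of a DEX image
 * @returns {boolean} true when the first four bytes are 64 65 78 0a
 */
function hasDexMagic(base) {
    var magic = new Uint8Array(base.readByteArray(4))
    return magic[0] === 0x64 && magic[1] === 0x65 && magic[2] === 0x78 && magic[3] === 0x0a
}

// No onLeave callback is registered: it was empty, and Frida's documentation advises
// omitting unused callbacks because each one adds per-call overhead.
Interceptor.attach(sizeOfClassFn, {
    /**
     * Logs the DEX image behind the DexFile argument and writes it to shared storage once.
     * @param {NativePointer[]} args - args[0] is `this` (C++ member call), args[1] the DexFile reference
     */
    onEnter: function (args) {
        // DexFile has virtual functions, so the object begins with a vtable pointer; skip it
        // to reach the pointer to the mapped image. Process.pointerSize replaces the original
        // hard-coded 0x04, which only holds in a 32-bit process.
        // NOTE(review): assumes the image pointer is the first field after the vtable pointer;
        // confirm against the ART version on the device.
        var dex_file = args[1].add(Process.pointerSize).readPointer()

        // Mark the address before touching the memory so a bad pointer is reported once,
        // not on every call.
        var baseKey = dex_file.toString()
        if (seenDexBases[baseKey] === true) {
            return
        }
        seenDexBases[baseKey] = true

        // Refuse to trust file_size unless the header looks like a DEX header; otherwise a
        // layout mismatch would make the script read an arbitrary number of bytes.
        if (!hasDexMagic(dex_file)) {
            console.log('skip ' + baseKey + ': no DEX magic at this address')
            return
        }

        var dex_file_size = dex_file.add(DEX_FILE_SIZE_OFFSET).readU32()
        var dex_header_size = dex_file.add(DEX_HEADER_SIZE_OFFSET).readU32()
        if (dex_file_size < dex_header_size) {
            console.log('skip ' + baseKey + ': file_size is smaller than header_size')
            return
        }

        // console.log(hexdump(dex_file, {length: 16}))
        console.log(dex_file.readCString())
        console.log(dex_file_size)
        console.log(dex_header_size)
        console.log('---------')

        // The output name is derived from the size only, so two images of identical size
        // overwrite each other. The directory is shared storage, readable by other apps
        // that hold the storage permission.
        var file = new File('/mnt/sdcard/Download/' + dex_file_size + '.dex', 'wb')
        try {
            file.write(dex_file.readByteArray(dex_file_size))
            file.flush()
        } finally {
            // Release the handle even when the read or write throws.
            file.close()
        }
    }
})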
/*
   C: args[0-n] = arguments
 C++: args[0] = this, args[1-n] = arguments
ObjC: args[0] = self, args[1] = selector, args[2-n] = arguments
*/

进制转换
----
busybox printf %x 32 # decimal -> hex
busybox printf %d 0x20 # hex -> decimal

查看符号表
----
nm.exe libart.so

解码 C++ 函数名
----
c++filt.exe _ZN3art11ClassLinker32SizeOfClassWithoutEmbeddedTablesERKNS_7DexFileERKNS1_8ClassDefE
----
art::ClassLinker::SizeOfClassWithoutEmbeddedTables(art::DexFile const&, art::DexFile::ClassDef const&)

Reference
