How to Read the New Dex Format

I noticed that the last time I wrote an article was actually six years ago. These years have been spent constantly tackling problems and rarely organizing my notes, so let me continue to do a bit of organizing now and then.

This article is based on an internal guide I wrote at the time: how to read the new Dex format on Android.

Here are two references from the official site:

https://source.android.com/devices/tech/dalvik/dalvik-bytecode

-   site1: introduces the correspondence between the mnemonics in dalvik-bytecode and their actual syntax

https://source.android.com/devices/tech/dalvik/instruction-formats?hl=en

-   site2: introduces the instruction formats used in dalvik-bytecode

Take the new instruction format 45cc as an example.

From site1, you will find the following information:

From the table above, we know the opcode is 'fa' and the format ID is '45cc'. (If you want to know more about '45cc', see the details at the beginning of site1.)


And '45cc' is the ID we use to find the instruction format in site2; the matching entry is below:

For us, the table above is useful because we use it to read the bytecode in a dex file.

As the format below shows, whenever an instruction in a dex file is an invoke-polymorphic operation, its data follows this layout:

Explanation:

A represents the number of parameters of this method.

BBBB represents the index of the method in this dex file.

HHHH represents the index of the proto (method prototype) in this dex file.

C represents the method return value.


Explanation:

This column explains, for each different number of parameters, which of the parameter fields are used.

In other words, although G, F, E and D all represent arguments, not all of them are used.

That is what the two sites tell us.

So in a dex file, if we find an instruction that uses invoke-polymorphic, its format is certain to look like:

A|G|op BBBB F|E|D|C HHHH

Let's take a look at a real dex file.

You can download some libraries to read the dex file.

(Smali libraries download: JesusFreke / smali / Downloads — Bitbucket)

Use the command below to make the dex file readable:

java -jar baksmali-2.5.2.jar dump [dex file] > [output file]

Then we get the information very clearly:

At line 64396 we find some bytes that form an invoke-polymorphic instruction: fa30 cb00 0301 0e00

These bytes follow the format we introduced before.

But we should not read them as they appear!

If you read the site2 document, the "bitwise descriptions" chapter says:

It consists of one or more space-separated "words" each of which describes a 16-bit code unit. Each character in a word represents four bits, read from high bits to low, with vertical bars ("|") interspersed to aid in reading.

So, because the dex file stores each 16-bit code unit little-endian (low byte first), we should read the words as: 30fa 00cb 0103 000e

That is the correct data matching the format: A|G|op BBBB F|E|D|C HHHH

So the analysis result is:

A: 3

G: 0 (unused)

Op code: 0xfa

BBBB: 0x00cb (method section index)

F: 0 (unused)

E: 1

D: 0

C: 3

HHHH: 0x000e (proto section index)
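As an added example (not code from the original post), here is a Python decoder that applies the 45cc format to the eight bytes quoted above: it reads the little-endian code units the post warns about, splits the nibbles into A, G, op, BBBB, F, E, D, C and HHHH, and uses the [A=n] rows of the site2 table, which name vC..vG as the argument registers, to pick the registers actually in use. The sample bytes are the ones from the dump above; the function names are my own.

```python
import struct

# Constructed sample: the eight bytes the post reads off the baksmali dump,
# exactly as they appear in the file (fa30 cb00 0301 0e00).
SAMPLE = bytes.fromhex("fa30cb0003010e00")

OP_INVOKE_POLYMORPHIC = 0xFA  # the opcode that uses format 45cc


def code_units(raw: bytes, offset: int = 0) -> list:
    """Return the four 16-bit code units of a 45cc instruction.

    Dex stores code units little-endian, so the byte pair fa 30 is the unit
    0x30fa. Reading the bytes as printed (fa30) puts the opcode in the wrong nibbles.
    """
    if len(raw) - offset < 8:
        raise ValueError("format 45cc is four code units (8 bytes) long")
    return list(struct.unpack_from("<4H", raw, offset))


def decode_45cc(raw: bytes, offset: int = 0) -> dict:
    """Split A|G|op BBBB F|E|D|C HHHH into its fields (high nibble first)."""
    w0, w1, w2, w3 = code_units(raw, offset)
    op = w0 & 0xFF
    if op != OP_INVOKE_POLYMORPHIC:
        raise ValueError(f"opcode 0x{op:02x} does not use format 45cc")
    fields = {
        "A": w0 >> 12, "G": (w0 >> 8) & 0xF, "op": op,
        "BBBB": w1,                         # method_ids index
        "F": w2 >> 12, "E": (w2 >> 8) & 0xF, "D": (w2 >> 4) & 0xF, "C": w2 & 0xF,
        "HHHH": w3,                         # proto_ids index
    }
    if not 1 <= fields["A"] <= 5:
        raise ValueError(f"A={fields['A']} has no row in the 45cc table (1..5)")
    # The [A=n] rows of the site2 table: the first A of vC, vD, vE, vF, vG are
    # used; the remaining nibbles are unused and ignored.
    fields["registers"] = [fields[k] for k in "CDEFG"][: fields["A"]]
    return fields


def to_syntax(fields: dict) -> str:
    """Render in the spec's syntax: op {vC, ...}, meth@BBBB, proto@HHHH."""
    regs = ", ".join(f"v{r}" for r in fields["registers"])
    return f"invoke-polymorphic {{{regs}}}, meth@{fields['BBBB']:04x}, proto@{fields['HHHH']:04x}"


if __name__ == "__main__":
    print(" ".join(f"{u:04x}" for u in code_units(SAMPLE)))  # 30fa 00cb 0103 000e
    print(to_syntax(decode_45cc(SAMPLE)))
```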

That is all for this part; I hope you are now able to read a dex file.

Ref: Android O and DEX 38: Dalvik Opcodes for Dynamic Invocation – JEB in Action
