DEX文件结构
dex结构定义位置
android-10.0.0_r41\dalvik\libdex\DexFile.h
/*
 * Direct-mapped "header_item" struct: the fixed header found at the start of
 * a DEX file. "Direct-mapped" means the field order mirrors the bytes in the
 * file, so fields must not be reordered or padded.
 *
 * u1/u4 are presumably 1- and 4-byte unsigned integer types; their typedefs
 * are not shown on this page. Multi-byte fields are stored little-endian in
 * the sample dump that accompanies this listing.
 *
 * NOTE(review): every size/offset field is read straight from the file and is
 * untrusted input. A parser should confirm each offset (and offset + size of
 * the section it names) lies inside fileSize before dereferencing it.
 */
struct DexHeader {
u1 magic[8]; /* file magic; includes version number ("dex\n035\0" in the sample) */
/* Adler-32 is an error-detection checksum, not a cryptographic one: it can
 * be recomputed after any modification, so it does not prove integrity. */
u4 checksum; /* adler32 checksum; at offset 0x08, covers offset 0x0C to end of file */
/* An unkeyed digest, not an authenticity signature. The script on this page
 * computes it over offset 0x20 to end of file. */
u1 signature[kSHA1DigestLen]; /* SHA-1 hash (20 bytes in the sample) */
u4 fileSize; /* length of entire file */
u4 headerSize; /* offset to start of next section (0x70 in the sample) */
u4 endianTag; /* byte-order marker; the sample bytes 78 56 34 12 read as 0x12345678 */
u4 linkSize; /* size of the link section; 0 in the sample */
u4 linkOff; /* file offset of the link section; 0 in the sample */
u4 mapOff; /* file offset of the map list */
u4 stringIdsSize; /* number of string id entries (a count, not a byte length) */
u4 stringIdsOff; /* file offset of the string id table */
u4 typeIdsSize; /* number of type id entries */
u4 typeIdsOff; /* file offset of the type id table */
u4 protoIdsSize; /* number of prototype id entries */
u4 protoIdsOff; /* file offset of the prototype id table */
u4 fieldIdsSize; /* number of field id entries */
u4 fieldIdsOff; /* file offset of the field id table */
u4 methodIdsSize; /* number of method id entries */
u4 methodIdsOff; /* file offset of the method id table */
u4 classDefsSize; /* number of class definitions */
u4 classDefsOff; /* file offset of the class definition table */
u4 dataSize; /* size of the data section in bytes */
u4 dataOff; /* file offset of the data section */
};
图解
例子
010editor 加上dex.bt
checksum(校验和)是位于DEX文件头部的一个字段,用来判断DEX文件是否损坏或者被改动。它位于文件偏移0x08处,占用4个字节,采用小端序存储。需要注意:Adler-32不是密码学算法,修改文件之后可以重新计算并写回校验和,所以它只能发现意外损坏,不能作为防篡改的依据。
DEX文件采用Adler-32算法计算校验和:从偏移0x0C处开始读取到文件结束,对读到的字节数组计算Adler-32,结果就是checksum字段的值。signature字段同理,是对偏移0x20到文件结束的数据计算的SHA-1(见下面的Python代码)。
字段名 | 长度(字节) | 值 | 备注 |
---|---|---|---|
magic | 8 | 64 65 78 0a 30 33 35 00 | |
checksum | 4 | 6c 35 8a d0 | 0xd08a356c |
signature | 20 | 0c 68 37 ef ab 09 36 3e 65 5b 47 24 af 54 75 fa 2e 7f 12 2f | |
filesize | 4 | 34 3a 20 00 | 0x203a34,2112052 |
headerSize | 4 | 70 00 00 00 | 0x70, 112 |
endiantag | 4 | 78 56 34 12 | |
linksize | 4 | 00 00 00 00 | |
linkOff | 4 | 00 00 00 00 | |
mapOff | 4 | 78 56 34 12 | 与endiantag一行的字节完全相同,疑为抄录错误;mapOff应是小于filesize的文件内偏移 |
stringIdsSize | 4 | 2f 52 00 00 | 0x522f, 21039 |
stringIdsOff | 4 | 70 00 00 00 | 0x70, 112 |
typeIdsSize | 4 | 42 08 00 00 | 0x0842,2114 |
typeIdsOff | 4 | 64 39 20 00 | 0x203964;与相邻各段不连续(0x70 + 21039×4 = 0x1492c,再加 2114×4 正好等于protoIdsOff的0x16a34),此行的值疑为抄录错误 |
protoIdsSize | 4 | 2d 0d 00 00 | 0x0d2d,3373 |
protoIdsOff | 4 | 34 6a 01 00 | |
fieldIdsSize | 4 | b8 2b 00 00 | 0x2bb8,11192 |
fieldIdsOff | 4 | 50 08 02 00 | |
methodIdsSize | 4 | bb 3d 00 00 | 0x3dbb,15803 |
methodIdsOff | 4 | 10 66 03 00 | |
classDefsSize | 4 | 53 05 00 00 | 0x0553,1363 |
classDefsOff | 4 | e8 53 05 00 | |
dataSize | 4 | ec 3b 1a 00 | 0x1a3bec,1719276 |
dataOff | 4 | 48 fe 05 00 | |
python计算checksum和signature
import hashlib
import zlib
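def getCheckSum(dexfile):
    """Compute the Adler-32 checksum of a DEX file's checksummed region.

    The region starts at offset 0x0C (just past the 8-byte magic and the
    4-byte checksum field) and runs to the end of the file.

    Args:
        dexfile: Path of the DEX file to read.

    Returns:
        The checksum as a hex string, e.g. '0xd08a356c'. The header stores
        the same value little-endian at offset 0x08, so compare against the
        decoded integer rather than the raw byte order.

    Notes:
        Adler-32 only detects accidental corruption; a matching checksum says
        nothing about who produced the file. A file shorter than 0x0C bytes
        is not rejected: it yields the checksum of empty input ('0x1').
    """
    # Use the path that was passed in. The previous body read the module-level
    # `filename`, so the argument was ignored and the function failed when
    # imported from another module.
    with open(dexfile, 'rb') as f:
        f.seek(0x0c)
        chs = f.read()
    return hex(zlib.adler32(chs))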
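def getSignature(dexfile):
    """Compute the SHA-1 digest of a DEX file's signed region.

    The region starts at offset 0x20 (past magic, checksum and the 20-byte
    signature field itself) and runs to the end of the file.

    Args:
        dexfile: Path of the DEX file to read.

    Returns:
        The digest as a 40-character lowercase hex string, in the same byte
        order as the signature field shown in a hex dump.

    Notes:
        This is an unkeyed hash stored inside the file it describes, so it
        identifies the content but does not authenticate it. A file shorter
        than 0x20 bytes is not rejected: it yields the SHA-1 of empty input.
    """
    # Use the path that was passed in. The previous body read the module-level
    # `filename`, so the argument was ignored.
    with open(dexfile, 'rb') as f:
        f.seek(0x20)
        chs = f.read()
    return hashlib.sha1(chs).hexdigest()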
if __name__ == '__main__':
    # Sample input. The two printed values are the ones to compare with the
    # checksum and signature fields read from the file's header.
    filename = 'classes.dex'
    print(f'checksum = {getCheckSum(filename)}')
    print(f'signature = {getSignature(filename)}')