dex文件结构
DEX文件结构
dex结构定义位置
android-10.0.0_r41\\dalvik\\libdex\\DexFile.h
/*
 * Direct-mapped "header_item" struct.
 *
 * The fields follow the on-disk header byte for byte, so their order and
 * widths must not be changed.
 *
 * Review notes:
 *  - checksum and signature are unkeyed digests. Anyone who edits the file
 *    can recompute both, so they detect corruption, not deliberate
 *    tampering.
 *  - Every size/offset below is read from the file. A parser should
 *    range-check each one against fileSize before using it to index the
 *    mapped data.
 *  - NOTE(review): the *Size/*Off pairs presumably give an element count
 *    and a file offset per section; confirm against the format
 *    specification.
 */
struct DexHeader {
    u1  magic[8];                   /* includes version number */
    u4  checksum;                   /* adler32 over everything after this
                                       field (offset 0x0C to end of file) */
    u1  signature[kSHA1DigestLen];  /* SHA-1 hash over everything after this
                                       field (offset 0x20 to end of file) */
    u4  fileSize;                   /* length of entire file */
    u4  headerSize;                 /* offset to start of next section */
    u4  endianTag;
    u4  linkSize;
    u4  linkOff;
    u4  mapOff;
    u4  stringIdsSize;
    u4  stringIdsOff;
    u4  typeIdsSize;
    u4  typeIdsOff;
    u4  protoIdsSize;
    u4  protoIdsOff;
    u4  fieldIdsSize;
    u4  fieldIdsOff;
    u4  methodIdsSize;
    u4  methodIdsOff;
    u4  classDefsSize;
    u4  classDefsOff;
    u4  dataSize;
    u4  dataOff;
};
图解
例子
010editor 加上dex.bt
checksum(校验和)是DEX文件头部的一个字段,用来判断DEX文件是否损坏或者被篡改,它位于头部的0x08偏移地址处,占用4个字节,采用小端序存储。
在DEX文件中,checksum采用Adler-32校验算法计算:从文件的0x0C偏移处开始读取到文件结束,对读取到的字节数组计算Adler-32,结果即为checksum字段的值。需要注意,Adler-32不是密码学算法,修改文件的人可以重新计算并写回checksum(signature字段同理),因此它只能发现意外损坏,不能单独作为防篡改的依据。
字段名 | 长度(字节) | 值 | 备注 |
---|---|---|---|
magic | 8 | 64 65 78 0a 30 33 35 00 | |
checksum | 4 | 6c 35 8a d0 | 0xd08a356c |
signature | 20 | 0c 68 37 ef ab 09 36 3e 65 5b 47 24 af 54 75 fa 2e 7f 12 2f | |
filesize | 4 | 34 3a 20 00 | 0x203a34,2112052 |
headerSize | 4 | 70 00 00 00 | 0x70, 112 |
endiantag | 4 | 78 56 34 12 | |
linksize | 4 | 00 00 00 00 | |
linkOff | 4 | 00 00 00 00 | |
mapOff | 4 | 78 56 34 12 | 此值与 endianTag 相同,且大于 fileSize(0x203a34),疑为抄录错误,请对照原文件核实 |
stringIdsSize | 4 | 2f 52 00 00 | 0x522f, 21039 |
stringIdsOff | 4 | 70 00 00 00 | 0x70, 112 |
typeIdsSize | 4 | 42 08 00 00 | 0x0842,2114 |
typeIdsOff | 4 | 64 39 20 00 | |
protoIdsSize | 4 | 2d 0d 00 00 | 0x0d2d,3373 |
protoIdsOff | 4 | 34 6a 01 00 | |
fieldIdsSize | 4 | b8 2b 00 00 | 0x2bb8,11192 |
fieldIdsOff | 4 | 50 08 02 00 | |
methodIdsSize | 4 | bb 3d 00 00 | 0x3dbb,15803 |
methodIdsOff | 4 | 10 66 03 00 | |
classDefsSize | 4 | 53 05 00 00 | 0x0553,1363 |
classDefsOff | 4 | e8 53 05 00 | |
dataSize | 4 | ec 3b 1a 00 | 0x1a3bec,1719276 |
dataOff | 4 | 48 fe 05 00 | |
python计算checksum和signature
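import hashlib
import zlib

# Offsets follow the header layout: magic (8 bytes) + checksum (4 bytes)
# ends at 0x0C; adding the 20-byte SHA-1 signature ends at 0x20.
_CHECKSUM_DATA_OFFSET = 0x0C
_SIGNATURE_DATA_OFFSET = 0x20


def getCheckSum(dexfile):
    """Return the Adler-32 checksum of a DEX file as a hex string.

    The checksum covers every byte from offset 0x0C (just past the checksum
    field) to the end of the file.

    Args:
        dexfile: path of the DEX file to read.

    Returns:
        ``hex()`` of the Adler-32 value, e.g. ``'0xd08a356c'``. The string
        is not zero-padded.

    Raises:
        OSError: if the file cannot be opened or read.

    Note:
        Adler-32 is not a cryptographic hash. A matching value shows the
        file is not accidentally corrupted; it does not show the file is
        unmodified, because the field can be recomputed after an edit.
    """
    # Use the argument: the original read the module-level ``filename``,
    # which only worked when the caller happened to define that global.
    with open(dexfile, 'rb') as dex:
        dex.seek(_CHECKSUM_DATA_OFFSET)
        payload = dex.read()
    return hex(zlib.adler32(payload))


def getSignature(dexfile):
    """Return the SHA-1 digest of a DEX file as a hex string.

    The digest covers every byte from offset 0x20 (just past the signature
    field) to the end of the file.

    Args:
        dexfile: path of the DEX file to read.

    Returns:
        The 40-character lowercase hex digest.

    Raises:
        OSError: if the file cannot be opened or read.

    Note:
        This is an unkeyed hash, not a cryptographic signature. It can be
        recomputed by whoever modifies the file.
    """
    with open(dexfile, 'rb') as dex:
        dex.seek(_SIGNATURE_DATA_OFFSET)
        payload = dex.read()
    return hashlib.sha1(payload).hexdigest()


if __name__ == '__main__':
    filename = 'classes.dex'
    checksum = getCheckSum(filename)
    print(f'checksum = {checksum}')
    signature = getSignature(filename)
    print(f'signature = {signature}')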
参考
dex文件格式介绍
pythonhash库