The source code of Android applications is mainly divided into Java and C/C++. The compiled file of Java is DEX file, which is also the program run by The Android Dalvik VIRTUAL machine. Therefore, it is also a file format that is difficult to bypass for virtual machine applications based on the Android platform.
In the Android hardening solution of top image technology, there are DEX shell protection, instruction virtualization (running DEX files in a self-implemented virtual machine environment) and other technologies. To understand how Top Image’s Android hardening solution can help Android apps combat reverse engineering and cracking, you first need to understand what a DEX file actually looks like.
File structure Display
DEX File Format
DEX file representation in 010
Detailed explanation of file structure
Structure definition
File header (dex_header).
-
Magic [8] : indicates the dex version identifier. Such bytes must appear at the beginning of the.dex file for the system to recognize them as they are. This value purposely contains a newline character (“\n” or 0x0a) and a null byte (“\0” or 0x00) to assist in detecting some form of corruption. This value can also encode the format version number as three decimal digits; This value is expected to increase monotonically as the format evolves.
-
Checksum: AdLER32 checksum that can be used for the rest of the file (everything except magic and this field). In addition, it can be used to detect file corruption.
-
Signature [kSha1DigestSize] : sha-1 signature (hash) of the remaining contents of the file except magic, checksum, and this field; Uniquely identifies a file.
-
File_size: Size of the entire file, including the header, in bytes.
-
Header_size: Size of the header (entire extent), in bytes. This allows for at least a degree of backward/forward compatibility without having to invalidate the format.
-
Endian_tag: byte order tag. ENDIAN_CONSTANT: indicates the small endian byte order.
-
REVERSE_ENDIAN_CONSTANT specifies the big-endian byte order. The default value is
-
ENDIAN_CONSTANT.
-
Link_size and link_OFF: link section size and file offset. If the file is not statically linked, both values are 0.
-
Map_off: file offset from the beginning of the file to the list of mapping items.
-
String_ids_size and string_IDs_OFF: the number of strings in the string identifier list and the file offset.
-
Type_ids_size vs. type_IDS_OFF: number of elements and file offsets in the type identifier list. The maximum number of elements is 65535.
-
Proto_ids_size and proto_IDs_OFF: number of elements and file offsets in the prototype identifier list. The maximum number of elements is 65535.
-
Field_ids_size and field_IDs_OFF: the number of elements in the field identifier list and the file offset.
-
Method_ids_size and method_IDs_OFF: number of elements and file offsets in the method identifier list.
-
Class_defs_size and class_defs_OFF: the number of elements and file offsets in the class definition list.
-
Data_size and datA_OFF: Data section size and file offset.
The list of string identifiers (dex_string_ids) exists in the DEX file in the form of DexStringId[]. Its structure is as follows.
The type identifier list (dex_type_IDS) exists in the DEX file in the form of DexTypeId[]. Its structure is as follows.
The list of method prototype identifiers (dex_proto_ids) exists in the DEX file as DexProtoId[], where the structure of DexProtoId is as follows.
The structure of DexTypeList is as follows.
The list of field identifiers (dex_field_ids) exists in the DEX file in the form of DexFieldId[], where the structure of DexFieldId is as follows.
The list of method identifiers (dex_method_ids) exists in the DEX file as DexMethodId[], where the structure of DexMethodId is as follows.
The list of class definition columns (dex_class_defs) exists in the DEX file as DexClassDef[], where the structure of DexClassDef is as follows.
The list of mapping items (dex_map_list) exists in the DEX file in the form of DexMapItem[], where the structure of DexMapItem is as follows.
The type code table is shown in the figure.
Due to space limitations, the elephant will continue in the second article parsed DexAnnotationsDirectoryItem, DexClassData and DexEncodeArray structure of DEX file, please continue to pay attention.