a deep dive into dex file format
play

A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi - PowerPoint PPT Presentation

Nov 20, 2023 •585 likes •821 views

A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi ABS 2014 Bio Rodrigo Chiossi Android Engineer @ Intel OTC AndroidXRef www.androidxref.com Dexterity https://github.com/rchiossi/dexterity Rodrigo Chiossi

  1. A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi ABS 2014

  2. Bio ● Rodrigo Chiossi – Android Engineer @ Intel OTC – AndroidXRef ● www.androidxref.com – Dexterity ● https://github.com/rchiossi/dexterity Rodrigo Chiossi ABS 2014

  3. Overview ● DEX File Structure – Characteristics – LEB128 – Relative Indexing – MUTF-8 – The “Big” Header and the data. ● DEX Instrumentation – The “String Add” case ● DEX Limitations – Bitness restrictions Rodrigo Chiossi ABS 2014

  4. DEX Structure Rodrigo Chiossi ABS 2014

  5. DEX Properties ● Reduced Memory Footprint – LEB128 encoding – Relative Indexing – Single file for all classes (vs. 1 file per class in .class format) – No duplicate strings ● Modified UTF-8 String Encoding ● Strict requirements for alignment ● Even more strict runtime verifier (DexOpt) Rodrigo Chiossi ABS 2014

  6. LEB128 ● Encoding format from DWARF3. ● Used to encode signed (SLEB128 and ULEB128p1) and unsigned (ULEB128) numbers. ● Used in DEX for encoding 32-bit numbers. ● Numbers are encoded using 1 to 5 bytes. – Depending on the highest ‘1’ -bit Rodrigo Chiossi ABS 2014

  7. LEB128 - Example HEX BIN SLEB128 ULEB128 ULEB128p1 00 00000000 0 0 -1 01 00000001 1 1 0 7f 011111111 -1 127 126 80 7f 10000000 -128 16256 16255 011111111 ● -1 is used to represent the NO_INDEX value. ● Encoded as ULEB128p1, NO_INDEX requires only one byte to be encoded. Rodrigo Chiossi ABS 2014

  8. Relative Indexing ● Many DEX objects are represented by its index into a list. ● Encoded object lists use that index value as representation for the first object and diffs for representing the rest of the list. ● Using the delta usually yields smaller numbers with smaller representation in bytes when LEB128 is used. ● Ex: – In class_data_item structure, static_fields , instance_fields , direct_methods and virtual_methods are all represented by the index delta. Rodrigo Chiossi ABS 2014

  9. Relative Indexing - Example ● Field List: Field ID Field Name ... – Field_1, field_2, field_3 1024 field_1 1025 field_2 ● Encoding: ... 1036 field_3 – 1024, 1, 11 ... Rodrigo Chiossi ABS 2014

  10. Modified UTF-8 ● Used for encoding all strings in the DEX format. ● Characters may have 1, 2 or 3 bytes. ● Strings are terminated by a single null byte. ● When parsing string_data_item, the uft16_size field cannot be used to calculate the size of the following data as it only represents the number of characters in the MUTF-8 string. ● ASCII strings are MUTF-8 legal strings Rodrigo Chiossi ABS 2014

  11. The “Big Header” ● Besides the header_item, we have six other structures that describe the DEX file: – string_id_item list – type_id_item list – proto_id_item list – field_id_item list – method_id_item list – class_def_item list ● This structures define all the functional content of the DEX file. Rodrigo Chiossi ABS 2014

  12. The Map ● The DEX file may contain an optional structure called the Map, composed by map_item structures. ● The Map structure contains information about all the offsets in the file and what is the type of content in that offset. ● Although optional according to the file format specification, the existence and correctness of the map is enforced by DexOpt. Rodrigo Chiossi ABS 2014

  13. The Data ● All the content of the DEX file not in the “big header” goes to the Data area. ● Offsets to structures in the data area must be bigger than the end of the “big header”. This property is enforced by DexOpt. ● It is ok to have gaps in the middle of the data section. ● The map is part of the data area. Rodrigo Chiossi ABS 2014

  14. The Link Data ● Optional area at the end of the Data area. ● Format unspecified. ● Never present in “Normal” apks. Rodrigo Chiossi ABS 2014

  15. DEX Instrumentation ● Case Study: String add – String manipulation is required for most obfuscation/deobfuscation techniques. – Can be extended for replacing and removing strings. ● Objective: – Keep the DEX valid after adding the new string. – Pass DexOpt checking. Rodrigo Chiossi ABS 2014

  16. String Structure ● Represented by the pair ( string_id_item , string_data_item ) ● string_id_item list must be sorted Sorted by the utf16 code points of the string – ● Strings are referenced by its index position in the string_id_item list. Rodrigo Chiossi ABS 2014

  17. Adding a string_id_item ● Must be added in the position of the list that will keep the list sorted. ● Header adjustments: – Data ofgset. – File size. ● Maps adjustments: – string_id_item map size. ● Entire fjle adjustments: – Ofgsets references in data area must be shifted 4 bytes. – String references equal or bigger than the added string must be increased by 1. Rodrigo Chiossi ABS 2014

  18. LEB128 Expansion ● Some ofgsets are encoded as ULEB128. – E.g. code_of inside encoded_method object. ● Some string_id_item references are encoded as ULEB128. – E.g. name_idx inside annotation_element object. ● After shifting ofgsets or increasing string_id_item references, the size of the LEB128 in bytes may increase. ● If the expansion occurs, further shifting of ofgsets is needed in the fjle. ● Maps size and ofgset must be updated. Rodrigo Chiossi ABS 2014

  19. Alignment ● Some structures in the DEX fjle must be 4-byte aligned. – E.g., code_item . ● string_id_item is 4-byte in size, so adding a new object will not misalign the DEX. ● LEB128 expansion will often add 1 byte shifting, which will break alignment. ● If realignment is required, ofgset references must be updated. ● Maps size and ofgset must be updated. Rodrigo Chiossi ABS 2014

  20. Adding a string_data_item ● Must be inside the data area. ● Header adjustments: – Data size. – File size. ● Maps adjustments: – string_data_item map size. ● Entire fjle adjustments: – Ofgsets references after the ofgset of the new string_data_item must be shifted by the size of the added object. – String references equal or bigger than the added string must be increased by 1. ● Check for LEB128 expansion and apply shifting. ● Check for alignment and apply shifting. Rodrigo Chiossi ABS 2014

  21. DEX Bit Restrictions ● 32 bits encoding – Static fields with fixed 32 bit size (E.g. string_id_item). – Offsets expected to be within 32 bit range. ● Less than 32 bits encoding – Class, type, proto and other lists alike are limited to 16 bits in size. Rodrigo Chiossi ABS 2014

  22. ? Rodrigo Chiossi r.chiossi@androidxref.com @rchiossi Rodrigo Chiossi ABS 2014

Recommend

DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC.

DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC.

DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC. MEET THE SPEAKERS TEYA TUCCIO-FLICK CHRISTINA DAVES Partner, Search and Analytics Founder Whereoware PR for Anyone DEEP DIVE INTO SEO 2

729 views • 54 slides
Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition binary format: array format of config. U(3,3,X,,,) numerical format (precision,IEEE,byte-order) file format: format of a file

88 views • 8 slides
DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin

DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin

DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin Wiley Training) Capitalware's MQ Technical Conference v2.0.1.6 Your Presenter: Robin Wiley Senior Instructor, IBM Messaging Products MQ

457 views • 35 slides
CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File

CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File

CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File Interchange Format is a minimal file format which enables JPEG bitstreams to be exchanged

344 views • 6 slides
RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff

RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff

RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff Section 1 INTRODUCTION: RTGEN (AGC) AND ICCP DISCUSSION TOPICS 3 RTGEN (AGC) and ICCP Deep Dive for CBA This Deep Dive will provide details for

784 views • 27 slides
Deep Dive Into PostgreSQL Indexes Ibrar Ahmed Senior Database Architect - Percona LLC May 2019

Deep Dive Into PostgreSQL Indexes Ibrar Ahmed Senior Database Architect - Percona LLC May 2019

Deep Dive Into PostgreSQL Indexes Ibrar Ahmed Senior Database Architect - Percona LLC May 2019 Table Characteristics Rows / Tuples stored in a table Every table in PostgreSQL has physical disk file(s) postgres=# CREATE TABLE foo(id

658 views • 29 slides
THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format (Linux) Executable and Linkable Format Standard unified binary format for: Relocatable object files (.o), Shared object files (.so)

421 views • 16 slides
A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019

A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019

A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019 Coen Schuijt (UvA OS3) A Deep Dive into the Dark Web 1 / 28 Outline 1 Introduction Related work Research Questions 2 Methodologies Surface

473 views • 28 slides
An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01 http://www.ietf.org/internet-drafts/draft-trammell-ipfix-file-01.txt Brian Trammell, Elisa Boschi, Lutz Mark, Tanja Zseby Tuesday, July 11, 2006 IETF 66 - Montral, Qubec, Canada The

318 views • 6 slides
Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and

Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and

Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and interactivity. Vector based format allows for smaller file sizes and scalability. Designed for web delivery. Interactive when used with ActionScript.

650 views • 6 slides
Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda Preliminary Financial Timeline Financial Model Deep Dive Benchmark Prospective Benchmark Example Example Discount Calculations Risk

917 views • 28 slides
3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with

3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with

3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with ASME Y14.41 Need to Publish/Approve Readily Readable Format Compatible with JEDMICS Long Term Archiving and CAM compatibility

106 views • 7 slides
A Deep Dive into the kude@ga.co Shi Oku

A Deep Dive into the kude@ga.co Shi Oku

Stes Bais sen.bais@ga.co Kut el A Deep Dive into the kude@ga.co Shi Oku Interprocedural

1.48k views • 91 slides
Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of terrorism in the Middle East + Interactive Data Visualization + Interactive Data Deep Dive Prior Work Static visualization No interactivity

242 views • 6 slides
2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs,

2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs,

2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs, University of Chicago Data Deep Dive System Goal 2: Reduce the time people remain homeless. System Goal 3: Homeless dedicated units should all be

419 views • 13 slides
Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015

Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015

NO PLACE FOR KIDS Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015 Prepared with Support From: Juvenile Justice Strategy Group INTERVIEWS & SURVEYS DATA ANALYSES

593 views • 42 slides
Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch

Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch

Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch Canadian Intellectual Property Office IPIC Conference October 12, 2018 Fairmont Chateau Laurier, Ottawa, Ontario (Source: Brand Canada) Building a

769 views • 43 slides
2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to

2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to

2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to End Homelessness Carmelo Barbaro, Executive Director, Poverty Lab, University of Chicago 2019 CoC System Goals Deep-Dive for Goal 1 Goal 1

285 views • 7 slides
The Web ARChive (WARC) File Format Sawood Alam Web Science and Digital Libraries Research Group

The Web ARChive (WARC) File Format Sawood Alam Web Science and Digital Libraries Research Group

The Web ARChive (WARC) File Format Sawood Alam Web Science and Digital Libraries Research Group Old Dominion University Norfolk, Virginia, USA @ibnesayeed CS 531 Web Server Design November 28, 2018 Web ARChive (WARC): ISO 28500 File Format

977 views • 15 slides
Creation of a load module Load Module Interleaved from Object Module A source object

Creation of a load module Load Module Interleaved from Object Module A source object

Reminder: compiling & linking Linux object file format \177ELF .text .rodata ELF stands for Executable and source object file 1 file 1 Linking Format .data A 4-byte magic number followed by a series

68 views • 5 slides
offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE

offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE

offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE CLAPPERTON BRITTANY NAUMAN CLARISSA TORRES Objectives: Develop Strategies to Grow Readership Based on an understanding of industry standards and

360 views • 17 slides
SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole

SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole

SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole inspection, assessment, maintenance, and replacement continue to be a major focus for SCE given: Their impact on public and worker safety Their

841 views • 32 slides
Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank

Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank

Impact Measurement & Management Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank you for joining us today! Please note: All participants are muted. Use the chat function to submit

432 views • 32 slides
Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo

Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo

Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo White 2 , Jeremy Yallop 1,3 , Armal Guneau 4 , Anil Madhavapeddy 1,3 1 2 3 4 Concurrency Parallelism Concurrency Programming technique

859 views • 52 slides

More recommend