hluwa / frida-dexdump

A frida tool to dump dex in memory to support security engineers analyzing malware.
GNU General Public License v3.0

dump map_offset vs dump dex_size; WHY MAP_OFFSET? #41

Open OtterV opened 2 years ago

OtterV commented 2 years ago

FRIDA-DEXDump uses dump(dexptr, map_offset), but I got an incorrect dex file. When using dex2jar on it, I got an error:

╰─$ sh d2j-dex2jar.sh 0x7ba1f1f01c.dex
dex2jar 0x7ba1f1f01c.dex -> ./0x7ba1f1f01c-dex2jar.jar
java.lang.IllegalArgumentException: newPosition > limit: (1605878 > 427976)
at java.base/java.nio.Buffer.createPositionException(Buffer.java:318)
at java.base/java.nio.Buffer.position(Buffer.java:293)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1094)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:262)
at com.googlecode.d2j.reader.DexFileReader.getString(DexFileReader.java:967)
at com.googlecode.d2j.reader.DexFileReader.getType(DexFileReader.java:981)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:654)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:625)
at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:88)
at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:280)
at com.googlecode.dex2jar.tools.Dex2jarCmd.doCommandLine(Dex2jarCmd.java:112)
at com.googlecode.dex2jar.tools.BaseCmd.doMain(BaseCmd.java:290)
at com.googlecode.dex2jar.tools.Dex2jarCmd.main(Dex2jarCmd.java:33)

So, I found that the dump size is wrong. After modifying the dump size to fileSize, I got a correct dex file and successfully ran dex2jar on it.

My question is: why use map_offset? And why can it dump correctly when dex_size > map_offset?

hluwa commented 2 years ago

The dex_size is easily cleared or modified. Normally map_offset is the last section of the dex file. If you are using Python, dex_size is already fixed in dex_fix.

OtterV commented 2 years ago

But map_off is not the end of the dex file. There is a map_item after it. map_off >= data_off, and map_item is in the data section, so some of the data section can be left in memory without being dumped. I think this way of calculating the dump size may be wrong.

hluwa commented 2 years ago

The dump size already contains the map_items, see get_dex_real_size and get_maps_end in agent.js.

OtterV commented 2 years ago

Sorry, I forgot this. Thank you for answering. I got a sample where maps_end is not the end of the dex file and there is some data after it. Do you know what would cause this? Have you ever met this before?
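An added example (my own code, not frida-dexdump's agent.js) showing the size calculation the maintainer describes, where the dump ends at the end of the map_list rather than at the header's file_size, and the case from the last comment where bytes remain after the map_list. The header field offsets (file_size at 0x20, map_off at 0x34, 12-byte map_items) follow the DEX format specification; the dex-like buffer and the build_dex helper are constructed for the demonstration.

```python
import struct

HEADER_SIZE = 0x70      # size of a dex_header_item
MAP_ITEM_SIZE = 12      # map_item: u2 type, u2 unused, u4 size, u4 offset

def header_file_size(buf: bytes) -> int:
    """file_size field at header offset 0x20; packers often zero or alter it."""
    return struct.unpack_from("<I", buf, 0x20)[0]

def maps_end(buf: bytes) -> int:
    """Offset one past the map_list: map_off + u4 size + size * map_item."""
    map_off = struct.unpack_from("<I", buf, 0x34)[0]
    if map_off < HEADER_SIZE or map_off + 4 > len(buf):
        raise ValueError("map_off out of range")
    count = struct.unpack_from("<I", buf, map_off)[0]
    end = map_off + 4 + count * MAP_ITEM_SIZE
    if end > len(buf):
        raise ValueError("map_list runs past the mapped region")
    return end

def dump_size(buf: bytes) -> int:
    """Bytes to dump: end of the map_list, falling back to header file_size.
    This trusts map_off over file_size, the trade-off discussed in the thread."""
    try:
        return maps_end(buf)
    except ValueError:
        return header_file_size(buf)

def trailing_bytes(buf: bytes) -> int:
    """Bytes in the region after the map_list (the situation in the last comment)."""
    return len(buf) - maps_end(buf)

def build_dex(file_size_field: int, n_items: int = 2, trailing: bytes = b"") -> bytes:
    """Constructed minimal dex-like buffer: header, filler, map_list, optional tail."""
    map_off = HEADER_SIZE + 0x40
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\0"
    struct.pack_into("<I", header, 0x20, file_size_field)
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)
    struct.pack_into("<I", header, 0x34, map_off)
    map_list = struct.pack("<I", n_items)
    for i in range(n_items):
        type_code = 0x0000 if i == 0 else 0x1000   # header_item, then map_list
        map_list += struct.pack("<HHII", type_code, 0, 1, 0)
    return bytes(header) + b"\0" * 0x40 + map_list + trailing

if __name__ == "__main__":
    intact = build_dex(204)
    print(header_file_size(intact), dump_size(intact))            # 204 204
    print(header_file_size(build_dex(0)), dump_size(build_dex(0)))  # 0 204
    print(trailing_bytes(build_dex(204, trailing=b"\xaa" * 16)))   # 16
```

Comparing trailing_bytes against zero is the check to run on a dumped region before trusting the map_list-based size.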