search

luoyesiqiu / DexRepair

Android dex文件修复程序
Apache License 2.0
210 stars 85 forks source link

code_item ins 方法体写入 #8

Open AduosPiggy opened 3 hours ago

AduosPiggy commented 3 hours ago

com/android/dex/Dex.java: read hanlders first ---> and then skip 8byties ---> read tries by hanlders; don't know why, but this seems success fixed try-catch; modify follow:

private Code readCode() { int registersSize = readUnsignedShort(); int insSize = readUnsignedShort(); int outsSize = readUnsignedShort(); int triesSize = readUnsignedShort(); int debugInfoOffset = readInt(); int instructionsSize = readInt(); short[] instructions = readShortArray(instructionsSize); Try[] tries; CatchHandler[] catchHandlers; if (triesSize > 0) { if (instructions.length % 2 == 1) { readShort(); // padding }

            /*
             * We can't read the tries until we've read the catch handlers.
             * Unfortunately they're in the opposite order in the dex file
             * so we need to read them out-of-order.
             */
            // old

// Section triesSection = open(data.position()); // skip(triesSize * SizeOf.TRY_ITEM); // catchHandlers = readCatchHandlers(); // tries = triesSection.readTries(triesSize, catchHandlers);

            catchHandlers = readCatchHandlers();
            Section triesSection = open(data.position());
            skip(triesSize * SizeOf.TRY_ITEM);
            tries = triesSection.readTries(triesSize, catchHandlers);

        } else {
            tries = new Try[0];
            catchHandlers = new CatchHandler[0];
        }
        return new Code(registersSize, insSize, outsSize, debugInfoOffset, instructions,
                        tries, catchHandlers);
    }
AduosPiggy commented 3 hours ago

也可以直接在获取code off的时候,把ins 全部覆盖写入

AduosPiggy commented 1 hour ago

read hanlders first ---> and then skip 8byties ---> read tries by hanlders; 这个方法是一个巧合;这样子会因为阅读的偏移地址超出dex文件,然后抛出异常,然后就不对dex文件做修改。这就意味着 在framework层dump下来的dex文件就需要是包含完整方法体且有try-catch的方法,这里相当于没有处理bin文件中的ins。

总的还是建议在 com/luoye/util/DexUtils.java 的 patch方法中复写这一段:
bytes是bin文件中的ins 方法;从寄存器到最后的tries handlers都直接覆盖写入。 代码参考如下:

for (int i = 0; i < methods.length; i++) { ClassData.Method method = methods[i]; int methodCodeOffset = method.getCodeOffset(); byte[] bytes = map.get(method.getMethodIndex()); mRandomOutAccessFile.seek(methodCodeOffset); mRandomOutAccessFile.write(bytes, 0, bytes.length); patchCount++;