strazzere / 010Editor-stuff

A collection of 010 Editor specific stuff

DEX Template Warning #1

Closed kckrinke closed 11 years ago

kckrinke commented 11 years ago

When trying to use the DEX Template, 010 Editor shows a popup dialog and I'm unable to actually click on any option in the dialog. Only option is to force-quit 010 Editor. This happens every time. I cannot share the actual dex files I need to examine but I figured I'd report the issue anyways. Attached is a screenshot of the dialog.


strazzere commented 11 years ago

You say this happens every time - as in on ANY dex file? Or just every time with a specific dex?

Can you give me some details on the dex file at least?

Size of Dex file, maybe a "hexdump -C classes.dex | head" - should give me enough information to at least see the size of the structures the template is trying to work with.

If you could share the dex file privately I'd be happy to sign something saying it won't be distributed :)

kckrinke commented 11 years ago

I've had the template work on a few "standard" dex files, but any of my more difficult dex files (ones with advanced dalvik obfuscations or significant JNI wrapper) seem to fail. I'll ask my higher-ups about the private sharing but I don't think it's something they're willing to entertain.

~3 Mb in size.

00000000  64 65 78 0a 30 33 35 00  96 33 64 ca f7 44 0e c2  |dex.035..3d..D..|
00000010  a2 f1 89 10 05 80 22 ed  44 90 c6 da ac 97 29 6c  |......".D.....)l|
00000020  2c dd 30 00 70 00 00 00  78 56 34 12 00 00 00 00  |,.0.p...xV4.....|
00000030  00 00 00 00 50 dc 30 00  93 5c 00 00 70 00 00 00  |....P.0..\..p...|
00000040  ae 0c 00 00 bc 72 01 00  9b 15 00 00 74 a5 01 00  |.....r......t...|
00000050  e2 1f 00 00 b8 a8 02 00  ef 59 00 00 c8 a7 03 00  |.........Y......|
00000060  93 09 00 00 40 77 06 00  8c 33 29 00 a0 a9 07 00  |....@w...3).....|
00000070  1a b4 1f 00 1c b4 1f 00  a0 b4 1f 00 a9 b4 1f 00  |................|
00000080  ac b4 1f 00 b3 b4 1f 00  df b4 1f 00 e2 b4 1f 00  |................|
00000090  e6 b4 1f 00 eb b4 1f 00  fb b4 1f 00 0b b5 1f 00  |................|

(Public Disclaimer: I am legally allowed to do what I'm needing to do to these files.)
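Added example (not part of the thread and not code from the template or this repository): decoding the DEX header_item from the hexdump posted above and checking that each table's count and offset fit inside file_size, which is the structure-size information the dump was requested for. Function and variable names are illustrative; field order and item sizes follow the published DEX format.

```python
import struct
# Header bytes copied from the `hexdump -C` output in the comment above (first 0x70 bytes).
HEXDUMP = r"""
00000000  64 65 78 0a 30 33 35 00  96 33 64 ca f7 44 0e c2  |dex.035..3d..D..|
00000010  a2 f1 89 10 05 80 22 ed  44 90 c6 da ac 97 29 6c  |......".D.....)l|
00000020  2c dd 30 00 70 00 00 00  78 56 34 12 00 00 00 00  |,.0.p...xV4.....|
00000030  00 00 00 00 50 dc 30 00  93 5c 00 00 70 00 00 00  |....P.0..\..p...|
00000040  ae 0c 00 00 bc 72 01 00  9b 15 00 00 74 a5 01 00  |.....r......t...|
00000050  e2 1f 00 00 b8 a8 02 00  ef 59 00 00 c8 a7 03 00  |.........Y......|
00000060  93 09 00 00 40 77 06 00  8c 33 29 00 a0 a9 07 00  |....@w...3).....|
"""
# header_item fields after the 8-byte magic; the 20-byte SHA-1 signature is skipped.
FIELDS = ("checksum file_size header_size endian_tag link_size link_off map_off "
          "string_ids_size string_ids_off type_ids_size type_ids_off "
          "proto_ids_size proto_ids_off field_ids_size field_ids_off "
          "method_ids_size method_ids_off class_defs_size class_defs_off "
          "data_size data_off").split()
# Fixed per-item sizes (bytes) of the ID tables in the DEX format.
ITEM_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
             "field_ids": 8, "method_ids": 8, "class_defs": 32}

def hexdump_to_bytes(text):
    """Drop the offset column and the |ASCII| gutter, keep the hex bytes."""
    rows = (ln.split("|", 1)[0].split()[1:] for ln in text.strip().splitlines())
    return bytes.fromhex("".join(b for row in rows for b in row))

def parse_header(raw):
    """Decode the little-endian header_item into a dict of field -> value."""
    if len(raw) < 0x70 or raw[:4] != b"dex\n" or raw[7] != 0:
        raise ValueError("not a DEX header")
    return dict(zip(FIELDS, struct.unpack_from("<I20x20I", raw, 8)))

def layout_problems(h):
    """Names of fields whose counts/offsets do not fit inside file_size."""
    expected = (("header_size", 0x70), ("endian_tag", 0x12345678))
    bad = [k for k, want in expected if h[k] != want]
    for name, item in ITEM_SIZE.items():
        n, off = h[name + "_size"], h[name + "_off"]
        if n and (off < h["header_size"] or off + n * item > h["file_size"]):
            bad.append(name)
    data_end = h["data_off"] + h["data_size"]
    if data_end > h["file_size"]:
        bad.append("data")
    if not h["data_off"] <= h["map_off"] < data_end:
        bad.append("map_off")
    return bad

if __name__ == "__main__":
    hdr = parse_header(hexdump_to_bytes(HEXDUMP))
    print(hdr, layout_problems(hdr) or "layout consistent")
```

For this dump the check comes back empty: the header describes a 3,202,348-byte file with 2,451 class definitions, and every table fits inside the file, so the header alone shows nothing unusual.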

strazzere commented 11 years ago

That's really odd, I've run this script with extremely large dex files (5mb+) with plenty of JNI/"obfuscation" and never had this issue.

Reading up on what 010Editor is actually saying about this, it sounds like you might not have enough memory/cpu power. The suggestion they have could work, but there is no guarantee, it just makes the template more efficient when loading the file. Though it may end up using the same amount of memory in the end.

Without a file to test, and just see if it crashes on my system - I'm not really 100% sure how to advise. I'll look into doing the proposed changes that 010Editor suggests. Though - like I said, not sure that will actually help?

kckrinke commented 11 years ago

I'm running on a 2012 MacBook Pro, 8Gb ram, 8 core cpu. There should be plenty of running space.

In any case, I wasn't posting this issue looking for a fix, more-or-less just letting you know what I've encountered. Feel free to close this ticket.

If you do end up modifying the template, I'd be happy to test it out for you.

strazzere commented 11 years ago

Right - thanks for reporting it. Hopefully you'll just be able to send me a sample privately ;)

I'd love to fix it, but just hard to see what's going on. Compared the hexdump you provided to a file I have and it works fine. The only thing I can think of is that the way 010Editor is parsing the template/dexfile that the obfuscation is creating obscenely large class defs - and this might cause some type of lock up in the template engine?

Not that big of a deal I guess though.

Thanks for reporting it!

strazzere commented 11 years ago

Found one which also has this issue, working on it -- will post updates if I get anywhere on it.

strazzere commented 11 years ago

Going to close this issue. It appeared to be a faulty structure that was fixed when I went back to clean up the optimized structures.

Unable to confirm that the issue you had was resolved, but the only other dex file I had which caused this issue is now fixed.