
dump map_offset vs dump dex_size; WHY MAP_OFFSET?

Open OtterV opened this issue 3 years ago • 4 comments

FRIDA-DEXDump uses dump(dexptr, map_offset), but I got an incorrect dex file. When using dex2jar on it, I got an error:

```
╰─$ sh d2j-dex2jar.sh 0x7ba1f1f01c.dex
dex2jar 0x7ba1f1f01c.dex -> ./0x7ba1f1f01c-dex2jar.jar
java.lang.IllegalArgumentException: newPosition > limit: (1605878 > 427976)
	at java.base/java.nio.Buffer.createPositionException(Buffer.java:318)
	at java.base/java.nio.Buffer.position(Buffer.java:293)
	at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1094)
	at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:262)
	at com.googlecode.d2j.reader.DexFileReader.getString(DexFileReader.java:967)
	at com.googlecode.d2j.reader.DexFileReader.getType(DexFileReader.java:981)
	at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:654)
	at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:625)
	at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:88)
	at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:280)
	at com.googlecode.dex2jar.tools.Dex2jarCmd.doCommandLine(Dex2jarCmd.java:112)
	at com.googlecode.dex2jar.tools.BaseCmd.doMain(BaseCmd.java:290)
	at com.googlecode.dex2jar.tools.Dex2jarCmd.main(Dex2jarCmd.java:33)
```

So, I found that the dump size is wrong. After modifying the dump size to fileSize, I got a correct dex file and successfully ran dex2jar on it.

My question is: why use map_offset? And why can it dump correctly when dex_size > map_offset?

OtterV, Nov 05 '21 03:11

The dex_size is easily cleared or modified. Normally map_offset is the last section of the dex file. If you are using Python, dex_size is already fixed in dex_fix.

hluwa, Nov 05 '21 11:11

But map_off is not the end of the dex file. There is a map_item after it. map_off >= data_off, and map_item is in the data section, so some of the data section can be left in memory without being dumped. I think this way of calculating the dump size may be wrong.

OtterV, Nov 05 '21 14:11

The dump size already contains the map_items; see get_dex_real_size and get_maps_end in agent.js.

hluwa, Nov 05 '21 14:11
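A worked illustration of the size rule discussed in the opening post and in hluwa's answer above: the dump length is the end of the map_list (map_off plus the 4-byte count plus 12 bytes per map_item), not map_off itself and not the header's file_size, which a packer can zero. This is an added example and not frida-dexdump's own agent.js or dex_fix code; the dex image is constructed inline with only the header fields the example reads populated, the header offsets follow the dex format (file_size at 0x20, map_off at 0x34, data_size/data_off at 0x68), and the fallback policy in real_dex_size is an assumption, not the project's exact get_dex_real_size.

```python
import struct

HEADER_SIZE = 0x70        # the dex header is always 0x70 bytes
MAP_ITEM_SIZE = 12        # map_item: ushort type, ushort unused, uint size, uint offset
TYPE_HEADER_ITEM = 0x0000
TYPE_STRING_ID_ITEM = 0x0001
TYPE_MAP_LIST = 0x1000


def build_sample_dex(data_len, file_size_field=None):
    """Constructed sample: header | data_len filler bytes | map_list with 3 entries.
    Only the header fields this example reads are filled in; it is not a loadable dex."""
    map_off = HEADER_SIZE + data_len
    total = map_off + 4 + MAP_ITEM_SIZE * 3
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    # file_size_field=0 imitates a packer that cleared header.file_size
    struct.pack_into("<I", hdr, 0x20, total if file_size_field is None else file_size_field)
    struct.pack_into("<I", hdr, 0x24, HEADER_SIZE)
    struct.pack_into("<I", hdr, 0x28, 0x12345678)                       # endian_tag
    struct.pack_into("<I", hdr, 0x34, map_off)
    struct.pack_into("<II", hdr, 0x68, total - HEADER_SIZE, HEADER_SIZE)  # data_size, data_off
    items = [(TYPE_HEADER_ITEM, 1, 0), (TYPE_STRING_ID_ITEM, 1, HEADER_SIZE), (TYPE_MAP_LIST, 1, map_off)]
    map_list = struct.pack("<I", len(items)) + b"".join(
        struct.pack("<HHII", t, 0, s, o) for t, s, o in items)
    return bytes(hdr) + b"\xaa" * data_len + map_list


def parse_header(dex):
    if dex[:4] != b"dex\n":
        raise ValueError("missing dex magic")
    file_size, header_size, _endian = struct.unpack_from("<III", dex, 0x20)
    (map_off,) = struct.unpack_from("<I", dex, 0x34)
    data_size, data_off = struct.unpack_from("<II", dex, 0x68)
    return dict(file_size=file_size, header_size=header_size, map_off=map_off,
                data_size=data_size, data_off=data_off)


def map_items(dex):
    """(type, size, offset) for every map_item in the map_list at map_off."""
    map_off = parse_header(dex)["map_off"]
    (n,) = struct.unpack_from("<I", dex, map_off)
    out = []
    for i in range(n):
        t, _unused, size, off = struct.unpack_from("<HHII", dex, map_off + 4 + MAP_ITEM_SIZE * i)
        out.append((t, size, off))
    return out


def maps_end(dex):
    """End of the map_list: map_off + count field + map_items. In a well-formed dex the
    map_list is the last thing in the file, so this doubles as the file end."""
    map_off = parse_header(dex)["map_off"]
    (n,) = struct.unpack_from("<I", dex, map_off)
    return map_off + 4 + MAP_ITEM_SIZE * n


def real_dex_size(dex):
    """Dump length: trust header.file_size only when it is at least maps_end and fits in the
    bytes we hold; otherwise fall back to maps_end (assumed policy for this example)."""
    file_size = parse_header(dex)["file_size"]
    end = maps_end(dex)
    if end <= file_size <= len(dex):
        return file_size
    return end


def fix_file_size(dex):
    """Cut the image at the computed size and rewrite header.file_size (dex_fix-style repair)."""
    size = real_dex_size(dex)
    out = bytearray(dex[:size])
    struct.pack_into("<I", out, 0x20, size)
    return bytes(out)


def leftover_after_maps(dex):
    """Bytes held past maps_end: the case of data sitting after the map_list."""
    return len(dex) - maps_end(dex)


if __name__ == "__main__":
    good = build_sample_dex(100)
    zeroed = build_sample_dex(100, file_size_field=0)   # header.file_size cleared
    trailing = good + b"\x00" * 16                      # region larger than the dex
    for name, d in (("good", good), ("zeroed", zeroed), ("trailing", trailing)):
        h = parse_header(d)
        print(f"{name}: file_size={h['file_size']} map_off={h['map_off']} "
              f"maps_end={maps_end(d)} dump={real_dex_size(d)} "
              f"leftover={leftover_after_maps(d)}")
```

Cutting the dump at map_off alone would drop the 40-byte map_list in this sample, which is exactly the kind of truncation that makes dex2jar read past the end of its buffer; cutting at maps_end keeps it even when the header's file_size has been zeroed. leftover_after_maps is the check to run when, as in the sample mentioned later in this thread, the region in memory is larger than the map-derived size.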

Sorry, I forgot this. Thank you for answering. I got a sample where maps_end is not the end of the dex file and there is some other data there. Do you know what would cause this? Have you ever met this before?

OtterV, Nov 05 '21 17:11