This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

dump map_offset vs dump dex_size; WHY MAP_OFFSET? #41

Open
OtterV opened this issue Nov 5, 2021 · 4 comments

Comments

@OtterV

OtterV commented Nov 5, 2021

FRIDA-DEXDump uses dump(dexptr, map_offset), but I got an incorrect dex file. When using dex2jar on it, I got an error:
╰─$ sh d2j-dex2jar.sh 0x7ba1f1f01c.dex
dex2jar 0x7ba1f1f01c.dex -> ./0x7ba1f1f01c-dex2jar.jar
java.lang.IllegalArgumentException: newPosition > limit: (1605878 > 427976)
at java.base/java.nio.Buffer.createPositionException(Buffer.java:318)
at java.base/java.nio.Buffer.position(Buffer.java:293)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1094)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:262)
at com.googlecode.d2j.reader.DexFileReader.getString(DexFileReader.java:967)
at com.googlecode.d2j.reader.DexFileReader.getType(DexFileReader.java:981)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:654)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:625)
at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:88)
at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:280)
at com.googlecode.dex2jar.tools.Dex2jarCmd.doCommandLine(Dex2jarCmd.java:112)
at com.googlecode.dex2jar.tools.BaseCmd.doMain(BaseCmd.java:290)
at com.googlecode.dex2jar.tools.Dex2jarCmd.main(Dex2jarCmd.java:33)
So, I found that the dump size is wrong. After modifying the dump size to fileSize, I got a correct dex file and successfully ran dex2jar on it.

My question is: why use map_offset?
And why can it dump correctly when dex_size > map_offset?

@hluwa
Owner

hluwa commented Nov 5, 2021

The dex_size is easily cleared or modified; normally map_offset is the last section of the dex file.
If you are using Python, dex_size is already fixed in dex_fix.

@OtterV
Author

OtterV commented Nov 5, 2021

But map_off is not the end of the dex file. There is a map_item after it.
map_off >= data_off, and map_item is in the data section, so some of the data section can be left in memory without being dumped.
I think this way of calculating the dump size may be wrong.

@hluwa
Owner

hluwa commented Nov 5, 2021

The dump size already contains the map_items; see get_dex_real_size and get_maps_end in agent.js.

@OtterV
Author

OtterV commented Nov 5, 2021

Sorry, I forgot this. Thank you for answering.
I got a sample where maps_end is not the end of the dex file and there is some other data after it.
Do you know what would cause this? Have you ever encountered it before?
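A worked version of the sizing rule discussed in this thread, added here as an example in Python; it is not FRIDA-DEXDump's own code (the agent.js functions hluwa names are not reproduced), and the function names, the "largest plausible candidate" rule in choose_dump_size, and the constructed blob from build_sample are assumptions. It walks the map_list the way hluwa describes (map_off + uint size + 12-byte map_items) and also covers the case OtterV raises, where data sits after the map_list, by comparing maps_end against data_off + data_size and a sanity-checked file_size.

```python
import struct

HEADER_SIZE = 0x70    # size of the standard DEX header
MAP_ITEM_SIZE = 12    # map_item: ushort type, ushort unused, uint size, uint offset

def parse_header(blob: bytes) -> dict:
    """Read the header fields that matter when sizing a memory dump."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n":
        raise ValueError("not a DEX header")
    (file_size,) = struct.unpack_from("<I", blob, 0x20)
    (map_off,) = struct.unpack_from("<I", blob, 0x34)
    data_size, data_off = struct.unpack_from("<II", blob, 0x68)
    return {"file_size": file_size, "map_off": map_off,
            "data_size": data_size, "data_off": data_off}

def get_maps_end(blob: bytes) -> int:
    """End of the map_list: map_off + uint size + size * 12-byte map_item."""
    map_off = parse_header(blob)["map_off"]
    (n_items,) = struct.unpack_from("<I", blob, map_off)
    return map_off + 4 + n_items * MAP_ITEM_SIZE

def choose_dump_size(blob: bytes, mapped_len: int) -> int:
    """Largest candidate end offset that still covers the map_list and fits
    inside the mapping; a cleared or inflated file_size is simply ignored."""
    hdr = parse_header(blob)
    maps_end = get_maps_end(blob)
    data_end = hdr["data_off"] + hdr["data_size"]
    candidates = (maps_end, data_end, hdr["file_size"])
    return max(c for c in candidates if maps_end <= c <= mapped_len)

def build_sample(file_size_field: int, trailing: int = 0) -> bytes:
    """Constructed DEX-shaped blob (not a real dex): header, 64 data bytes,
    a 3-entry map_list, then `trailing` extra bytes placed after the map_list."""
    data_off = HEADER_SIZE
    payload = b"\xAA" * 0x40
    map_off = data_off + len(payload)
    items = [(0x0000, 0, 1, 0), (0x2000, 0, 1, data_off), (0x1000, 0, 1, map_off)]
    map_list = struct.pack("<I", len(items)) + b"".join(
        struct.pack("<HHII", *it) for it in items)
    total = map_off + len(map_list) + trailing
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 0x20, file_size_field, HEADER_SIZE, 0x12345678)
    struct.pack_into("<I", hdr, 0x34, map_off)
    struct.pack_into("<II", hdr, 0x68, total - data_off, data_off)
    return bytes(hdr) + payload + map_list + b"\xBB" * trailing
```

With file_size zeroed the map_list end still gives the right size, and with bytes after the map_list the data_off + data_size bound catches what maps_end alone would truncate.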
