dex文件结构

DEX文件结构

dex结构定义位置

android-10.0.0_r41\dalvik\libdex\DexFile.h

/*
 * Direct-mapped "header_item" struct.
 */
struct DexHeader {
    u1  magic[8];           /* includes version number */
    u4  checksum;           /* adler32 checksum */
    u1  signature[kSHA1DigestLen]; /* SHA-1 hash */
    u4  fileSize;           /* length of entire file */
    u4  headerSize;         /* offset to start of next section */
    u4  endianTag;
    u4  linkSize;
    u4  linkOff;
    u4  mapOff;
    u4  stringIdsSize;
    u4  stringIdsOff;
    u4  typeIdsSize;
    u4  typeIdsOff;
    u4  protoIdsSize;
    u4  protoIdsOff;
    u4  fieldIdsSize;
    u4  fieldIdsOff;
    u4  methodIdsSize;
    u4  methodIdsOff;
    u4  classDefsSize;
    u4  classDefsOff;
    u4  dataSize;
    u4  dataOff;
};

图解

例子

010editor 加上dex.bt

checksum（校验和）是DEX位于文件头部的一个信息，用来判断DEX文件是否损坏或者被篡改，它位于头部的0x08偏移地址处，占用4个字节，采用小端序存储。
    在DEX文件中，采用Adler-32校验算法计算出校验和，将DEX文件从0x0C处开始读取到文件结束，将读取到的字节数组使用Adler-32校验算法计算出结果即是校验和即checksum字段

字段名	长度（bit）	值	备注
magic	8	64 65 78 0a 30 33 35 00
checksum	4	6c 35 8a d0	0xd08a356c
signature	20	0c 68 37 ef ab 09 36 3e 65 5b 47 24 af 54 75 fa 2e 7f 12 2f
filesize	4	34 3a 20 00	0x203a34,2112052
headsize:	4	70 00 00 00	0x70, 112
endiantag	4	78 56 34 12
linksize	4	00 00 00 00
linkOff	4	00 00 00 00
mapOff	4	78 56 34 12
stringIdsSize	4	2f 52 00 00	0x522f, 21039
stringIdsOff	4	70 00 00 00	0x70, 112
typeIdsSize	4	42 08 00 00	0x0842,2114
typeIdsOff	4	64 39 20 00
protoIdsSize	4	2d 0d 00 00	0x0d2d,3373
protoIdsOff	4	34 6a 01 00
fieldIdsSize	4	b8 2b 00 00	0x2bb8,11192
fieldIdsOff	4	50 08 02 00
methodIdsSize	4	bb 3d 00 00	0x3dbb,15803
methodIdsOff	4	10 66 03 00
classDefsSize	4	53 05 00 00	0x0553,1363
classDefsOff	4	e8 53 05 00
dataSize	4	ec 3b 1a 00	0x1a3bec,1719276
dataOff	4	48 fe 05 00

python计算checksum和signature

import hashlib
import zlib


def getCheckSum(dexfile):
    f = open(filename, 'rb', False)
    f.seek(0x0c)
    chs = f.read()
    f.close()
    return hex(zlib.adler32(chs))


def getSignature(dexfile):
    f = open(filename, 'rb', False)
    f.seek(0x20)
    chs = f.read()
    f.close()
    return hashlib.sha1(chs).hexdigest()


if __name__ == '__main__':
    filename = 'classes.dex'
    checksum = getCheckSum(filename)
    print(f'checksum = {checksum}')
    signature = getSignature(filename)
    print(f'signature = {signature}')

参考

dex文件格式介绍

pythonhash库