http://pan.baidu.com/s/1hs2kHbm
AndFix热补丁原理就是在 native 动态替换方法 java 层的代码,通过 native 层hook java 层的代码。优点
1. 因为是动态的,所以不需要重启应用就可以生效
2. 支持ART与Dalvik
3. 与multidex方案相比,性能会有所提升(Multi Dex需要修改所有class的class_ispreverified标志位,导致运行时性能有所损失)
4.支持新增加方法
5. 支持在新增方法中新增局部变量
先回顾下前文描述的使用方法:
public class MainApplication extends Application {
private static final String TAG = " andrew";
private static final String APATCH_PATH = "/out.apatch";
private static final String DIR = "apatch";//补丁文件夹
/** * patch manager */
private PatchManager mPatchManager;
@Override
public void onCreate() {
super.onCreate();
// initialize
mPatchManager = new PatchManager(this);
mPatchManager.init("1.0");
Log.d(TAG, "inited.");
// load patch
mPatchManager.loadPatch();
try {
// .apatch file path
String patchFileString = Environment.getExternalStorageDirectory()
.getAbsolutePath() + APATCH_PATH;
mPatchManager.addPatch(patchFileString);
Log.d(TAG, "apatch:" + patchFileString + " added.");
//复制且加载补丁成功后,删除下载的补丁
File f = new File(this.getFilesDir(), DIR + APATCH_PATH);
if (f.exists()) {
boolean result = new File(patchFileString).delete();
if (!result)
Log.e(TAG, patchFileString + " delete fail");
}
} catch (IOException e) {
Log.e(TAG, "", e);
}
}
}
mPatchManager = new PatchManager(this);
SP_VERSION 更多象征app的版本,该值不变时,打补丁;改变时,清空补丁
// patch extension
private static final String SUFFIX = ".apatch";//后缀名
private static final String DIR = "apatch";//补丁文件夹
private static final String SP_NAME = "_andfix_";
private static final String SP_VERSION = "version";//热更新补丁时,版本不变,自动加载补丁;apk完整更新发布时,版本提升,本地会自动删除以前加载在apatch文件夹里的补丁,防止二次载入过时补丁
/** * context */
private final Context mContext;
/** * AndFix manager */
private final AndFixManager mAndFixManager;
/** * patch directory */
private final File mPatchDir;
/** * patchs */
private final SortedSet<Patch> mPatchs;
/** * classloaders */
private final Map<String, ClassLoader> mLoaders;
/** * @param context context */
public PatchManager(Context context) {
mContext = context;
mAndFixManager = new AndFixManager(mContext);//初始化AndFixManager
mPatchDir = new File(mContext.getFilesDir(), DIR);//初始化存放patch补丁文件的文件夹, data/data/包名/files/patch
mPatchs = new ConcurrentSkipListSet<Patch>();//初始化存在Patch类的集合,此类适合大并发
mLoaders = new ConcurrentHashMap<String, ClassLoader>();//初始化存放类对应的类加载器集合
}
大致就是从SharedPreferences读取以前存的版本和你传过来的版本进行比对,如果两者版本不一致就删除本地patch,否则调用initPatchs()这个方法
/** * initialize * * @param appVersion App version */
public void init(String appVersion) {
if (!mPatchDir.exists() && !mPatchDir.mkdirs()) {// make directory fail
Log.e(TAG, "patch dir create error.");
return;
} else if (!mPatchDir.isDirectory()) {//如果遇到同名的文件,则将该同名文件删除
mPatchDir.delete();
return;
}
//在该文件下放入一个名为_andfix_的SharedPreferences文件
SharedPreferences sp = mContext.getSharedPreferences(SP_NAME,
Context.MODE_PRIVATE);//存储关于patch文件的信息
//根据你传入的版本号和之前的对比,做不同的处理
String ver = sp.getString(SP_VERSION, null);
//根据版本号加载补丁文件,版本号不同清空缓存目录
if (ver == null || !ver.equalsIgnoreCase(appVersion)) {
cleanPatch();//删除本地patch文件
sp.edit().putString(SP_VERSION, appVersion).commit();//并把传入的版本号保存
} else {
initPatchs();//初始化patch列表,把本地的patch文件加载到内存
}
}
分析下initPatchs()它做了什么,其实代码很简单,就是把mPatchDir文件夹下的文件作为参数传给了addPatch(File)方法,然后调用addPatch()方法
private void initPatchs() {
File[] files = mPatchDir.listFiles();
for (File file : files) {
addPatch(file);
}
}
/** * add patch file * * @param file * @return patch */
//把扩展名为.apatch的文件传给Patch做参数,初始化对应的Patch,
//并把刚初始化的Patch加入到我们之前看到的Patch集合mPatchs中
private Patch addPatch(File file) {
Patch patch = null;
if (file.getName().endsWith(SUFFIX)) {
try {
patch = new Patch(file);//实例化Patch对象
mPatchs.add(patch);//把patch实例存储到内存的集合中,在PatchManager实例化集合
} catch (IOException e) {
Log.e(TAG, "addPatch", e);
}
}
return patch;
}
可以看到里面有JarFile, JarEntry, Manifest, Attributes,通过它们一层层的从Jar文件中获取相应的值,提到这里大家可能会奇怪,明明是.patch文件,怎么又变成Jar文件了?其实是通过阿里打补丁包工具生成补丁的时候写入相应的值,补丁文件其实就相到于jar包,只不过它们的扩展名不同而已
public class Patch implements Comparable<Patch> {
private static final String ENTRY_NAME = "META-INF/PATCH.MF";
private static final String CLASSES = "-Classes";
private static final String PATCH_CLASSES = "Patch-Classes";
private static final String CREATED_TIME = "Created-Time";
private static final String PATCH_NAME = "Patch-Name";
/** * patch file */
private final File mFile;
/** * name */
private String mName;
/** * create time */
private Date mTime;
/** * classes of patch */
private Map<String, List<String>> mClassesMap;
public Patch(File file) throws IOException {
mFile = file;
init();
}
@SuppressWarnings("deprecation")
private void init() throws IOException {
JarFile jarFile = null;
InputStream inputStream = null;
try {
jarFile = new JarFile(mFile);//使用JarFile读取Patch文件
JarEntry entry = jarFile.getJarEntry(ENTRY_NAME);//获取META-INF/PATCH.MF文件
inputStream = jarFile.getInputStream(entry);
Manifest manifest = new Manifest(inputStream);
Attributes main = manifest.getMainAttributes();
mName = main.getValue(PATCH_NAME);//获取PATCH.MF属性Patch-Name
mTime = new Date(main.getValue(CREATED_TIME));//获取PATCH.MF属性Created-Time
mClassesMap = new HashMap<String, List<String>>();
Attributes.Name attrName;
String name;
List<String> strings;
for (Iterator<?> it = main.keySet().iterator(); it.hasNext();) {
attrName = (Attributes.Name) it.next();
name = attrName.toString();
//判断name的后缀是否是-Classes,并把name对应的值加入到集合中,对应的值就是class类名的列表
if (name.endsWith(CLASSES)) {
strings = Arrays.asList(main.getValue(attrName).split(","));
if (name.equalsIgnoreCase(PATCH_CLASSES)) {
mClassesMap.put(mName, strings);
} else {
mClassesMap.put(
name.trim().substring(0, name.length() - 8),// remove
// "-Classes"
strings);
}
}
}
} finally {
if (jarFile != null) {
jarFile.close();
}
if (inputStream != null) {
inputStream.close();
}
}
}
public String getName() {
return mName;
}
public File getFile() {
return mFile;
}
public Set<String> getPatchNames() {
return mClassesMap.keySet();
}
public List<String> getClasses(String patchName) {
return mClassesMap.get(patchName);
}
public Date getTime() {
return mTime;
}
@Override
public int compareTo(Patch another) {
return mTime.compareTo(another.getTime());
}
}
这个方法就是遍历mPatchs中每个patch的每个类,mPatchs就是上文介绍的存储patch的一个集合。根据补丁名找到对应的类,做为参数传给fix()
/** * load patch,call when application start */
public void loadPatch() {
mLoaders.put("*", mContext.getClassLoader());// wildcard
Set<String> patchNames;
List<String> classes;
for (Patch patch : mPatchs) {
patchNames = patch.getPatchNames();
for (String patchName : patchNames) {
classes = patch.getClasses(patchName);
mAndFixManager.fix(patch.getFile(), mContext.getClassLoader(),
classes);
}
}
}
总结 一下, java 层的功能就是找到补丁文件,根据补丁中的注解找到将要替换的方法然后交给jni层去处理替换方法的操作
遍历dexFile文件中所有的类, 如果有需要修改的类集合中在这个Dex文件中找到了一样的类,则使用loadClass(String, ClassLoader)加载这个类, 然后调用fixClass(String, ClassLoader)修复这个类
/** * fix * * @param file * patch file * @param classLoader * classloader of class that will be fixed * @param classes * classes will be fixed */
public synchronized void fix(File file, ClassLoader classLoader,
List<String> classes) {
if (!mSupport) {
return;
}
//判断patch文件的签名
if (!mSecurityChecker.verifyApk(file)) {// security check fail
return;
}
try {
File optfile = new File(mOptDir, file.getName());
boolean saveFingerprint = true;
if (optfile.exists()) {
// need to verify fingerprint when the optimize file exist,
// prevent someone attack on jailbreak device with
// Vulnerability-Parasyte.
// btw:exaggerated android Vulnerability-Parasyte
// http://secauo.com/Exaggerated-Android-Vulnerability-Parasyte.html
if (mSecurityChecker.verifyOpt(optfile)) {
saveFingerprint = false;
} else if (!optfile.delete()) {
return;
}
}
//加载patch文件中的dex
final DexFile dexFile = DexFile.loadDex(file.getAbsolutePath(),
optfile.getAbsolutePath(), Context.MODE_PRIVATE);
if (saveFingerprint) {
mSecurityChecker.saveOptSig(optfile);
}
ClassLoader patchClassLoader = new ClassLoader(classLoader) {
@Override
protected Class<?> findClass(String className)
throws ClassNotFoundException {
Class<?> clazz = dexFile.loadClass(className, this);
if (clazz == null
&& className.startsWith("com.alipay.euler.andfix")) {
return Class.forName(className);// annotation’s class
// not found
}
if (clazz == null) {
throw new ClassNotFoundException(className);
}
return clazz;
}
};
Enumeration<String> entrys = dexFile.entries();
Class<?> clazz = null;
while (entrys.hasMoreElements()) {
String entry = entrys.nextElement();
if (classes != null && !classes.contains(entry)) {
continue;// skip, not need fix
}
clazz = dexFile.loadClass(entry, patchClassLoader);//获取有bug的类文件
if (clazz != null) {
fixClass(clazz, classLoader);
}
}
} catch (IOException e) {
Log.e(TAG, "pacth", e);
}
}
/** * fix class * * @param clazz * class */
private void fixClass(Class<?> clazz, ClassLoader classLoader) {
//使用反射获取这个类中所有的方法
Method[] methods = clazz.getDeclaredMethods();
//MethodReplace是这个库自定义的Annotation,标记哪个方法需要被替换
MethodReplace methodReplace;
String clz;
String meth;
for (Method method : methods) {
//获取此方法的注解,因为有bug的方法在生成的patch的类中的方法都是有注解的
//还记得对比过程中生成的Annotation注解吗
//这里通过注解找到需要替换掉的方法
methodReplace = method.getAnnotation(MethodReplace.class);
if (methodReplace == null)
continue;
clz = methodReplace.clazz();//获取注解中clazz的值,标记的类
meth = methodReplace.method();//获取注解中method的值,需要替换的方法
if (!isEmpty(clz) && !isEmpty(meth)) {
//所有找到的方法,循环替换
replaceMethod(classLoader, clz, meth, method);
}
}
}
/** * replace method * * @param classLoader classloader * @param clz class * @param meth name of target method * @param method source method */
private void replaceMethod(ClassLoader classLoader, String clz,
String meth, Method method) {
try {
String key = clz + "@" + classLoader.toString();
Class<?> clazz = mFixedClass.get(key);//判断此类是否被fix
if (clazz == null) {// class not load
Class<?> clzz = classLoader.loadClass(clz);
// initialize target class
clazz = AndFix.initTargetClass(clzz);//初始化class
}
if (clazz != null) {// initialize class OK
mFixedClass.put(key, clazz);
Method src = clazz.getDeclaredMethod(meth,
method.getParameterTypes());//根据反射获取到有bug的类的方法(有bug的apk)
AndFix.addReplaceMethod(src, method);//src是有bug的方法,method是补丁方法
}
} catch (Exception e) {
Log.e(TAG, "replaceMethod", e);
}
}
调用jni替换,src是有bug的方法,method是补丁方法
private static native boolean setup(boolean isArt, int apilevel);
private static native void replaceMethod(Method dest, Method src);
private static native void setFieldFlag(Field field);
public static void addReplaceMethod(Method src, Method dest) { try { replaceMethod(src, dest);//调用了native方法,next code initFields(dest.getDeclaringClass()); } catch (Throwable e) { Log.e(TAG, "addReplaceMethod", e); } }
总结 一下, java 层的功能就是找到补丁文件,根据补丁中的注解找到将要替换的方法然后交给jni层去处理替换方法的操作
替换原来方法的处理方式我们看起来会有点熟悉,一般的java hook差不多都是这样的套路,在jni中找到要替换方法的Method对象,修改它的一些属性,让它指向新方法的Method对象。
以上所有的过程是在应用MainApplication的onCreate中被调用,所以当应用重启后,原方法和补丁方法都被加载到内存中,并完成了替换,在后面的运行中就会执行补丁中的方法了。
AndFix的优点是像正常修复bug那样来生成补丁包,但可以看出无论是dexposed还是AndFix,都利用了java hook的技术来替换要修复的方法,这就需要我们理解dalvik虚拟机加载、运行java方法的机制,并要掌握libdvm中一些关键的数据结构和函数的使用。
static jboolean setup(JNIEnv* env, jclass clazz, jboolean isart,
jint apilevel) {
isArt = isart;
LOGD("vm is: %s , apilevel is: %i", (isArt ? "art" : "dalvik"),
(int )apilevel);
if (isArt) {
return art_setup(env, (int) apilevel);
} else {
return dalvik_setup(env, (int) apilevel);
}
}
static void replaceMethod(JNIEnv* env, jclass clazz, jobject src,
jobject dest) {
if (isArt) {
art_replaceMethod(env, src, dest);
} else {
dalvik_replaceMethod(env, src, dest);
}
}
根据上层传过来的 isArt 判断调用 Dalvik 还是 Art 的方法。
以 Dalvik 为例,继续往下分析,代码在 dalvik_method_replace.cpp 中
dalvik_setup 方法
extern jboolean __attribute__ ((visibility ("hidden"))) dalvik_setup(
JNIEnv* env, int apilevel) {
jni_env = env;
void* dvm_hand = dlopen("libdvm.so", RTLD_NOW);
if (dvm_hand) {
...
//使用dlsym方法将dvmCallMethod_fnPtr函数指针指向libdvm.so中的 //dvmCallMethod方法,也就是说可以通过调用该函数指针执行其指向的方法
//下面会用到dvmCallMethod_fnPtr
dvmCallMethod_fnPtr = dvm_dlsym(dvm_hand,
apilevel > 10 ?
"_Z13dvmCallMethodP6ThreadPK6MethodP6ObjectP6JValuez" :
"dvmCallMethod");
...
}
}
替换方法的关键在于 native 层怎么影响内存里的java代码,我们知道 java 代码里将一个方法声明为 native 方法时,对此函数的调用就会到 native 世界里找,AndFix原理就是将一个不是native的方法修改成native方法,然后在 native 层进行替换,通过 dvmCallMethod_fnPtr 函数指针来调用 libdvm.so 中的 dvmCallMethod() 来加载替换后的新方法,达到替换方法的目的。 Jni 反射调用 java 方法时要用到一个 jmethodID 指针,这个指针在 Dalvik 里其实就是 Method 类,通过修改这个类的一些属性就可以实现在运行时将一个方法修改成 native 方法。
看下 dalvik_replaceMethod(env, src, dest);
extern void __attribute__ ((visibility ("hidden"))) dalvik_replaceMethod(
JNIEnv* env, jobject src, jobject dest) {
jobject clazz = env->CallObjectMethod(dest, jClassMethod);
ClassObject* clz = (ClassObject*) dvmDecodeIndirectRef_fnPtr(
dvmThreadSelf_fnPtr(), clazz);
//设置为初始化完毕
clz->status = CLASS_INITIALIZED;
//meth是将要被替换的方法
Method* meth = (Method*) env->FromReflectedMethod(src);
//target是新的方法
Method* target = (Method*) env->FromReflectedMethod(dest);
LOGD("dalvikMethod: %s", meth->name);
meth->jniArgInfo = 0x80000000;
//修改method的属性,将meth设置为native方法
meth->accessFlags |= ACC_NATIVE;
int argsSize = dvmComputeMethodArgsSize_fnPtr(meth);
if (!dvmIsStaticMethod(meth))
argsSize++;
meth->registersSize = meth->insSize = argsSize;
//将新的方法信息保存到insns
meth->insns = (void*) target;
//绑定桥接函数,java方法的跳转函数
meth->nativeFunc = dalvik_dispatcher;
}
static void dalvik_dispatcher(const u4* args, jvalue* pResult,
const Method* method, void* self) {
Method* meth = (Method*) method->insns;
meth->accessFlags = meth->accessFlags | ACC_PUBLIC;
if (!dvmIsStaticMethod(meth)) {
Object* thisObj = (Object*) args[0];
ClassObject* tmp = thisObj->clazz;
thisObj->clazz = meth->clazz;
argArray = boxMethodArgs(meth, args + 1);
if (dvmCheckException_fnPtr(self))
goto bail;
dvmCallMethod_fnPtr(self, (Method*) jInvokeMethod,
dvmCreateReflectMethodObject_fnPtr(meth), &result, thisObj,
argArray);
thisObj->clazz = tmp;
} else {
argArray = boxMethodArgs(meth, args);
if (dvmCheckException_fnPtr(self))
goto bail;
dvmCallMethod_fnPtr(self, (Method*) jInvokeMethod,
dvmCreateReflectMethodObject_fnPtr(meth), &result, NULL,
argArray);
}
bail: dvmReleaseTrackedAlloc_fnPtr((Object*) argArray, self);
通过 dalvik_dispatcher 这个跳转函数完成最后的替换工作,到这里就完成了两个方法的替换,有问题的方法就可以被修复后的方法取代。ART的替换方法就不讲了,原理上差别不大。
// 缓存目录data/data/package/file/apatch/会缓存补丁文件
// 即使原目录被删除也可以打补丁
/** * add patch at runtime * * @param path patch path * @throws IOException */
public void addPatch(String path) throws IOException {
File src = new File(path);
File dest = new File(mPatchDir, src.getName());
if (!src.exists()) {
throw new FileNotFoundException(path);
}
if (dest.exists()) {
Log.d(TAG, "patch [" + src.getName() + "] has be loaded.");
boolean deleteResult = dest.delete();
if (deleteResult)
Log.e(TAG, "patch [" + dest.getPath() + "] has be delete.");
else {
Log.e(TAG, "patch [" + dest.getPath() + "] delete error");
return;
}
}
//拷贝文件
FileUtil.copyFile(src, dest);// copy to patch's directory
Patch patch = addPatch(dest);
if (patch != null) {
loadPatch(patch);
}
}