lukhio / dexparser Goto Github PK

For now the parser just disassembles the full app and prints the result on stdout. Add some CLI arguments to allow for:

• disassemble only a class
• disassemble only a method in a class
• save disassembly output to a file
• print list of classes in the app (with access flags)
• print list of methods in the app (with access flags)

Some instructions use signed values (e.g., relative offset). Right now in the code we do not properly handle that and only use unsigned values.

It is not needed to use a trait here since there is a finite set of instruction types. Instead we can use an emum, which should simplify things down the road.

List of structures that can appear in a DEX file:

• header_item
• map_list
• map_item
• string_id_item
• string_data_item
• type_id_item
• proto_id_item
• field_id_item
• method_id_item
• class_def_item
• call_site_id_item
• call_site_item
• method_handle_item
• class_data_item
• encoded_field
• encoded_method
• type_list
• type_item
• code_item
• try_item
• encoded_catch_handler_list
• encoded_catch_handler
• encoded_type_addr_pair
• debug_info_item
• Special opcodes
• annotations_directory_item
• field_annotation
• method_annotation
• parameter_annotation
• annotation_set_ref_list
• annotation_set_ref_item
• annotation_set_item
• annotation_off_item
• annotation_item
• Visibility values
• encoded_array_item
• hiddenapi_class_data_item
• dalvik.annotation.AnnotationDefault
• dalvik.annotation.EnclosingClass
• dalvik.annotation.EnclosingMethod
• dalvik.annotation.InnerClass
• dalvik.annotation.MemberClasses
• dalvik.annotation.MethodParameters
• dalvik.annotation.Signature
• dalvik.annotation.Throws

The standard seems to be either anyhow or thiserror. Not sure which one is better for our use case, need to investigate.

If a string cannot be decoded from MUTF-8 to ASCII, it is added "raw" to the lsit of strings (i.e., undecoded). This can lead to issues down the road because the various DEX classes that uses strings expect the list of strings to be ordered "by string contents, using UTF-16 code point values" (see documentation).

There is three possibilities for the source of this bug:

1. we do not correctly decode MUTF-8 strings
2. we do not sort correctly the strings (included undecoded ones)
3. a mix of 1. and 2.

There are still some lesser used instructions that we do not disassemble (we do parse them though). This issue is to keep track of them:

• invoke-polymorphic
• invoke-polymorphic/range
• filled-new-array/range
• invoke-custom
• invoke-custom/range
• const-method-handle
• const-method-type
• packed-switch-payload
• sparse-switch-payload
• fill-array-data-payload

Some apps have multiple DEX files when they have more than 65,536 methods. The code is instead split into multiple DEX files which are then merged by the system when installing the app. Such apps have mutliple DEX files named classes.dex, classes2.dex, etc.

Looks like merging them in our parser is simply a matter of parsing each DEX file individually and merging the lists of parsed data (e.g., strings, prototypes).