Search code examples
androiddalvikoverlappingbytecode-manipulation

Java.lang.verifyError : Does dalvik support overlapping bycodes?

I try to modify a dex files in my apk in order to obfuscate my code.

I compile the following code on eclipse : 

boolean test = false; 
SmsManager sm = SmsManager.getDefault();

if (test){ // always false
    test = true;  // this branch is never taken 
} else {
    String messageBody = "sms";
    sm.sendTextMessage("5556", null, messageBody, null, null);
}

So only the "else branch" is execute. The other branch is dead code. Then I export my code into an apk with eclipse.

After that, I open the apk with apktools, I pick up the dex file and so I have the following bytescodes : 

CODE:3EE80                      const/4                    v2, 0
CODE:3EE82 206F 001C 0087       invoke-super               {this, p0}, <void Activity.onCreate(ref) imp. @ _def_Activity_onCreate@VL>
CODE:3EE88 0115 7F03            const/high16               v1, 0x7F030000
CODE:3EE8C 206E 12C9 0017       invoke-virtual             {this, v1}, <void MainActivity.setContentView(int) imp. @ _def_MainActivity_setContentView@VI>
CODE:3EE92 0612                 const/4                    v6, 0
CODE:3EE94 0071 0FD3 0000       invoke-static              {}, <ref SmsManager.getDefault() imp. @ _def_SmsManager_getDefault@L>
CODE:3EE9A 000C                 move-result-object         v0
CODE:3EE9C 0638 0003            if-eqz                     v6, loc_3EEA2
CODE:3EEA0 1612                 const/4                    v6, 1
CODE:3EEA2
CODE:3EEA2 031A 143A            const-string               v3, aSmsI # "sms"
CODE:3EEA6 011A 00BE             const-string              v1, a5556 # "5556"
CODE:3EEAA 2407                  move-object               v4, v2
CODE:3EEAC 2507                  move-object               v5, v2
CODE:3EEAE 0674 0FD4 0000        invoke-virtual/range      {v0..v5}, <void SmsManager.sendTextMessage(ref, ref, ref, ref, ref) imp. @ _def_SmsManager_sendTextMessage@VLLLLL>
CODE:3EEB4 000E                  return-void
CODE:3EEB4                       Method End

I change dead code in my if/else construct at 0x3eea0 to have overlapping and to hide some of my code in the "else branch ": 

CODE:3EEA0 0218 031A 143A 011A+ const-wide               v2:v3, 0xBE011A143A031A
CODE:3EEAA 2407                 move-object                v4, v2
CODE:3EEAC 2507                 move-object                v5, v2
CODE:3EEAE 0674 0FD4 0000       invoke-virtual/range       {v0..v5}, <void SmsManager.sendTextMessage(ref, ref, ref, ref, ref) imp. @ _def_SmsManager_sendTextMessage@VLLLLL>
CODE:3EEB4 000E                 return-void
CODE:3EEB4                      Method End

Then I change the checksum and the hash of the dex file. I close my apk with apktools and I sign it with jarsigner.

With adb I install the apk on my emulated device. All is sucessfull.

But when I try to launch the application, it crashes and I have the following error on my device : "Unfortunately, myApps has stopped".

The logcat give me this : 

09-06 08:31:13.126: E/AndroidRuntime(874): FATAL EXCEPTION: main
09-06 08:31:13.126: E/AndroidRuntime(874): java.lang.VerifyError: trust/vuln/myApps/MainActivity
09-06 08:31:13.126: E/AndroidRuntime(874):  at java.lang.Class.newInstanceImpl(Native Method)
09-06 08:31:13.126: E/AndroidRuntime(874):  at java.lang.Class.newInstance(Class.java:1130)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.Instrumentation.newActivity(Instrumentation.java:1061)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2128)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2261)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.ActivityThread.access$600(ActivityThread.java:141)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1256)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.os.Handler.dispatchMessage(Handler.java:99)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.os.Looper.loop(Looper.java:137)
09-06 08:31:13.126: E/AndroidRuntime(874):  at android.app.ActivityThread.main(ActivityThread.java:5103)
09-06 08:31:13.126: E/AndroidRuntime(874):  at java.lang.reflect.Method.invokeNative(Native Method)
09-06 08:31:13.126: E/AndroidRuntime(874):  at java.lang.reflect.Method.invoke(Method.java:525)
09-06 08:31:13.126: E/AndroidRuntime(874):  at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:737)
09-06 08:31:13.126: E/AndroidRuntime(874):  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:553)
09-06 08:31:13.126: E/AndroidRuntime(874):  at dalvik.system.NativeStart.main(Native Method)
09-06 08:31:13.226: W/ActivityManager(288):   Force finishing activity com.vuln.myApps/.MainActivity

Is the java.lang.VerifyError because of overlapping bytescodes in my apps ? And is anyway to implements overlapping bytescode in an Android Application ?

Solution

  • The Dalvik verifier will not allow you to branch into the middle of an instruction. What you're attempting is specifically disallowed.

    If you look in the logcat output a few lines above the exception shown in your question, you should see a bunch of "VFY" messages that indicate the specific point of concern.