如何检查Dalvik Cache是​​否被修改

Question

So there are some tools out there that patch the App's Dalvik cache to remove copy protection - is there actually a way of checking the dalvik cache?

Is it just the DEX file that is copied, and if yes, does it still have the same checksum? And is it actally possible for a non-root app to get the checksum?

Answer 1

The files in the dalvik cache are not the original dex files - they are odex (optimized dex) files. When an application is installed, its dex file is extracted, and then dalvik runs an optimization pass on it and stores the result in the dalvik cache.

The directory permissions on the dalvik cache directory prevent a non-system application from listing the directory contents, but the execute permission is set and the odex files themselves are world readable, so an application can access them if it knows their file name.

However, it would be difficult to check the integrity of an odex file, because they are potentially different on every device. So you wouldn't be able to do a simple checksum check.

I imagine you would have to do a deep comparison of the dex file structures, and compare them against the original dex file. If you wanted to be really sure, you would need to de-odex the odex file first, and then compare the result with the original dex file.

Answer 2

I think you can call dexopt process (directly in the device) and compare the new generated dex with the one in the dalvik cache, off course if your cached dex is modified the change can disable the check itself. The author of lucky patcher suggested to load external code from assets and then execute in place, but this it's not going to be easy and 100% effective