手写Andfix热修复（Dalvik篇）

基本流程

将修复好的方法加上一个自定义注解

将所有修复好的class打包成dex

从dex中取出修复好的method

将class中出错的method的引用指向已修复的method

Andfix热修复的优点在于性能高，并且不需要重启APP，但是要注意，一点退出APP（结束dalvik）就需要重新修复。

开始撸码

创建一个新的项目，需要引入c++。创建一个错误的方法

package com.example.chauncey.ndk_lsn15_andfix;

/**
* Created by 45216 on 2017/9/2.
*/

class Calculator {
int calculate() {
int a = 10;
int b = 0;
return a / b;
}
}

创建一个自定义注解类

package com.example.chauncey.ndk_lsn15_andfix;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
* Created by 45216 on 2017/9/2.
*/

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Replace {
String clazz();

String method();
}

创建一个修复好的method，类名方法名一致

package com.example.chauncey.ndk_lsn15_andfix.Web;

import com.example.chauncey.ndk_lsn15_andfix.Replace;

/**
* Created by 45216 on 2017/9/2.
*/

class Calculator {
//此处的参数分别是待修复的类和方法
@Replace(clazz = "com.example.chauncey.ndk_lsn15_andfix.Calculator", method = "calculate")
int calculate() {
int a = 10;
int b = 1;
return a / b;
}
}

创建一个DexManager工具类

项目结构



build一下项目，提取已经编译好的class文件



将整个com文件夹提取出来，在这里我是放到桌面上的dx文件夹中，将除了Web文件夹以外的class文件全部删除，我们只需要将修复好的class打包成dex就行了。

使用Android sdk\build-tools\版本号\下的dx进行打包（我是偷懒，要不然放到系统环境变量里会好一些），以管理员身份运行cmd

E:\Android\android-sdk\build-tools\26.0.1>dx --dex --output C:\Users\45216\Desktop\dx\out.dex C:\Users\45216\Desktop\dx\

以上命令行中

–dex 打包成dex

–output 输出到指定位置



把dex文件放到设备上（模拟从服务器上下载），我放到了当前程序的cache文件夹下。

接下来是DexManger

public class DexManager {
private static final DexManager ourInstance = new DexManager();
//创建文件时勾选了单例模式，此处懒得改了
public void setContext(Context context) {
mContext = context;
}

private Context mContext;

public static DexManager getInstance() {
return ourInstance;
}

private DexManager() {
}

public void loadFile(File file) {
try {
if(!file.exists()){
return;
}
//专门用来处理Dex文件的类，在dalvik.system包下，毕竟Android4.4开始就已经使用了art虚拟机，所以这个类已经过时了
DexFile dexFile = DexFile.loadDex(file.getAbsolutePath(),
new File(mContext.getCacheDir(), "opt").getAbsolutePath(), Context.MODE_PRIVATE);
Enumeration<String> entries = dexFile.entries();
while (entries.hasMoreElements()) {
String className = entries.nextElement();
Class clazz = dexFile.loadClass(className, mContext.getClassLoader());
if (clazz != null) {
fixClass(clazz);
}
}
} catch (IOException e) {
e.printStackTrace();
}

}

private void fixClass(Class clazz) {
//获取所有类中的所有方法
Method[] methods = clazz.getDeclaredMethods();
for (Method rightMethod : methods) {
Replace replace = rightMethod.getAnnotation(Replace.class);
//只需要带有Replace注解的方法
if (replace == null) {
continue;
}
String wClass = replace.clazz();
String wMethod = replace.method();

try {
//Class.forName只能获取已存在的类，上面的dexFile.loadClass则是获取不存在于当前系统中的类
Class wrongClass = Class.forName(wClass);
Method wrongMethod = wrongClass.getDeclaredMethod(wMethod, rightMethod.getParameterTypes());
replaceMethod(Build.VERSION.SDK_INT, wrongMethod, rightMethod);
} catch (Exception e) {
e.printStackTrace();
}
}
}

private native void replaceMethod(int sdkVersion, Method wrongMethod, Method rightMethod);
}

在c++中进行方法的替换

首先要引入dalvik.h，但是引入时发现dalvik.h又引入了很多其它的头文件，所以在这里自己创建一个dalvik.h，因为Android4.4以下版本都是dalvik虚拟机，所以具体的实现已经集成好了。



以下是dalvik.h的具体内容

#include <string.h>
#include <jni.h>
#include <stdio.h>
#include <fcntl.h>
#include <dlfcn.h>

#include <stdint.h>    /* C99 */

typedef uint8_t u1;
typedef uint16_t u2;
typedef uint32_t u4;
typedef uint64_t u8;
typedef int8_t s1;
typedef int16_t s2;
typedef int32_t s4;
typedef int64_t s8;

/*
* access flags and masks; the "standard" ones are all <= 0x4000
*
* Note: There are related declarations in vm/oo/Object.h in the ClassFlags
* enum.
*/
enum {
ACC_PUBLIC = 0x00000001,       // class, field, method, ic
ACC_PRIVATE = 0x00000002,       // field, method, ic
ACC_PROTECTED = 0x00000004,       // field, method, ic
ACC_STATIC = 0x00000008,       // field, method, ic
ACC_FINAL = 0x00000010,       // class, field, method, ic
ACC_SYNCHRONIZED = 0x00000020,       // method (only allowed on natives)
ACC_SUPER = 0x00000020,       // class (not used in Dalvik)
ACC_VOLATILE = 0x00000040,       // field
ACC_BRIDGE = 0x00000040,       // method (1.5)
ACC_TRANSIENT = 0x00000080,       // field
ACC_VARARGS = 0x00000080,       // method (1.5)
ACC_NATIVE = 0x00000100,       // method
ACC_INTERFACE = 0x00000200,       // class, ic
ACC_ABSTRACT = 0x00000400,       // class, method, ic
ACC_STRICT = 0x00000800,       // method
ACC_SYNTHETIC = 0x00001000,       // field, method, ic
ACC_ANNOTATION = 0x00002000,       // class, ic (1.5)
ACC_ENUM = 0x00004000,       // class, field, ic (1.5)
ACC_CONSTRUCTOR = 0x00010000,       // method (Dalvik only)
ACC_DECLARED_SYNCHRONIZED = 0x00020000,       // method (Dalvik only)
ACC_CLASS_MASK = (ACC_PUBLIC | ACC_FINAL | ACC_INTERFACE | ACC_ABSTRACT
| ACC_SYNTHETIC | ACC_ANNOTATION | ACC_ENUM),
ACC_INNER_CLASS_MASK = (ACC_CLASS_MASK | ACC_PRIVATE | ACC_PROTECTED
| ACC_STATIC),
ACC_FIELD_MASK = (ACC_PUBLIC | ACC_PRIVATE | ACC_PROTECTED | ACC_STATIC
| ACC_FINAL | ACC_VOLATILE | ACC_TRANSIENT | ACC_SYNTHETIC
| ACC_ENUM),
ACC_METHOD_MASK = (ACC_PUBLIC | ACC_PRIVATE | ACC_PROTECTED | ACC_STATIC
| ACC_FINAL | ACC_SYNCHRONIZED | ACC_BRIDGE | ACC_VARARGS
| ACC_NATIVE | ACC_ABSTRACT | ACC_STRICT | ACC_SYNTHETIC
| ACC_CONSTRUCTOR | ACC_DECLARED_SYNCHRONIZED),
};

typedef struct DexProto {
u4* dexFile; /* file the idx refers to */
u4 protoIdx; /* index into proto_ids table of dexFile */
} DexProto;

typedef void (*DalvikBridgeFunc)(const u4* args, void* pResult,
const void* method, void* self);

struct Field {
void* clazz; /* class in which the field is declared */
const char* name;
const char* signature; /* e.g. "I", "[C", "Landroid/os/Debug;" */
u4 accessFlags;
};

struct Method;
struct ClassObject;

typedef struct Object {
/* ptr to class object */
struct ClassObject* clazz;

/*
* 类的加载过程
* A word containing either a "thin" lock or a "fat" monitor.  See
* the comments in Sync.c for a description of its layout.
*/
u4 lock;
} Object;

struct InitiatingLoaderList {
/* a list of initiating loader Objects; grown and initialized on demand */
void** initiatingLoaders;
/* count of loaders in the above list */
int initiatingLoaderCount;
};

enum PrimitiveType {
PRIM_NOT = 0, /* value is a reference type, not a primitive type */
PRIM_VOID = 1,
PRIM_BOOLEAN = 2,
PRIM_BYTE = 3,
PRIM_SHORT = 4,
PRIM_CHAR = 5,
PRIM_INT = 6,
PRIM_LONG = 7,
PRIM_FLOAT = 8,
PRIM_DOUBLE = 9,
}typedef PrimitiveType;

enum ClassStatus {
CLASS_ERROR = -1,

CLASS_NOTREADY = 0, CLASS_IDX = 1, /* loaded, DEX idx in super or ifaces */
CLASS_LOADED = 2, /* DEX idx values resolved */
CLASS_RESOLVED = 3, /* part of linking */
CLASS_VERIFYING = 4, /* in the process of being verified */
CLASS_VERIFIED = 5, /* logically part of linking; done pre-init */
CLASS_INITIALIZING = 6, /* class init in progress */
CLASS_INITIALIZED = 7, /* ready to go */
}typedef ClassStatus;

typedef struct ClassObject {
struct Object o; // emulate C++ inheritance, Collin

/* leave space for instance data; we could access fields directly if we
freeze the definition of java/lang/Class */
u4 instanceData[4];

/* UTF-8 descriptor for the class; from constant pool, or on heap
if generated ("[C") */
const char* descriptor;
char* descriptorAlloc;

/* access flags; low 16 bits are defined by VM spec */
u4 accessFlags;

/* VM-unique class serial number, nonzero, set very early */
u4 serialNumber;

/* DexFile from which we came; needed to resolve constant pool entries */
/* (will be NULL for VM-generated, e.g. arrays and primitive classes) */
void* pDvmDex;

/* state of class initialization */
ClassStatus status;

/* if class verify fails, we must return same error on subsequent tries */
struct ClassObject* verifyErrorClass;

/* threadId, used to check for recursive <clinit> invocation */
u4 initThreadId;

/*
* Total object size; used when allocating storage on gc heap.  (For
* interfaces and abstract classes this will be zero.)
*/
size_t objectSize;

/* arrays only: class object for base element, for instanceof/checkcast
(for String[][][], this will be String) */
struct ClassObject* elementClass;

/* arrays only: number of dimensions, e.g. int[][] is 2 */
int arrayDim;
PrimitiveType primitiveType;

/* superclass, or NULL if this is java.lang.Object */
struct ClassObject* super;

/* defining class loader, or NULL for the "bootstrap" system loader */
struct Object* classLoader;

struct InitiatingLoaderList initiatingLoaderList;

/* array of interfaces this class implements directly */
int interfaceCount;
struct ClassObject** interfaces;

/* static, private, and <init> methods */
int directMethodCount;
struct Method* directMethods;

/* virtual methods defined in this class; invoked through vtable */
int virtualMethodCount;
struct Method* virtualMethods;

/*
* Virtual method table (vtable), for use by "invoke-virtual".  The
* vtable from the superclass is copied in, and virtual methods from
* our class either replace those from the super or are appended.
*/
int vtableCount;
struct Method** vtable;

} ClassObject;

typedef struct Method {
struct ClassObject *clazz;
u4 accessFlags;
//u2 methodIndex   方法表里面的索引
u2 methodIndex;

u2 registersSize; /* ins + locals */
u2 outsSize;
u2 insSize;

/* method name, e.g. "<init>" or "eatLunch" */
const char* name;

/*
* Method prototype descriptor string (return and argument types).
*
* TODO: This currently must specify the DexFile as well as the proto_ids
* index, because generated Proxy classes don't have a DexFile.  We can
* remove the DexFile* and reduce the size of this struct if we generate
* a DEX for proxies.
*/
DexProto prototype;

/* short-form method descriptor string */
const char* shorty;

/*
* The remaining items are not used for abstract or native methods.
* (JNI is currently hijacking "insns" as a function pointer, set
* after the first call.  For internal-native this stays null.)
*/

/* the actual code */
u2* insns;

/* cached JNI argument and return-type hints */
int jniArgInfo;

/*
* Native method ptr; could be actual function or a JNI bridge.  We
* don't currently discriminate between DalvikBridgeFunc and
* DalvikNativeFunc; the former takes an argument superset (i.e. two
* extra args) which will be ignored.  If necessary we can use
* insns==NULL to detect JNI bridge vs. internal native.
*/
DalvikBridgeFunc nativeFunc;

#ifdef WITH_PROFILER
bool inProfile;
#endif
#ifdef WITH_DEBUGGER
short debugBreakpointCount;
#endif

bool fastJni;

/*
* JNI: true if this method has no reference arguments. This lets the JNI
* bridge avoid scanning the shorty for direct pointers that need to be
* converted to local references.
*
* TODO: replace this with a list of indexes of the reference arguments.
*/
bool noRef;

} Method;

接下来是replace方法的具体实现

#include <jni.h>
#include "dalvik.h"

typedef Object *(*FindObject)(void *thread, jobject obj);

typedef void *(*FindThread)();

FindObject findObject;
FindThread findThread;

extern "C" {
JNIEXPORT void JNICALL
Java_com_example_chauncey_ndk_1lsn15_1andfix_DexManager_replaceMethod
(JNIEnv *env,                                                                 jobject instance,                                                                jint sdk,                                                                jobject wrongMethod,                                                               jobject rightMethod) {

//将传入的方法转换层JNI的Method结构体
Method *wrong = (Method *) env->FromReflectedMethod(wrongMethod);

Method *right = (Method *) env->FromReflectedMethod(rightMethod);

//下一步  把right 对应Object   第一个成员变量ClassObject   status

//获取dalvik句柄
void *dvm_handle = dlopen("libdvm.so", RTLD_NOW);
//sdk 10前后需要不同的名字，具体原因不明。注意：这里编译器会报错，要求传三个参数，其实只要两个，不必理会
findObject = (FindObject) dlsym(dvm_hand, sdk > 10 ?
"_Z20dvmDecodeIndirectRefP6ThreadP8_jobject":
"dvmDecodeIndirectRef");

findThread = (FindThread) dlsym(dvm_handle , sdk > 10 ? "_Z13dvmThreadSelfv" :
"dvmThreadSelf");

//获取 java中的Method类
jclass methodClazz = env->FindClass("java/lang/reflect/Method");
jmethodID rightMethodId = env->GetMethodID(methodClazz, "getDeclaringClass",
"()Ljava/lang/Class;");

jobject ndkObject = env->CallObjectMethod(rightMethod, rightMethodId);
//上面所有的操作都是为了下面做铺垫，只有将status 赋值为CLASS_INITIALIZED时才表示类已经加载完毕，其中的方法才可以调用
firstFiled->status = CLASS_INITIALIZED;

//将错误方法的引用全部替换成正确的方法
wrong->accessFlags |= ACC_PUBLIC;
wrong->methodIndex = right->methodIndex;
wrong->jniArgInfo = right->jniArgInfo;
wrong->registersSize = right->registersSize;
wrong->outsSize = right->outsSize;
wrong->prototype = right->prototype;
wrong->insns = right->insns;
wrong->nativeFunc = right->nativeFunc;
}

}

最后只需要

File file = new File(this.getCacheDir(), "out.dex");
if (file.exists()) {
DexManager.getInstance().loadFile(file);
}

修复完成。