Types not properly identified in VM/Locals. How to change a String?


Fabian

Jun 29, 2016, 3:55:49 PM6/29/16
to JEB Decompiler
Hello,

I want to change a String in a local variable of a function.

I set a breakpoint in the function and I can inspect `this`, and see the local variables `v0`-`v13`.
But the local variables are all of type `int`, which is obviously wrong. JEB definitely knows somehow the Object type, because in the decompilation it recognises it as `String v2;` (mouse over during PAUSE'd thread displays `v2 - int (287)`).
I tried to simply change the `type` field in the VM/Locals view to `object` or more specific type strings. But this only causes the app to crash and the debugger to lose connection (or something) - not even sure if that should be possible (I just noticed I can type something in).
I also tried to use the Console with `readobj`, but any command I execute also causes the app to crash and the debugger to lose connection.

    VM> list
    -1: An error occurred ("list")

    java.io.IOException: The receiver is dead

The .apk is a debug-enabled app, and I can set breakpoints without problems, no obfuscation or whatsoever. Stepping through the code also works fine.

thanks!

Nicolas Falliere

Jun 29, 2016, 5:35:55 PM6/29/16
to Fabian, JEB Decompiler
Fabian,

Are you sure the variable you are trying to set is the right one? What
is its value? ('value' column in VM/Locals View)

((Aside: Variable naming in Dalvik can be a bit confusing. For
instance, vX is a Dalvik notation, in which v0 is *not* the method's
first argument. Rather, it is the first local variable. The official
Java numbering does say that the 0 slot is the first parameter
though... let's name that pX. So, p0 does refer to the first argument
(and p1 to the second one, etc.) Converting from vX to pX requires
knowing the number of slots used by the method (indicated in the
metadata directive .registers). The parameters are mapped last in the
variables layout. For instance, a static method foo(x, y) with 5 slots
would have the following mapping:
    v0 p2
    v1 p3
    v2 p4
    v3 p0
    v4 p1 ))

So, make sure that the variable you are trying to change is the
correct one. Let us know if that fixes the problem.

As for the VM interpreter issue: 'list' is not a command. '.list' can
be (it lists the top-level unit interpreters). Use 'help' to find a full
list. In any case, if you have attempted to cast a JDWP variable to a
wrong type, it is likely that the underlying Dalvik VM crashed (by
design), and that would explain the lost connection.

Thank you.

Nicolas Falliere
www.pnfsoftware.com
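The vX to pX conversion described in the aside above, as an added example that is not part of the thread or of JEB itself. It assumes the method's Dalvik descriptor, whether it is static, and its .registers count are known; wide types (J, D) take two slots and an instance method carries an implicit `this` as p0.

```python
import re

# Added example, not from the thread or from JEB: compute the vX -> pX
# register mapping. All inputs below are assumed/constructed.

def param_slot_count(descriptor, is_static):
    """Slots used by the parameters: `this` (1 slot) unless static, then each
    parameter type, where J (long) and D (double) occupy two slots."""
    params = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    # one match per parameter type: optional array dims, then class or primitive
    types = re.findall(r"\[*(?:L[^;]*;|[ZBCSIJFD])", params)
    count = 0 if is_static else 1
    for t in types:
        # arrays (even of J/D) and objects are references: one slot each
        count += 2 if t in ("J", "D") else 1
    return count

def register_map(descriptor, is_static, registers):
    """Return a dict vN -> 'pK' for parameter registers and 'local' for the
    others. Parameters sit in the last slots, so p0 == v(registers - nparam)."""
    nparam = param_slot_count(descriptor, is_static)
    if nparam > registers:
        raise ValueError(".registers (%d) too small for %d parameter slots"
                         % (registers, nparam))
    first = registers - nparam
    return {"v%d" % v: ("local" if v < first else "p%d" % (v - first))
            for v in range(registers)}

if __name__ == "__main__":
    # the aside's example: static foo(x, y) with 5 slots -> v3 = p0, v4 = p1
    for reg, role in register_map("(II)V", True, 5).items():
        print(reg, role)
```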

Fabian

Jun 29, 2016, 6:46:47 PM6/29/16
to JEB Decompiler

Ah, I think I didn't explain well enough. I made a screenshot of it.

Sorry for the censoring of some names, but I think the relevant parts are visible.

You can see here the state of the VM/Locals inside of a method. There is some string handling with local variables as well as some other objects.

`this` works well and I can traverse all objects. But the local variables v0-v13 are simply listed as `int`s.

For example, two steps further v0 should clearly be a String (return value of `.substring(9)`). But it will still be shown as an `int`.

Is it possible to display it as a String in the VM/Locals view? Or is that not how it works?


One thing I tried was setting the Type field correctly myself. When I double-click on it, a textbox appears. I don't know if that is a feature or just something weird. But I attempted to change the "int" to "string", etc.


Second question: if it were displayed correctly as a String object, showing the string value, would it be possible to change that value with the UI or Console?


Thanks!



clu...@pnfsoftware.com

Jun 30, 2016, 6:39:25 AM6/30/16
to JEB Decompiler
Hello,

As you noticed, vX variable types are not set automatically (all int by default). However, you should be able to force the correct type by modifying the "type" field in the "VM/Locals" window by entering "object" or "string". Do you have the latest version of JEB, or can you provide a stacktrace/logs if it still does not work?
The "readobj" command can be used, but you need to know the id of your object.

Currently, modifying Dalvik variables is not supported. Only updating native registers is supported. This feature will come in future releases.

Thank you

Cedric

Fabian

Jun 30, 2016, 7:29:29 AM6/30/16
to JEB Decompiler
> As you noticed, vX variable types are not set automatically (all int by default). However, you should be able to force the correct type by modifying the "type" field in the "VM/Locals" window by entering "object" or "string".

Ah, perfect. That is all I want :)

Here are some examples.

Sometimes I even get a stacktrace when I try to attach (I think only after the app crashed before during debugging). But this doesn't seem to affect debugging too much. I can still see the threads in VM/Threads updating and changing. And it pauses on the breakpoint:

    java.io.IOException: The receiver is dead
        at com.pnfsoftware.jebglobal.nt.DC(SourceFile:587)
        at com.pnfsoftware.jebglobal.nt.Cx(SourceFile:505)
        at com.pnfsoftware.jebglobal.nt.jE(SourceFile:7487)
        at com.pnfsoftware.jebglobal.nt.hU(SourceFile:154)
        at com.pnfsoftware.jebglobal.Hv.attach(SourceFile:441)
        at com.pnfsoftware.jeb.corei.debuggers.android.vm.Uu.attach(SourceFile:463)
        at com.pnfsoftware.jeb.rcpclient.handlers.debugger.DebuggerAttachHandler$1.call(DebuggerAttachHandler.java:90)
        at com.pnfsoftware.jeb.rcpclient.handlers.debugger.DebuggerAttachHandler$1.call(DebuggerAttachHandler.java:87)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

    The debugger could not connect to the target


So when I "Start..." and attach to the application process, I have a breakpoint set inside of a function. I step two steps forward, and values change - so the debugger seems to work. In this case the result of `substring` is moved into v11. Then I try to change the Type of v11 from `int` to `string`, and I get the following stacktrace:

Version: 2.2.5.201606291630

Attached to a rooted Nexus 7 with Android version 4.3 (JWR66Y), if this information matters.


adb log (only a short excerpt):

    I/DEBUG   (  124): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 99aea411
    I/DEBUG   (  124):     r0 99aea401  r1 00000162  r2 000000a4  r3 00000162
    I/DEBUG   (  124):     r4 4095fbd1  r5 656ce1f0  r6 656ce1f0  r7 645028f0
    I/DEBUG   (  124):     r8 00000008  r9 625b7467  sl 00000000  fp 0000000a
    I/DEBUG   (  124):     ip 99aea401  sp 67209d88  lr 4095fbe3  pc 409520a2  cpsr 40070030
    [...]
    I/DEBUG   (  124): backtrace:
    I/DEBUG   (  124):     #00  pc 000550a2  /system/lib/libdvm.so (dvmCreateCstrFromString(StringObject const*)+7)
    I/DEBUG   (  124):     #01  pc 00062bdf  /system/lib/libdvm.so
    I/DEBUG   (  124):     #02  pc 00063737  /system/lib/libdvm.so (dvmJdwpProcessRequest(JdwpState*, JdwpReqHeader const*, unsigned char const*, int, ExpandBuf*)+110)
    I/DEBUG   (  124):     #03  pc 00061019  /system/lib/libdvm.so
    I/DEBUG   (  124):     #04  pc 00063959  /system/lib/libdvm.so
    I/DEBUG   (  124):     #05  pc 000543ad  /system/lib/libdvm.so
    I/DEBUG   (  124):     #06  pc 0000ca58  /system/lib/libc.so (__thread_entry+72)
    I/DEBUG   (  124):     #07  pc 0000cbd4  /system/lib/libc.so (pthread_create+208)


I also tried to use the Console. The app sometimes "has stopped" (crashes) when I try `readvar` with `string` - not every time though. Sometimes it just causes a NullPointerException. And I don't see a stacktrace for that in the Logger view:

    VM> info
    Debuggee is running on ?
    VM information: JDWP:"Android DalvikVM 1.6.0" v1.5 (VM:DalvikVM v1.5.0)
    VM identifier sizes: f=4,m=4,o=8,rt=8,fr=8
    VM> threads
    - 830027359608/C1417C6578h "<1> main" [PAUSED] @ Linfo/xxx/xxx;->setXXX(Lcom/xxx/xxx/xxx;)V+66h
    - ...
    VM> readvar v11 int
    1112793576(4253E1E8h)
    VM> readvar v11 string
    -1: java.lang.NullPointerException ("readvar v11 string")

The VM/Locals view shows:

    v11 int 1128168576 (433E7C80h)

clu...@pnfsoftware.com

Jun 30, 2016, 8:02:52 AM6/30/16
to JEB Decompiler
Unfortunately, the stacktrace does not bring much information, unless there is a communication problem between your device and JEB.
Devices under Android 5.0 may experience some problems, so maybe you can test on a more recent device (or install an emulator on your system).
Do not hesitate to tell us if it works better with a more recent device. On our side, we will check this and come back to you once we know more.

Thank you



Fabian

Jun 30, 2016, 8:12:27 AM6/30/16
to JEB Decompiler
Thank you!
I'm just learning right now how to use JEB properly, and it's not a project blocker right now. So thank you very much for your input; this has already provided me a lot of insight.

clu...@pnfsoftware.com

Jun 30, 2016, 1:32:48 PM6/30/16
to JEB Decompiler
Hello,

I just wanted to confirm to you that your problem is due to the Android version.
Please consider using an Android device running at least version 5.0.
We opened a bug report on our side to fix the issue in the future.


Thank you



Fabian

Jul 1, 2016, 9:13:11 AM7/1/16
to JEB Decompiler
I can also confirm from my side: setting the type to `string` with Android 5.1.1 works like a charm.
Thanks again.