How to check if the Dalvik cache has been modified


So there are some tools out there that patch the App's Dalvik cache to remove copy protection - is there actually a way of checking the dalvik cache?

Is it just the DEX file that is copied, and if yes, does it still have the same checksum? And is it actually possible for a non-root app to get the checksum?

The files in the dalvik cache are not the original dex files - they are odex (optimized dex) files. When an application is installed, its dex file is extracted, and then dalvik runs an optimization pass on it and stores the result in the dalvik cache.

The directory permissions on the dalvik cache directory prevent a non-system application from listing the directory contents, but the execute permission is set and the odex files themselves are world readable, so an application can access them if it knows their file name.

However, it would be difficult to check the integrity of an odex file, because they are potentially different on every device. So you wouldn't be able to do a simple checksum check.

I imagine you would have to do a deep comparison of the dex file structures, and compare them against the original dex file. If you wanted to be really sure, you would need to de-odex the odex file first, and then compare the result with the original dex file.
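
A first pass at the structural comparison described in the answer above, as an added example that is not part of the original answer: it locates the DEX embedded in an odex file and compares its index-table counters with those of the shipped DEX. Assumptions: the Dalvik `DexOptHeader` and DEX `header_item` layouts, that the optimization pass leaves the table sizes unchanged, hypothetical function names, and constructed header-only sample bytes.

```python
import struct

# Dalvik DexOptHeader: magic[8], dexOffset, dexLength, depsOffset, depsLength,
# optOffset, optLength, flags, checksum (40 bytes, little-endian).
OPT_HEADER = struct.Struct("<8s8I")
# DEX header_item: magic[8], adler32, sha1[20], then 20 u4 fields (0x70 bytes).
DEX_HEADER = struct.Struct("<8sI20s20I")
TABLES = ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs")

def embedded_dex(odex: bytes) -> bytes:
    """Return the DEX region that the odex header points at."""
    if len(odex) < OPT_HEADER.size or odex[:4] != b"dey\n":
        raise ValueError("not an odex file")
    _, dex_off, dex_len, *_rest = OPT_HEADER.unpack_from(odex)
    if dex_off < OPT_HEADER.size or dex_off + dex_len > len(odex):
        raise ValueError("embedded DEX range lies outside the file")
    return odex[dex_off:dex_off + dex_len]

def table_sizes(dex: bytes) -> dict:
    """Read the *_ids_size / class_defs_size counters from a DEX header."""
    if len(dex) < DEX_HEADER.size or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    words = DEX_HEADER.unpack_from(dex)[3:]
    # words[6] is string_ids_size; each size is followed by its offset.
    return {name: words[6 + 2 * i] for i, name in enumerate(TABLES)}

def structural_diff(original_dex: bytes, odex: bytes) -> dict:
    """Map table name -> (original, cached) for every counter that differs."""
    a, b = table_sizes(original_dex), table_sizes(embedded_dex(odex))
    return {k: (a[k], b[k]) for k in TABLES if a[k] != b[k]}

# Constructed sample data: header-only files, not real app code.
def make_sample_dex(method_ids: int) -> bytes:
    words = [0x70, 0x70, 0x12345678, 0, 0, 0,
             10, 0x70, 4, 0, 3, 0, 2, 0, method_ids, 0, 1, 0, 0, 0]
    return DEX_HEADER.pack(b"dex\n035\0", 0, b"\0" * 20, *words)

def make_sample_odex(dex: bytes) -> bytes:
    return OPT_HEADER.pack(b"dey\n036\0", OPT_HEADER.size, len(dex), 0, 0, 0, 0, 0, 0) + dex

if __name__ == "__main__":
    shipped = make_sample_dex(5)
    print(structural_diff(shipped, make_sample_odex(shipped)))             # unchanged cache
    print(structural_diff(shipped, make_sample_odex(make_sample_dex(6))))  # altered cache
```

Matching counters do not prove the cache is untouched: a change that rewrites bytecode without adding table entries only shows up in the instruction-level comparison after de-odexing.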