Russian cheat sheet by Smali

Greetings, lovers of reverse engineering Android. Here is a cheat sheet for Smali, an analogue of assembler for Android applications.

The original text in Russian is taken from here . There, the text appeared from a machine translation of official documentation .

As a result, he designed a dry text + corrected small typos and clumsy translation. Regarding comments and suggestions, you can write either to me in the LAN or issue a PR on Gist .

general information

Types

- Dalvik : . — , .

:

V - Void -      
Z - Boolean ()
B - Byte ()
S - Short ()
C - Char
I - Integer ( )
J - Long (64 bits) ()
F - Float ()
D - Double (64 bits) ( )

Lpackage/name/ObjectName; — L , , package/name/ — , , ObjectName — ; .

package.name.ObjectName java. , , Ljava/lang/String; java.lang.String

[I — . .. int[] Java. [ . [[I = int[][], [[[I = int[][][] .. (: , , 255).

, [Ljava/lang/String; .

(Methods)

, , , , . , -

Lpackage/name/ObjectName;->MethodName(III)Z

Lpackage/name/ObjectName; . MethodName — . (III)Z . III — ( 3 ), Z — (bool).

, .

:

Lpackage/name/ObjectName;->MethodName(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;

Java,

String MethodName(int, int[][], int, String, Object[])

(Fields)

, , , . , , -.
Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;
— ,

(Register)

- dalvik 32 . 2 64- ( — Long — Double).

, :
.registers , .locals . , .

:

, n . 2 5 (v0-v4), 2 — v3 v4.

(non-static methods) , (this )

, , LMyObject;->callMe(II)V. 2 (integer) , LMyObject; , 3 .

, , (v0-v4) 5 , .registers 5, .locals 2 (.. 2 local registers + 3 parameter registers). , , (.. this ), v2, (integer) v3, (integer) v4.

(static methods) , , .

(Register names)

— v# p# . p# .

, 3- 5- . v# , p# (parameter registers)

— .

(parameter registers)

p#
, , , , . : « , , .registers!».

, . , . — , . .registers .

p# , , .

Long/Double

, long double (J D ) 64- 2 . , . , , ( — non-static) LMyObject;->MyMethod(IJZ)V. LMyObject;,int,long,bool. , 5 :

p0 this
p1 I
p2, p3 J
p4 Z

, , invoke.

Array ()

array-length vA, vB

• A: (4 )
• B: reference-bearing (4 )

( ) vB vA

fill-array-data vA+, :target

• A: (pair),
• B: ,

vA+ (target). , . .
vX vX+1. , v1, v2.

:

:target
.array-data 0x2
0x01 0x02
0x03 0x04
.end array-data

new-array vA+, vB, Lclass;->type

• A: (8 )
• B:
• C:

. .

filled-new-array { vA [ vB, v.., vX ]}, Lclass;->type

• vA-vX: ( 4 )
• B:

. . move-result-object, fill-new-array.

filled-new-array/range { vA .. vX }, Lclass;->type

• vA .. vX: , ( 4 )
• B: (16 )

. . move-result-object, fill-new-array/range.

Array Accessors ( )

:

• A(aget):
• A(aput):
• B:
• C:

aget vA, vB, vC

(integer) vC , vB, vA

aput vA, vB, vC

(integer) vA , vB vC

aget/aput, :

• boolean
• byte
• char
• object
• short
• wide

: aget-objec ( (object))

:

• A:
• B:
• C:
• B+: (pair)
• C+: (pair)

cmp-long vA, vB+, vC+

(long) , 0

• vB+ == vC+ 1;
• vB+ < vC+ vB+ > vC+ -1.

cmpg-double vA, vB+, vC+

(double) , 0

• vB+ == vC+ 1;
• vB+ < vC+ vB+ > vC+ -1.
• vB+ vC+ , 1.

cmpg-float vA, vB, vC

(float) , 0;

• vB == vC 1;
• vB < vC vB > vC -1.
• vB vC , 1.

cmpl-double vA, vB+, vC+

double , 0;

• vB+ == vC+ 1;
• vB+ < vC+ vB+ > vC+ -1.
• vB+, vC+ , -1.

cmpl-float vA, vB, vC — (float) , 0;

• vB == vC 1;
• vB < vC vB > vC -1.
• vB vC , -1.

const vAA, #+BBBBBBBB

• A: (8 )
• B: 32-

(integer) vAA.

const/16 vAA, #+BBBB

• A: (8 )
• B: (integer) (16 )

#+BBBB vAA

const/4 vA, #+B

• A: (4 )
• B: (4 )

4- vA.

const/high16 vAA, #+BBBB

• A: (8 )
• B: (16 )

16- vAA. float.

const-class vAA, Lclass

• A: (8 )
• class:

(class), vAA. , , .

const-string vAA, "BBBB"

• A: (8 )
• B: (string)

, vAA

const-string/jumbo vAA, "BBBBBBBB"

• A: (8 )
• B: (string)

, vAA

jumbo — , ""

:

const-wide/16 vA+, #+BBBB

const-wide/high16 vA+, #+BBBB

const-wide vA+, #+BBBBBBBBBBBBBBBB

Go To

goto — :target.

• goto :target
• goto/16 :target #16bit
• goto/32 :target #32bit

: goto ± . APKTool . , 16- , goto/16, 32- , goto/32. , goto/16 goto/32 ( ). , goto/16 goto, goto/32 goto/16 goto.

: goto goto/16, goto/32.

if — ,

:

• A: (integer)
• B: (integer)
• target:

: != —

:

Invoke

:

• vA-vX: ,
• class: ,
• method:
• R: .

(non-static) direct ( , , private instance, ):

invoke-direct { vA, v.., vX }, Lclass;->method()R

(interface method) ( , , , ):

invoke-interface { vA, v.., vX }, Lclass;->method()R

(static method) ( ):

invoke-static { vA, v.., vX }, Lclass;->method()R

(virtual method) :

invoke-super { vA, v.., vX }, Lclass;->method()R

(virtual method) (, , ):

invoke-virtual { vA, v.., vX }, Lclass;->method()R

:
(R «V» Void), move-result .

- vA-vX, (Range of arguments) /range. :

invoke-direct/range { vA .. vX }, Lclass;->method()R 

invoke:

• invoke-direct { v1, v2, v3 } invoke-direct/range { v1 .. v3 }
• invoke-direct { v0 } invoke-direct/range { v0 .. v0 }

invoke-virtual{ vX } invoke-virtual/range{ vX .. vX } (v1, v2, v22)

check-cast vAA, Lclass

• A: (8 bits)
• B: (16 bits)

, vAA , .
ClassCastException, , .

instance-of vA, vB, Lclass

• A: (4 bits)
• B: (4 bits)
• C: (16 bits)

new-instance vAA, Lclass

• A: (8 bits)
• B:

vAA.
non-array.

nop

/

throw vAA

. (object) vAA.

• A: Exception-bearing register (8 bits)

Move

:

• A: (4, 8, 16 bits)
• B: (4, 16 bits)

: A: x bits. B: x bits .

move vA, vB

A: 4 bits. B: 4 bits

- (non-object) .

move/16 vAAAA, vBBBB

A: 16 bits. B: 16 bits

, move. 16 bits

move/from16 vAA, vBBBB

A: 8 bits. B: 16 bits

, move/16. 8 bits

move-exception vAA

A: 8 bits

vAA. , , - . P.S: )

move-object vA, vB

A: 4 bits. B: 4 bits

, .

move-object/16 vAAAA, vBBBB

A: 16 bits. B: 16 bits

, move-object. 16 bits

move-object/from16 vAA, vBBBB

A: 8 bits. B: 16 bits

, move-object/from16. 8 bits

move-result vAA

A: 8 bits.

(non-object) invoke vAA. invoke, (, ) .

move-result-object vAA

A: 8 bits.

invoke vAA. invoke- fill-new-array, () .

:

• move-result-wide vA+ — A: 8 bits
• move-wide vA+, vB+ — A: 4 bits. B: 16 bits
• move-wide/16 vA+, vB+ — A: 16 bits. B: 16 bits
• move-wide/from16 vA+, vBBBB — A: 8 bits. B: 16 bits

ADD

C

add-double vA+, vB+, vC+

• A: (8 )
• B: 1 (8 )
• C: 2 (8 )

vB+ + vC+ vA+

add-double/2addr vA+, vB+

• A: 1 / (8 )
• B: 2 (8 )

vA + vB vA+

add-float vA, vB, vC

• A: (4 )
• B: 1 (4 )
• C: 2 (4 )

vB + vC vA

add-float/2addr vA, vB

• A: 1 / (4 )
• B: 2 (4 )

vA + vB vA

add-int vA, vB, vC

• A: (4 )
• B: 1 (4 )
• C: 2 (4 )

vB + vC vA

add-int/lit8 vA, vB, 0xC

• A: (8 )
• B: (8 )
• C: (8 )

vB + 0xC vA

add-int/lit16 vA, vB, 0xC

• A: (4 )
• B: (4 )
• C: (16 )

vB + 0xC vA

add-int/2addr vA, vB

• A: 1 / (4 )
• B: 2 (4 )

vA + vB vA

AND

, .

DIV

MUL

OR

, .

REM

SHL

, .

SHR

, .

SUB

USHR

XOR

, , .

Return

return . , . return . , return . .

return vAA

• A: (8 bits)

non-object vAA.

return-object vAA

• A: (8 bits)

object-returning object-reference vAA.

return-void

void .

return-wide vA+

• A: (8 bits)

double/long (64-bit) vA+.

Switch-

packed-switch vAA, :target
:

• A:
• target: packed-switch()

switch, case . ( ) . vAA , . vAA , ( ). pack-switch , vAA .
:

:target
.packed-switch 0x1 # 0x1 =  /  vAA
:pswitch_0 #   pswitch_0  vAA == 0x1
:pswitch_1 #   pswitch_1  vAA == 0x2
.end packed-switch

sparse-switch vAA, :target

Implements a switch statement where case constants are not sequential. The instruction uses a lookup table with constants caseand offsets for each case constant. If there is no match in the table, execution continues in the next command (default case).

:target
.sparse-switch
0x3 -> :sswitch_1 #   sswitch_1  vAA == 0x3
0x65 -> :sswitch_2 #   sswitch_2  vAA == 0x65
.end sparse-switch