Question URL: http://www.shiyanbar.com/ctf/1871
0x01
First we get a Hello.dex file. To disassemble it into Smali, use baksmali:

    java -jar baksmali-2.0.3.jar -o class/ Hello.dex

This creates a class/ folder in the current directory containing Hello.smali, which reads as follows (the `#` comments are added annotations):

    .class public LHello;
    .super Ljava/lang/Object;
    .source "Hello.java"

    # direct methods
    .method public constructor <init>()V
        .registers 1
        .prologue
        .line 1
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method

    .method public static main([Ljava/lang/String;)V
        .registers 5
        .prologue
        .line 7
        new-instance v0, LHello;
        invoke-direct {v0}, LHello;-><init>()V
        .line 8
        sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;   # v1 = reference to the System.out object
        const/4 v2, 0x5      # 4-bit literal 5, sign-extended to 32 bits, stored in v2
        const/4 v3, 0x3      # 4-bit literal 3, sign-extended to 32 bits, stored in v3
        invoke-virtual {v0, v2, v3}, LHello;->foo(II)I   # call foo(5, 3) on the Hello instance in v0
        move-result v0       # store foo's return value in v0
        invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(I)V   # print v0
        .line 9
        return-void
    .end method

    # virtual methods
    .method public foo(II)I
        .registers 5
        .prologue
        .line 3
        add-int v0, p1, p2      # v0 = p1 + p2
        sub-int v1, p1, p2      # v1 = p1 - p2
        mul-int/2addr v0, v1    # v0 = v0 * v1
        return v0
    .end method

Now it can be analyzed.
0x02
First a little background. Android apps run on the Dalvik virtual machine, which is register based, and Dalvik has two ways of naming a method's registers: v naming and p naming. Suppose a method fun() is declared with `.registers 5`, takes 2 explicit parameters and is non-static, so the call also passes an implicit reference to the object (this). That gives three parameter registers. The parameters always occupy the last registers, so the first two registers, v0 and v1, hold local variables, and the remaining three, v2, v3 and v4, are the parameters, which can also be written as p0, p1 and p2. p0 is the object reference (this), p1 and p2 are the two explicit parameters.
Next, the type descriptors used in Dalvik bytecode, and the notation for methods and fields:
1. Types:
V--void Z--boolean B--byte S--short C--char I--int J--long F--float
D--double L--Java class type [--array type
A Java class type is written Lpackage/name/ObjName; to name a specific class; for example Ljava/lang/String; is java.lang.String. An array type prefixes the element type with [, so [I is int[] and [Ljava/lang/String; is String[].
2. Methods:
Lpackage/name/ObjName;->methodName(III)Z
The III inside the parentheses means three int parameters, and the Z after them means the return type is boolean.
3. Fields:
A field reference consists of the class type, then ->, then the field name and the field type, with a colon separating name and type:
Lpackage/name/ObjName;->fieldName:Ljava/lang/String;
In a baksmali listing the fields are grouped under two comment headers:
# instance fields
# static fields
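To make the descriptor rules and the register layout above concrete, here is a small Python helper that decodes Dalvik method and field references into Java names and works out which v-register each p-register maps to. It is an added example written for this page, not code from the original post or from baksmali; the J (long) descriptor is taken from the Dalvik specification rather than the table above, and the rule that a long or double parameter occupies two consecutive registers is assumed from the same specification.

```python
import re

# Dalvik primitive type descriptors -> Java type names.
PRIMITIVES = {
    "V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
    "I": "int", "J": "long", "F": "float", "D": "double",
}


def parse_type(desc, pos=0):
    """Parse one type descriptor starting at desc[pos]; return (java_name, next_pos)."""
    dims = 0
    while desc[pos] == "[":            # each leading '[' adds one array dimension
        dims += 1
        pos += 1
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":                     # Lpackage/name/ObjName; -> package.name.ObjName
        end = desc.index(";", pos)
        name = desc[pos + 1:end].replace("/", ".")
        pos = end + 1
    else:
        raise ValueError(f"bad descriptor at {pos}: {desc!r}")
    return name + "[]" * dims, pos


def parse_method(sig):
    """'LHello;->foo(II)I' -> ('Hello', 'foo', ['int', 'int'], 'int')."""
    m = re.fullmatch(r"(L[^;]+;)->([^(]+)\((.*)\)(.+)", sig)
    if not m:
        raise ValueError(f"not a method reference: {sig!r}")
    cls, _ = parse_type(m.group(1))
    params, pos = [], 0
    while pos < len(m.group(3)):       # parameter descriptors are simply concatenated
        t, pos = parse_type(m.group(3), pos)
        params.append(t)
    ret, _ = parse_type(m.group(4))
    return cls, m.group(2), params, ret


def parse_field(sig):
    """'Ljava/lang/System;->out:Ljava/io/PrintStream;' -> ('java.lang.System', 'out', 'java.io.PrintStream')."""
    m = re.fullmatch(r"(L[^;]+;)->([^:]+):(.+)", sig)
    if not m:
        raise ValueError(f"not a field reference: {sig!r}")
    cls, _ = parse_type(m.group(1))
    ftype, _ = parse_type(m.group(3))
    return cls, m.group(2), ftype


def register_layout(num_registers, params, is_static):
    """Return (local registers, [(p-name, v-name, Java type), ...]) for a method
    declared with `.registers num_registers`.  Parameters occupy the last registers,
    p0 is `this` for non-static methods, and long/double take two registers each."""
    width = {"long": 2, "double": 2}
    names = ([] if is_static else ["this"]) + list(params)
    slots = sum(width.get(n, 1) for n in names)
    first = num_registers - slots
    if first < 0:
        raise ValueError("more parameter registers than .registers declares")
    layout, p, v = [], 0, first
    for name in names:
        layout.append((f"p{p}", f"v{v}", name))
        p += width.get(name, 1)
        v += width.get(name, 1)
    return [f"v{i}" for i in range(first)], layout


if __name__ == "__main__":
    cls, name, params, ret = parse_method("LHello;->foo(II)I")
    print(cls, name, params, ret)
    print(register_layout(5, params, is_static=False))
```

Running it on the foo(II)I method from Hello.smali (`.registers 5`, two int parameters, non-static) gives locals v0 and v1 and the mapping p0=v2 (this), p1=v3, p2=v4, which is exactly the layout the add-int/sub-int lines rely on; for the static main([Ljava/lang/String;)V method the single parameter lands in v4 and v0..v3 are locals.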
Some basic syntax:
.prologue marks the start of the method body
invoke-direct calls a direct method (a constructor or a private method) without virtual dispatch
return-void returns from a method whose return type is void
.end method ends the method definition
new-instance allocates a new object of the given class (the constructor is then called with invoke-direct)
iput-object stores an object reference from a register into an instance field
iget-object loads an object reference from an instance field into a register
So foo(5, 3) computes (5 + 3) * (5 - 3) = 16, and that is the value main() prints.
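Rather than tracing the registers by hand, the foo() body can be fed to a tiny Dalvik-style interpreter. The following is an added example written for this page, not code from the original post; it implements only the handful of instructions foo() uses, fills p0 with a placeholder object because the method never touches `this`, and wraps every result to a signed 32-bit int, which is the one behaviour a hand trace tends to miss when the inputs are large.

```python
MASK32 = 0xFFFFFFFF


def to_int32(x):
    """Wrap a Python int to a signed 32-bit value, as Dalvik int arithmetic does."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def run_method(smali, args, is_static=False):
    """Execute one Smali method body over a register file and return its result.
    Supported instructions: const/4, add-int, sub-int, mul-int/2addr, move, return,
    return-void.  `args` are the explicit parameters; a placeholder object is used for
    p0 (`this`) when the method is not static."""
    lines = [ln.split("#")[0].strip() for ln in smali.splitlines()]
    nregs = int(next(ln.split()[1] for ln in lines if ln.startswith(".registers")))
    params = ([] if is_static else [object()]) + list(args)
    base = nregs - len(params)            # parameters occupy the last registers
    regs = {base + i: val for i, val in enumerate(params)}

    def idx(name):                        # 'v3' -> 3, 'p1' -> base + 1
        n = int(name[1:])
        return base + n if name[0] == "p" else n

    for line in lines:
        if not line or line.startswith("."):   # skip blanks and directives (.line, .prologue, ...)
            continue
        op, *rest = line.split(None, 1)
        ops = [r.strip() for r in rest[0].split(",")] if rest else []
        if op == "const/4":
            regs[idx(ops[0])] = to_int32(int(ops[1], 0))
        elif op == "add-int":
            regs[idx(ops[0])] = to_int32(regs[idx(ops[1])] + regs[idx(ops[2])])
        elif op == "sub-int":
            regs[idx(ops[0])] = to_int32(regs[idx(ops[1])] - regs[idx(ops[2])])
        elif op == "mul-int/2addr":       # two-address form: destination is also the first operand
            regs[idx(ops[0])] = to_int32(regs[idx(ops[0])] * regs[idx(ops[1])])
        elif op == "move":
            regs[idx(ops[0])] = regs[idx(ops[1])]
        elif op == "return":
            return regs[idx(ops[0])]
        elif op == "return-void":
            return None
        else:
            raise NotImplementedError(f"unsupported instruction: {line}")
    raise RuntimeError("method body ended without a return")


# The foo() method from Hello.smali above, copied as disassembled (annotations stripped).
FOO_SMALI = """
.method public foo(II)I
    .registers 5
    .prologue
    .line 3
    add-int v0, p1, p2
    sub-int v1, p1, p2
    mul-int/2addr v0, v1
    return v0
.end method
"""


def foo(a, b):
    """Evaluate Hello.foo(a, b) by interpreting its Smali."""
    return run_method(FOO_SMALI, (a, b))


if __name__ == "__main__":
    print(foo(5, 3))   # 16
```

foo(5, 3) gives 16, matching the hand analysis. The wraparound matters for the general case: foo(2147483647, 1) returns 0 here and in the real JVM/Dalvik, because 2147483647 + 1 overflows to -2147483648 before the multiplication, whereas plain Python arithmetic would give a huge number.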
Of course, it is much easier to convert the dex into a jar and run that through a Java decompiler, which recovers the source directly:
    import java.io.PrintStream;

    public class Hello
    {
      public static void main(String[] paramArrayOfString)
      {
        Hello localHello = new Hello();
        System.out.println(localHello.foo(5, 3));
      }

      public int foo(int paramInt1, int paramInt2)
      {
        return (paramInt1 + paramInt2) * (paramInt1 - paramInt2);
      }
    }
This article is from the "theaurorasec" blog; please keep this source link: http://aurorasec.blog.51cto.com/9752323/1829570
Shiyanbar CTF: Smali file analysis ("Android Reverse Engineering Primer")