Readers who have recompiled or repackaged Android apps with apktool know that apktool converts the bytecode in Dex files into Smali code. How does the tool parse a DEX file and generate Smali code from it? Doing this requires familiarity with the Dex file format and mastery of the Dalvik bytecode format, so that each instruction can be translated into the corresponding Smali code.
I am going to write a series of articles analyzing the format of the Dex file, the format of the Dalvik bytecode, and the method of converting Dex to Smali;
on this basis one can build many applications, such as security scanning, application hardening, and so on!
For the Dalvik instructions, please refer to the official documentation (General Design). If the reader already has some understanding of the x86 or ARM instruction set,
learning the Dalvik instructions is still easy. Once you have mastered the Dalvik instruction set, you can convert a Dex file into Smali code, which
is a basic skill of many Android security developers.
Let's start with an example to explain the Dalvik instruction set:
Example 1: translate the following hex instruction into Dalvik bytecode (bytes listed from high to low): 2C
Translation steps (described in programming-language terms):
step 1: assign 2C 69 10 70 to the variable instr.
step 2: the low 8 bits are the opcode: op = instr & 0xFF = 0x70, which corresponds to invoke-direct. Querying the official documentation
shows that opcode 0x70 uses instruction format 35c, which is 6 bytes long and takes at most 5 registers;
Format 35c instruction: length 6 bytes,
A: argument word count, i.e. the number of registers (4 bits)
B: method reference index (16 bits)
C..G: argument registers (4 bits each = 20 bits)
step 3: get the values of the A and G fields: G = (instr >> 8) & 0xf = 0, A = (instr >> 12) & 0xf = 1, that is, A equals 1, and the documentation gives the syntax for this case as:
[A=1] op {vC}, kind@BBBB
step 4: get the values of C and BBBB: C is the low nibble of the third code unit, C = (instr >> 32) & 0xf = 2, so the register is v2; BBBB = (instr >> 16) & 0xffff = 0x2c69 = 11369.
BBBB is the method index. Using 11369 as the subscript, query the method table to obtain the corresponding method description, which is as follows:
struct method_id_item method_id[11369]
void java.lang.Object.<init>()
So the Dalvik instruction for the hex code above is:
invoke-direct {v2}, Ljava/lang/Object;-><init>()V
Summary: the 35c format is one of the more complex instruction formats in the Dalvik instruction set. Readers can follow the steps above and work carefully through the conversion process;
once you can analyze a 35c instruction, analyzing the other instructions is not difficult.
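The four steps above, as an added Python example (this is not code from the original article or from apktool): it decodes a format-35c instruction from its little-endian code units using the same shift-and-mask steps, looks the method index up in a constructed stand-in for the DEX method_ids table, and renders the Smali line. The third code unit (02 00) is constructed here so that C = 2 as in step 4, and the opcode table and method table are assumptions for illustration.

```python
import struct  # used only to show the code-unit view of the same bytes

# Subset of the 35c opcodes (dalvik-bytecode.html), enough for the invoke-* family.
OPCODES_35C = {
    0x6E: "invoke-virtual",
    0x6F: "invoke-super",
    0x70: "invoke-direct",
    0x71: "invoke-static",
    0x72: "invoke-interface",
}

# Constructed stand-in for the DEX method_ids table, keyed by method index.
# Index 11369 is the one used in the walkthrough; a real decoder would resolve
# method_ids -> type_ids / proto_ids / string_ids from the DEX header instead.
METHOD_TABLE = {
    11369: "Ljava/lang/Object;-><init>()V",
}


def code_units(raw):
    """Split raw instruction bytes into little-endian 16-bit Dalvik code units."""
    if len(raw) % 2:
        raise ValueError("Dalvik instructions are whole 16-bit code units")
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def decode_35c(raw):
    """Decode one format-35c instruction (6 bytes, layout A|G|op BBBB F|E|D|C).

    `raw` is the instruction in memory (little-endian) byte order, i.e. the
    bytes 70 10 69 2C ... for the walkthrough's "2C 69 10 70".
    """
    if len(raw) != 6:
        raise ValueError("a 35c instruction is exactly 3 code units (6 bytes)")
    # Treat the three code units as one 48-bit integer so the field extraction
    # matches the article's shift-and-mask steps exactly.
    instr = int.from_bytes(raw, "little")
    op = instr & 0xFF                      # step 2: low 8 bits are the opcode
    if op not in OPCODES_35C:
        raise ValueError(f"opcode 0x{op:02X} is not a 35c invoke instruction")
    g = (instr >> 8) & 0xF                 # step 3: G is the low nibble of byte 1
    a = (instr >> 12) & 0xF                #         A is the high nibble of byte 1
    bbbb = (instr >> 16) & 0xFFFF          # step 4: method index, second code unit
    c = (instr >> 32) & 0xF                #         C..F live in the third code unit
    d = (instr >> 36) & 0xF
    e = (instr >> 40) & 0xF
    f = (instr >> 44) & 0xF
    if a > 5:
        raise ValueError(f"35c argument count {a} exceeds the maximum of 5")
    # Register order is C, D, E, F, G; only the first A of them are meaningful.
    regs = [c, d, e, f, g][:a]
    return {"op": OPCODES_35C[op], "regs": regs, "method_idx": bbbb}


def to_smali(decoded, method_table):
    """Render a decoded 35c instruction as a Smali line; unresolved indices stay as method@N."""
    regs = ", ".join(f"v{r}" for r in decoded["regs"])
    idx = decoded["method_idx"]
    target = method_table.get(idx, f"method@{idx}")
    return f"{decoded['op']} {{{regs}}}, {target}"


# Constructed sample: the walkthrough's bytes in memory order (70 10 69 2C)
# followed by a third code unit 02 00, chosen so that C = 2 as in step 4.
SAMPLE_35C = bytes.fromhex("7010692C0200")

if __name__ == "__main__":
    print([hex(u) for u in code_units(SAMPLE_35C)])   # ['0x1070', '0x2c69', '0x2']
    decoded = decode_35c(SAMPLE_35C)
    print(decoded)
    print(to_smali(decoded, METHOD_TABLE))
    # invoke-direct {v2}, Ljava/lang/Object;-><init>()V
```

The decoder deliberately rejects inputs that are not 35c invokes and argument counts above 5, since a parser that silently accepts malformed code units is exactly where tools like this tend to diverge from the real VM's view of a DEX file.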
Reference URLs:
1. https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
2. https://source.android.com/devices/tech/dalvik/instruction-formats.html
Dalvik Instruction Analysis (I): Converting Bytecode to Smali Code