Note: This is a methodology-oriented article.

Q1: What is Smali?

Smali is a loose Jasmin/dedexer syntax.

In simple terms, we write code in Java to compile a class, package it into a dex file and use the Baksmali program to reverse back.

Q2: Why should we learn Smali? First of all, when it comes to Smali, we have to go backwards. Long before There was Android, there was a reverse version for every platform and language. So far, reversing an APK is usually done by security engineers (reverse engineers) and malicious elements like cracking for some benefit (apK repackaging insert ads, cracking paid apps, malicious code insertion, stealing API, etc.).

Technology is a double-edged sword, how to use in people. Not in the technology itself. So why should application developers learn Smali? I can think of the following points for reference.

When we find another app that has a great feature and we don’t know how to do it. Can not get the source can choose the reverse. 2. Security We need to consider the security of our apps, but we may only know about confusion and third-party hardening, so we need to understand how others crack our apps. 3. Adaptation When we find that the API is deprecated on some phones, but other applications or systems can implement it. I’ve written an article on this before about retrofitting millet.

Hey, is that enough? Still can’t impress you to learn? How about a promotion and a raise? 🙂

Poof, bad guy!! I’ll learn, I’ll learn, can’t you?

Q3: Is Smali difficult? It’s not hard to. Maybe you read some articles a long time ago. Or you can use tools to open the decompiled code. Looking at a bunch of instructions, keywords, code formats and styles that you’ve never seen before, you can’t resist turning them off. But the truth is you’re not learning it the right way.

Q4: How to learn MY usual style is that I don’t like to cram knowledge into my head. I am more used to analyzing from practice and then making summary in reverse. Now I recommend a good Smali learning tool plug-in. Let’s open AndroidStudio and find out where the plug-in was installed. The following figure



intellij-java2smali

After this step, we can happily convert any Java code directly into smali in androidStudio to learn. The steps are as follows. 1. Write a simple Java file. Something like this.

Then we click Build->Compile to smali

Wait a few seconds and you’ll get the smali file.

We can then analyze the Smali file line by line against the Java code. If it is the first time to look at it, we may be disturbed by some keywords we have not seen before. There’s actually a very simple solution. Note that the.line keyword is used to describe the number of lines of current code in the Java source file. You can then work backwards by comparing the two sets of code. This will make it easy to learn how to read smali files.

Good below is an example code, for reference.

Example code:

The original Java code

    public AA methodAReturn(AA mAA, AA sAA) {
        returnmAA; } AA aa= new AA(); // Call methodAReturn(aa, aa);Copy the code

Smali code

.method public methodAReturn(Lcom/bolex/AA; Lcom/bolex/AA;) Lcom/bolex/AA; .registers 3 .param p1,"mAA"    # Lcom/bolex/AA;
    .param p2, "sAA"    # Lcom/bolex/AA;

    .prologue
    .line 34
    return-object p1 .end method .line 21 new-instance v0, Lcom/bolex/AA; invoke-direct {v0}, Lcom/bolex/AA; -><init>()V .line 22 invoke-virtual {p0, v0, v0}, Lcom/bolex/seamAct; ->methodAReturn(Lcom/bolex/AA; Lcom/bolex/AA;) Lcom/bolex/AA;Copy the code

.line

  .line 34Copy the code

Represents the number of lines of current code in the source Java file.

method

.method public methodAReturn(Lcom/bolex/AA; Lcom/bolex/AA;) Lcom/bolex/AA;Copy the code

Indicates that the return value from the public method methodAReturn is an object com.bolex.aa

registers

.registers 3Copy the code

Indicates that three registers are required on the function

param

    .param p1, "mAA"    # Lcom/bolex/AA;
    .param p2, "sAA"    # Lcom/bolex/AA;Copy the code

Indicates that both incoming arguments are AA objects and flags registers P1 and P2

.prologue

    .prologueCopy the code

Represents the start flag of execution within a function. Prologue, prologue, prologue

.line

   .line 34Copy the code

Represents line 34 in the source code.

return-object

  return-object p1Copy the code

Returns object P1 on the register

.end method

.end methodCopy the code

Represents a function closing tag

new-instance

 new-instance v0, Lcom/bolex/AA;Copy the code

Create an AA object

invoke-direct

invoke-direct {v0}, Lcom/bolex/AA; -><init>()VCopy the code

Represents a direct call using a parameterless constructor

invoke-virtual

invoke-virtual {p0, v0, v0}, Lcom/bolex/seamAct; ->methodAReturn(Lcom/bolex/AA; Lcom/bolex/AA;) Lcom/bolex/AA;Copy the code

Represented as a virtual method

That’s what it looks like. Is it easy?

These are only some examples of keywords, more keywords can rely on the two groups of files back. In fact, sometimes more exquisite is a method. I think this method is quite good, so I will share it with you, we do not need to deliberately back down. Practice makes perfect, playing too much is not an old driver?

There are many things about Smali that this article does not cover in detail, such as the representation of registers, types (primitive types, object types), and array methods. If the reader needs to dig deeper. Refer to the official documentation. There is a detailed explanation in it, which has been translated into Chinese. Source.android.com/devices/tec…

How do you find me next time?

  • Focus on my nuggets
  • This article synchronizes the Github repository:Github.com/BolexLiu/De…(You can follow)

From the Nugget & Brief – Crispy big chicken steak. The original article is not reproduced without authorization.