
Smali Basics: An Introduction to Android Reverse Engineering

Introduction to Smali

Before we proceed, let us talk about what an Android app is. Most Android applications are written in Java or Kotlin, but an Android app is not only Java or Kotlin source; that is just the front end used by developers for coding. If you look inside an APK you will see files with the .dex extension, also known as Android bytecode. (Note: there are many resources inside an APK, but here I am talking about the Java/Kotlin classes that are converted into .dex.)

Android has two runtimes for executing Android bytecode (.dex): the Dalvik VM, the older virtual machine used in the past, and ART (Android Runtime), which is used on current devices.


(Hint: many people are confused by the term Dalvik bytecode. It is simply the subset of Android bytecode used by the Dalvik VM, which Android used in the past.)


The process of generating Android bytecode from Java/Kotlin:

1) (.java) The developer writes the app's source code using the SDK.

2) (.class) The Java compiler compiles the Java code into .class files.

3) (.dex) The Android SDK converts the .class files into Android bytecode using tools such as the dx tool.

The same process applies to Kotlin.


Now a question might come to your mind: where is Smali, then? Our Android device never generates Smali while executing an APK; as we learned above, Android converts (.class) directly into (.dex).

What is Smali?

Smali is Android bytecode in a human-readable format that can be read and modified by people. The Smali language is like assembly language, with instructions and operands.


Process of generating Smali code

(Note: we can only disassemble .dex files into Smali.)

We can disassemble .dex into Smali code using disassemblers such as baksmali and dexedit, and recompile it with the smali assembler. Tools such as Apktool, MT Manager and many others wrap these for us.


What is the use of Smali ?

Smali is used in various fields. In malware analysis it helps us understand how a malicious application works; in reverse engineering of Android applications it lets us modify code, which helps with patching and fixing bugs in any application, because modifying Smali means modifying the Android bytecode.


Registers in Smali

Registers are used to store values temporarily while a program executes. In other words, they play the same role as variables in high-level programming.
A 4-bit register can store values in the range 0-15.
An 8-bit register can store values in the range 0-255.
A 16-bit register can store values in the range 0-65535.

Uses of registers

1) Store the arguments of a method
2) Store a method's return value
3) Store literal values



Types of registers
There are 2 types of registers:

1) Local registers (v0...vN): temporary storage used to hold values inside a method. They are denoted by 'v' followed by a number, for example v0, v1, ... vN.

2) Parameter registers (p0...pN): used to hold the parameters passed to a method. They are denoted by 'p' followed by a number, for example p0, p1, ... p5.

Data types in Smali:

Boolean = denoted by Z.
Integer = denoted by I.
Char = denoted by C.
Float = denoted by F.
Long = denoted by J.
Short = denoted by S.
Double = denoted by D.
Void = denoted by V.
String = denoted by Ljava/lang/String;


Learn to Read Smali Language

Let us try to understand this Smali code.
[Image: Smali code]

First line
Always keep in mind that L indicates a class.
Look at the first line in the image. LMain means Main is the class name, and it is a public class because the public access modifier appears before the class name.

Second line
.super Ljava/lang/Object; means that Ljava/lang/Object; is the parent class of LMain.

Third line
.source "Main.java" means the Smali code was generated from this Java file.

Methods in Smali

.method indicates the start of a method in Smali and .end method indicates where the method ends.

First line
.method is where a method starts. public and static indicate that the method is public and static, and h is the name of the method, which takes 2 parameters; inside the round brackets you can see I and Z. This means the first parameter is an integer (indicated by I) and the second is a boolean (indicated by Z). The I at the end indicates the return type of the method, which is an integer for this method.

Second line
.registers 2 indicates the method is using 2 registers.

Third line
.line 9 is not important.
return p0 means the return value is stored in the p0 register. The last line is .end method.

Calling methods in Smali

1) invoke-super: runs a virtual method with its parameters directly from the parent class.

2) invoke-direct: runs a direct method of a class with its parameters. Direct methods are like constructors in C++ or Python.

3) invoke-interface: calls an interface method with its parameters.

4) invoke-static: calls a static method with its parameters.

5) invoke-virtual: calls a virtual method of a class with its parameters.

Conditional Formatting in Smali
Conditions allow you to control the flow of code. Now try to understand the code snippet in the image below.

2nd line
(Hint: eqz stands for Equals Zero)
if-eqz p1, :cond_3b
This means that if the value of p1 is equal to 0, the program jumps to the :cond_3b label and the code after :cond_3b executes. Otherwise the program continues with the next instruction.

More conditional branches

if-eq v0, p1, :cond_x
(Hint: eq stands for Equals)
Jumps to the :cond_x label if the value of v0 is equal to the value of p1. Otherwise the program continues. v0 and p1 both hold integer values.

if-ne vX, vY, :cond_N
(Hint: ne stands for Not Equals)
Jumps to the :cond_N label if the value of vX is not equal to the value of vY. vX and vY both hold integer values.

if-nez vX, :cond_N
(Hint: nez stands for Not Equals Zero)
Jumps to the :cond_N label if vX is not equal to 0. vX holds an integer value.

if-lt vX, vY, :cond_N
(Hint: lt stands for Less Than)
Jumps to the :cond_N label if the value of vX is less than the value of vY. vX and vY both hold integer values.

if-le vX, vY, :cond_N
(Hint: le stands for Less than or Equal)
Jumps to the :cond_N label if the value of vX is less than or equal to the value of vY. vX and vY both hold integer values.

if-gt vX, vY, :cond_N
(Hint: gt stands for Greater Than)
Jumps to the :cond_N label if the value of vX is greater than the value of vY. vX and vY both hold integer values.

if-ge vX, vY, :cond_N
(Hint: ge stands for Greater than or Equal)
Jumps to the :cond_N label if the value of vX is greater than or equal to the value of vY. vX and vY both hold integer values.

if-ltz vX, :cond_N
(Hint: ltz stands for Less Than Zero)
Jumps to the :cond_N label if vX is less than 0. vX holds an integer value.

if-lez vX, :cond_N
(Hint: lez stands for Less than or Equal to Zero)
Jumps to the :cond_N label if vX is less than or equal to 0. vX holds an integer value.

if-gtz vX, :cond_N
(Hint: gtz stands for Greater Than Zero)
Jumps to the :cond_N label if vX is greater than 0. vX holds an integer value.

if-gez vX, :cond_N
(Hint: gez stands for Greater than or Equal to Zero)
Jumps to the :cond_N label if vX is greater than or equal to 0. vX holds an integer value.



Goto in Smali

goto does not need any condition; it jumps the program directly to the given label. As you can see in the image above, goto (in pink) is the Smali keyword, followed by :goto_3c, the label the program will jump to. The second :goto_3c is the destination, and the code after it executes.
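To see the branch and goto semantics from the two sections above in action, here is a small Python interpreter for just those Smali instructions (const, if-*, goto, return). It is an added example, not code from the post; the SAMPLE method body is constructed to mirror the if-eqz / :cond_3b / :goto_3c shape described above, and the register values are supplied by the caller.

```python
import operator

# Comparison behind each two-register branch; the *z forms compare one register with 0.
CMP = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "le": operator.le, "gt": operator.gt, "ge": operator.ge}

# Constructed method body (not the page's image): returns 42 if boolean p1 is non-zero,
# else -1; goto skips the :cond_3b block just as the text above describes.
SAMPLE = """
    .line 9
    if-eqz p1, :cond_3b
    const/16 v0, 0x2a
    goto :goto_3c
    :cond_3b
    const/16 v0, -0x1
    :goto_3c
    return v0
"""


def run(code, params, max_steps=10_000):
    """Run a tiny smali subset (const, if-*, goto, return); params fill p0, p1, ..."""
    regs = {f"p{i}": v for i, v in enumerate(params)}
    lines = [l.strip() for l in code.strip().splitlines() if l.strip()]
    labels = {l: i for i, l in enumerate(lines) if l.startswith(":")}
    pc = 0
    for _ in range(max_steps):              # bounded so a goto loop cannot hang us
        tok = lines[pc].replace(",", " ").split()   # 'if-eq v0, p1, :c' -> 4 tokens
        op, pc = tok[0], pc + 1             # fall through by default; jumps override pc
        if op[0] in ":.":                   # label or directive such as .line: no-op
            continue
        if op.startswith("const/"):
            regs[tok[1]] = int(tok[2], 0)   # smali literals are usually hex (0x...)
        elif op == "goto":
            pc = labels[tok[1]]
        elif op.startswith("if-"):
            cond = op[3:]
            if cond.endswith("z"):          # if-eqz vX, :label compares vX with zero
                taken, target = CMP[cond[:-1]](regs[tok[1]], 0), tok[2]
            else:                           # if-eq vX, vY, :label compares two registers
                taken, target = CMP[cond](regs[tok[1]], regs[tok[2]]), tok[3]
            if taken:
                pc = labels[target]
        elif op == "return":
            return regs[tok[1]]
        else:
            raise ValueError(f"unsupported instruction: {lines[pc - 1]}")
    raise RuntimeError("step limit reached (goto loop?)")
```

Calling run(SAMPLE, [0, 1]) takes the fall-through path and returns 42, while run(SAMPLE, [0, 0]) takes the branch to :cond_3b and returns -1.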

Arrays in Smali

First line:
(Hint: [[ indicates a 2-dimensional array)
[[Ljava/lang/String; the two [[ indicate a 2-dimensional array, and Ljava/lang/String; means it stores String data.

Second line:
(Hint: [ indicates a 1-dimensional array)
[Ljava/lang/String; the single [ indicates a one-dimensional array, and Ljava/lang/String; means it stores String data.
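The data-type letters, the .method header read above (h(IZ)I) and the [ array prefixes all follow one descriptor grammar, so a single parser covers all three. This Python parser is an added example, not code from the post; it adds B (byte), a descriptor letter Dalvik defines but the table above omits, and param_registers applies the Dalvik rule that long and double occupy two registers and a non-static method reserves p0 for this.

```python
import re

# Dalvik type descriptor letters: the page's table plus B for byte, which Dalvik also defines.
PRIMITIVES = {
    "Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int",
    "J": "long", "F": "float", "D": "double", "V": "void",
}


def parse_type(desc, pos=0):
    """Parse one type descriptor at desc[pos]; return (Java-style name, next position)."""
    dims = 0
    while desc[pos] == "[":                 # each leading '[' adds one array dimension
        dims += 1
        pos += 1
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":                          # Lpkg/Class; is a class reference
        end = desc.index(";", pos)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError(f"bad type descriptor at {pos}: {desc!r}")
    return name + "[]" * dims, pos


def parse_method_header(line):
    """Split a '.method' line into modifiers, name, parameter types and return type."""
    m = re.fullmatch(r"\.method\s+((?:[a-z-]+\s+)*)(\S+?)\((.*?)\)(\S+)", line.strip())
    if not m:
        raise ValueError(f"not a .method line: {line!r}")
    mods, name, params_desc, ret_desc = m.groups()
    params, pos = [], 0
    while pos < len(params_desc):          # parameters are concatenated with no separator
        t, pos = parse_type(params_desc, pos)
        params.append(t)
    return {"modifiers": mods.split(), "name": name,
            "params": params, "returns": parse_type(ret_desc)[0]}


def java_signature(line):
    """Render the header the way a Java programmer would read it."""
    h = parse_method_header(line)
    return f"{' '.join(h['modifiers'])} {h['returns']} {h['name']}({', '.join(h['params'])})".strip()


def param_registers(line):
    """How many pN registers the parameters occupy: long/double use two, 'this' adds p0."""
    h = parse_method_header(line)
    n = 0 if "static" in h["modifiers"] else 1
    return n + sum(2 if t in ("long", "double") else 1 for t in h["params"])
```

For the header from the Methods section, java_signature(".method public static h(IZ)I") gives "public static int h(int, boolean)" and param_registers reports 2, matching the p0 and p1 that method uses.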

#smali #android #reverseengineering
