Basic Smali syntax
Android decompilation: smali syntax

Preface

Earlier we covered the Android decompilation tools and how to decompile an app.
Decompiling yields either a jar (via dex2jar) or smali files (via apktool/baksmali).
Android apps are written in Java, but Android has its own virtual machine, Dalvik. What actually runs is not Java .class files but Dalvik bytecode packed into classes.dex; smali is the human-readable assembler form of that bytecode.
A jar produced from a dex is a lossy round trip, and a Java decompiler often fails to render parts of it correctly. Smali maps one-to-one onto the bytecode, so reading it lets you follow what the program really does.
So it is worth getting familiar with smali syntax.

Type representation

Java has two kinds of types, primitive types and reference types (objects and arrays), and smali mirrors the same two categories.

Primitive types
1. V  void (only valid as a return type)
2. Z  boolean
3. B  byte
4. S  short
5. C  char
6. I  int
7. J  long
8. F  float
9. D  double

Object types
Lpackage/name/ObjectName;  corresponds to package.name.ObjectName in Java
  L             marks an object (reference) type
  package/name  the package the class lives in, with / in place of .
  ObjectName    the class name
  ;             terminates the class name

Arrays
[I is a one-dimensional int array, i.e. int[]; each additional [ adds a dimension, so [[I is int[][]. An array type may have at most 255 dimensions (this limits the number of dimensions, not the number of elements). Object arrays follow the same pattern: a String array is [Ljava/lang/String; (the trailing semicolon is still required).

Registers and variables

In Java (on the JVM) local variables live in a stack frame in memory; Dalvik, to improve performance, keeps them in virtual registers instead. Registers are 32 bits wide and can hold any type; long and double are 64 bits and occupy two consecutive registers.
Registers are named with v and p: v denotes a local register, p a parameter register. If a method has two local registers and three parameters, they map as follows:
1. v0  first local register
2. v1  second local register
3. v2 = p0  this
4. v3 = p1  first parameter
5. v4 = p2  second parameter
6. v5 = p3  third parameter
In a static method there is no this, so the same method needs only five registers and p0 is the first parameter.
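The descriptor and register rules above are mechanical enough to script. The following is an added example, not code from the original article: it parses Dalvik type and method descriptors, converts them back to Java notation, enforces the 255-dimension limit, and computes which p-register (and equivalent v-register) each parameter occupies, including the two-register width of long and double. All sample descriptors are constructed for illustration.

```python
"""Parse Dalvik type/method descriptors and compute the v/p register layout."""

PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}
MAX_DIMENSIONS = 255          # dex limit on array dimensions, not on element count


def parse_descriptor(desc, pos=0):
    """Consume one type descriptor starting at desc[pos]; return (descriptor, end_pos)."""
    start = pos
    while pos < len(desc) and desc[pos] == "[":
        pos += 1
    if pos - start > MAX_DIMENSIONS:
        raise ValueError("array type with more than 255 dimensions")
    if pos >= len(desc):
        raise ValueError(f"truncated descriptor: {desc!r}")
    if desc[pos] == "L":                      # Lpackage/Name; runs up to the ';'
        end = desc.index(";", pos)
        return desc[start:end + 1], end + 1
    if desc[pos] in PRIMITIVES:
        return desc[start:pos + 1], pos + 1
    raise ValueError(f"bad descriptor at offset {pos}: {desc!r}")


def to_java(desc):
    """'[[I' -> 'int[][]', 'Ljava/lang/String;' -> 'java.lang.String'."""
    dims = len(desc) - len(desc.lstrip("["))
    base = desc[dims:]
    name = PRIMITIVES[base] if base in PRIMITIVES else base[1:-1].replace("/", ".")
    return name + "[]" * dims


def method_params(sig):
    """'(IJLjava/lang/String;)V' -> (['I', 'J', 'Ljava/lang/String;'], 'V')."""
    if not sig.startswith("(") or ")" not in sig:
        raise ValueError(f"bad method descriptor: {sig!r}")
    close = sig.index(")")
    params, pos = [], 1
    while pos < close:
        d, pos = parse_descriptor(sig, pos)
        params.append(d)
    ret, end = parse_descriptor(sig, close + 1)
    if end != len(sig):
        raise ValueError(f"trailing characters in descriptor: {sig!r}")
    return params, ret


def register_layout(sig, is_static, num_locals):
    """Return [(java_type, p_registers, v_registers), ...] for a method declared with
    '.locals num_locals'. Parameters are numbered from p0 (this first unless static);
    long and double take two consecutive registers."""
    params, _ = method_params(sig)
    layout, p = [], 0
    if not is_static:
        layout.append(("this", "p0", f"v{num_locals}"))
        p = 1
    for d in params:
        width = 2 if d in ("J", "D") else 1
        pregs = ",".join(f"p{p + k}" for k in range(width))
        vregs = ",".join(f"v{num_locals + p + k}" for k in range(width))
        layout.append((to_java(d), pregs, vregs))
        p += width
    return layout


def total_registers(sig, is_static, num_locals):
    """The '.registers' count equivalent to '.locals num_locals' for this method."""
    layout = register_layout(sig, is_static, num_locals)
    return num_locals + sum(len(v.split(",")) for _, _, v in layout)


if __name__ == "__main__":
    # Constructed descriptor: instance method (int, long, String) with two locals.
    for entry in register_layout("(IJLjava/lang/String;)V", False, 2):
        print(entry)
```

Note that with a long in the middle of the parameter list the String lands in p4, not p3; reading the wrong register is a common mistake when patching calls by hand.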
Smali syntax

"samil" (and "smail", which appears later on this page) are misspellings of smali, the assembler syntax for Dalvik bytecode used by the smali/baksmali tools. It is an assembly language, not a high-level language, so its rules look quite different from Java's:
1. Expressions: smali has no expressions. Each line is one Dalvik instruction that reads and writes registers, so “a = 1 + 2” becomes separate instructions (load the constants into registers, then “add-int”), and a call such as “c = fun(a, b)” becomes an “invoke-*” instruction followed by “move-result”.
2. Variables: there are no named variables, only numbered registers: vN for locals and pN for parameters. The original Java names survive only as debug information in “.local vN, "name":type” directives.
3. Constants: numeric literals are written in hexadecimal with a const instruction sized to the value (“const/4”, “const/16”, “const”, “const/high16”, “const-wide”); strings use “const-string”, e.g. “const-string v0, "hello world"”. A float such as 3.14159 is stored as its IEEE 754 bit pattern.
4. Data types: there are nine primitive descriptors (V Z B S C I J F D), class descriptors of the form “Lpackage/Name;” and array descriptors prefixed with “[”. Strings, lists and hash tables are not built-in types; they are ordinary classes such as “Ljava/lang/String;” and “Ljava/util/HashMap;”.
5. Functions: a method is declared with “.method” and closed with “.end method”, giving access flags, a name and a descriptor, e.g. “.method public static sum(II)I”; it declares its register count with “.registers” or “.locals” and returns with “return”, “return-wide”, “return-object” or “return-void”.
6. Statements: there is no “if”, “for” or “while”. Control flow is expressed with labels (“:cond_0”, “:goto_0”) and branch instructions: “if-eq”, “if-nez” and friends for conditions, “goto” for unconditional jumps, and “packed-switch”/“sparse-switch” for switch tables; a loop is a label, a conditional branch out and a “goto” back.
In short, smali is easy to read but unforgiving about detail: register counts, type descriptors and labels must be exact, or the smali assembler will reject the file and a patched APK will not rebuild.
smali syntax: const/high16 and converting hex to float

A couple of days ago I picked up some smali syntax, and for the last two days I have been analysing a program whose behaviour kept going wrong.
The program is quite messy, so it took a long time to track down, but I finally found the cause.
A very simple numeric problem held me up for this long, which shows how weak my fundamentals are.

A const instruction is just an assignment.
“const v1, 0x0” stores 0x0 in register v1.
“const/high16” (not “const/height16”) is not a plain assignment: the 16-bit literal becomes the upper 16 bits of the register, i.e. it is shifted left by 16 (zero-filled on the right) to a 32-bit value before being stored. So “const/high16 v1, 0x4120” actually stores 0x41200000 in v1. (baksmali prints the full 32-bit value, “const/high16 v1, 0x41200000”; the abbreviated form used below shows only the 16 bits that the instruction encodes.)
Next comes the float conversion. Suppose you see these two lines:
  const/high16 v2, 0x4120
  invoke-interface {v0, v2}, Lcom/test;->getFloat(F)
What value does getFloat receive? The descriptor says the parameter is F, so the 32-bit pattern in v2 must be read as an IEEE 754 single-precision float.
First write the hex value 0x41200000 in binary:
  0 10000010 01000000000000000000000
The first bit is the sign, the next 8 bits are the biased exponent, and the remaining 23 bits are the mantissa (fraction).
Exponent: 10000010 is 130 in decimal; subtract the bias 127 to get 3.
Mantissa: prepend the implicit “1.”, giving 1.01000000000000000000000; with exponent 3, move the binary point three places to the right: 1010.00000000000000000000.
1010.0 in binary is 10.0 in decimal.
So the argument is 10.0.
The const instruction has many more variants and each extends its literal differently: const/4 and const/16 sign-extend, const/high16 places the literal in the high half of a 32-bit register, and const-wide/high16 places it in the top 16 bits of a 64-bit register pair.
Be careful whenever you meet one!
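The bit-level walk-through above can be checked mechanically. This added example (not part of the original post) resolves the word a const instruction leaves in its register, decodes it as a float by hand using the sign/exponent/mantissa split from the text, and cross-checks against struct. It accepts both the abbreviated 16-bit form used in the post and the full value baksmali prints; treating any literal that fits in 16 bits as the abbreviated form is an assumption of this script.

```python
"""Resolve the value a Dalvik const instruction leaves in a register, including the
high16 variants, and decode it as int/float/double by hand and via struct."""
import struct


def decode_float_manually(word):
    """Decode a 32-bit pattern as IEEE 754 single precision: 1 sign bit, 8 exponent
    bits (bias 127), 23 fraction bits with an implicit leading 1 for normal numbers."""
    sign = -1.0 if (word >> 31) & 1 else 1.0
    exponent = (word >> 23) & 0xFF
    fraction = word & 0x7FFFFF
    if exponent == 0xFF:                                  # infinity or NaN
        return sign * float("inf") if fraction == 0 else float("nan")
    if exponent == 0:                                     # zero or subnormal
        return sign * fraction * 2.0 ** -149
    return sign * (1.0 + fraction / 2.0 ** 23) * 2.0 ** (exponent - 127)


def decode_float(word):
    return struct.unpack(">f", struct.pack(">I", word & 0xFFFFFFFF))[0]


def decode_double(word64):
    return struct.unpack(">d", struct.pack(">Q", word64 & 0xFFFFFFFFFFFFFFFF))[0]


def to_signed(value, bits):
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def interpret_const(insn):
    """Take one const* smali line and return {"reg", "word", "int", "float"/"double"}.
    Literals may be written as baksmali prints them (full value, e.g. 0x41200000) or
    abbreviated to the 16 bits encoded in a high16 instruction (0x4120), as in the
    post. Assumption: a high16 literal that fits in 16 bits is the abbreviated form."""
    parts = insn.replace(",", " ").split()
    op, reg, lit = parts[0], parts[1], int(parts[2], 0)
    wide = op.startswith("const-wide")
    if op.endswith("/high16"):
        shift = 48 if wide else 16                        # literal becomes the top 16 bits
        word = lit if lit > 0xFFFF else lit << shift
    else:
        word = lit & (0xFFFFFFFFFFFFFFFF if wide else 0xFFFFFFFF)
    out = {"reg": reg, "word": word}
    if wide:
        out["int"] = to_signed(word, 64)
        out["double"] = decode_double(word)
    else:
        out["int"] = to_signed(word, 32)
        out["float"] = decode_float(word)
    return out


if __name__ == "__main__":
    for line in ("const v1, 0x0", "const/high16 v2, 0x4120",
                 "const/high16 v0, 0x7f030000", "const-wide/high16 v4, 0x4024"):
        print(line, "->", interpret_const(line))
```

Run on the post's instruction, interpret_const("const/high16 v2, 0x4120") reports word 0x41200000 and float 10.0, while the same word read as an int is 1092616192, which is the kind of mismatch that produced the bug described above.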
Android reverse engineering (1): Smali basics

Tags: Android reverse engineering

Components of an APK

  asset/               resource directory 1: asset and res are both resource directories but differ, see below
  lib/                 native .so libraries, usually built with the NDK; common in projects using a game engine or JNI native calls
  META-INF/            project property files such as MANIFEST.MF (together with the CERT.SF/CERT.RSA v1 signature files)
  res/                 resource directory 2: asset and res are both resource directories but differ, see below
  AndroidManifest.xml  the basic configuration file of an Android project
  classes.dex          the Java code compiled into a file the Dalvik VM executes directly (described below)
  resources.arsc       an index of the resources under res/, holding the contents of the original strings.xml and similar files
  other directories    etc.

Difference between the asset and res resource directories: files under res/ get an index (R.java) generated at build time and are referenced from Java code as R.xxx.yyy; files under asset/ get no index and are read from Java through AssetManager. In general, apart from audio and video (which go in raw/ or asset/), a Java Android project keeps its resource files under res/, while projects built on a C++ game engine (or Lua, Unity3D, etc.) keep their resource files under asset/.

In Dalvik bytecode every register is 32 bits wide and can hold any type; 64-bit types (long/double) take two registers.
Dalvik bytecode has two kinds of types: primitive types and reference types (objects and arrays).

Primitive types:
  B  byte
  C  char
  D  double
  F  float
  I  int
  J  long
  S  short
  V  void
  Z  boolean
Reference types:
  [XXX      array
  Lxxx/yyy; object

Arrays are written by prefixing the element type with “[”, so an int array and a float array are [I and [F. Objects start with L and have the form LpackageName/objectName; (the trailing semicolon is mandatory); for example a String is Ljava/lang/String;, where java/lang is the java.lang package and String is a class defined in that package.
Smali study notes

Contents
1 Dalvik and Smali
  1.1 Overview of the Dalvik virtual machine
  1.2 Differences between the Dalvik VM and the Java VM
  1.3 Overview of Smali
3 Smali syntax rules and format
  3.1 Dalvik bytecode instruction formats
  3.2 Representation of types, methods and fields in Dalvik bytecode
    3.2.1 Types
    3.2.2 Methods
    3.2.3 Fields
  3.3 Dalvik bytecode instruction reference
    3.3.1 The two register notations
    3.3.2 The nop instruction
    3.3.3 Data-move instructions
    3.3.4 Return instructions
    3.3.5 Data-definition (constant) instructions
    3.3.6 Lock instructions
    3.3.7 Instance instructions
    3.3.8 Array instructions
    3.3.9 Exception instructions
    3.3.10 Jump instructions
    3.3.11 Comparison instructions
    3.3.12 Field instructions
    3.3.13 Method-invocation instructions
    3.3.14 Data conversion
    3.3.15 Arithmetic
  3.4 Smali file structure
    3.4.1 File format
    3.4.2 Class structure
smail语法

Dalvik opcodesAuthor: Gabor PallerVx values in the table denote a Dalvik register. Depending on the instruction, 16, 256 or 64kregisters can be accessed. Operations on long and double values use two registers, e.g. a doublevalue addressed in the V0 register occupies the V0 and V1 registers.Boolean values are stored as 1 for true and 0 for false. Operations on booleans are translated into integer operations.All the examples are in hig-endian format, e.g. 0F00 0A00 is coded as0F, 00, 0A, 00 sequence.Note there are no explanation/example at some instructions. This means that I have not seen thatinstruction "in the wild" and its presence/name is only known from Android opcode constant list.Opcode(hex)Opcode name Explanation Example00 nop No operation 0000 - nop01 move vx,vy Moves the content of vy into vx. Bothregisters must be in the first 256register range. 0110 - move v0, v1 Moves v1 into v0.02 move/from16vx,vy Moves the content of vy into vx. vymay be in the 64k register range whilevx is one of the first 256 registers.0200 1900 - move/from16 v0, v25Moves v25 into v0.03 move/1604 move-wide05 move-wide/from16vx,vy Moves a long/double value from vy tovx. vy may be in the 64k registerrange while wx is one of the first 256registers.0516 0000 - move-wide/from16 v22, v0Moves v0 into v22.06 move-wide/1607 move-object vx,vy Moves the object reference from vy tovx. 
0781 - move-object v1, v8Moves the object reference in v8 to v1.08 move-object/from16 vx,vy Moves the object reference from vy tovx, vy can address 64k registers andvx can address 256 registers.0801 1500 - move-object/from16 v1, v21Move the object reference in v21 to v1.09 move-object/160 A move-result vx Move the result value of the previousmethod invocation into vx.0A00 - move-result v0Move the return value of a previous method invocationinto v0.0 B move-result-widevxMove the long/double result value ofthe previous method invocation intovx,vx+1.0B02 - move-result-wide v2Move the long/double result value of the previousmethod invocation into v2,v3.0 C move-result-objectvxMove the result object reference ofthe previous method invocation intovx.0C00 - move-result-object v00 D move-exception vx Move the exception object referencethrown during a method invocationinto vx.0D19 - move-exception v25Ereturn-void Return without a return value 0E00 - return-void0F return vx Return with vx return value 0F00 - return v0Returns with return value in v0.10 return-wide vx Return with double/long result invx,vx+1. 1000 - return-wide v0Returns with a double/long value in v0,v1.11 return-object vx Return with vx object reference value. 1100 - return-object v0Returns with object reference value in v012 const/4 vx,lit4 Puts the 4 bit constant into vx 1221 - const/4 v1, #int2Moves literal 2 into v1. The destination register is in thelower 4 bit in the second byte, the literal 2 is in thehigher 4 bit.13 const/16 vx,lit16 Puts the 16 bit constant into vx 1300 0A00 - const/16 v0, #int 10Puts the literal constant of 10 into v0.14 const vx, lit32 Puts the integer constant into vx 1400 4E61 BC00 - const v0, #12345678 // #00BC614EMoves literal 12345678 into v0.15 const/high16 v0,lit16 Puts the 16 bit constant into thetopmost bits of the register. Used toinitialize float values.1500 2041 - const/high16 v0, #float 10.0 // #41200000Moves the floating literal of 10.0 into v0. 
The 16 bitliteral in the instruction carries the top 16 bits of thefloating point number.16 const-wide/16 vx,lit16 Puts the integer constant into vx andvx+1 registers, expanding the integerconstant into a long constant..1600 0A00 - const-wide/16 v0, #long 10Moves literal 10 into v0 and v1 registers.17 const-wide/32 vx,lit32 Puts the 32 bit constant into vx andvx+1 registers, expanding the integerconstant into a long constant.1702 4e61 bc00 - const-wide/32 v2, #long 12345678 //#00bc614ePuts #12345678 into v2 and v3 registers.18 const-wide vx,lit64 Puts the 64 bit constant into vx andvx+1 registers.1802 874b 6b5d 54dc 2b00- const-wide v2, #long12345678901234567 // #002bdc545d6b4b87Puts #12345678901234567 into v2 and v3 registers.19 const-wide/high16 Puts the 16 bit constant into the 1900 2440 - const-wide/high16 v0, #double 10.0 //vx,lit16 highest 16 bit of vx and vx+1registers. Used to initialize doublevalues. #402400000Puts the double constant of 10.0 into v0 register.1 A const-stringvx,string_idPuts reference to a string constantidentified by string_id into vx.1A08 0000 - const-string v8, "" // string@0000Puts reference to string@0000 (entry #0 in the stringtable) into v8.1Bconst-string-jumbo1 C const-classvx,type_idMoves the class object of a classidentified by type_id (e.g.Object.class) into vx.1C00 0100 - const-class v0, Test3 // type@0001Moves reference to Test3.class (entry#1 in the type idtable) into1 D monitor-enter vx Obtains the monitor of the objectreferenced by vx.1D03 - monitor-enter v3Obtains the monitor of the object referenced by v3.1 E monitor-exit Releases the monitor of the objectreferenced by vx.1E03 - monitor-exit v3Releases the monitor of the object referenced by v3.1F check-cast vx,type_id Checks whether the object referencein vx can be cast to an instance of aclass referenced by type_id. 
ThrowsClassCastException if the cast is notpossible, continues executionotherwise.1F04 0100 - check-cast v4, Test3 // type@0001Checks whether the object reference in v4 can be castto type@0001 (entry #1 in the type id table)20 instance-ofvx,vy,type_id Checks whether vy is instance of aclass identified by type_id. Sets vxnon-zero if it is, 0 otherwise.2040 0100 - instance-of v0, v4, Test3 // type@0001Checks whether the object reference in v4 is aninstance of type@0001 (entry #1 in the type id table).Sets v0 to non-zero if v4 is instance of Test3, 0otherwise.21 array-length vx,vy Calculates the number of elements ofthe array referenced by vy and putsthe length value into vx. 2111 - array-length v1, v1Calculates the number of elements of the array referenced by v1 and puts the result into v1.22 new-instancevx,type Instantiates an object type and putsthe reference of the newly createdinstance into vx.2200 1500 - new-instance v0, java.io.FileInputStream //type@0015Instantiates type@0015 (entry #15H in the type table)and puts its reference into v0.23 new-arrayvx,vy,type_id Generates a new array of type_id typeand vy element size and puts thereference to the array into vx.2312 2500 - new-array v2, v1, char[] // type@0025Generates a new array of type@0025 type and v1 sizeand puts the reference to the new array into v2.24 filled-new-array{parameters},type_id Generates a new array of type_id andfills it with the parameters5. Referenceto the newly generated array can beobtained by a move-result-objectinstruction, immediately following thefilled-new-array instruction.2420 530D 0000 - filled-new-array {v0,v0},[I //type@0D53Generates a new array of type@0D53. 
The array's sizewill be 2 and both elements will be filled with thecontents of v0 register.25 filled-new-array-range Generates a new array of type_id andfills it with a range of parameters.2503 0600 1300 - filled-new-array/range {v19..v21}, [B// type@0006{vx..vy},type_id Reference to the newly generatedarray can be obtained by amove-result-object instruction,immediately following thefilled-new-array instruction. Generates a new array of type@0D53. The array's size will be 3 and the elements will be filled using thev19,v20 and v21 registers4.26 fill-array-datavx,array_data_offset Fills the array referenced by vx withthe static data. The location of thestatic data is the sum of the positionof the current instruction and theoffset2606 2500 0000 - fill-array-data v6, 00e6 // +0025Fills the array referenced by v0 with the static data atcurrent instruction+25H words location. The offset isexpressed as a 32-bit number. The static data is storedin the following format:0003 // Table type: static array data0400 // Byte per array element (in this case, 4 byteintegers)0300 0000 // Number of elements in the table0100 0000 // Element #0: integer 10200 0000 // Element #1: integer 20300 0000 // Element #2: integer327 throw vx Throws an exception object. Thereference of the exception object is invx. 2700 - throw v0Throws an exception. The exception object reference is in v0.28 goto target Unconditional jump by short offset2. 28F0 - goto 0005 // -0010Jumps to current position-16 words (hex 10). 0005 isthe label of the target instruction.29 goto/16 target Unconditional jump by 16 bit offset2. 2900 0FFE - goto/16 002f // -01f1Jumps to the current position-1F1H words. 002F is thelabel of the target instruction.2Agoto/32 target2 B packed-switchvx,tableImplements a switch statement wherethe case constants are close to eachother. The instruction uses an indextable. vx indexes into this table to findthe offset of the instruction for aparticular case. 
If vx falls out of theindex table, the execution continueson the next instruction (default case).2B02 0C00 0000 - packed-switch v2, 000c // +000cExecute a packed switch according to the switchargument in v2. The position of the index table is atcurrent instruction+0CH words. The table looks like thefollowing:0001 // Table type: packed switch table0300 // number of elements0000 0000 // element base0500 0000 0: 00000005 // case 0: +000000050700 0000 1: 00000007 // case 1: +000000070900 0000 2: 00000009 // case 2: +000000092 C sparse-switchvx,tableImplements a switch statement withsparse case table. The instructionuses a lookup table with caseconstants and offsets for each caseconstant. If there is no match in the2C02 0c00 0000 - sparse-switch v2, 000c // +000cExecute a sparse switch according to the switchargument in v2. The position of the lookup table is atcurrent instruction+0CH words. The table looks like thefollowing.table, execution continues on the next instruction (default case). 0002 // Table type: sparse switch table0300 // number of elements9cff ffff // first case: -100fa00 0000 // second case constant: 250e803 0000 // third case constant: 10000500 0000 // offset for the first case constant: +5 0700 0000 // offset for the second case constant: +7 0900 0000 // offset for the third case constant: +92 D cmpl-float Compares the float values in vy andvz and sets the integer value in vxaccordingly32D00 0607 - cmpl-float v0, v6, v7Compares the float values in v6 and v7 then sets v0accordingly. NaN bias is less-than, the instruction willreturn -1 if any of the parameters is NaN.2 E cmpg-float vx, vy,vzCompares the float values in vy andvz and sets the integer value in vxaccordingly3.2E00 0607 - cmpg-float v0, v6, v7Compares the float values in v6 and v7 then sets v0accordingly. 
NaN bias is greater-than, the instructionwill return 1 if any of the parameters is NaN.2F cmpl-doublevx,vy,vz Compares the double values in vy andvz2 and sets the integer value in vxaccordingly3.2F19 0608 - cmpl-double v25, v6, v8Compares the double values in v6,v7 and v8,v9 andsets v25 accordingly. NaN bias is less-than, theinstruction will return -1 if any of the parameters is NaN.30 cmpg-double vx,vy, vz Compares the double values in vy andvz2 and sets the integer value in vxaccordingly3.3000 080A - cmpg-double v0, v8, v10Compares the double values in v8,v9 and v10,v11 thensets v0 accordingly. NaN bias is greater-than, theinstruction will return 1 if any of the parameters is NaN.31 cmp-long vx, vy, vz Compares the long values in vy andvz and sets the integer value in vxaccordingly3. 3100 0204 - cmp-long v0, v2, v4Compares the long values in v2 and v4 then sets v0 accordingly.32 if-eq vx,vy,target Jumps to target if vx==vy2. vx and vyare integer values. 32b3 6600 - if-eq v3, v11, 0080 // +0066Jumps to the current position+66H words if v3==v11. 0080 is the label of the target instruction.33 if-ne vx,vy,target Jumps to target if vx!=vy2. vx and vyare integer values. 33A3 1000 - if-ne v3, v10, 002c // +0010Jumps to the current position+10H words if v3!=v10. 002c is the label of the target instruction.34 if-lt vx,vy,target Jumps to target is vx<vy2. vx and vyare integer values. 3432 CBFF - if-lt v2, v3, 0023 // -0035Jumps to the current position-35H words if v2<v3. 0023 is the label of the target instruction.35 if-ge vx, vy,target Jumps to target if vx>=vy2. vx and vyare integer values. 3510 1B00 - if-ge v0, v1, 002b // +001bJumps to the current position+1BH words if v0>=v1. 002b is the label of the target instruction.36 if-gt vx,vy,target Jumps to target if vx>vy2. vx and vyare integer values. 3610 1B00 - if-ge v0, v1, 002b // +001bJumps to the current position+1BH words if v0>v1. 
002b is the label of the target instruction.37 if-le vx,vy,target Jumps to target if vx<=vy2. vx and vyare integer values. 3756 0B00 - if-le v6, v5, 0144 // +000bJumps to the current position+0BH words if v6<=v5.0144 is the label of the target instruction.38 if-eqz vx,target Jumps to target if vx==02. vx is aninteger value. 3802 1900 - if-eqz v2, 0038 // +0019Jumps to the current position+19H words if v2==0. 0038 is the label of the target instruction.39 if-nez vx,target Checks vx and jumps if vx isnonzero2. 3902 1200 - if-nez v2, 0014 // +0012Jumps to current position+18 words (hex 12) if v2 is nonzero. 0014 is the label of the target instruction.3 A if-ltz vx,target Checks vx and jumps if vx<02. 3A00 1600 - if-ltz v0, 002d // +0016Jumps to the current position+16H words if v0<0. 002dis the label of the target instruction.3 B if-gez vx,target Checks vx and jumps if vx>=02. 3B00 1600 - if-gez v0, 002d // +0016Jumps to the current position+16H words if v0 >=0.002d is the label of the target instruction.3 C if-gtz vx,target Checks vx and jumps if vx>02. 3C00 1D00 - if-gtz v0, 004a // +001dJumps to the current position+1DH words if v0>0. 004Ais the label of the target instruction.3 D if-lez vx,target Checks vx and jumps if vx<=02. 3D00 1D00 - if-lez v0, 004a // +001dJumps to the current position+1DH words if v0<=0.004A is the label of the target instruction.3Eunused_3E 3F unused_3F40 unused_4041 unused_4142 unused_4243 unused_4344 aget vx,vy,vz Gets an integer value of an objectreference array into vx. The array isreferenced by vy and is indexed by vz. 4407 0306 - aget v7, v3, v6Gets an integer array element. The array is referenced by v3 and the element is indexed by v6. The element will be put into v7.45 aget-wide vx,vy,vz Gets a long/double value oflong/double array into vx,vx+1. Thearray is referenced by vy and isindexed by vz. 4505 0104 - aget-wide v5, v1, v4Gets a long/double array element. The array is referenced by v1 and the element is indexed by v4. 
The element will be put into v5,v6.46 aget-objectvx,vy,vz Gets an object reference value of anobject reference array into vx. Thearray is referenced by vy and isindexed by vz.4602 0200 - aget-object v2, v2, v0Gets an object reference array element. The array isreferenced by v2 and the element is indexed by v0. Theelement will be put into v2.47 aget-booleanvx,vy,vz Gets a boolean value of a booleanarray into vx. The array is referencedby vy and is indexed by vz.4700 0001 - aget-boolean v0, v0, v1Gets a boolean array element. The array is referencedby v0 and the element is indexed by v1. The elementwill be put into v0.48 aget-byte vx,vy,vz Gets a byte value of a byte array into 4800 0001 - aget-byte v0, v0, v1vx. The array is referenced by vy and is indexed by vz. Gets a byte array element. The array is referenced by v0 and the element is indexed by v1. The element will be put into v0.49 aget-char vx, vy,vz Gets a char value of a characterarray into vx. The element is indexedby vz, the array object is referencedby vy 4905 0003 - aget-char v5, v0, v3Gets a character array element. The array is referenced by v0 and the element is indexed by v3. The element will be put into v5.4 A aget-short vx,vy,vz Gets a short value of a short arrayinto vx. The element is indexed by vz,the array object is referenced by vy.4A00 0001 - aget-short v0, v0, v1Gets a short array element. The array is referenced byv0 and the element is indexed by v1. The element willbe put into v0.4 B aput vx,vy,vz Puts the integer value in vx into anelement of an integer array. Theelement is indexed by vz, the arrayobject is referenced by vy.4B00 0305 - aput v0, v3, v5Puts the integer value in v2 into an integer arrayreferenced by v0. The target array element is indexedby v1.4 C aput-wide vx,vy,vz Puts the double/long value in vx,vx+1into a double/long array. 
The array isreferenced by vy, the element isindexed by vz.4C05 0104 - aput-wide v5, v1, v4Puts the double/long value in v5,v6 into a double/longarray referenced by v1. The target array element isindexed by v4.4 D aput-objectvx,vy,vzPuts the object reference value in vxinto an element of an object referencearray. The element is indexed by vz,the array object is referenced by vy.4D02 0100 - aput-object v2, v1, v0Puts the object reference value in v2 into an objectreference array referenced by v0. The target arrayelement is indexed by v1.4 E aput-booleanvx,vy,vzPuts the boolean value in vx into anelement of a boolean array. Theelement is indexed by vz, the arrayobject is referenced by vy.4E01 0002 - aput-boolean v1, v0, v2Puts the boolean value in v1 into an object referencearray referenced by v0. The target array element isindexed by v2.4F aput-byte vx,vy,vz Puts the byte value in vx into anelement of a byte array. The elementis indexed by vz, the array object isreferenced by vy. 4F02 0001 - aput-byte v2, v0, v1Puts the boolean value in v2 into a byte array referenced by v0. The target array element is indexed by v1.50 aput-char vx,vy,vz Puts the char value in vx into anelement of a character array. Theelement is indexed by vz, the arrayobject is referenced by vy. 5003 0001 - aput-char v3, v0, v1Puts the character value in v3 into a character array referenced by v0. The target array element is indexed by v1.51 aput-short vx,vy,vz Puts the short value in vx into anelement of a short array. The elementis indexed by vz, the array object isreferenced by vy. 5102 0001 - aput-short v2, v0, v1Puts the short value in v2 into a character array referenced by v0. The target array element is indexed by v1.52 iget vx, vy, field_id Reads an instance field into vx. Theinstance is referenced by vy. 5210 0300 - iget v0, v1, Test2.i6:I // field@0003 Reads field@0003 into v0 (entry #3 in the field id table). 
The instance is referenced by v1.53 iget-widevx,vy,field_id Reads an instance field into vx1. Theinstance is referenced by vy.5320 0400 - iget-wide v0, v2, T est2.l0:J // field@0004Reads field@0004 into v0 and v1 registers (entry #4 inthe field id table). The instance is referenced by v2.54 iget-objectvx,vy,field_id Reads an object reference instancefield into vx. The instance isreferenced by vy.iget-object v1, v2,LineReader.fis:Ljava/io/FileInputStream; // field@0002Reads field@0002 into v1 (entry #2 in the field idtable). The instance is referenced by v2.55 iget-booleanvx,vy,field_id Reads a boolean instance field intovx. The instance is referenced by vy.55FC 0000 - iget-boolean v12, v15, Test2.b0:Z //field@0000Reads the boolean field@0000 into v12 register (entry#0 in the field id table). The instance is referenced byv15.56 iget-bytevx,vy,field_id Reads a byte instance field into vx.The instance is referenced by vy.5632 0100 - iget-byte v2, v3, Test3.bi1:B // field@0001Reads the char field@0001 into v2 register (entry #1 inthe field id table). The instance is referenced by v3.57 iget-charvx,vy,field_id Reads a char instance field into vx.The instance is referenced by vy.5720 0300 - iget-char v0, v2, Test3.ci1:C // field@0003Reads the char field@0003 into v0 register (entry #3 inthe field id table). The instance is referenced by v2.58 iget-shortvx,vy,field_id Reads a short instance field into vx.The instance is referenced by vy.5830 0800 - iget-short v0, v3, Test3.si1:S // field@0008Reads the short field@0008 into v0 register (entry #8 inthe field id table). The instance is referenced by v3.59 iput vx,vy, field_id Puts vx into an instance field. Theinstance is referenced by vy. 5920 0200 - iput v0,v2, Test2.i6:I // field@0002Stores v0 into field@0002 (entry #2 in the field id table). 
The instance is referenced by v2.5 A iput-wide vx,vy,field_idPuts the wide value located in vx andvx+1 registers into an instance field.The instance is referenced by vy.5A20 0000 - iput-wide v0,v2, Test2.d0:D // field@0000Stores the wide value in v0, v1 registers intofield@0000 (entry #0 in the field id table). The instanceis referenced by v2.5 B iput-objectvx,vy,field_idPuts the object reference in vx into aninstance field. The instance isreferenced by vy.5B20 0000 - iput-object v0, v2,LineReader.bis:Ljava/io/BufferedInputStream; //field@0000Stores the object reference in v0 into field@0000 (entry#0 in the field table). The instance is referenced by v2.5 C iput-boolean vx,vy,field_idPuts the boolean value located in vxinto an instance field. The instance isreferenced by vy.5C30 0000 - iput-boolean v0, v3, Test2.b0:Z //field@0000Puts the boolean value in v0 into field@0000 (entry #0in the field id table). The instance is referenced by v3.5 D iput-bytevx,vy,field_idPuts the byte value located in vx intoan instance field. The instance isreferenced by vy.5D20 0100 - iput-byte v0, v2, T est3.bi1:B // field@0001Puts the boolean value in v0 into field@0001 (entry #1in the field id table). The instance is referenced by v2.5 E iput-charvx,vy,field_idPuts the char value located in vx intoan instance field. The instance isreferenced by vy.5E20 0300 - iput-char v0, v2, T est3.ci1:C // field@0003Puts the char value in v0 into field@0003 (entry #3 inthe field id table). The instance is referenced by v2.5F iput-shortvx,vy,field_id Puts the short value located in vx intoan instance field. The instance isreferenced by vy.5F21 0800 - iput-short v1, v2, Test3.si1:S // field@0008Puts the short value in v1 into field@0008 (entry #8 inthe field id table). The instance is referenced by v2.60 sget vx,field_id Reads the integer field identified bythe field_id into vx. 
6000 0700 - sget v0, Test3.is1:I // field@0007Reads field@0007 (entry #7 in the field id table) into v0.61 sget-wide vx,field_id Reads the static field identified by thefield_id into vx and vx+1 registers.6100 0500 - sget-wide v0, Test2.l1:J // field@0005Reads field@0005 (entry #5 in the field id table) into v0and v1 registers.62 sget-objectvx,field_id Reads the object reference fieldidentified by the field_id into vx.6201 0C00 - sget-object v1,Test3.os1:Ljava/lang/Object; // field@000cReads field@000c (entry #CH in the field id table) intov1.63 sget-booleanvx,field_id Reads the boolean static fieldidentified by the field_id into vx.6300 0C00 - sget-boolean v0, Test2.sb:Z // field@000cReads boolean field@000c (entry #12 in the field idtable) into v0.64 sget-bytevx,field_id Reads the byte static field identifiedby the field_id into vx.6400 0200 - sget-byte v0, Test3.bs1:B // field@0002Reads byte field@0002 (entry #2 in the field id table)into v0.65 sget-charvx,field_id Reads the char static field identifiedby the field_id into vx.6500 0700 - sget-char v0, Test3.cs1:C // field@0007Reads byte field@0007 (entry #7 in the field id table)into v0.66 sget-shortvx,field_id Reads the short static field identifiedby the field_id into vx.6600 0B00 - sget-short v0, Test3.ss1:S // field@000bReads short field@000b (entry #BH in the field id table)into v0.67 sput vx, field_id Puts vx into a static field. 6700 0100 - sput v0, Test2.i5:I // field@0001Stores v0 into field@0001 (entry #1 in the field id table).68 sput-wide vx,field_id Puts vx and vx+1 into a static field. 
| Opcode | Mnemonic | Explanation | Example | Example explanation |
|---|---|---|---|---|
| 68 | sput-wide vx,field_id | Puts the long value in vx (and vx+1) into a static field. | `6800 0500 - sput-wide v0, Test2.l1:J // field@0005` | Puts the long value in v0 and v1 into the field@0005 static field (entry #5 in the field id table). |
| 69 | sput-object vx,field_id | Puts object reference in vx into a static field. | `6900 0c00 - sput-object v0,Test3.os1:Ljava/lang/Object; // field@000c` | Puts the object reference value in v0 into the field@000c static field (entry #CH in the field id table). |
| 6A | sput-boolean vx,field_id | Puts boolean value in vx into a static field. | `6A00 0300 - sput-boolean v0, Test3.bls1:Z // field@0003` | Puts the boolean value in v0 into the field@0003 static field (entry #3 in the field id table). |
| 6B | sput-byte vx,field_id | Puts byte value in vx into a static field. | `6B00 0200 - sput-byte v0, Test3.bs1:B // field@0002` | Puts the byte value in v0 into the field@0002 static field (entry #2 in the field id table). |
| 6C | sput-char vx,field_id | Puts char value in vx into a static field. | `6C01 0700 - sput-char v1, Test3.cs1:C // field@0007` | Puts the char value in v1 into the field@0007 static field (entry #7 in the field id table). |
| 6D | sput-short vx,field_id | Puts short value in vx into a static field. | `6D00 0B00 - sput-short v0, Test3.ss1:S // field@000b` | Puts the short value in v0 into the field@000b static field (entry #BH in the field id table). |
| 6E | invoke-virtual { parameters },methodtocall | Invokes a virtual method with parameters. | `6E53 0600 0421 - invoke-virtual { v4, v0, v1, v2, v3},Test2.method5:(IIII)V // method@0006` | Invokes the 6th method in the method table with the following arguments: v4 is the "this" instance, v0, v1, v2, and v3 are the method parameters. The method has 5 arguments (4 MSB bits of the second byte)[5]. |
| 6F | invoke-super {parameter},methodtocall | Invokes the virtual method of the immediate parent class. | `6F10 A601 0100 - invoke-super {v1},java.io.FilterOutputStream.close:()V // method@01a6` | Invokes method@01a6 with one parameter, v1. |
| 70 | invoke-direct { parameters },methodtocall | Invokes a method with parameters without the virtual method resolution. | `7010 0800 0100 - invoke-direct {v1},ng.Object.<init>:()V // method@0008` | Invokes the 8th method in the method table with just one parameter; v1 is the "this" instance[5]. |
| 71 | invoke-static {parameters},methodtocall | Invokes a static method with parameters. | `7110 3400 0400 - invoke-static {v4},ng.Integer.parseInt:( Ljava/lang/String;)I // method@0034` | Invokes method@34 static method. The method is called with one parameter, v4[5]. |
| 72 | invoke-interface {parameters},methodtocall | Invokes an interface method. | `7240 2102 3154 - invoke-interface {v1, v3, v4, v5},mwfw.IReceivingProtocolAdapter.receivePackage:(ILjava/lang/String;Ljava/io/InputStream;)Z // method@0221` | Invokes method@221 interface method using parameters in v1, v3, v4 and v5[5]. |
| 73 | unused_73 | | | |
| 74 | invoke-virtual/range {vx..vy},methodtocall | Invokes virtual method with a range of registers. The instruction specifies the first register and the number of registers to be passed to the method. | `7403 0600 1300 - invoke-virtual {v19..v21},Test2.method5:(IIII)V // method@0006` | Invokes the 6th method in the method table with the following arguments: v19 is the "this" instance, v20 and v21 are the method parameters. |
| 75 | invoke-super/range | Invokes the virtual method of the immediate parent class. The instruction specifies the first register and the number of registers to be passed to the method. | `7501 A601 0100 - invoke-super {v1},java.io.FilterOutputStream.close:()V // method@01a6` | Invokes method@01a6 with one parameter, v1. |
| 76 | invoke-direct/range {vx..vy},methodtocall | Invokes direct method with a range of registers. The instruction specifies the first register and the number of registers to be passed to the method. | `7603 3A00 1300 - invoke-direct/range {v19..21},ng.Object.<init>:()V // method@003a` | Invokes method@3A with 1 parameter (second byte of the instruction = 03). The parameter is stored in v19 (5th, 6th bytes of the instruction). |
| 77 | invoke-static/range {vx..vy},methodtoc | Invokes static method with a range of registers. The instruction specifies the first register and the number of | `7703 3A00 1300 - invoke-static/range {v19..21},ng.Integer.parseInt:( Ljava/lang/String;)I // method@0034` | |
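As an added example (not part of the original opcode table), the following Python decoder reads the byte notation used in the Example column above and recovers the register list and field/method index for the 21c (sput-*), 35c (invoke-*) and 3rc (invoke-*/range) encodings; the format names are those of the Dalvik bytecode specification.

```python
"""Decode the Dalvik encodings used in the opcode table above.

Added example, not part of the original page. Format names (21c, 35c, 3rc)
are those of the Dalvik bytecode specification; input is the table's own
byte notation, e.g. "6E53 0600 0421", written in memory order.
"""
from dataclasses import dataclass

# opcode byte -> (mnemonic, instruction format), covering the rows above
OPCODES = {
    0x68: ("sput-wide", "21c"), 0x69: ("sput-object", "21c"),
    0x6A: ("sput-boolean", "21c"), 0x6B: ("sput-byte", "21c"),
    0x6C: ("sput-char", "21c"), 0x6D: ("sput-short", "21c"),
    0x6E: ("invoke-virtual", "35c"), 0x6F: ("invoke-super", "35c"),
    0x70: ("invoke-direct", "35c"), 0x71: ("invoke-static", "35c"),
    0x72: ("invoke-interface", "35c"),
    0x74: ("invoke-virtual/range", "3rc"), 0x75: ("invoke-super/range", "3rc"),
    0x76: ("invoke-direct/range", "3rc"), 0x77: ("invoke-static/range", "3rc"),
}

@dataclass
class Insn:
    mnemonic: str
    index: int             # field@ or method@ index into the id table
    registers: list[int]   # registers in argument order (first = "this" for non-static)

    def __str__(self) -> str:
        kind = "field" if self.mnemonic.startswith("sput") else "method"
        regs = ", ".join(f"v{r}" for r in self.registers)
        return f"{self.mnemonic} {{{regs}}}, {kind}@{self.index:04x}"

def decode(hex_bytes: str) -> Insn:
    """Decode one instruction given as hex bytes in memory order."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    # Dalvik code units are 16-bit little-endian: low byte first, high byte second.
    units = [raw[i] | (raw[i + 1] << 8) for i in range(0, len(raw), 2)]
    op, hi = raw[0], raw[1]                     # first unit: opcode in the low byte
    mnemonic, fmt = OPCODES[op]
    if fmt == "21c":                            # AA|op BBBB: register vAA, index BBBB
        regs = [hi, hi + 1] if mnemonic == "sput-wide" else [hi]   # a wide value is a pair
        return Insn(mnemonic, units[1], regs)
    if fmt == "3rc":                            # AA|op BBBB CCCC: AA registers from vCCCC
        return Insn(mnemonic, units[1], list(range(units[2], units[2] + hi)))
    # 35c: A|G|op BBBB F|E|D|C -- A = register count (0..5), G is the 5th register
    count, g = hi >> 4, hi & 0xF
    fedc = units[2] if len(units) > 2 else 0
    regs = [(fedc >> (4 * i)) & 0xF for i in range(4)] + [g]      # order: C, D, E, F, G
    return Insn(mnemonic, units[1], regs[:count])

if __name__ == "__main__":
    for sample in ("6800 0500", "6E53 0600 0421", "7240 2102 3154", "7403 0600 1300"):
        print(sample, "->", decode(sample))
```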
APK cracking: how code is injected into a cracked APK

Compiled by the 爱加密 (ijiami) editors
Tools used:
APKTool
Note: every APK that installs normally on a phone carries a signature (look up APK signing if you are not familiar with it). Once an APK has been cracked and repackaged it no longer has a signature, so if you want the modified APK to run, re-sign it.
An APK is really just a zip archive.
Let's look at what is inside, as shown in the figure below:
META-INF is the folder that holds the signature; we will not go into it further here.
res holds the XML configuration files and image files; these are stored in a compiled binary form and cannot be read directly.
classes.dex and resources.arsc are the compiled, not directly readable forms of the source code and resources; the overall workflow is shown in the figure below:
Note: the rebuilt APK is unsigned and must be signed before it can be installed.
OK! Next we use apktool to decompile and rebuild.
Its basic usage is as follows:
Decompile an APK:
Once decompilation succeeds, a corresponding folder is generated; the smali files inside it are the source. If you know Dalvik (.smali) syntax, you can inject code there.
Rebuild into an APK:
The rebuilt APK will be in the test/dist directory.
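As an added check for the workflow above (example code, not part of the original article), this Python builds two constructed APK-shaped zips in memory, one carrying v1 signature files under META-INF/ and one without them, the way an apktool rebuild looks before re-signing, and reports their top-level layout and signature state. It only detects the v1 (JAR) scheme; v2/v3 signatures live in the APK Signing Block outside the zip entries and need apksigner to verify.

```python
"""Inspect an APK's zip layout and check for v1 (JAR) signature files.

Added example, not from the original article. An APK is a zip; META-INF/
holds the v1 signature, and a rebuild drops it. Only v1 is checked here:
v2/v3 signatures sit in the APK Signing Block, not in zip entries.
"""
import io
import zipfile

def build_apk(signed: bool) -> bytes:
    """Construct a minimal APK-shaped zip (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")     # binary XML stub
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)   # dex magic stub
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82")           # PKCS#7 stub
    return buf.getvalue()

def inspect_apk(data: bytes) -> dict:
    """Return top-level entries and whether a v1 signature (.SF + .RSA/.DSA/.EC) is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    top = sorted({n.split("/", 1)[0] for n in names})
    sig_blocks = [n for n in names
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    has_sf = any(n.startswith("META-INF/") and n.upper().endswith(".SF") for n in names)
    return {"top_level": top,
            "v1_signed": bool(sig_blocks) and has_sf,
            "has_dex": "classes.dex" in names}

if __name__ == "__main__":
    for label, apk in (("signed", build_apk(True)), ("rebuilt", build_apk(False))):
        print(label, inspect_apk(apk))
```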
Smali Basic Syntax

Directives and common instructions:

- `.field private isFlag:Z`: defines a field (variable)
- `.method`: method
- `.parameter`: method parameter
- `.prologue`: start of the method body
- `.line 12`: the following code is at source line 12
- `invoke-super`: call the parent class's method
- `const/high16 v0, 0x7f03`: assign 0x7f03 to v0 (const/high16 places the literal in the upper 16 bits, so v0 = 0x7f030000)
- `invoke-direct`: call a method directly (no virtual dispatch)
- `return-void`: return from a void method
- `.end method`: end of the method
- `new-instance`: create an instance
- `iput-object`: store an object reference into a field
- `iget-object`: load an object reference from a field
- `invoke-static`: call a static method

Conditional branches:

- `if-eq vA, vB, :cond_**`: jump to :cond_** if vA equals vB
- `if-ne vA, vB, :cond_**`: jump to :cond_** if vA does not equal vB
- `if-lt vA, vB, :cond_**`: jump to :cond_** if vA is less than vB
- `if-ge vA, vB, :cond_**`: jump to :cond_** if vA is greater than or equal to vB
- `if-gt vA, vB, :cond_**`: jump to :cond_** if vA is greater than vB
- `if-le vA, vB, :cond_**`: jump to :cond_** if vA is less than or equal to vB
- `if-eqz vA, :cond_**`: jump to :cond_** if vA equals 0
- `if-nez vA, :cond_**`: jump to :cond_** if vA does not equal 0
- `if-ltz vA, :cond_**`: jump to :cond_** if vA is less than 0
- `if-gez vA, :cond_**`: jump to :cond_** if vA is greater than or equal to 0
- `if-gtz vA, :cond_**`: jump to :cond_** if vA is greater than 0
- `if-lez vA, :cond_**`: jump to :cond_** if vA is less than or equal to 0

Java source of an if:

```java
private boolean ifSense() {
    boolean tempFlag = ((3 - 2) == 1) ? true : false;
    if (tempFlag) {
        return true;
    } else {
        return false;
    }
}
```

Smali of the if (annotations use smali's `#` comment syntax):

```smali
.method private ifSense()Z
    .locals 2
    .prologue
    .line 22
    const/4 v0, 0x1          # v0 = 1
    .line 24
    .local v0, tempFlag:Z
    if-eqz v0, :cond_0       # test whether v0 == 0: if not, fall through; if so, take the cond_0 branch
    .line 25
    const/4 v1, 0x1          # branch taken when the condition holds
    .line 27
    :goto_0
    return v1
    :cond_0
    const/4 v1, 0x0          # cond_0 branch
    goto :goto_0
.end method
```

Description: if the if-condition holds, execution continues straight down and eventually returns; if it does not hold, execution goes to the :cond_0 branch, which ends with `goto :goto_0`, jumping back to :goto_0 to return.

Java source of a for loop:

```java
private void forSense() {
    listStr = new ArrayList<String>(COUNT);
    for (int i = 0; i < COUNT; i++) {
        listStr.add("现在轮到我上场乐");
    }
}
```

Smali of the for loop:

```smali
    .line 40
    const/4 v0, 0x0
    .local v0, i:I
    :goto_0
    if-lt v0, v3, :cond_0    # if-lt tests v0 < v3: if not, fall through; if so, take the :cond_0 branch
    .line 43
    return-void
    .line 41
    :cond_0                  # label
    iget-object v1, p0, Lcom/example/smalidemo/MainActivity;->listStr:Ljava/util/List;   # load the field
    const-string v2, "\u73b0\u5728\u8f6e\u5230\u6211\u4e0a\u573a\u4e50"
    invoke-interface {v1, v2}, Ljava/util/List;->add(Ljava/lang/Object;)Z   # List is an interface, so add is an interface call
    .line 40
    add-int/lit8 v0, v0, 0x1 # add 0x1 to the value in the second v0 and store it in the first v0: the increment
    goto :goto_0             # back to the :goto_0 label
```

Description: a label goto_0 is set; v0 is compared with v3, and when v0 < v3 the :cond_0 branch runs and then jumps back to :goto_0 to test again.

After reading this linked article you will have a basic grounding in smali.
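To trace the branch structure the article walks through by hand, here is an added Python helper (not from the original article) that indexes a smali method body, skipping `.line`/`.local` and other directives, and maps each if-*/goto instruction to the index of the instruction its label targets; the input is the ifSense() body above, reproduced as constructed sample text.

```python
"""Resolve the branch structure of a smali method body.

Added example, not from the original article. Directives (.line, .local,
.prologue, ...) carry no control flow and are dropped; labels are resolved
to the index of the instruction that follows them. Only if-* and goto
branches are mapped; packed-switch/sparse-switch tables are not handled.
"""
import re

# Constructed input: the ifSense() body from the article, as apktool emits it.
IF_SENSE = """
.method private ifSense()Z
    .locals 2
    .prologue
    .line 22
    const/4 v0, 0x1
    .line 24
    .local v0, tempFlag:Z
    if-eqz v0, :cond_0
    .line 25
    const/4 v1, 0x1
    .line 27
    :goto_0
    return v1
    :cond_0
    const/4 v1, 0x0
    goto :goto_0
.end method
"""

# if-eq/if-ne/.../if-lez and goto, goto/16, goto/32; the label is the last operand
BRANCH_RE = re.compile(r"^(if-\w+|goto(?:/\d+)?)\s+.*?(:\w+)\s*$")

def parse_method(text):
    """Return (instructions, labels); labels maps ':name' to the index of
    the instruction that follows it. '#' comments and directives are dropped."""
    instructions, labels = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("."):
            continue
        if line.startswith(":"):
            labels[line] = len(instructions)   # label points at the next instruction
        else:
            instructions.append(line)
    return instructions, labels

def branch_edges(text):
    """Map the index of each branching instruction to its target instruction index."""
    instructions, labels = parse_method(text)
    edges = {}
    for i, insn in enumerate(instructions):
        m = BRANCH_RE.match(insn)
        if m:
            edges[i] = labels[m.group(2)]
    return edges

if __name__ == "__main__":
    insns, _ = parse_method(IF_SENSE)
    for src, dst in branch_edges(IF_SENSE).items():
        print(f"{src}: {insns[src]!r} -> {dst}: {insns[dst]!r}")
```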
Content Requirements for Preparing a Mineral Resource Development and Utilization Plan, and Review Outline
Content requirements for preparing a Mineral Resource Development and Utilization Plan and review outline for the Mineral Resource Development and Utilization Plan
I. Overview
(i) Location of the mining area, administrative affiliation and nature of the enterprise.
For a renovation or expansion of an existing mine, describe the mine's current status, characteristics and main existing problems.
(ii) Basis for preparation
(1) Briefly describe the progress of preliminary project work and any letters of intent concluded with relevant parties.
(2) List the names of the principal basic materials on which the development and utilization plan is based.
For example, the mining-area geological exploration report approved by the reserves administration, the ore-dressing test report, the processing and utilization test report, the preliminary engineering-geology assessment, and the mining-area hydrological and water-supply data.
For renovated or expanded mines, actual production data should be included, such as the current general layout plan of the mine, the deposit development system diagram, the current stope plan and a list of the major mining and dressing equipment.
II. Current demand for and forecast of mineral products
(i) Domestic demand and market supply for the mineral
1. Current status of the mineral product and trends in its processing and utilization.
2. Forecast of short- and long-term domestic demand and principal sales destinations.
(ii) Product price analysis
1. Current domestic prices of the mineral product.
2. Price stability and trends for the mineral product.
III. Overview of mineral resources
(i) General overview of the mining area
1. Overall planning of the mining area.
2. Overview of the mining area's mineral resources.
3. Relationship between this design and the overall development of the mining area.
(ii) Resource overview of the designed project
1. Geological and structural characteristics of the deposit.
2. Technical mining conditions and hydrogeological conditions of the deposit.