# SMALI Cheat Sheet
Smali is the assembly language used to represent Android's DEX bytecode. This guide organizes the most important instructions and concepts into a comprehensive and easy-to-understand format, providing clarity on the various components of Smali code.
## Smali File Structure
## Types
| **Syntax** | **Meaning** |
| ---------- | ----------------------------- |
| V | Void |
| Z | Boolean |
| B | Byte |
| S | Short |
| C | Char |
| F | Float |
| I | Int |
| J | Long (64-bit) |
| D | Double (64-bit) |
| \[ | Array (e.g., `[B` → `byte[]`) |
| L | Fully qualified class name |
## Registers / Variables / Assigning
In Dalvik, registers are always 32 bits and can hold any type of value. For 64-bit types like `long` and `double`, two registers are used. There are two key types of registers:
* **Local registers (`Vx`)**: Used for local variables and temporary values.
* **Parameter registers (`Px`)**: Used for passing parameters in functions, with `P0` typically representing the `this` operator.
| **Local (Vx)** | **Param (Px)** |
| -------------- | -------------- |
| V0 | P0 |
| V1 | P1 |
| V2 | P2 |
| V4 | P3 |
| V(...) | P(...) |
| **Command** | **Description** | **Example (Java/Smali)** |
| --------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `move vx,vy` | Moves the content of vy into vx. |
int a = 12; mov v0, 0xc
|
| `const/4 vx,lit4` | Puts the 4-bit constant into vx. Max value is 7. For higher values, remove `/4` to use `const vx, value`. |
int level = 3; const/4 v0, 0x5
|
| `new-array vx,vy,type_id` | Generates a new array of `type_id` type and `vy` element size, then stores the reference in `vx`. |
|
## Local Registers and Types
Local registers start from `v0` and may go up as needed (e.g., `v0` to `v6`). Not all of these correspond directly to variables; some registers are used for internal operations by the decompiler.
The type of local registers often starts with `L`, indicating a class reference. For example:
* `Ljava/lang/String` → String class
The decompiled code also shows the use of extra registers, e.g., `v5`, for handling function outputs (like `sget-object`).
## Operators
| **Command** | **Description** | **Example (Java/Smali)** |
| ------------------ | -------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `add-int vx,vy,vz` | Calculates `vy + vz` and puts the result into `vx`. |
score = score + 1; add-int/lit8 v5, v5, 0x1
|
| `sub-int vx,vy,vz` | Calculates `vy - vz` and puts the result into `vx`. |
score = score - 1; sub-int/lit8 v5, v5, 0x1
|
| `mul-int vx,vy,vz` | Multiplies `vz` with `vy` and puts the result into `vx`. |
bonus = bonus \* 50; mul-int/lit8 v6, v1, 0x32
|
| `div-int vx,vy,vz` | Divides `vy` by `vz` and puts the result into `vx`. |
bonus = bonus / 2; div-int v4, v1, 0x2
|
| `rem-int vx,vy,vz` | Calculates `vy % vz` and puts the result into `vx`. |
Math.abs(step2 % 4); rem-int/lit8 v0, p1, 0x4
|
| `and-int vx,vy,vz` | Calculates `vy AND vz` and puts the result into `vx`. |
int result = b & 127; and-int/lit8 v1, p3, 0x1f
|
| `or-int vx,vy,vz` | Calculates `vy OR vz` and puts the result into `vx`. | \`int result = b |
| `xor-int vx,vy,vz` | Calculates `vy XOR vz` and puts the result into `vx`. |
Key = a ^ b; xor-int v1, v2, v3
|
## IF - ELSE - GOTO
### Comparison with 0
| **Syntax** | **Description** |
| ------------------- | ------------------------------ |
| `if-eqz vx, target` | Jumps to `target` if `vx == 0` |
| `if-nez vx, target` | Jumps to `target` if `vx != 0` |
| `if-ltz vx, target` | Jumps to `target` if `vx < 0` |
| `if-gez vx, target` | Jumps to `target` if `vx >= 0` |
| `if-gtz vx, target` | Jumps to `target` if `vx > 0` |
| `if-lez vx, target` | Jumps to `target` if `vx <= 0` |
### Comparison against a register
Here’s a table summarizing the syntax and descriptions for the conditional comparison commands:
| **Syntax** | **Description** |
| ---------------------- | ------------------------------- |
| `if-eq vx, vy, target` | Jumps to `target` if `vx == vy` |
| `if-ne vx, vy, target` | Jumps to `target` if `vx != vy` |
| `if-lt vx, vy, target` | Jumps to `target` if `vx < vy` |
| `if-ge vx, vy, target` | Jumps to `target` if `vx >= vy` |
| `if-gt vx, vy, target` | Jumps to `target` if `vx > vy` |
| `if-le vx, vy, target` | Jumps to `target` if `vx <= vy` |
### GOTO
| **Command** | **Description** | **Example (Java/Smali)** |
| --------------- | ---------------------------------------------------------------------- | ------------------------ |
| `goto label` | Unconditionally jumps to the specified label in the code. | `goto :label_1` |
| `goto/16 label` | Unconditionally jumps to a label, used when the target is far in code. | `goto/16 :label_2` |
| `goto/32 label` | Unconditionally jumps to a label for even farther targets. | `goto/32 :label_3` |
## Methods - Objects
Here’s a table summarizing the commands and descriptions for invoking methods in Java/Smali:
### **Method Invocation**
Different instructions are used depending on whether you are invoking a method statically, virtually, or on an interface.
* **`invoke-virtual`**: Calls a method on an object instance(public method).
* **`invoke-static`**: Calls a static method.
* **`invoke-direct`**: Calls a method on the current object directly (private)(typically constructors).
**Example**:
{% code overflow="wrap" %}
```smali
invoke-static {}, Ljava/lang/System;->gc()V # Invokes the static method 'gc' from System class
```
{% endcode %}
{% code overflow="wrap" %}
```smali
invoke-virtual {v0}, Ljava/lang/String;->length()I # Call the length() method on a String object stored in v0
```
{% endcode %}
### Method Definitions
A method in Smali starts with a `.method` directive and is followed by the method signature, return type, and parameters.
**Example**:
```smali
.method public myMethod(I)V # A method named 'myMethod' that takes an integer and returns void
.locals 1 # Defines 1 local register
return-void # Return from the method
.end method
```
***
## **Constants and Assignments**
Smali allows assigning constant values to registers using the `const` family of instructions.
* **const/4**: Load a 4-bit constant into a register.
* **const/16**: Load a 16-bit constant.
* **const/high16**: Load a high 16-bit constant.
**Example**:
```smali
const/4 v0, 0x1 # Assign the constant 1 to register v0
const-string v1, "Hello" # Assign the string "Hello" to register v1
```
***
## **Arrays**
In Smali, arrays are handled with the `new-array` instruction, which creates an array and stores it in a register. Elements are accessed via the `aget` and `aput` instructions.
**Example**:
```smali
const/4 v0, 3 # Define array length
new-array v1, v0, [I # Create an integer array of length 3
aput v0, v1, 0 # Assign value v0 to array index 0
aget v2, v1, 1 # Load the value from index 1 into v2
```
***
## **Other Instructions**
* **`move`**: Moves the value from one register to another.
* **`return-void`**: Returns from a method with no value.
* **`return`**: Returns a value from a method.
**Example**:
```smali
move v0, v1 # Move the value of v1 to v0
return-void # End the method with no return value
```
## Useful SMALI snippets
### **Printing Variables/Return Values Using `System.out.println`**
This is a simple and effective way to print variables such as passwords, secrets, or comparison values to logcat. By injecting a `System.out.println` statement into the Smali code, you can monitor the output of specific values in the application logs.
**Java Code:**
```java
String password = "Pa%%w0rd!";
System.out.println(password);
```
**Smali Equivalent:**
You can print the value of a variable by loading it into a register (e.g., `v0`), then using `sget-object` and `invoke-virtual` to print it.
```smali
.line 14
const-string v0, "Pa%%w0rd!"
.line 15
.local v0, "password":Ljava/lang/String;
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
```
After inserting this code into the Smali file, you can run the app and check the logcat output to see the printed value, which can be useful for debugging or extracting sensitive data.
### **Printing Byte Values as Base64 Encoded Strings**
Often, cryptographic functions store sensitive data like keys or initialization vectors (IVs) as byte arrays. To print these byte arrays in a readable format, you can encode them as Base64 strings and output them.
**Java Code:**
```java
System.out.println(Base64.encodeToString(, Base64.DEFAULT));
```
**Smali Equivalent:**
Insert the following code into the existing Smali code. Ensure that the register (`v5` in this case) refers to the correct byte array.
```smali
.line 14
const-string v0, "Pa%%w0rd!"
.line 15
.local v0, "password":Ljava/lang/String;
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
# Base64 encoding of byte array
const/4 v5, 0x0 # Reference to your byte array
invoke-static {v2, v5}, Landroid/util/Base64;->encodeToString([BI)Ljava/lang/String;
move-result-object v5
# Print the encoded string
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v5}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
```
This will print the byte array as a Base64-encoded string, making it easier to inspect and understand cryptographic data. You can insert this snippet into any Smali file where byte arrays are processed.
## References
{% embed url="" %}
