SMALI Cheat Sheet

Little Help with SMALI

Last updated 7 months ago

Smali is the human-readable assembly representation of Android's Dalvik (DEX) bytecode, the form you get from baksmali and feed back to smali when patching an APK. This guide organizes the most important instructions and concepts into a compact, easy-to-read reference covering types, registers, operators, control flow, method calls and a few snippets that are useful while analysing an app.

Smali File Structure

Types

Syntax | Meaning
------ | -------
V | void
Z | boolean
B | byte
S | short
C | char
F | float
I | int
J | long (64-bit)
D | double (64-bit)
[ | array (e.g. [B → byte[], [[I → int[][])
L | fully qualified class name, terminated by ; (e.g. Ljava/lang/String;)

Registers / Variables / Assigning

In Dalvik, registers are always 32 bits wide and can hold a value of any type; 64-bit types (long and double) occupy a pair of adjacent registers. There are two kinds of register names:

  • Local registers (vx): used for local variables and temporary values.

  • Parameter registers (px): hold the method's incoming parameters; in a non-static method p0 is the this reference and the declared parameters start at p1.

Local (vx) | Param (px)
---------- | ----------
v0 | p0
v1 | p1
v2 | p2
v3 | p3
v(...) | p(...)

Command | Description | Example (Java / Smali)
------- | ----------- | ----------------------
move vx, vy | Moves the content of vy into vx. | int a = b; → move v0, v1
const/4 vx, lit4 | Puts a signed 4-bit constant (-8 to 7) into vx. For larger values use const/16 or const. | int level = 3; → const/4 v0, 0x3
new-array vx, vy, type_id | Allocates an array of type type_id with vy elements and stores the reference in vx. | byte[] bArr = new byte[5]; → const/4 v0, 0x5; new-array v0, v0, [B
const vx, lit32 | Puts a 32-bit integer constant into vx. | int level = 10000; → const v0, 0x2710
const-string vx, string_id | Puts a reference to the string constant string_id into vx. | String name = "Player"; → const-string v5, "Player"
iget vx, vy, field_id | Reads an instance field of the object referenced by vy into vx. | return this.highScore; → iget v0, p0, Lde/fgerbig/spacepeng/services/Profile;->highScore:I; return v0
iput vx, vy, field_id | Writes vx into an instance field of the object referenced by vy. | this.lastPlayedLevel = lastPlayedLevel2; → iput p1, p0, Lde/fgerbig/spacepeng/services/Profile;->lastPlayedLevel:I

Local Registers and Types

Local registers start at v0 and go up as needed (e.g. v0 to v6). Not all of them correspond to source-level variables; some are temporaries the compiler introduced for intermediate values.

When baksmali keeps debug information, a .local directive names the variable a register holds and gives its type. Reference types begin with L, for example:

  • Ljava/lang/String; → the String class

Extra registers such as v5 typically appear where the compiler needed a scratch slot, for instance to hold the result of an sget-object before passing it to a method.

Operators

Command | Description | Example (Java / Smali)
------- | ----------- | ----------------------
add-int vx, vy, vz | Calculates vy + vz and puts the result into vx. | score = score + 1; → add-int/lit8 v5, v5, 0x1
sub-int vx, vy, vz | Calculates vy - vz and puts the result into vx. There is no sub-int/lit8; subtracting a literal is compiled as adding its negative (or as rsub-int). | score = score - 1; → add-int/lit8 v5, v5, -0x1
mul-int vx, vy, vz | Multiplies vy by vz and puts the result into vx. | bonus = bonus * 50; → mul-int/lit8 v6, v1, 0x32
div-int vx, vy, vz | Divides vy by vz and puts the result into vx. | bonus = bonus / 2; → div-int/lit8 v4, v1, 0x2
rem-int vx, vy, vz | Calculates vy % vz and puts the result into vx. | Math.abs(step2 % 4); → rem-int/lit8 v0, p1, 0x4
and-int vx, vy, vz | Calculates vy AND vz and puts the result into vx. | int result = b & 127; → and-int/lit8 v1, p3, 0x7f
or-int vx, vy, vz | Calculates vy OR vz and puts the result into vx. | int result = b \| ... (example truncated in the source)
xor-int vx, vy, vz | Calculates vy XOR vz and puts the result into vx. | key = a ^ b; → xor-int v1, v2, v3

The /lit8 and /lit16 forms take an 8- or 16-bit literal in place of vz; the /2addr forms (e.g. add-int/2addr vx, vy) use vx as both destination and first operand.

IF - ELSE - GOTO

Comparison with 0

Syntax | Description
------ | -----------
if-eqz vx, target | Jumps to target if vx == 0
if-nez vx, target | Jumps to target if vx != 0
if-ltz vx, target | Jumps to target if vx < 0
if-gez vx, target | Jumps to target if vx >= 0
if-gtz vx, target | Jumps to target if vx > 0
if-lez vx, target | Jumps to target if vx <= 0

Comparison against a register

The conditional branches that compare two registers:

Syntax | Description
------ | -----------
if-eq vx, vy, target | Jumps to target if vx == vy
if-ne vx, vy, target | Jumps to target if vx != vy
if-lt vx, vy, target | Jumps to target if vx < vy
if-ge vx, vy, target | Jumps to target if vx >= vy
if-gt vx, vy, target | Jumps to target if vx > vy
if-le vx, vy, target | Jumps to target if vx <= vy

GOTO

Command | Description | Example (Java / Smali)
------- | ----------- | ----------------------
goto label | Unconditionally jumps to the specified label. | goto :label_1
goto/16 label | Unconditional jump with a 16-bit offset, used when the target is far away in the code. | goto/16 :label_2
goto/32 label | Unconditional jump with a 32-bit offset, for even farther targets. | goto/32 :label_3

Methods - Objects

The instructions used to invoke methods and read static fields:

Command | Description | Example (Java / Smali)
------- | ----------- | ----------------------
invoke-virtual {parameters}, methodtocall | Invokes an instance method with normal virtual dispatch. | this.ds.increaseScore(value); → invoke-virtual {v5, v6}, Lde/fgerbig/spacepeng/systems/DirectorSystem;->increaseScore(I)V
invoke-direct {parameters}, methodtocall | Invokes an instance method without virtual resolution (private methods and constructors). | DoubleShot doubleShot = new DoubleShot(); → invoke-direct {v0}, Lde/fgerbig/spacepeng/components/powerup/DoubleShot;-><init>()V
invoke-static {parameters}, methodtocall | Invokes a static method. | MathUtils.random((float) MIN_DELAY, (float) MAX_DELAY); → invoke-static {v0, v1}, Lcom/example/MathUtils;->random(FF)F
invoke-interface {parameters}, methodtocall | Invokes an interface method. | it.hasNext(); → invoke-interface {v3}, Ljava/util/Iterator;->hasNext()Z
sget-object vx, field_id | Reads a static object field into vx. | String name = MyClass.staticField; → sget-object v0, Lcom/example/MyClass;->staticField:Ljava/lang/String;

Method Invocation

Different instructions are used depending on whether you are invoking a method statically, virtually, or on an interface. The register list in braces always starts with the receiver (this) for instance calls, followed by the arguments.

  • invoke-virtual: calls a non-private instance method on an object, with virtual dispatch.

  • invoke-static: calls a static method (no receiver register).

  • invoke-direct: calls an instance method on the given object without virtual dispatch; used for private methods and constructors (<init>).

Example:

invoke-static {}, Ljava/lang/System;->gc()V  # Invokes the static method 'gc' from System class
invoke-virtual {v0}, Ljava/lang/String;->length()I   # Call the length() method on a String object stored in v0
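Reading an invoke line by hand means decoding the type descriptors from the Types table and checking that the register list in braces has the right length. The following Python helper, added here as an example and not part of the original cheat sheet, parses a method reference in the form written after invoke-* into a Java-style signature and computes how many argument registers the call must pass (this unless static, one per parameter, two for long/double). The method references in the sample are taken from the tables above; the function names and the regular expression are the example's own.

```python
import re

# Primitive descriptors from the Types table above.
PRIMITIVES = {
    "V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
    "F": "float", "I": "int", "J": "long", "D": "double",
}
WIDE = {"long", "double"}  # these occupy two registers


def parse_type(desc: str, pos: int = 0):
    """Parse one type descriptor at desc[pos:]; return (java_name, position after it)."""
    dims = 0
    while pos < len(desc) and desc[pos] == "[":   # leading '[' per array dimension
        dims += 1
        pos += 1
    if pos >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":                                 # Lpkg/Cls; up to the ';'
        end = desc.find(";", pos)
        if end == -1:
            raise ValueError("class descriptor without ';': %r" % desc)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError("unknown descriptor char %r in %r" % (c, desc))
    return name + "[]" * dims, pos


def parse_type_list(desc: str):
    """Parse a concatenated parameter list such as '[BI' -> ['byte[]', 'int']."""
    types, pos = [], 0
    while pos < len(desc):
        t, pos = parse_type(desc, pos)
        types.append(t)
    return types


# Lcom/pkg/Cls;->name(params)ret  (the reference as written after invoke-*)
METHOD_REF = re.compile(r"^(L[^;]+;)->([^(]+)\(([^)]*)\)(.+)$")


def describe_method(ref: str) -> str:
    """Render a Smali method reference as a Java-style signature."""
    m = METHOD_REF.match(ref)
    if not m:
        raise ValueError("not a method reference: %r" % ref)
    cls, name, params, ret = m.groups()
    return "%s %s.%s(%s)" % (
        parse_type(ret)[0], parse_type(cls)[0], name,
        ", ".join(parse_type_list(params)))


def argument_registers(ref: str, is_static: bool) -> int:
    """Number of registers the {...} list of an invoke must contain."""
    m = METHOD_REF.match(ref)
    if not m:
        raise ValueError("not a method reference: %r" % ref)
    n = 0 if is_static else 1                      # receiver register for instance calls
    for t in parse_type_list(m.group(3)):
        n += 2 if t in WIDE else 1                 # long/double take a register pair
    return n


if __name__ == "__main__":
    for ref in (
        "Ljava/io/PrintStream;->println(Ljava/lang/String;)V",
        "Landroid/util/Base64;->encodeToString([BI)Ljava/lang/String;",
        "Lcom/example/MathUtils;->random(FF)F",
    ):
        print(describe_method(ref))
```

A quick sanity check while patching: if argument_registers() disagrees with the number of registers you wrote in the braces, smali will reject the file or, worse, the call will pass the wrong values.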

Method Definitions

A method in Smali starts with a .method directive and is followed by the method signature, return type, and parameters.

Example:

.method public myMethod(I)V  # A method named 'myMethod' that takes an integer and returns void
    .locals 1                    # Defines 1 local register
    return-void                  # Return from the method
.end method

Constants and Assignments

Smali allows assigning constant values to registers using the const family of instructions.

  • const/4: loads a signed 4-bit literal (-8 to 7) into a register.

  • const/16: loads a signed 16-bit literal.

  • const/high16: loads a 16-bit literal into the upper half of the register, with the low 16 bits set to zero (commonly used for float constants such as 1.0f = 0x3f800000); plain const takes a full 32-bit literal.

Example:

    const/4 v0, 0x1   # Assign the constant 1 to register v0
    const-string v1, "Hello"  # Assign the string "Hello" to register v1
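Which const variant the compiler emits depends only on the value. The Python helper below, added here as an example and not part of the original cheat sheet, picks the narrowest encoding for a 32-bit integer and formats the instruction in smali syntax; float_bits() shows why float literals such as 1.0f end up as const/high16. Any wider form is also legal, which is why the table earlier shows const v0, 0x2710 for 10000 even though const/16 would fit. Function names are the example's own.

```python
import struct


def pick_const(value: int) -> str:
    """Narrowest const variant able to load the 32-bit integer `value`."""
    if not -2**31 <= value < 2**31:
        raise ValueError("%d does not fit in 32 bits; long needs const-wide" % value)
    if -8 <= value <= 7:                 # 4-bit signed literal
        return "const/4"
    if -2**15 <= value < 2**15:          # 16-bit signed literal
        return "const/16"
    if value & 0xFFFF == 0:              # only the upper 16 bits are non-zero
        return "const/high16"
    return "const"                       # full 32-bit literal


def const_instruction(reg: str, value: int) -> str:
    """Full instruction text, e.g. const_instruction('v0', 10000) -> 'const/16 v0, 0x2710'.
    smali writes negative literals with a leading minus, e.g. -0x1."""
    literal = ("-0x%x" if value < 0 else "0x%x") % abs(value)
    return "%s %s, %s" % (pick_const(value), reg, literal)


def float_bits(f: float) -> int:
    """IEEE-754 bit pattern of a float, which is what the register actually holds."""
    return struct.unpack("<I", struct.pack("<f", f))[0]


if __name__ == "__main__":
    for v in (1, 12, 10000, 0x8000, float_bits(1.0)):
        print(const_instruction("v0", v))
```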

Arrays

In Smali, arrays are created with the new-array instruction, which allocates an array and stores its reference in a register. Elements are read and written with aget and aput; both take the index from a register, never as an inline literal. array-length reads the length of an array into a register.

Example:

    const/4 v0, 0x3           # array length
    new-array v1, v0, [I      # create an int[] of length 3 in v1
    const/4 v2, 0x0           # index 0
    aput v0, v1, v2           # v1[0] = v0 (stores the value 3)
    const/4 v2, 0x1           # index 1
    aget v3, v1, v2           # v3 = v1[1]

Other Instructions

  • move: Moves the value from one register to another.

  • return-void: Returns from a method with no value.

  • return: Returns a value from a method.

Example:

    move v0, v1    # Move the value of v1 to v0
    return-void    # End the method with no return value

Useful SMALI snippets

Printing Variables/Return Values Using System.out.println

This is a simple and effective way to print variables such as passwords, secrets, or comparison values to logcat. By injecting a System.out.println statement into the Smali code, you can monitor the output of specific values in the application logs.

Java Code:

String password = "Pa%%w0rd!";
System.out.println(password);

Smali Equivalent:

You can print the value of a variable by loading it into a register (e.g., v0), then using sget-object and invoke-virtual to print it.

.line 14
const-string v0, "Pa%%w0rd!"
.line 15
.local v0, "password":Ljava/lang/String;
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

After inserting this code into the Smali file, you can run the app and check the logcat output to see the printed value, which can be useful for debugging or extracting sensitive data.

Printing Byte Values as Base64 Encoded Strings

Often, cryptographic functions store sensitive data like keys or initialization vectors (IVs) as byte arrays. To print these byte arrays in a readable format, you can encode them as Base64 strings and output them.

Java Code:

System.out.println(Base64.encodeToString(<byte array>, Base64.DEFAULT));

Smali Equivalent:

Insert the following code after the instruction that produces the byte array. Make sure the register holding it (v5 in this case) really refers to the byte array, that the scratch registers used here (v1, v2) are not still live at that point, and that the method's .locals count covers every register you use.

.line 14
const-string v0, "Pa%%w0rd!"
.line 15
.local v0, "password":Ljava/lang/String;
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

# Base64-encode the byte array held in v5 (do not overwrite v5 first)
const/4 v2, 0x0   # Base64.DEFAULT == 0 (flags argument)
invoke-static {v5, v2}, Landroid/util/Base64;->encodeToString([BI)Ljava/lang/String;
move-result-object v2   # v2 now holds the encoded String; v5 keeps the byte array

# Print the encoded string
sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
invoke-virtual {v1, v2}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

This will print the byte array as a Base64-encoded string, making it easier to inspect and understand cryptographic data. You can insert this snippet into any Smali file where byte arrays are processed.
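The most common way these injected snippets fail is a register that the method does not declare: after pasting code that uses v5 into a method with .locals 2, smali refuses to assemble (or the verifier rejects the class at install time). The Python script below, added here as an example and not part of the original cheat sheet, parses a method written in baksmali's .locals form, checks every vN and pN in the body against the .locals count and the parameter list, and bumps .locals when needed. The sample method is constructed for the example (it is not from a real app); function names and regular expressions are the example's own, and methods written with .registers instead of .locals are not handled.

```python
import re

# Constructed sample (not from a real app): the println injection from this page
# pasted into a method whose .locals count does not cover the v5 scratch register.
SAMPLE_METHOD = """\
.method private check(Ljava/lang/String;)Z
    .locals 2
    const-string v0, "Pa%%w0rd!"
    sget-object v1, Ljava/lang/System;->out:Ljava/io/PrintStream;
    invoke-virtual {v1, v0}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    invoke-virtual {v1, v5}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
"""

HEADER = re.compile(
    r"^\s*\.method\s+(?P<mods>(?:\w+\s+)*)(?P<name>\S+?)\((?P<params>[^)]*)\)\S+", re.M)
LOCALS = re.compile(r"\.locals\s+(\d+)")
REG = re.compile(r"\b([vp])(\d+)\b")


def param_registers(params: str, is_static: bool) -> int:
    """Registers taken by the parameters: 'this' unless static, one per type, two for J/D."""
    n = 0 if is_static else 1
    for m in re.finditer(r"\[*(L[^;]+;|[ZBSCFIJD])", params):
        wide = m.group(1) in ("J", "D") and not m.group(0).startswith("[")
        n += 2 if wide else 1
    return n


def audit_registers(method_text: str) -> dict:
    """Check every vN/pN in the body against .locals and the parameter count."""
    h, loc = HEADER.search(method_text), LOCALS.search(method_text)
    if not h or not loc:
        raise ValueError("need a .method header and a .locals directive")
    n_locals = int(loc.group(1))
    n_params = param_registers(h.group("params"), "static" in h.group("mods").split())
    problems, max_v = [], -1
    for kind, num in REG.findall(method_text[h.end():]):
        idx = int(num)
        if kind == "v":
            max_v = max(max_v, idx)
            if idx >= n_locals:
                problems.append("v%d used but .locals %d only provides v0..v%d"
                                % (idx, n_locals, n_locals - 1))
        elif idx >= n_params:
            problems.append("p%d used but the method has only %d parameter register(s)"
                            % (idx, n_params))
    return {"locals": n_locals, "params": n_params, "max_v": max_v,
            "problems": sorted(set(problems))}


def bump_locals(method_text: str) -> str:
    """Raise .locals so every vN in the body exists. pN names stay valid because
    in the .locals form the assembler places parameters above the locals."""
    r = audit_registers(method_text)
    needed = r["max_v"] + 1
    if needed <= r["locals"]:
        return method_text
    return LOCALS.sub(".locals %d" % needed, method_text, count=1)


if __name__ == "__main__":
    print(audit_registers(SAMPLE_METHOD)["problems"])
    print(bump_locals(SAMPLE_METHOD))
```

Raising .locals is safe for the pN names, but it does not tell you whether a vN you reused was still live in the original code; that check is still yours to make by reading the surrounding instructions.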

References

  • Dalvik opcodes