安卓smali语法.docx

1、安卓smali语法Opcode (hex)Opcode nameExplanationExample00nopNo operation0000 - nop 01move vx,vyMoves the content of vy into vx. Both registers must be in the first 256 register range.0110 - move v0, v1Moves v1 into v0.02move/from16 vx,vyMoves the content of vy into vx. vy may be in the 64k register range

2、 while vx is one of the first 256 registers.0200 1900 - move/from16 v0, v25Moves v25 into v0.03move/1604move-wide 05move-wide/from16 vx,vyMoves a long/double value from vy to vx. vy may be in the 64k register range while wx is one of the first 256 registers.0516 0000 - move-wide/from16 v22, v0Moves

3、v0 into v22.06move-wide/1607move-object vx,vyMoves the object reference from vy to vx.0781 - move-object v1, v8Moves the object reference in v8 to v1.08move-object/from16 vx,vyMoves the object reference from vy to vx, vy can address 64k registers and vx can address 256 registers.0801 1500 - move-obj

4、ect/from16 v1, v21Move the object reference in v21 to v1.09move-object/160Amove-result vxMove the result value of the previous method invocation into vx.0A00 - move-result v0Move the return value of a previous method invocation into v0.0Bmove-result-wide vxMove the long/double result value of the pr

5、evious method invocation into vx,vx+1.0B02 - move-result-wide v2Move the long/double result value of the previous method invocation into v2,v3.0Cmove-result-object vxMove the result object reference of the previous method invocation into vx.0C00 - move-result-object v00Dmove-exception vxMove the exc

6、eption object reference thrown during a method invocation into vx. 0D19 - move-exception v250Ereturn-voidReturn without a return value0E00 - return-void0Freturn vxReturn with vx return value0F00 - return v0Returns with return value in v0.10return-wide vxReturn with double/long result in vx,vx+1.1000

7、 - return-wide v0Returns with a double/long value in v0,v1.11return-object vxReturn with vx object reference value.1100 - return-object v0Returns with object reference value in v012const/4 vx,lit4Puts the 4 bit constant into vx1221 - const/4 v1, #int2Moves literal 2 into v1. The destination register

8、 is in the lower 4 bit in the second byte, the literal 2 is in the higher 4 bit.13const/16 vx,lit16Puts the 16 bit constant into vx1300 0A00 - const/16 v0, #int 10Puts the literal constant of 10 into v0.14const vx, lit32Puts the integer constant into vx1400 4E61 BC00 - const v0, #12345678 / #00BC614

9、EMoves literal 12345678 into v0.15const/high16 v0, lit16Puts the 16 bit constant into the topmost bits of the register. Used to initialize float values.1500 2041 - const/high16 v0, #float 10.0 / #41200000Moves the floating literal of 10.0 into v0. The 16 bit literal in the instruction carries the to

10、p 16 bits of the floating point number.16const-wide/16 vx, lit16Puts the integer constant into vx and vx+1 registers, expanding the integer constant into a long constant.1600 0A00 - const-wide/16 v0, #long 10Moves literal 10 into v0 and v1 registers.17const-wide/32 vx, lit32Puts the 32 bit constant

11、into vx and vx+1 registers, expanding the integer constant into a long constant.1702 4e61 bc00 - const-wide/32 v2, #long 12345678 / #00bc614ePuts #12345678 into v2 and v3 registers.18const-wide vx, lit64Puts the 64 bit constant into vx and vx+1 registers.1802 874b 6b5d 54dc 2b00- const-wide v2, #lon

12、g 12345678901234567 / #002bdc545d6b4b87Puts #12345678901234567 into v2 and v3 registers.19const-wide/high16 vx,lit16Puts the 16 bit constant into the highest 16 bit of vx and vx+1 registers. Used to initialize double values.1900 2440 - const-wide/high16 v0, #double 10.0 / #402400000Puts the double c

13、onstant of 10.0 into v0 register.1Aconst-string vx,string_idPuts reference to a string constant identified by string_id into vx.1A08 0000 - const-string v8, / string0000Puts reference to string0000 (entry #0 in the string table) into v8.1Bconst-string-jumbo1Cconst-class vx,type_idMoves the class obj

14、ect of a class identified by type_id (e.g. Object.class) into vx.1C00 0100 - const-class v0, Test3 / type0001Moves reference to Test3.class (entry#1 in the type id table) into 1Dmonitor-enter vxObtains the monitor of the object referenced by vx.1D03 - monitor-enter v3Obtains the monitor of the objec

15、t referenced by v3.1Emonitor-exitReleases the monitor of the object referenced by vx.1E03 - monitor-exit v3Releases the monitor of the object referenced by v3.1Fcheck-cast vx, type_idChecks whether the object reference in vx can be cast to an instance of a class referenced by type_id. Throws ClassCa

16、stException if the cast is not possible, continues execution otherwise.1F04 0100 - check-cast v4, Test3 / type0001Checks whether the object reference in v4 can be cast to type0001 (entry #1 in the type id table)20instance-of vx,vy,type_idChecks whether vy is instance of a class identified by type_id

17、. Sets vx non-zero if it is, 0 otherwise.2040 0100 - instance-of v0, v4, Test3 / type0001Checks whether the object reference in v4 is an instance of type0001 (entry #1 in the type id table). Sets v0 to non-zero if v4 is instance of Test3, 0 otherwise.21array-length vx,vyCalculates the number of elem

18、ents of the array referenced by vy and puts the length value into vx.2111 - array-length v1, v1Calculates the number of elements of the array referenced by v1 and puts the result into v1.22new-instance vx,typeInstantiates an object type and puts the reference of the newly created instance into vx.22

19、00 1500 - new-instance v0, java.io.FileInputStream / type0015Instantiates type0015 (entry #15H in the type table) and puts its reference into v0.23new-array vx,vy,type_idGenerates a new array of type_id type and vy element size and puts the reference to the array into vx.2312 2500 - new-array v2, v1

20、, char / type0025Generates a new array of type0025 type and v1 size and puts the reference to the new array into v2.24filled-new-array parameters,type_idGenerates a new array of type_id and fills it with the parameters5. Reference to the newly generated array can be obtained by a move-result-object

21、instruction, immediately following the filled-new-array instruction.2420 530D 0000 - filled-new-array v0,v0,I / type0D53Generates a new array of type0D53. The arrays size will be 2 and both elements will be filled with the contents of v0 register.25filled-new-array-range vx.vy,type_idGenerates a new

22、 array of type_id and fills it with a range of parameters. Reference to the newly generated array can be obtained by a move-result-object instruction, immediately following the filled-new-array instruction. 2503 0600 1300 - filled-new-array/range v19.v21, B / type0006Generates a new array of type0D5

23、3. The arrays size will be 3 and the elements will be filled using the v19,v20 and v21 registers4.26fill-array-data vx,array_data_offsetFills the array referenced by vx with the static data. The location of the static data is the sum of the position of the current instruction and the offset2606 2500

24、 0000 - fill-array-data v6, 00e6 / +0025Fills the array referenced by v0 with the static data at current instruction+25H words location. The offset is expressed as a 32-bit number. The static data is stored in the following format:0003 / Table type: static array data0400 / Byte per array element (in

25、 this case, 4 byte integers)0300 0000 / Number of elements in the table0100 0000 / Element #0: integer 10200 0000 / Element #1: integer 20300 0000 / Element #2: integer327throw vxThrows an exception object. The reference of the exception object is in vx.2700 - throw v0Throws an exception. The except

26、ion object reference is in v0.28goto targetUnconditional jump by short offset2. 28F0 - goto 0005 / -0010Jumps to current position-16 words (hex 10). 0005 is the label of the target instruction.29goto/16 targetUnconditional jump by 16 bit offset2.2900 0FFE - goto/16 002f / -01f1Jumps to the current p

27、osition-1F1H words. 002F is the label of the target instruction.2Agoto/32 target2Bpacked-switch vx,tableImplements a switch statement where the case constants are close to each other. The instruction uses an index table. vx indexes into this table to find the offset of the instruction for a particul

28、ar case. If vx falls out of the index table, the execution continues on the next instruction (default case).2B02 0C00 0000 - packed-switch v2, 000c / +000cExecute a packed switch according to the switch argument in v2. The position of the index table is at current instruction+0CH words. The table lo

29、oks like the following:0001 / Table type: packed switch table0300 / number of elements0000 0000 / element base0500 0000 0: 00000005 / case 0: +000000050700 0000 1: 00000007 / case 1: +000000070900 0000 2: 00000009 / case 2: +000000092Csparse-switch vx,tableImplements a switch statement with sparse c

30、ase table. The instruction uses a lookup table with case constants and offsets for each case constant. If there is no match in the table, execution continues on the next instruction (default case).2C02 0c00 0000 - sparse-switch v2, 000c / +000cExecute a sparse switch according to the switch argument

31、 in v2. The position of the lookup table is at current instruction+0CH words. The table looks like the following.0002 / Table type: sparse switch table0300 / number of elements9cff ffff / first case: -100fa00 0000 / second case constant: 250e803 0000 / third case constant: 10000500 0000 / offset for the first case constant: +50700 0000 / offset for the second case constant: +70900 0000 / offset for the third case constant: +92Dcmpl-floa