[Android Security] Dalvik Bytecode Opcode Reference Table

In the table below, Vx denotes a Dalvik register. According to the documentation, registers are addressed in three widths: Vx covers V0-16, Vxx covers V17-256 and Vxxxx covers V257-65535. A long or double value occupies two registers; a double can, for example, be stored in V0 and V1.
Boolean values are stored as 1 and 0, and operations on booleans are carried out as integer operations.
All examples are written in big-endian byte order; for example, 0F00 0A00 is encoded as the bytes 0F, 00, 0A, 00 in that order.

Note: some entries have no explanation, which means we found no public information about them; their names come from the
Android opcode constant list.

Columns: Opcode (hex), Opcode name, Explanation, Example. Each entry below gives the opcode and name on the first line, the explanation on the next, and then the example encoding with its mnemonic and a description.

00  nop
    No operation.
    Example: 0000 - nop

01  move vx,vy
    Moves the content of vy into vx. Both registers must be in the first 256 register range.
    Example: 0110 - move v0, v1
    Moves v1 into v0.

02  move/from16 vx,vy
    Moves the content of vy into vx. vy may be in the 64k register range while vx is one of the first 256 registers.
    Example: 0200 1900 - move/from16 v0, v25
    Moves v25 into v0.

03  move/16
    (not documented; name taken from the Android opcode constant list)

04  move-wide
    (not documented; name taken from the Android opcode constant list)

05  move-wide/from16 vx,vy
    Moves a long/double value from vy to vx. vy may be in the 64k register range while vx is one of the first 256 registers.
    Example: 0516 0000 - move-wide/from16 v22, v0
    Moves v0 into v22.

06  move-wide/16
    (not documented; name taken from the Android opcode constant list)

07  move-object vx,vy
    Moves the object reference from vy to vx.
    Example: 0781 - move-object v1, v8
    Moves the object reference in v8 to v1.

08  move-object/from16 vx,vy
    Moves the object reference from vy to vx; vy can address 64k registers and vx can address 256 registers.
    Example: 0801 1500 - move-object/from16 v1, v21
    Moves the object reference in v21 to v1.

09  move-object/16
    (not documented; name taken from the Android opcode constant list)

0A  move-result vx
    Moves the result value of the previous method invocation into vx.
    Example: 0A00 - move-result v0
    Moves the return value of the previous method invocation into v0.

0B  move-result-wide vx
    Moves the long/double result value of the previous method invocation into vx,vx+1.
    Example: 0B02 - move-result-wide v2
    Moves the long/double result value of the previous method invocation into v2,v3.

0C  move-result-object vx
    Moves the result object reference of the previous method invocation into vx.
    Example: 0C00 - move-result-object v0

0D  move-exception vx
    Moves the exception object reference thrown during a method invocation into vx.
    Example: 0D19 - move-exception v25

0E  return-void
    Returns without a return value.
    Example: 0E00 - return-void

0F  return vx
    Returns with vx as the return value.
    Example: 0F00 - return v0
    Returns with the return value in v0.

10  return-wide vx
    Returns with the double/long result in vx,vx+1.
    Example: 1000 - return-wide v0
    Returns with a double/long value in v0,v1.

11  return-object vx
    Returns with the object reference in vx as the return value.
    Example: 1100 - return-object v0
    Returns with the object reference value in v0.

12  const/4 vx,lit4
    Puts the 4 bit constant into vx.
    Example: 1221 - const/4 v1, #int 2
    Moves literal 2 into v1. The destination register is in the lower 4 bits of the second byte, the literal 2 in the higher 4 bits.

13  const/16 vx,lit16
    Puts the 16 bit constant into vx.
    Example: 1300 0A00 - const/16 v0, #int 10
    Puts the literal constant 10 into v0.

14  const vx, lit32
    Puts the 32 bit integer constant into vx.
    Example: 1400 4E61 BC00 - const v0, #12345678 // #00BC614E
    Moves literal 12345678 into v0.

15  const/high16 vx, lit16
    Puts the 16 bit constant into the topmost 16 bits of the register. Used to initialize float values.
    Example: 1500 2041 - const/high16 v0, #float 10.0 // #41200000
    Moves the float literal 10.0 into v0. The 16 bit literal in the instruction carries the top 16 bits of the floating point number.

16  const-wide/16 vx, lit16
    Puts the integer constant into the vx and vx+1 registers, expanding the integer constant into a long constant.
    Example: 1600 0A00 - const-wide/16 v0, #long 10
    Moves literal 10 into the v0 and v1 registers.

17  const-wide/32 vx, lit32
    Puts the 32 bit constant into the vx and vx+1 registers, expanding the integer constant into a long constant.
    Example: 1702 4e61 bc00 - const-wide/32 v2, #long 12345678 // #00bc614e
    Puts #12345678 into the v2 and v3 registers.

18  const-wide vx, lit64
    Puts the 64 bit constant into the vx and vx+1 registers.
    Example: 1802 874b 6b5d 54dc 2b00 - const-wide v2, #long 12345678901234567 // #002bdc545d6b4b87
    Puts #12345678901234567 into the v2 and v3 registers.

19  const-wide/high16 vx,lit16
    Puts the 16 bit constant into the highest 16 bits of the vx and vx+1 registers. Used to initialize double values.
    Example: 1900 2440 - const-wide/high16 v0, #double 10.0 // #402400000
    Puts the double constant 10.0 into the v0 register.

1A  const-string vx,string_id
    Puts a reference to the string constant identified by string_id into vx.
    Example: 1A08 0000 - const-string v8, "" // string@0000
    Puts a reference to string@0000 (entry #0 in the string table) into v8.

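As an added illustration (not code from the original table), the Python below decodes the example encodings of the move, const and goto entries above back into the mnemonics the table shows. It reads the bytes in the order the table writes them, groups each pair into one 16-bit code unit with the low byte first, takes the opcode from the low byte of the first unit and the register or register-plus-literal nibbles from its high byte, and reads longer literals from the following units. The format tags (12x, 22x, 11x, 11n, 21s, 31i, 21h, 21c, 10t, 20t) follow the Dalvik instruction-format naming; the OPCODES subset and the instruction addresses used for the goto targets are assumptions made for this example.

```python
import struct

# Subset of the opcode table above, keyed by opcode byte:
# mnemonic and Dalvik instruction-format name (assumed for this example).
OPCODES = {
    0x01: ("move", "12x"),
    0x02: ("move/from16", "22x"),
    0x05: ("move-wide/from16", "22x"),
    0x07: ("move-object", "12x"),
    0x08: ("move-object/from16", "22x"),
    0x0A: ("move-result", "11x"),
    0x0F: ("return", "11x"),
    0x12: ("const/4", "11n"),
    0x13: ("const/16", "21s"),
    0x14: ("const", "31i"),
    0x15: ("const/high16", "21h"),
    0x16: ("const-wide/16", "21s"),
    0x19: ("const-wide/high16", "21h"),
    0x1A: ("const-string", "21c"),
    0x28: ("goto", "10t"),
    0x29: ("goto/16", "20t"),
}


def code_units(hex_text):
    """Read the table's 'ABCD EF01' notation byte by byte in the order written
    and group the bytes into 16-bit code units (low byte first)."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def signed(value, bits):
    """Reinterpret an unsigned field of `bits` width as two's complement."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(hex_text):
    """Return the mnemonic for one instruction given in the table's hex notation."""
    units = code_units(hex_text)
    op = units[0] & 0xFF    # low byte of the first code unit: the opcode
    aa = units[0] >> 8      # high byte: register(s), or register + 4-bit literal
    name, fmt = OPCODES[op]
    if fmt == "12x":        # low nibble = destination, high nibble = source
        return "%s v%d, v%d" % (name, aa & 0xF, aa >> 4)
    if fmt == "22x":        # 8-bit destination, 16-bit source in the next unit
        return "%s v%d, v%d" % (name, aa, units[1])
    if fmt == "11x":
        return "%s v%d" % (name, aa)
    if fmt == "11n":        # low nibble = destination, high nibble = signed literal
        return "%s v%d, #int %d" % (name, aa & 0xF, signed(aa >> 4, 4))
    if fmt == "21s":        # 16-bit signed literal; const-wide expands it to a long
        kind = "long" if name.startswith("const-wide") else "int"
        return "%s v%d, #%s %d" % (name, aa, kind, signed(units[1], 16))
    if fmt == "31i":        # 32-bit literal, low code unit first
        lit = units[1] | (units[2] << 16)
        return "%s v%d, #int %d" % (name, aa, signed(lit, 32))
    if fmt == "21h":        # literal is the top 16 bits of a float or double
        if name == "const/high16":
            val = struct.unpack(">f", struct.pack(">I", units[1] << 16))[0]
            return "%s v%d, #float %r" % (name, aa, val)
        val = struct.unpack(">d", struct.pack(">Q", units[1] << 48))[0]
        return "%s v%d, #double %r" % (name, aa, val)
    if fmt == "21c":        # 16-bit index into the string table
        return "%s v%d, string@%04x" % (name, aa, units[1])
    if fmt == "10t":        # signed 8-bit branch offset, in code units (words)
        return "%s %+d" % (name, signed(aa, 8))
    if fmt == "20t":        # signed 16-bit branch offset in the next unit
        return "%s %+d" % (name, signed(units[1], 16))
    raise ValueError("format %s not handled" % fmt)


def branch_target(pc, hex_text):
    """Absolute code-unit address a goto / goto/16 located at `pc` jumps to."""
    units = code_units(hex_text)
    op = units[0] & 0xFF
    if op == 0x28:
        return pc + signed(units[0] >> 8, 8)
    if op == 0x29:
        return pc + signed(units[1], 16)
    raise ValueError("not a goto instruction")


if __name__ == "__main__":
    for hex_text in ("0110", "0200 1900", "1221", "1400 4E61 BC00",
                     "1500 2041", "1900 2440", "28F0", "2900 0FFE"):
        print("%-16s %s" % (hex_text, decode(hex_text)))
    # With the goto placed at address 0x15 (assumed), the -16 word offset
    # lands on label 0005, as in the goto entry of the table.
    print("goto target: %04x" % branch_target(0x15, "28F0"))
```

The decoder deliberately keeps register numbers and literals separate from the opcode byte so that the nibble layout described in the const/4 entry is visible in one place; extending it to the remaining formats is a matter of adding rows to OPCODES and a branch per format.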
1B  const-string-jumbo
    (not documented; name taken from the Android opcode constant list)

1C  const-class vx,type_id
    Moves the class object of the class identified by type_id (e.g. Object.class) into vx.
    Example: 1C00 0100 - const-class v0, Test3 // type@0001
    Moves a reference to Test3.class (entry #1 in the type id table) into

1D  monitor-enter vx
    Obtains the monitor of the object referenced by vx.
    Example: 1D03 - monitor-enter v3
    Obtains the monitor of the object referenced by v3.

1E  monitor-exit vx
    Releases the monitor of the object referenced by vx.
    Example: 1E03 - monitor-exit v3
    Releases the monitor of the object referenced by v3.

1F  check-cast vx, type_id
    Checks whether the object reference in vx can be cast to an instance of the class referenced by type_id. Throws ClassCastException if the cast is not possible, continues execution otherwise.
    Example: 1F04 0100 - check-cast v4, Test3 // type@0001
    Checks whether the object reference in v4 can be cast to type@0001 (entry #1 in the type id table).

20  instance-of vx,vy,type_id
    Checks whether vy is an instance of the class identified by type_id. Sets vx to non-zero if it is, 0 otherwise.
    Example: 2040 0100 - instance-of v0, v4, Test3 // type@0001
    Checks whether the object reference in v4 is an instance of type@0001 (entry #1 in the type id table). Sets v0 to non-zero if v4 is an instance of Test3, 0 otherwise.

21  array-length vx,vy
    Calculates the number of elements of the array referenced by vy and puts the length value into vx.
    Example: 2111 - array-length v1, v1
    Calculates the number of elements of the array referenced by v1 and puts the result into v1.

22  new-instance vx,type
    Instantiates an object of the given type and puts the reference to the newly created instance into vx.
    Example: 2200 1500 - new-instance v0, java.io.FileInputStream // type@0015
    Instantiates type@0015 (entry #15H in the type table) and puts its reference into v0.

23  new-array vx,vy,type_id
    Generates a new array of type type_id with vy elements and puts the reference to the array into vx.
    Example: 2312 2500 - new-array v2, v1, char[] // type@0025
    Generates a new array of type type@0025 with v1 elements and puts the reference to the new array into v2.

24  filled-new-array {parameters},type_id
    Generates a new array of type_id and fills it with the parameters. The reference to the newly generated array can be obtained by a move-result-object instruction immediately following the filled-new-array instruction.
    Example: 2420 530D 0000 - filled-new-array {v0,v0},[I // type@0D53
    Generates a new array of type@0D53. The array's size will be 2 and both elements will be filled with the contents of the v0 register.

25  filled-new-array/range {vx..vy},type_id
    Generates a new array of type_id and fills it with a range of parameters. The reference to the newly generated array can be obtained by a move-result-object instruction immediately following the filled-new-array/range instruction.
    Example: 2503 0600 1300 - filled-new-array/range {v19..v21}, [B // type@0006
    Generates a new array of type@0D53. The array's size will be 3 and the elements will be filled using the v19, v20 and v21 registers.

26  fill-array-data vx,array_data_offset
    Fills the array referenced by vx with static data. The location of the static data is the sum of the position of the current instruction and the offset.
    Example: 2606 2500 0000 - fill-array-data v6, 00e6 // +0025
    Fills the array referenced by v0 with the static data located at current instruction + 25H words. The offset is expressed as a 32-bit number. The static data is stored in the following format:
    0003 // Table type: static array data
    0400 // Bytes per array element (in this case, 4 byte integers)
    0300 0000 // Number of elements in the table
    0100 0000 // Element #0: integer 1
    0200 0000 // Element #1: integer 2
    0300 0000 // Element #2: integer 3

27  throw vx
    Throws an exception object. The reference of the exception object is in vx.
    Example: 2700 - throw v0
    Throws an exception. The exception object reference is in v0.

28  goto target
    Unconditional jump by a short offset.
    Example: 28F0 - goto 0005 // -0010
    Jumps to current position - 16 words (hex 10). 0005 is the label of the target instruction.

29  goto/16 target
    Unconditional jump by a 16 bit offset.
    Example: 2900 0FFE - goto/16 002f // -01f1
    Jumps to current position - 1F1H words. 002F is the label of the target instruction.

2A  goto/32 target
    (not documented; name taken from the Android opcode constant list)

2B  packed-switch vx,table
    Implements a switch statement where the case constants are close to each other. The instruction uses an index table: vx indexes into this table to find the offset of the instruction for a particular case. If vx falls outside the index table, execution continues at the next instruction (default case).
    Example: 2B02 0C00 0000 - packed-switch v2, 000c // +000c
    Executes a packed switch according to the switch argument in v2. The index table is located at current instruction + 0CH words and looks like the following:
    0001 // Table type: packed switch table
    0300 // Number of elements
    0000 0000 // Element base
    0500 0000  0: 00000005 // case 0: +00000005
    0700 0000  1: 00000007 // case 1: +00000007
    0900 0000  2: 00000009 // case 2: +00000009

2C  sparse-switch vx,table
    Implements a switch statement with a sparse case table. The instruction uses a lookup table with case constants and an offset for each case constant. If there is no match in the table, execution continues at the next instruction (default case).
    Example: 2C02 0c00 0000 - sparse-switch v2, 000c // +000c
    Executes a sparse switch according to the switch argument in v2. The lookup table is located at current instruction + 0CH words and looks like the following:
    0002 // Table type: sparse switch table
    0300 // Number of elements
    9cff ffff // First case constant: -100
    fa00 0000 // Second case constant: 250
    e803 0000 // Third case constant: 1000
    0500 0000 // Offset for the first case constant: +5
    0700 0000 // Offset for the second case constant: +7
    0900 0000 // Offset for the third case constant: +9

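The three payload tables shown in the fill-array-data, packed-switch and sparse-switch entries above share a single layout idea (a 16-bit table-type identifier, a size, then the data), so the added Python below parses all three with one function and resolves a switch key to its target address the way the entries describe: the table lies at the switch instruction plus the 32-bit offset, and each case offset is relative to the switch instruction, with a missing key falling through to the next instruction. This is example code written for this page, not code from the page or from Android; the sample payloads are the table's own hex listings, and the instruction address 0x10 used for the switch is a constructed value.

```python
import struct

# Table-type identifiers as they appear in the first code unit of each payload
# (the table writes them as 0001, 0002 and 0003 in byte order).
PACKED_SWITCH, SPARSE_SWITCH, ARRAY_DATA = 0x0100, 0x0200, 0x0300

# The three payloads listed in the entries above, in the table's hex notation.
ARRAY_DATA_HEX = "0003 0400 0300 0000 0100 0000 0200 0000 0300 0000"
PACKED_SWITCH_HEX = "0001 0300 0000 0000 0500 0000 0700 0000 0900 0000"
SPARSE_SWITCH_HEX = ("0002 0300 9cff ffff fa00 0000 e803 0000 "
                     "0500 0000 0700 0000 0900 0000")


def code_units(hex_text):
    """Read the bytes in the order written and group them into 16-bit units."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def u32(units, i):
    """32-bit value stored as two code units, low unit first."""
    return units[i] | (units[i + 1] << 16)


def s32(value):
    """Reinterpret a 32-bit value as signed."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_payload(hex_text):
    """Parse a fill-array-data, packed-switch or sparse-switch payload table."""
    u = code_units(hex_text)
    ident = u[0]
    if ident == ARRAY_DATA:
        width = u[1]                 # bytes per array element
        size = u32(u, 2)             # number of elements
        raw = struct.pack("<%dH" % (len(u) - 4), *u[4:])[:width * size]
        fmt = {1: "b", 2: "h", 4: "i", 8: "q"}[width]
        return {"type": "array-data", "width": width,
                "elements": list(struct.unpack("<%d%s" % (size, fmt), raw))}
    if ident == PACKED_SWITCH:
        size = u[1]
        first_key = s32(u32(u, 2))   # element base: cases are consecutive from here
        targets = [s32(u32(u, 4 + 2 * i)) for i in range(size)]
        return {"type": "packed-switch",
                "cases": {first_key + i: t for i, t in enumerate(targets)}}
    if ident == SPARSE_SWITCH:
        size = u[1]                  # all case constants first, then one offset each
        keys = [s32(u32(u, 2 + 2 * i)) for i in range(size)]
        targets = [s32(u32(u, 2 + 2 * size + 2 * i)) for i in range(size)]
        return {"type": "sparse-switch", "cases": dict(zip(keys, targets))}
    raise ValueError("unknown payload ident 0x%04x" % ident)


def payload_ref(hex_instr):
    """(vx, table offset) of a fill-array-data / packed-switch / sparse-switch
    instruction: register in the high byte of the first unit, signed 32-bit
    offset (in code units, relative to the instruction) in the next two."""
    u = code_units(hex_instr)
    return u[0] >> 8, s32(u32(u, 1))


def resolve_switch(pc, hex_payload, key):
    """Code-unit address executed for `key` when the switch sits at `pc`.
    Case offsets are relative to the switch instruction; a key missing from the
    table falls through to the next instruction, 3 units after the switch."""
    cases = parse_payload(hex_payload)["cases"]
    return pc + cases.get(key, 3)


if __name__ == "__main__":
    print(parse_payload(ARRAY_DATA_HEX))
    print(parse_payload(PACKED_SWITCH_HEX))
    print(parse_payload(SPARSE_SWITCH_HEX))
    # Switch at address 0x10 (constructed): its table is at 0x10 + 0x0c.
    reg, off = payload_ref("2C02 0c00 0000")
    print("sparse-switch on v%d, table at %04x" % (reg, 0x10 + off))
    print("case 250 -> %04x" % resolve_switch(0x10, SPARSE_SWITCH_HEX, 250))
    print("no match -> %04x" % resolve_switch(0x10, SPARSE_SWITCH_HEX, 42))
```

When reading real dex code rather than the table's listings, the same parser applies to the bytes at the computed table address; the element width check and the size-bounded slice in the array-data branch are what keep a malformed payload from being read past its declared length.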
2D  cmpl-float vx, vy, vz
    Compares the float values in vy and vz and sets the integer value in vx accordingly.
    Example: 2D00 0607 - cmpl-float v0, v6, v7
    Compares the float values in v6 and v7, then sets v0 accordingly. The NaN bias is less-than: the instruction returns -1 if either parameter is NaN.

2E  cmpg-float vx, vy, vz
    Compares the float values in vy and vz and sets the integer value in vx accordingly.