<pre name="code" class="cpp"><pre name="code" class="cpp">
void dumpBytecodes(DexFile* pDexFile, const DexMethod* pDexMethod)
{
const DexCode* pCode = dexGetCode(pDexFile, pDexMethod);
const u2* insns;
int insnIdx;
FieldMethodInfo methInfo;
int startAddr;
char* className = NULL;
assert(pCode->insnsSize > 0);
insns = pCode->insns;
getMethodInfo(pDexFile, pDexMethod->methodIdx, &methInfo);
startAddr = ((u1*)pCode - pDexFile->baseAddr);
className = descriptorToDot(methInfo.classDescriptor);
printf("%06x: |[%06x] %s.%s:%s\n",
startAddr, startAddr,
className, methInfo.name, methInfo.signature);
free((void *) methInfo.signature);
insnIdx = 0;
while (insnIdx < (int) pCode->insnsSize)
{
int insnWidth;
DecodedInstruction decInsn;
u2 instr;
/*
* Note: This code parallels the function
* dexGetWidthFromInstruction() in InstrUtils.c, but this version
* can deal with data in either endianness.
*
* TODO: Figure out if this really matters, and possibly change
* this to just use dexGetWidthFromInstruction().
*/
instr = get2LE((const u1*)insns);
if (instr == kPackedSwitchSignature)
{
insnWidth = 4 + get2LE((const u1*)(insns+1)) * 2;
} else if (instr == kSparseSwitchSignature)
{
insnWidth = 2 + get2LE((const u1*)(insns+1)) * 4;
} else if (instr == kArrayDataSignature)
{
int width = get2LE((const u1*)(insns+1));
int size = get2LE((const u1*)(insns+2)) |
(get2LE((const u1*)(insns+3))<<16);
// The plus 1 is to round up for odd size and width.
insnWidth = 4 + ((size * width) + 1) / 2;
}
else
{
Opcode opcode = dexOpcodeFromCodeUnit(instr);
insnWidth = dexGetWidthFromOpcode(opcode);
if (insnWidth == 0)
{
fprintf(stderr,
"GLITCH: zero-width instruction at idx=0x%04x\n", insnIdx);
break;
}
}
dexDecodeInstruction(insns, &decInsn);
dumpInstruction(pDexFile, pCode, insnIdx, insnWidth, &decInsn);
insns += insnWidth;
insnIdx += insnWidth;
}
free(className);
}简单对代码做下分析:首先,我们先看下 const DexCode* pCode = dexGetCode(pDexFile, pDexMethod); 获取dex 代码结构体。
struct DexCode {
u2 registersSize;
u2 insSize;
u2 outsSize;
u2 triesSize;
u4 debugInfoOff; /* file offset to debug info stream */
u4 insnsSize; /* size of the insns array, in u2 units */
u2 insns[1];
/* followed by optional u2 padding */
/* followed by try_item[triesSize] */
/* followed by uleb128 handlersSize */
/* followed by catch_handler_item[handlersSize] */
};insnsSize 表示 <span style="font-family: Arial, Helvetica, sans-serif;">u2 insns[1]; 这个成员有多少个。</span>
Opcode opcode = dexOpcodeFromCodeUnit(inst);
DexCode.insns[0] 计算出opcode. 获取opcode 查表获取对应的指令。
如下:
enum Opcode {
// BEGIN(libdex-opcode-enum); GENERATED AUTOMATICALLY BY opcode-gen
OP_NOP = 0x00,
OP_MOVE = 0x01,
OP_MOVE_FROM16 = 0x02,
OP_MOVE_16 = 0x03,
OP_MOVE_WIDE = 0x04,
OP_MOVE_WIDE_FROM16 = 0x05,
OP_MOVE_WIDE_16 = 0x06,
OP_MOVE_OBJECT = 0x07,
OP_MOVE_OBJECT_FROM16 = 0x08,
OP_MOVE_OBJECT_16 = 0x09,
OP_MOVE_RESULT = 0x0a,
OP_MOVE_RESULT_WIDE = 0x0b,
OP_MOVE_RESULT_OBJECT = 0x0c,
OP_MOVE_EXCEPTION = 0x0d,
OP_RETURN_VOID = 0x0e,
OP_RETURN = 0x0f,
OP_RETURN_WIDE = 0x10,
OP_RETURN_OBJECT = 0x11,
OP_CONST_4 = 0x12,
OP_CONST_16 = 0x13,
OP_CONST = 0x14,
OP_CONST_HIGH16 = 0x15,
OP_CONST_WIDE_16 = 0x16,
OP_CONST_WIDE_32 = 0x17,
OP_CONST_WIDE = 0x18,
OP_CONST_WIDE_HIGH16 = 0x19,
OP_CONST_STRING = 0x1a,
OP_CONST_STRING_JUMBO = 0x1b,
OP_CONST_CLASS = 0x1c,
OP_MONITOR_ENTER = 0x1d,
OP_MONITOR_EXIT = 0x1e,
OP_CHECK_CAST = 0x1f,
OP_INSTANCE_OF = 0x20,
OP_ARRAY_LENGTH = 0x21,
OP_NEW_INSTANCE = 0x22,
OP_NEW_ARRAY = 0x23,
OP_FILLED_NEW_ARRAY = 0x24,
OP_FILLED_NEW_ARRAY_RANGE = 0x25,
OP_FILL_ARRAY_DATA = 0x26,
OP_THROW = 0x27,
OP_GOTO = 0x28,
OP_GOTO_16 = 0x29,
OP_GOTO_32 = 0x2a,
OP_PACKED_SWITCH = 0x2b,
OP_SPARSE_SWITCH = 0x2c,
OP_CMPL_FLOAT = 0x2d,
OP_CMPG_FLOAT = 0x2e,
OP_CMPL_DOUBLE = 0x2f,
OP_CMPG_DOUBLE = 0x30,
OP_CMP_LONG = 0x31,
OP_IF_EQ = 0x32,
OP_IF_NE = 0x33,
OP_IF_LT = 0x34,
OP_IF_GE = 0x35,
OP_IF_GT = 0x36,
OP_IF_LE = 0x37,
OP_IF_EQZ = 0x38,
OP_IF_NEZ = 0x39,
OP_IF_LTZ = 0x3a,
OP_IF_GEZ = 0x3b,
OP_IF_GTZ = 0x3c,
OP_IF_LEZ = 0x3d,
OP_UNUSED_3E = 0x3e,
OP_UNUSED_3F = 0x3f,
OP_UNUSED_40 = 0x40,
OP_UNUSED_41 = 0x41,
OP_UNUSED_42 = 0x42,
OP_UNUSED_43 = 0x43,
OP_AGET = 0x44,
OP_AGET_WIDE = 0x45,
OP_AGET_OBJECT = 0x46,
OP_AGET_BOOLEAN = 0x47,
OP_AGET_BYTE = 0x48,
OP_AGET_CHAR = 0x49,
OP_AGET_SHORT = 0x4a,
OP_APUT = 0x4b,
OP_APUT_WIDE = 0x4c,
OP_APUT_OBJECT = 0x4d,
OP_APUT_BOOLEAN = 0x4e,
OP_APUT_BYTE = 0x4f,
OP_APUT_CHAR = 0x50,
OP_APUT_SHORT = 0x51,
OP_IGET = 0x52,
OP_IGET_WIDE = 0x53,
OP_IGET_OBJECT = 0x54,
OP_IGET_BOOLEAN = 0x55,
OP_IGET_BYTE = 0x56,
OP_IGET_CHAR = 0x57,
OP_IGET_SHORT = 0x58,
OP_IPUT = 0x59,
OP_IPUT_WIDE = 0x5a,
OP_IPUT_OBJECT = 0x5b,
OP_IPUT_BOOLEAN = 0x5c,
OP_IPUT_BYTE = 0x5d,
OP_IPUT_CHAR = 0x5e,
OP_IPUT_SHORT = 0x5f,
OP_SGET = 0x60,
OP_SGET_WIDE = 0x61,
OP_SGET_OBJECT = 0x62,
OP_SGET_BOOLEAN = 0x63,
OP_SGET_BYTE = 0x64,
OP_SGET_CHAR = 0x65,
OP_SGET_SHORT = 0x66,
OP_SPUT = 0x67,
OP_SPUT_WIDE = 0x68,
OP_SPUT_OBJECT = 0x69,
OP_SPUT_BOOLEAN = 0x6a,
OP_SPUT_BYTE = 0x6b,
OP_SPUT_CHAR = 0x6c,
OP_SPUT_SHORT = 0x6d,
OP_INVOKE_VIRTUAL = 0x6e,
OP_INVOKE_SUPER = 0x6f,
OP_INVOKE_DIRECT = 0x70,
OP_INVOKE_STATIC = 0x71,
OP_INVOKE_INTERFACE = 0x72,
OP_UNUSED_73 = 0x73,
OP_INVOKE_VIRTUAL_RANGE = 0x74,
OP_INVOKE_SUPER_RANGE = 0x75,
OP_INVOKE_DIRECT_RANGE = 0x76,
OP_INVOKE_STATIC_RANGE = 0x77,
OP_INVOKE_INTERFACE_RANGE = 0x78,
OP_UNUSED_79 = 0x79,
OP_UNUSED_7A = 0x7a,
OP_NEG_INT = 0x7b,
OP_NOT_INT = 0x7c,
OP_NEG_LONG = 0x7d,
OP_NOT_LONG = 0x7e,
OP_NEG_FLOAT = 0x7f,
OP_NEG_DOUBLE = 0x80,
OP_INT_TO_LONG = 0x81,
OP_INT_TO_FLOAT = 0x82,
OP_INT_TO_DOUBLE = 0x83,
OP_LONG_TO_INT = 0x84,
OP_LONG_TO_FLOAT = 0x85,
OP_LONG_TO_DOUBLE = 0x86,
OP_FLOAT_TO_INT = 0x87,
OP_FLOAT_TO_LONG = 0x88,
OP_FLOAT_TO_DOUBLE = 0x89,
OP_DOUBLE_TO_INT = 0x8a,
OP_DOUBLE_TO_LONG = 0x8b,
OP_DOUBLE_TO_FLOAT = 0x8c,
OP_INT_TO_BYTE = 0x8d,
OP_INT_TO_CHAR = 0x8e,
OP_INT_TO_SHORT = 0x8f,
OP_ADD_INT = 0x90,
OP_SUB_INT = 0x91,
OP_MUL_INT = 0x92,
OP_DIV_INT = 0x93,
OP_REM_INT = 0x94,
OP_AND_INT = 0x95,
OP_OR_INT = 0x96,
OP_XOR_INT = 0x97,
OP_SHL_INT = 0x98,
OP_SHR_INT = 0x99,
OP_USHR_INT = 0x9a,
OP_ADD_LONG = 0x9b,
OP_SUB_LONG = 0x9c,
OP_MUL_LONG = 0x9d,
OP_DIV_LONG = 0x9e,
OP_REM_LONG = 0x9f,
OP_AND_LONG = 0xa0,
OP_OR_LONG = 0xa1,
OP_XOR_LONG = 0xa2,
OP_SHL_LONG = 0xa3,
OP_SHR_LONG = 0xa4,
OP_USHR_LONG = 0xa5,
OP_ADD_FLOAT = 0xa6,
OP_SUB_FLOAT = 0xa7,
OP_MUL_FLOAT = 0xa8,
OP_DIV_FLOAT = 0xa9,
OP_REM_FLOAT = 0xaa,
OP_ADD_DOUBLE = 0xab,
OP_SUB_DOUBLE = 0xac,
OP_MUL_DOUBLE = 0xad,
OP_DIV_DOUBLE = 0xae,
OP_REM_DOUBLE = 0xaf,
OP_ADD_INT_2ADDR = 0xb0,
OP_SUB_INT_2ADDR = 0xb1,
OP_MUL_INT_2ADDR = 0xb2,
OP_DIV_INT_2ADDR = 0xb3,
OP_REM_INT_2ADDR = 0xb4,
OP_AND_INT_2ADDR = 0xb5,
OP_OR_INT_2ADDR = 0xb6,
OP_XOR_INT_2ADDR = 0xb7,
OP_SHL_INT_2ADDR = 0xb8,
OP_SHR_INT_2ADDR = 0xb9,
OP_USHR_INT_2ADDR = 0xba,
OP_ADD_LONG_2ADDR = 0xbb,
OP_SUB_LONG_2ADDR = 0xbc,
OP_MUL_LONG_2ADDR = 0xbd,
OP_DIV_LONG_2ADDR = 0xbe,
OP_REM_LONG_2ADDR = 0xbf,
OP_AND_LONG_2ADDR = 0xc0,
OP_OR_LONG_2ADDR = 0xc1,
OP_XOR_LONG_2ADDR = 0xc2,
OP_SHL_LONG_2ADDR = 0xc3,
OP_SHR_LONG_2ADDR = 0xc4,
OP_USHR_LONG_2ADDR = 0xc5,
OP_ADD_FLOAT_2ADDR = 0xc6,
OP_SUB_FLOAT_2ADDR = 0xc7,
OP_MUL_FLOAT_2ADDR = 0xc8,
OP_DIV_FLOAT_2ADDR = 0xc9,
OP_REM_FLOAT_2ADDR = 0xca,
OP_ADD_DOUBLE_2ADDR = 0xcb,
OP_SUB_DOUBLE_2ADDR = 0xcc,
OP_MUL_DOUBLE_2ADDR = 0xcd,
OP_DIV_DOUBLE_2ADDR = 0xce,
OP_REM_DOUBLE_2ADDR = 0xcf,
OP_ADD_INT_LIT16 = 0xd0,
OP_RSUB_INT = 0xd1,
OP_MUL_INT_LIT16 = 0xd2,
OP_DIV_INT_LIT16 = 0xd3,
OP_REM_INT_LIT16 = 0xd4,
OP_AND_INT_LIT16 = 0xd5,
OP_OR_INT_LIT16 = 0xd6,
OP_XOR_INT_LIT16 = 0xd7,
OP_ADD_INT_LIT8 = 0xd8,
OP_RSUB_INT_LIT8 = 0xd9,
OP_MUL_INT_LIT8 = 0xda,
OP_DIV_INT_LIT8 = 0xdb,
OP_REM_INT_LIT8 = 0xdc,
OP_AND_INT_LIT8 = 0xdd,
OP_OR_INT_LIT8 = 0xde,
OP_XOR_INT_LIT8 = 0xdf,
OP_SHL_INT_LIT8 = 0xe0,
OP_SHR_INT_LIT8 = 0xe1,
OP_USHR_INT_LIT8 = 0xe2,
OP_IGET_VOLATILE = 0xe3,
OP_IPUT_VOLATILE = 0xe4,
OP_SGET_VOLATILE = 0xe5,
OP_SPUT_VOLATILE = 0xe6,
OP_IGET_OBJECT_VOLATILE = 0xe7,
OP_IGET_WIDE_VOLATILE = 0xe8,
OP_IPUT_WIDE_VOLATILE = 0xe9,
OP_SGET_WIDE_VOLATILE = 0xea,
OP_SPUT_WIDE_VOLATILE = 0xeb,
OP_BREAKPOINT = 0xec,
OP_THROW_VERIFICATION_ERROR = 0xed,
OP_EXECUTE_INLINE = 0xee,
OP_EXECUTE_INLINE_RANGE = 0xef,
OP_INVOKE_OBJECT_INIT_RANGE = 0xf0,
OP_RETURN_VOID_BARRIER = 0xf1,
OP_IGET_QUICK = 0xf2,
OP_IGET_WIDE_QUICK = 0xf3,
OP_IGET_OBJECT_QUICK = 0xf4,
OP_IPUT_QUICK = 0xf5,
OP_IPUT_WIDE_QUICK = 0xf6,
OP_IPUT_OBJECT_QUICK = 0xf7,
OP_INVOKE_VIRTUAL_QUICK = 0xf8,
OP_INVOKE_VIRTUAL_QUICK_RANGE = 0xf9,
OP_INVOKE_SUPER_QUICK = 0xfa,
OP_INVOKE_SUPER_QUICK_RANGE = 0xfb,
OP_IPUT_OBJECT_VOLATILE = 0xfc,
OP_SGET_OBJECT_VOLATILE = 0xfd,
OP_SPUT_OBJECT_VOLATILE = 0xfe,
OP_UNUSED_FF = 0xff,
// END(libdex-opcode-enum)
};根据 insns 获取
DecodedInstruction 指令结构void dexDecodeInstruction(const u2* insns, DecodedInstruction* pDec)
{
u2 inst = *insns;
Opcode opcode = dexOpcodeFromCodeUnit(inst);
InstructionFormat format = dexGetFormatFromOpcode(opcode);
pDec->opcode = opcode;
pDec->indexType = dexGetIndexTypeFromOpcode(opcode);
switch (format)
{
case kFmt10x: // op
/* nothing to do; copy the AA bits out for the verifier */
pDec->vA = INST_AA(inst);
break;
case kFmt12x: // op vA, vB
pDec->vA = INST_A(inst);
pDec->vB = INST_B(inst);
break;
case kFmt11n: // op vA, #+B
pDec->vA = INST_A(inst);
pDec->vB = (s4) (INST_B(inst) << 28) >> 28; // sign extend 4-bit value
break;
case kFmt11x: // op vAA
pDec->vA = INST_AA(inst);
break;
case kFmt10t: // op +AA
pDec->vA = (s1) INST_AA(inst); // sign-extend 8-bit value
break;
case kFmt20t: // op +AAAA
pDec->vA = (s2) FETCH(1); // sign-extend 16-bit value
break;
case kFmt20bc: // [opt] op AA, thing@BBBB
case kFmt21c: // op vAA, thing@BBBB
case kFmt22x: // op vAA, vBBBB
pDec->vA = INST_AA(inst);
pDec->vB = FETCH(1);
break;
case kFmt21s: // op vAA, #+BBBB
case kFmt21t: // op vAA, +BBBB
pDec->vA = INST_AA(inst);
pDec->vB = (s2) FETCH(1); // sign-extend 16-bit value
break;
case kFmt21h: // op vAA, #+BBBB0000[00000000]
pDec->vA = INST_AA(inst);
/*
* The value should be treated as right-zero-extended, but we don't
* actually do that here. Among other things, we don't know if it's
* the top bits of a 32- or 64-bit value.
*/
pDec->vB = FETCH(1);
break;
case kFmt23x: // op vAA, vBB, vCC
pDec->vA = INST_AA(inst);
pDec->vB = FETCH(1) & 0xff;
pDec->vC = FETCH(1) >> 8;
break;
case kFmt22b: // op vAA, vBB, #+CC
pDec->vA = INST_AA(inst);
pDec->vB = FETCH(1) & 0xff;
pDec->vC = (s1) (FETCH(1) >> 8); // sign-extend 8-bit value
break;
case kFmt22s: // op vA, vB, #+CCCC
case kFmt22t: // op vA, vB, +CCCC
pDec->vA = INST_A(inst);
pDec->vB = INST_B(inst);
pDec->vC = (s2) FETCH(1); // sign-extend 16-bit value
break;
case kFmt22c: // op vA, vB, thing@CCCC
case kFmt22cs: // [opt] op vA, vB, field offset CCCC
pDec->vA = INST_A(inst);
pDec->vB = INST_B(inst);
pDec->vC = FETCH(1);
break;
case kFmt30t: // op +AAAAAAAA
pDec->vA = FETCH_u4(1); // signed 32-bit value
break;
case kFmt31t: // op vAA, +BBBBBBBB
case kFmt31c: // op vAA, string@BBBBBBBB
pDec->vA = INST_AA(inst);
pDec->vB = FETCH_u4(1); // 32-bit value
break;
case kFmt32x: // op vAAAA, vBBBB
pDec->vA = FETCH(1);
pDec->vB = FETCH(2);
break;
case kFmt31i: // op vAA, #+BBBBBBBB
pDec->vA = INST_AA(inst);
pDec->vB = FETCH_u4(1); // signed 32-bit value
break;
case kFmt35c: // op {vC, vD, vE, vF, vG}, thing@BBBB
case kFmt35ms: // [opt] invoke-virtual+super
case kFmt35mi: // [opt] inline invoke
{
/*
* Note that the fields mentioned in the spec don't appear in
* their "usual" positions here compared to most formats. This
* was done so that the field names for the argument count and
* reference index match between this format and the corresponding
* range formats (3rc and friends).
*
* Bottom line: The argument count is always in vA, and the
* method constant (or equivalent) is always in vB.
*/
u2 regList;
int i, count;
pDec->vA = INST_B(inst); // This is labeled A in the spec.
pDec->vB = FETCH(1);
regList = FETCH(2);
count = pDec->vA;
/*
* Copy the argument registers into the arg[] array, and
* also copy the first argument (if any) into vC. (The
* DecodedInstruction structure doesn't have separate
* fields for {vD, vE, vF, vG}, so there's no need to make
* copies of those.) Note that cases 5..2 fall through.
*/
switch (count) {
case 5: {
if (format == kFmt35mi) {
/* A fifth arg is verboten for inline invokes. */
printf("Invalid arg count in 35mi (5)");
goto bail;
}
/*
* Per note at the top of this format decoder, the
* fifth argument comes from the A field in the
* instruction, but it's labeled G in the spec.
*/
pDec->arg[4] = INST_A(inst);
}
case 4: pDec->arg[3] = (regList >> 12) & 0x0f;
case 3: pDec->arg[2] = (regList >> 8) & 0x0f;
case 2: pDec->arg[1] = (regList >> 4) & 0x0f;
case 1: pDec->vC = pDec->arg[0] = regList & 0x0f; break;
case 0: break; // Valid, but no need to do anything.
default:
printf("Invalid arg count in 35c/35ms/35mi (%d)", count);
goto bail;
}
}
break;
case kFmt3rc: // op {vCCCC .. v(CCCC+AA-1)}, meth@BBBB
case kFmt3rms: // [opt] invoke-virtual+super/range
case kFmt3rmi: // [opt] execute-inline/range
pDec->vA = INST_AA(inst);
pDec->vB = FETCH(1);
pDec->vC = FETCH(2);
break;
case kFmt51l: // op vAA, #+BBBBBBBBBBBBBBBB
pDec->vA = INST_AA(inst);
pDec->vB_wide = FETCH_u4(1) | ((u8) FETCH_u4(3) << 32);
break;
default:
printf("Can't decode unexpected format %d (op=%d)", format, opcode);
assert(false);
break;
}
bail:
;
}//根据 opcode 调用 dexGetFormatFromOpcode(opcode); 获取指令格式信息,然后就是一个switch 根据 InstructionFormat 填写
DecodedInstruction 结构体,这个结构就是最终指令信息了。
struct DecodedInstruction {
u4 vA;
u4 vB;
u8 vB_wide; /* for kFmt51l */
u4 vC;
u4 arg[5]; /* vC/D/E/F/G in invoke or filled-new-array */
Opcode opcode;
InstructionIndexType indexType;
};enum InstructionFormat {
kFmt00x = 0, // unknown format (also used for "breakpoint" opcode)
kFmt10x, // op
kFmt12x, // op vA, vB
kFmt11n, // op vA, #+B
kFmt11x, // op vAA
kFmt10t, // op +AA
kFmt20bc, // [opt] op AA, thing@BBBB
kFmt20t, // op +AAAA
kFmt22x, // op vAA, vBBBB
kFmt21t, // op vAA, +BBBB
kFmt21s, // op vAA, #+BBBB
kFmt21h, // op vAA, #+BBBB00000[00000000]
kFmt21c, // op vAA, thing@BBBB
kFmt23x, // op vAA, vBB, vCC
kFmt22b, // op vAA, vBB, #+CC
kFmt22t, // op vA, vB, +CCCC
kFmt22s, // op vA, vB, #+CCCC
kFmt22c, // op vA, vB, thing@CCCC
kFmt22cs, // [opt] op vA, vB, field offset CCCC
kFmt30t, // op +AAAAAAAA
kFmt32x, // op vAAAA, vBBBB
kFmt31i, // op vAA, #+BBBBBBBB
kFmt31t, // op vAA, +BBBBBBBB
kFmt31c, // op vAA, string@BBBBBBBB
kFmt35c, // op {vC,vD,vE,vF,vG}, thing@BBBB
kFmt35ms, // [opt] invoke-virtual+super
kFmt3rc, // op {vCCCC .. v(CCCC+AA-1)}, thing@BBBB
kFmt3rms, // [opt] invoke-virtual+super/range
kFmt51l, // op vAA, #+BBBBBBBBBBBBBBBB
kFmt35mi, // [opt] inline invoke
kFmt3rmi, // [opt] inline invoke/range
};最后就是在 dumpInstruction 根据 DecodedInstruction format 格式化转到smali 汇编的样子了。
扫一扫
1851
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
