
Smali debug Cheatsheet

What is smali debugging?

When you create an application, the apk file contains a .dex file, which holds binary Dalvik bytecode. This is the format that the platform actually understands. However, binary code is not easy to read or modify, so there are tools to convert it to and from a human-readable representation. The most common human-readable format is known as Smali. For more, click here.

Smali/Baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The names "Smali" and "Baksmali" are the Icelandic equivalents of "assembler" and "disassembler" respectively.

Android apps are usually written in Java and compiled to Dalvik bytecode. Dalvik bytecode is created by first compiling the Java code to .class files, then converting the JVM bytecode to the Dalvik .dex format with the dx tool.

Basic commands for decompiling and signing the apk:

Without signing, the apk file cannot be installed on an Android device. There are multiple ways to sign an apk file, but here I will show you the simplest way to do the otherwise long process.

# Below commands for downloading the Uber signer app and sign example.apk
wget https://github.com/patrickfav/uber-apk-signer/releases/download/v1.2.1/uber-apk-signer-1.2.1.jar -O uber_apk_signer.jar
java -jar uber_apk_signer.jar --apks example.apk

# Troubleshooting Linux
sudo apt update && sudo apt install default-jre

To decompile the apk we need a tool named "apktool". For installation, visit here.

To extract the Java code from the apk file we need to install the Jadx tool. For download and installation, visit here.

# Install on Kali / Ubuntu
sudo apt install adb
sudo apt install jadx
sudo apt install apktool

Jadx, Apktool and Zip:

We can decompile an apk file with jadx, with apktool, or simply by treating it as a zip file.

# Apktool
apktool d example.apk

# Jadx
jadx -d [path-output-folder] [path-apk-or-dex-file]
jadx -d output example.apk

# Zip
unzip example.apk

After decompiling, we can observe the difference between them.

With the help of Jadx we can analyse the Java code and understand the app's source.
With the help of Zip we get the dex file and the other app build files.
With the help of Apktool we get the smali files, and we can recompile them after making the necessary changes.

Compile, sign and install via a single-line command

# uber-apk-signer writes the signed output next to the input as example-aligned-debugSigned.apk
apktool b apk_folder/ -o example.apk && echo "compiled!" && java -jar uber_apk_signer.jar --apks example.apk && adb install -r example-aligned-debugSigned.apk

Smali code Cheatsheet:

Adding the frida-gadget library. Read about frida-gadget at https://frida.re/docs/gadget/. Download frida-gadget from https://github.com/frida/frida/releases.

# Load a native library from smali (here frida-gadget; works for any library name)
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

# Troubleshooting
Increase the ".locals" value at the start of the method so it covers the registers the new code uses.
Example: ".locals 0"  --> ".locals 1"
Place the frida-gadget .so in the "/lib/arm64-v8a" folder of the decoded apk, named libfrida-gadget.so (the file name System.loadLibrary("frida-gadget") looks for).
After decompiling with apktool, navigate to that folder and paste the gadget file at exactly the above location.

Now the smali code you will probably use most: printing to logcat.

# Print your own message via System.out (println takes a String)
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "This is message"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

# Two registers (v0, v1) are used here, so increase the .locals value by 1 or 2 as needed


# Print the value of a variable with Log.e(tag, msg)
# Assume we are printing the value held in v7 (loaded here from a static String field) to the logs

sget-object v7, Lnet/appname/folder/b;->c:Ljava/lang/String;
const-string v8, "Printing value : "
invoke-static {v8, v7}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I


# Print simple message

const-string v3, "App started functionality" 
invoke-static {v3, v3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

TIP: Use Visual Studio Code for smali editing. It helps you write faster.

Observe the smali type descriptors below; they will help you read method signatures more precisely.

    |  descriptor    |     type                               |
    |  D             |     double                             |
    |  J             |     long                               |
    |  V             |     void (only for return value)       |
    |  I             |     int                                |
    |  Z             |     boolean                            |
    |  Lclassname;   |     instance of classname              |
    |  B             |     byte                               |
    |  S             |     short                              |
    |  C             |     char                               |
    |  F             |     float                              |
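The two things above that go wrong most often when patching smali are a `.locals` count that was not raised for the inserted registers, and misreading a method descriptor. The following is an added example, not code from the original post: a small checker for apktool output that parses each method's descriptor with the type table above (J and D take two registers) and reports whether the inserted `vN` registers fit inside `.locals`. The sample smali is constructed from this page's loadLibrary snippet.

```python
import re

# Added example (not from the original post): linter for apktool smali output
# covering the ".locals" troubleshooting tip. With ".locals N", v0..v(N-1) are
# locals and the following slots hold the parameters (p0 is 'this' for instance
# methods): code using vK with K >= N clobbers a parameter; K >= N + params fails to assemble.
WIDE = {"J", "D"}  # long and double take two registers (see the descriptor table)

def param_registers(descriptor, is_static):
    """Count parameter registers for a descriptor such as '(IJLjava/lang/String;)V'."""
    params = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    count, i = (0 if is_static else 1), 0
    while i < len(params):
        is_array = False
        while params[i] == "[":       # array prefix: the value is a single reference
            is_array, i = True, i + 1
        if params[i] == "L":          # class type Lpkg/Name; runs up to the ';'
            i = params.index(";", i)
        count += 2 if params[i] in WIDE and not is_array else 1
        i += 1
    return count

METHOD_RE = re.compile(r"^\.method[ \t]+(?P<head>[^\n]+)\n(?P<body>.*?)^\.end method", re.M | re.S)
LOCALS_RE = re.compile(r"^\s*\.locals\s+(\d+)", re.M)
REG_RE = re.compile(r"\bv(\d+)\b")

def check_locals(smali_text):
    """Return one report dict per method in a smali class file."""
    reports = []
    for m in METHOD_RE.finditer(smali_text):
        tokens = m.group("head").split()
        sig, is_static = tokens[-1], "static" in tokens[:-1]
        body = re.sub(r'"(?:\\.|[^"\\])*"', '""', m.group("body"))  # ignore string literals
        body = re.sub(r"#.*", "", body)                              # ignore comments
        decl = LOCALS_RE.search(body)
        n_locals = int(decl.group(1)) if decl else 0
        n_params = param_registers(sig[sig.index("("):], is_static)
        highest = max((int(r) for r in REG_RE.findall(body)), default=-1)
        reports.append({"method": sig, "locals": n_locals, "params": n_params,
                        "highest_v": highest,
                        "clobbers_param": highest >= n_locals,            # raise .locals
                        "out_of_range": highest >= n_locals + n_params})  # smali rejects this
    return reports

# Constructed sample: the loadLibrary snippet pasted into a method whose ".locals 0" was not raised.
SAMPLE = """\
.method public static main([Ljava/lang/String;)V
    .locals 0
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
"""
```

Run `check_locals()` over every `.smali` file you touched before `apktool b`; a `clobbers_param` hit means v0 silently overwrote the method's parameter even though smali assembled it.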

Reference: http://pages.cpsc.ucalgary.ca/~joel.reardon/mobile/smali-cheat.pdf

Java to Smali:

Writing smali efficiently is tough!
Learning to edit smali well can take years, but there is another way: convert your Java code directly to smali with a few basic commands.

javac JavaCode.java                              # compile to JavaCode.class (dx needs Java 8 or older class files)
dx --dex --output=classes.dex JavaCode.class     # convert the JVM bytecode to Dalvik dex
baksmali d classes.dex -o smali_out              # disassemble; the result is smali_out/JavaCode.smali

Ending notes:

To complete the cheatsheet I still have not written enough code and tips yet. I am also creating a tool to automate this process.

Debugging smali files helps a lot to improve both the static and the dynamic analysis in an application penetration test. In future updates, I will add more code tips to this page.

Thanks For Reading
Husseni Muzkkir
