smali注入常用代码

注入代码需要注意寄存器个数。
1.插入log信息
const-string v2,"SN"
invoke-static {v2,v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

 

2.弹出消息框
new AlertDialog.Builder(self).setTitle("普通对话框").setMessage("你好，Android!").show();
new-instance v1,Landroid/app/AlertDialog$Builder;
invoke-direct {v1,p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)Vconst-string v2,"\u666e\u901a\u5bf9\u8bdd\u6846"
invoke-virtual {v1,v2}, Landroid/app/AlertDialog$Builder;->setTitle(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;

const-string v2,"\u4f60\u597d\uff0cAndroid!"
invoke-virtual {v1,v2},Landroid/app/AlertDialog$Builder;->setMessage(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;
invoke-virtual {v1},Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
move-result-object v2

invoke-virtual {v2},Landroid/app/AlertDialog;->show()V


将上述smali代码插入MainActivity.smali中的create函数的return-void语句前面





3.卡住程序运行

方法一：

try
{

  Thread.sleep(60*1000);
}

catch(InterruptedException e){

      e.printStackTrace();

}

 

.line 69

const-wide/32  v1,0xeff0

:try_start_0

#v1=(LongLo);v2=(LongHi);

invoke-static {v1,v2},Ljava/lang/Thread;->Sleep(J)V

:try_end_0

.catch Ljava/lang/InterruptedException; {:try_start_0 .. try_end_0} :catch_0

.line 87

:goto_0

#v0=(Conflicted);

#此后面是try后的内容

return-void

.line 70

:catch_0

#v0=(Uninit);

move-exception v0

.line 72

.local v0, e:Ljava/lang/InterruptedException;

#v0=(Reference);

invoke-virtual {v0}, Ljava/lang/InterruptedException;->printStackTrace()V

goto :goto_0

 

 

方法二:
android.os.SystemClock.sleep(60*1000);

const-wide/32 v0, 0xea60   
invoke-static {v0, v1}, Landroid/os/SystemClock;->sleep(J)V

 

 

4.栈跟踪(调用关系)
#new Exception("print trace").printStackTrace();

new-instance v0,Ljava/lang/Exception;
const-string v1,"print trace"
invoke-direct {v0,v1}, Ljava/lang/Exception;-><init>(Ljava/lang/String;)V
invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V

栈跟踪信息记录了程序从启动到printStackTrace()被执行期间所有被调用过的方法。从下往上查看栈跟踪信息，
找到第一条以com.android.stackTrace开头的信息。

栈跟踪信息是WARN级别，而且Tag名称被系统命令为System.err. 命令行：adb logcat -s System.err:V *:W

5.Method Profiling(调用关系)
#android.os.Debug.startMethodTracing("123");  "123"为文件名
#a();
#android.os.Debug.stopMethodTracing();

Android-Manifest.xml添加SD卡写入权限
<user-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

#android.os.Debug.startMethodTracing("123");
const-string v0, "123"
invoke-static {v0}, Landroid/os/Debug;->startMethodTracing(Ljava/lang/String;) V

#android.os.Debug.stopMethodTracing();
invoke-static {}, Landroid/os/Debug;->stopMethodTracing() V

 

SD卡的根目录生成123.trace
分析命令：
adb pull /mnt/sdcard/123.trace
traceview 123.trace

 

 5.添加BroadcastReceiver

.# static fields

.field private intentFilter:Landroid/content/IntentFilter;

.field private reciver:Lcom/example/mytest/MyReciver;


method protected onCreate(Landroid/os/Bundle;)V


   new-instance v0, Landroid/content/IntentFilter;


    invoke-direct {v0}, Landroid/content/IntentFilter;-><init>()V


    iput-object v0, p0, Lcom/test/SearchActivity;->intentFilter:Landroid/content/IntentFilter;


    iget-object v0, p0, Lcom/test/SearchActivity;->intentFilter:Landroid/content/IntentFilter;


    const-string v1, "android.intent.action.search"


    invoke-virtual {v0, v1}, Landroid/content/IntentFilter;->addAction(Ljava/lang/String;)V


    new-instance v0, Lcom/example/mytest/MyReciver;


    invoke-direct {v0, p0}, Lcom/example/mytest/MyReciver;-><init>(Landroid/app/Activity;)V


    iput-object v0, p0,Lcom/test/SearchActivity;->reciver:Lcom/example/mytest/MyReciver;


    iget-object v0, p0, Lcom/test/SearchActivity;->reciver:Lcom/example/mytest/MyReciver;


    iget-object v1, p0, Lcom/test/SearchActivity;->intentFilter:Landroid/content/IntentFilter;


    invoke-virtual {p0, v0, v1}, Lcom/test/SearchActivity;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;


..method public onDestroy()V


iget-object v0, p0, Lcom/test/SearchActivity;->reciver:Lcom/example/mytest/MyReciver;


invoke-virtual {p0, v0}, Lcom/test/SearchActivity;->unregisterReceiver(Landroid/content/BroadcastReceiver;)V

6.等待调试器附加

  invoke-static {}, Landroid/os/Debug;->waitForDebugger()V

7.加载so

const-string/jumbo v0, "native-lib"

invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V