How to use SmaliVM?
siair opened this issue · 3 comments
Where are examples? I read the following post and I am confused.
http://calebfenton.github.io/2016/04/30/dalvik-virtual-execution-with-smalivm/
Where should this code be executed?
VirtualMachineFactory vmFactory = new VirtualMachineFactory(); VirtualMachine vm = vmFactory.build("classes.dex"); String methodSignature = "Lorg/cf/example/Main;->foo(Ljava/lang/String;)V"; ExecutionContext ectx = vm.spawnRootContext(methodSignature); MethodState mState = ectx.getMethodState(); mState.assignParameter(0, "wubalubadubdub", "Ljava/lang/String;"); ExecutionGraph graph = vm.execute(methodSignature, ectx);
I want to find the return value of a function from an apk. Its value is a constant. How can I do it? Can SmaliVM find out the return value of this function?
This seems like a general question on how to write java programs. This isn't the best place for that.
Create a java project, add smalivm as dependency, retrofit the code to point to your dex or apk and the method signature you care about. Then setup any caller state aka method arguments as shown in the example above. Get the graph by executing and get the terminating register consensus. Look at the tests and example app for more info.
I know that this question is not suitable for posting here, but I searched the Internet and found only an article (http://calebfenton.github.io/2016/04/30/dalvik-virtual-execution-with-smalivm/) introducing this tool, and it is totally incomprehensible for beginners. There is no manual, no documentation, how can this be used? I saw the introduction of this project and I always thought it was great. I thought this was the tool I was looking for. It can easily find the return value of a confused function from the apk and remove useless algorithms or functions that deceive people.. But when I was about to start, I realized that I was at a loss and didn't know how to do it. I searched the Internet and couldn't find a complete example. This is really desperate!
I just want to find a constant from an apk. After complicated confusion, I can't find a clue. Because it is a function return value, although layers of confusion, hidden without a trace, I know it is a fixed value. There are no examples for reference, which is frustrating.
It would be good if there was a complete practical example suitable for beginners.
Your root issue seems to be how you approach problems. Did you try my suggestion? Did you read the README? Did you read the demoapp code (mentioned in the readme)? Did you look at any of the tests? Did you read some tutorials on Java? Please try to stick to technical issues -- explain what you tried and what you don't understand specifically.
There are many ways to run a single function.
- Create a stub / driver class with a
main(String... args)function which calls the target method and prints the result. This can be written in java and converted to smali or written in smali directly and combined with the target dex. Then you can push to device and run from the command line. - Try looking at dex-oracle since it basically automates the above process.
- If your target method is native, take a look at native-shim.
- If your target method is native, you can also try just creating an Android app, adding the target native library, loading it yourself (from your Android app) and calling the target function.
- Convert the target dex to a jar, import it into a java project, and run it from java. Good tools for this are dex2jar and enjarify. They aren't perfect so you may need to trim out problematic classes. If your target class fails to decompile, you'll need to work with smali directly.
- Use demoapp / smalivm tests as a template for using smalivm to execute the method yourself. Smalivm may not be the prefect library because it'll take every possible execution path if it gets to an ambiguous predicate, and ambiguity can come from any IO method. E.g. if the app reads a value from the internet or file system and then decides what to do based on that value, smalivm will not know what that value is and will take every possible branch / execution path at switches and if statements.