apk程序查找方法调用

有android killer，现在ida对android的支持等一些方便工具，此篇（关于搜索和修改代码）废弃。

没有好的调试工具下

常用插代码（如果怕影响寄存器值，可以将.locals xxx改多几个或者合适的地方，如返回前添加）：
1.

const-string v7, "log.v(xx, yy);"

invoke-static {v7, v7}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

## v0 来自原有代码String，可能为空需要检查，类似这样使用，万无一失

const-string v7, "log.v(xx, yy);"

if-nez v0, :cond_3

const-string v0, "null"

:cond_3

invoke-static {v7, v0}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

invoke-static {v1, v2, v0}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;Ljava/lang/Throwable;)I

const-string v0, "Must ensure vx is Context class, then Toast.makeText(vx, xxx, 1).show();" # CharSequence对象类型

const/4 v1, 0x1 # I int类型

invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; # p0 是一个Context

move-result-object v0

invoke-virtual {v0}, Landroid/widget/Toast;->show()V

3. 不需要这个，一般很多。Activity启动关键字：如Landroid/content/Intent;-><init>(全局搜索很多，一般不会继承Intent调用）
如startActivity[ForResult(](Landroid/content/Intent;)V
Landroid/content/Context;->startActivity(Landroid/content/Intent;Landroid/os/Bundle;)V
new-instance ??, Landroid/content/ComponentName;

4. 打印堆栈到标准流或Logcat，使用局部变量：v0（new Exception）和v1（字符串）

#new Exception("print trace").printStackTrace();

new-instance v0,Ljava/lang/Exception;

const-string v1,"print trace"

invoke-direct {v0,v1}, Ljava/lang/Exception;-><init>(Ljava/lang/String;)V

invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V

栈跟踪信息是WARN级别，而且Tag名称被系统命令为System.err. 命令行：adb logcat -s System.err:V *:W

.method private a(Lcom/netease/mobimail/m/c/c;Z)V
.locals 11

Log.e(v9, v2, (v10=new Exception(v9)));

    const-string v9,"PrintTrace"

    new-instance v10,Ljava/lang/Exception;

    invoke-direct {v10,v9}, Ljava/lang/Exception;-><init>(Ljava/lang/String;)V

    invoke-static {v9, v2, v10}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;Ljava/lang/Throwable;)I

5. 一般耗时操作需要线程里执行，关注新增线程和线程堆栈变化

1.静态查看

方法搜索需要扩展到父类的方法搜索，如

.class public Lcom/dataviz/dxtg/common/android/launcher/TabbedLauncherActivity;

.super Lcom/dataviz/dxtg/common/android/ApplicationActivity;

# interfaces

.implements Landroid/view/GestureDetector$OnGestureListener;

.implements Lcom/dataviz/dxtg/common/android/ar;

.implements Lcom/dataviz/dxtg/common/android/bt;

.implements Lcom/dataviz/dxtg/common/android/cs;

.implements Lcom/dataviz/dxtg/common/android/dv;

.implements Lcom/dataviz/dxtg/common/android/iap/d;

.implements Lcom/dataviz/dxtg/common/android/iap/z;

.method public c()V

.end method

搜索方法
Lcom/dataviz/dxtg/common/android/launcher/TabbedLauncherActivity;->c()V

也许搜索没有结果，就有可能是父类或接口。

这里是Lcom/dataviz/dxtg/common/android/dv;->c()V

.class public interface abstract Lcom/dataviz/dxtg/common/android/dv;

.super Ljava/lang/Object;

# virtual methods

.method public abstract a(Ljava/lang/String;)V

.end method

.method public abstract a(Z)V

.end method

.method public abstract c()V

.end method

结果

Searching 7287 files for "Lcom/dataviz/dxtg/common/android/dv;->c()V"

D:\com.dataviz.docstogo\smali\com\dataviz\dxtg\common\android\do.smali:

   91:     invoke-interface {v0}, Lcom/dataviz/dxtg/common/android/dv;->c()V

  289:     invoke-interface {v0}, Lcom/dataviz/dxtg/common/android/dv;->c()V

2 matches in 1 file

然后看看调用这个方法的所在方法有没有判断跳转语句，如果没有可能还要继续查看谁调用。

2. 动态/运行时查看

制造异常查看函数调用堆栈

在查看方法调用时，制造空指针异常。回溯方法调用堆栈

.method public c()V

    .locals 1 ## .locals 1 romove desktop tab

    const/4 v0, 0x0

    #new-instance v0, Lcom/dataviz/dxtg/common/android/bl;

    #invoke-direct {v0}, Lcom/dataviz/dxtg/common/android/bl;-><init>()V

    invoke-direct {p0, v0}, Lcom/dataviz/dxtg/common/android/launcher/TabbedLauncherActivity;->a(Landroid/support/v4/app/Fragment;)Z

    return-void

.end method

堆栈截图