const-str | Compile-time string operations | Hashing library

baksmali's --register-info flag is your friend. It will add comments for each instruction with the details about the register types. It should show you exactly where the register type is becoming conflicted, including the incoming edges and the incoming types from each edge.

baksmali d --off --register-info ARGS,DEST,FULLMERGE -b "" blah.dex

e.g. here is the comment regarding p0 from your original source, where it becomes conflicted at the catch block, after adding an instruction (e.g. invoke-static {v4}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I) just before the try_end.

#p0=(Conflicted):merge{0x3:(Reference,Ljava/lang/String;),0x4:(Reference,Ljava/lang/String;),0x9:(Reference,Ljava/lang/String;),0xd:(Reference,Ljava/lang/String;),0x12:(Reference,Ljava/lang/String;),0x1d:(Reference,Ljava/lang/String;),0x22:(Reference,Ljava/lang/String;),0x23:(Reference,Ljava/lang/String;),0x2c:(Reference,Ljava/lang/String;),0x31:(Reference,Ljava/lang/String;),0x32:(Reference,Ljava/lang/String;),0x3a:(Reference,Ljava/lang/String;),0x3e:(Reference,Ljava/lang/String;),0x3f:(Reference,Ljava/lang/String;),0x44:(Integer)}

Each of those incoming edges are from instructions within the try block that could potentially throw an exception. By adding the new instruction that can throw an exception after the move-result p0 instruction at the end of the try block, you're adding a new incoming edge to the catch block, and the value of p0 from that edge (Integer) is not compatible with the types from all the other edges, and so the merged type is considered CONFLICTED.

The numbers in the merge comment refer to the code offset of the incoming edge. When you disassemble with the --code-offsets option (--off is a shortcut for that), baksmali will add a comment with the code offset for each instruction, so you can match up the code offset from the register info comment back to the actual instruction.

It's worth noting that the code offset in a merge comment refers to the instruction just prior to the one that can actually throw. The instruction that throws can't have affected any registers if it throws an exception, so the incoming types are from the post-instruction types from the instruction just prior.

The issue is that by adding the call to the tracing function in the try block, you're adding an edge from that location to the catch-all exception handler.

Some instructions are able to throw exceptions and some are not. e.g. return instructions cannot throw an exception, while invoke instructions can. So for any instruction in a try block that can throw, an edge is added to any exception handlers for that try block.

In the original method, the conditional near the beginning of the method (if-eqz v0, :cond_0) jumped directly to a return statement, so there is no edge to the exception handler since it can't throw an exception. So the only way to get to that exception handler is via an execution path in which v1 has been set.

However, by adding the invoke instruction, you added an edge from there to the exception handler, so that there is now an execution path to the exception handler in which v1 is unset.

So basically, consider the case when v0 is null at the conditional (so the jump is taken) and then the trace function throws an exception. The exception handler will be called but v1 has not been set.

This call in Java:
.\u0971("www.google.com", new String[] {"sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs=" })
is found in smali at:
invoke-virtual {v1, v2, v3}, Lo/bdq$if;->ॱ(Ljava/lang/String;[Ljava/lang/String;)Lo/bdq$if;

The Java class is o.bdq$if (class if is nested inside o.bdq). The method name is ॱ

When merging registers at the start of a catch block, there is an incoming edge from every instruction in the try block that can throw. Only certain instructions can throw - as determined by the CAN_THROW opcode flag.

In your particular example, the invoke-static instruction after the const-string instruction can throw, and so there's an edge from just before that instruction to the start of the catch block.

If you take a step back, execution can jump from any instruction in the try block that can throw to the start of the catch block. And so the code in the catch block must be prepared for the registers to be in a state that is consistent with the register contents just before any of those instructions that can throw.

So, for example, if there is one possible "jump" from the try block to the catch block where the register contains an primitive int type, and another possible jump where it contains an object, that register is considered "conflicted", because the the register may contain either type at that point in the code, and the two types are not compatible with each other. E.g. a primitive int can never be passed to something expecting a reference type and vice versa. And there's no mechanism in the bytecode for static register type checking.

One possible solution might be to split the try block at the point where you insert your instrumentation, so that the instrumentation itself is not covered by a try block, but both "sides" of the original code is. And keep in mind that in the bytecode, the same catch block can be used by multiple try blocks, so you can split the original try block into two, and have both reference the original catch block.

Otherwise, you'll just have to figure out some way to manage the registers appropriately to avoid this problem.

As for 6), see MethodImplementation.getTryBlocks(), which will give you a list of try blocks in that method. Each try block specifies where it starts, how many instructions it covers, and all of the catch blocks associated with it (different catch blocks for different exceptions).

The problem is with this instruction

You can add a call to Intent.setPackage. e.g.

When you're editing smali code you should carefully take care of registers. my_code's main method has 5 registers (i.e. 4 local and 1 param) and original_file's main method has 2 registers (i.e. 1 local and 1 param). Before adding the my_code to original_file, you should decide how may registers you would need. In this example, 5 registers (i.e. 4 local and 1 param) is enough.

The final main method (without .line and .param directives):

The best way I've seen to deal with the issues you noticed when increasing register count is to add a prologue that moves all post-increase parameter register back to their pre-increase locations, and then use the last register/registers as the new "scratch" registers.

e.g. if the parameters were at v14-v20, and you increase the register count by one, you would add code that would move v15 back to v14, v16 back to v15, etc. and use v21 as the new scratch register.

Alternately, you can try not to allocate any registers. e.g. create a new method, and pass in the value from the target method that you want to instrument. You can use invoke-*/range to pass in any single register. But in your case, this doesn't seem too feasible, since you want to pass in an additional string to identify the branch. You could theoretically create a new method for every branch, but you'll run into method limits in no time that way.

.end/.restart./start local are purely for debugging information. They tell the debugger which register is associated with which local variable in the original java code. The easiest thing would be to just strip them. See https://source.android.com/devices/tech/dalvik/dex-format#debug-info-item for more information.

Yes, move-object must be used for reference types, move-wide for primitive longs/doubles, and move for other primitives. Also, don't forget that wide types take up 2 registers. So if you may need to allocate 2 extra scratch registers if you happen to need to move a wide value (a long or double primitive)

dexlib2 has an api for performing type analysis on registers, if needed. See https://github.com/JesusFreke/smali/blob/master/dexlib2/src/main/java/org/jf/dexlib2/analysis/MethodAnalyzer.java

This method has 5 registers total, 1 local register, and 4 parameter registers. v0 is the local register, of course, and v1-v4 are parameter registers, and can also be accessed as p0-p3. i.e. v1 is the same as p0, v2 is the same as p1, etc.

Just before the call to Log.d, you set v1 to a string. But as I mentioned above, v1 is an alias for p0, so you've just clobbered the this reference. And so, when you try to call Lcom/a/a/a/a;->a(...)Lcom/a/a/a/j;, the verifier sees that p0 contains a string, not a Lcom/a/a/a/a;, and it fails verification.