Extract Byte Array from a FilledNewArrayNode

[RealOkabe]

Hello,

I have been trying to extract the Byte Array from a FilledNewArrayNode and I cannot figure out how to do that. Looking at the example scripts, I can see that Strings can be extracted by just using the .string property of the ConstStringNode, but that doesn't seem to be the case for FilledNewArrayNode. Any ideas?

[skylot]

@RealOkabe FilledNewArrayNode stores array elements in instruction arguments, so you can get them by iterating arguments.
But args can store data in different way: const literal in LiteralArg, a variable in RegisterArg or a wrapped intruction in InsnWrapArg.
For simple constant values, here an example script:

import jadx.core.dex.instructions.InsnType
import jadx.core.dex.instructions.args.LiteralArg

val jadx = getJadxInstance()

jadx.replace.insns { _, insn ->
	if (insn.type == InsnType.FILLED_NEW_ARRAY) {
		val byteArr = ByteArray(insn.argsCount)
		var i = 0
		insn.arguments.forEach { arg ->
			if (arg is LiteralArg) {
				byteArr[i++] = arg.literal.toByte()
			}
		}
		jadx.log.info { "Array: ${byteArr.asList()}" }
	}
	null
}

For this smali sample:

.class public final Ltest/Example;
.super Ljava/lang/Object;

.method public test()[B
    .registers 10
    const/4 v1, 0x1
    const/4 v2, 0x2
    const/4 v3, 0x3

    filled-new-array {v1, v2, v3}, [B
    move-result-object v1
    return-object v1
.end method

Output will be:

Array: [1, 2, 3]

[RealOkabe]

Thank you for the answer. That works for literals in a byte array.
Can you also give an example code for when the arguments are like [1, var1, 2, var2] in the byte array? Those are very tricky to work with.

[skylot]

@RealOkabe you can try this method

jadx/jadx-core/src/main/java/jadx/core/utils/InsnUtils.java

Line 62 in 681f8a9

public static Object getConstValueByArg(RootNode root, InsnArg arg) {

like this:

import jadx.core.dex.instructions.InsnType
import jadx.core.dex.instructions.args.LiteralArg
import jadx.core.utils.InsnUtils

val jadx = getJadxInstance()

jadx.replace.insns { mth, insn ->
	if (insn.type == InsnType.FILLED_NEW_ARRAY) {
		val byteArr = ByteArray(insn.argsCount)
		var i = 0
		insn.arguments.forEach { arg ->
			val constVal = InsnUtils.getConstValueByArg(mth.root(), arg)
			if (constVal is LiteralArg) {
				byteArr[i++] = constVal.literal.toByte()
			}
		}
		jadx.log.info { "Array: ${byteArr.asList()}" }
	}
	null
}

It should handle most cases of moved constants

[RealOkabe]

@skylot thank you for all your help. The code you provided works for almost all cases. I appreciate it.