
How to search what you need?

charles2gan edited this page Sep 11, 2023 · 1 revision

The GDA decompiler has powerful and fast search capabilities. In addition to searching strings, classes, methods, and members, it also provides resource search and binary search. In the latest version, search is available in four places: the commonly used search window (S); in-page search on code pages (Ctrl+F); class search in the tree box (activated by the mouse pointer); and global file search in file forensics. This article introduces all of these search functions in one place, so that you can meet different search requirements.

1. The search window is as follows:

Search types are divided into two categories, base search and extended search (a complete, exact match can be achieved by enclosing the term in double quotation marks ""). Base search is the default; it searches the item types that are checked. Note the x-ref check-box on the right side. If it is checked, the search results are the positions that reference the class, method, field, or string (usually a caller method, meaning the searched content is used at that position in the code). If it is unchecked, the search results are just the classes, methods, fields, and strings themselves.

Note also that if class is checked here, the matching target is the full name of the class (with package name), while for method and field, the match is against the name without the package name. For example, if you search for 'com', then both 'com.base.mysevice;' and 'javax.mail.search.xcommon;' will be matched. You can also include '.' to search by package name: searching for 'mail.search.' matches the class 'javax.mail.search.xcommon;'.

If you need to match only the class name, you can enable extended search or use the search box at the bottom of the tree box. As shown in the figure:

Extended search can also search for resources, binary bytecode, and packages with methods. Search for package names with methods:

Search for the names/IDs of resources, and the result is the caller method of the resource.

Search for binary code, and the search result is the method containing the matched bytecode. Binary search lets you search for a single instruction or for multiple instructions (written like '10e201' or '10 e2 01'), but you cannot search for smali text directly. After you double-click a result, GDA switches the code display to smali mode and enables the bytecode display.

Double-click to view the code.

2. On-page search:

All code pages support Ctrl+F for searching within the current code.

3. Tree box search:

Move the mouse pointer over the bottom of the tree box, and the search box will be displayed. The search results are shown in the tree box. Click on a result to jump directly to the class node and display the decompiled code of the class.

4. Document forensics analysis:

Before opening the file forensics analysis window, GDA automatically extracts all files in the APK file and displays them in the list box. When you perform a search, GDA searches all files in the APK. Each matched file is highlighted with a background color and listed in the list box at the bottom left of the file list. Double-click a file to view its content (hexadecimal, ASCII, and Unicode display are supported).

Note that when you double-click to view a file, GDA navigates directly to the offset of the match. You can press F3 to view the next match.
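To cross-check file forensics results outside GDA, the same kind of search can be scripted. The following is an added example, not GDA's own code: it searches every file in an APK for a term in both ASCII and UTF-16LE form and reports each match offset. The function names, the sample archive, and the `example.test` term are constructed for illustration.

```python
import io
import zipfile

def build_sample_apk() -> bytes:
    """Constructed sample: a tiny ZIP standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/config.json", b'{"endpoint": "http://example.test/api"}')
        z.writestr("res/raw/strings.bin", b"\x00pad" + "example.test".encode("utf-16-le"))
        z.writestr("lib/notes.txt", b"example.test and again example.test")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(16))
    return buf.getvalue()

def find_all(data: bytes, needle: bytes):
    """Return every offset of needle in data, overlapping matches included."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def search_apk(apk_bytes: bytes, term: str):
    """Search every archive member for an ASCII term, as ASCII and as UTF-16LE.

    Returns {member_name: [(offset, encoding), ...]} sorted by offset.
    Offsets are relative to the decompressed member content, which is
    what a hex viewer shows after the file has been extracted.
    """
    needles = {"ascii": term.encode("ascii"), "utf-16-le": term.encode("utf-16-le")}
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            hits = sorted((off, enc) for enc, n in needles.items()
                          for off in find_all(data, n))
            if hits:
                results[info.filename] = hits
    return results

if __name__ == "__main__":
    for name, hits in search_apk(build_sample_apk(), "example.test").items():
        for off, enc in hits:
            print(f"{name}: offset 0x{off:x} ({enc})")
```

For a real sample, pass the bytes of the APK file to `search_apk` instead of the constructed archive.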