The return-void instruction is parsed as invoke-static.

[sidra-asa]

Environment

# copypaste this script into your shell and 
$ date; r2 -v; uname -ms
Thu May  4 09:26:39 CST 2023
radare2 5.8.5 30055 @ darwin-x86-64 git.5.8.4-5-g8527abff55
commit: 8527abff556297080539e47f7da88c14183af90e build: 2023-03-16__23:16:32
Darwin x86_64

Description

When analyzing an APK(SHA1: 42b25b60aa7d6d9f0b388c10a45e8a8f8c1fc718),
r2 parses the return-void instructions as other instructions.

Take offset 112952 as an example.
After I run aa command, pdfj command returns an invoke-static instruction.

{
      "offset": 112952,
      "esil": "8,sp,-=,0x1b93e,sp,=[8],0xffffffffffffffff,ip,=",
      "refptr": 0,
      "fcn_addr": 112712,
      "fcn_last": 112986,
      "size": 6,
      "opcode": "invoke-static {}, method+24916",
      "disasm": "invoke-static {}, method+24916",
      "bytes": "71005461a200",
      "family": "cpu",
      "type": "ucall",
      "reloc": false,
      "type_num": 4,
      "type2_num": 0,
      "addrline": {
        "file": "Gps.java",
        "line": 85
      },
      "flags": [
        "method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onProviderEnabled_Ljava_lang_String__V"
      ]
    },

However, it is disassembled as return-void by Jadx.

And the decompiled code shows that onProviderEnabled is a void function.

Please let me know if anything is unclear.

[trufae]

return-void is the byte '0e', the instruction you are showing in aoj starts with 71 which is correctly an invoke-static. so i assume you are analyzing function metadata as code instead. can you share the binary? because from my tests i see the same return-void in dexdump as in r2

[sidra-asa]

@trufae
Yes. You may get the sample from here.

[trufae]

i dont see anything wrong. this method is empty and the first instruction is a return-void.

[sidra-asa]

@trufae

I did some recheck and found the analysis results are different depending on how R2 opens the APK.

If I use r2 apk://14d9f1a92dd984d6040cc41ed06e273e.apk to analyze the sample,
the instruction in 0x0001b938 is invoke-static.

$ r2 apk://14d9f1a92dd984d6040cc41ed06e273e.apk
 -- The door controls time and space.
[0x00021298]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
WARN: set your favourite calling convention in `e anal.cc=?`
INFO: Analyze all functions arguments/locals (afva@@@F)

[0x00021298]> pd $r @ method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onProviderEnabled_Ljava_lang_String__V
│      ;-- method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onProviderEnabled_Ljava_lang_String__V:
│      0x0001b938   71005461a200  invoke-static {}, method+24916 ; Gps.java:85
│      0x0001b93e   6e1060000100  invoke-virtual {v1}, Landroid/media/MediaRecorder.prepare()V ; 0x60
│      0x0001b944   5461a200    iget-object v1, v6, Lcom/google/progress/AndroidClientService;->mr Landroid/media/MediaRecorder;
│      0x0001b948 ~  6e1067000100  invoke-virtual {v1}, Landroid/media/MediaRecorder.start()V ; 0x67
│      ;-- method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onStatusChanged_Ljava_lang_String_ILandroid_os_Bundle__V:

However, if I analyze the dex file with r2 14d9f1a92dd984d6040cc41ed06e273e/classes.dex ,
the result is the same as yours.

$ r2 14d9f1a92dd984d6040cc41ed06e273e/classes.dex 
 -- Please insert disc 2 and press any key to continue...
[0x0001a6a0]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
WARN: set your favourite calling convention in `e anal.cc=?`
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x0001a6a0]> pd $r @ method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onProviderEnabled_Ljava_lang_String__V
      ;-- Lcom/google/progress/Gps$1.method.onProviderEnabled(Ljava/lang/String;)V:
┌ 2: method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onProviderEnabled_Ljava_lang_String__V ();
└     0x0001b938   0e00      return-void         ; Gps.java:85
      0x0001b93a   0000      nop
      0x0001b93c   0400      move-wide v0, v0
      0x0001b93e   0400      move-wide v0, v0
      0x0001b940   0000      nop
      0x0001b942   0000      nop
      0x0001b944   67af0400    sput v175, Landroid/net/wifi/WifiConfiguration;->SSID Ljava/lang/String; ; 0x6424 ; u"'\xc7\u05ec"
      0x0001b948   0100      move v0, v0
      0x0001b94a   0000      nop
      ;-- Lcom/google/progress/Gps$1.method.onStatusChanged(Ljava/lang/String;ILandroid/os/Bundle;)V:
┌ 2: method.public.Lcom_google_progress_Gps_1.Lcom_google_progress_Gps_1.method.onStatusChanged_Ljava_lang_String_ILandroid_os_Bundle__V ();
└      0x0001b94c   0e00      return-void         ; Gps.java:87

Please let me know if anything is unclear.

[trufae]

oook , i just found the root cause of the problem it have nothing to do with the disassembler or the instructions. its just loading the bin in a diffeerent base address and not relocating all the symbols. i have fixed it in a PR, but its still not pleasing all the tests yet.

i added tests, so ill close the ticket when merging.

thanks and sorry for the delay i was busy in many other issues