How does packed-switch work on Android as smali produced by apktool?

Question

I'm trying to reverse engineer an apk with apktool d and the smali it produces contains packed-switch statements which I don't fully understand. A method contains:

packed-switch v0, :pswitch_data_0

Followed later in the code with labels like :pswitch_X where X is a number and at the end of the method with:

:pswitch_data_0
.packed-switch 0x7f060395
    :pswitch_4
    :pswitch_5
    :pswitch_1
.end packed-switch

What exactly does this do? It looks like a list of places to jump to, but on what condition? What does it do with 0x7f060395?

Answer 1

Switches are in two parts, as you noticed. The second part you listed is the payload pseudo-instruction, that contains all the switch cases. The first part is a packed-switch instruction, which defines the register containing the value to check, and refers to a payload instruction using a label.

For a packed-switch, the case values in the payload pseudo-instruction are sequential, and only the first value is actually given (in this case, 0x7f060395)

For your example specifically, when the packed-switch instruction is executed, it will check the value of the v0 register against the 3 cases in the payload. If the value is 0x7f060395, it will jump to :pswitch_4, if 0x7f060396, it will jump to :pswitch_5, etc.

If the value of the register didn't match any of the cases, then execution will continue with the next instruction after the packed-switch instruction (the one with the register and label, not the payload pseudo-instruction).

The sparse-switch instruction is similar, except that its payload instruction has an explicit value associated with each case, instead of using sequential key values.

You can find all the nitty-gritty details in the dalvik-bytecode document.