{"id":346,"date":"2013-03-04T21:58:37","date_gmt":"2013-03-05T02:58:37","guid":{"rendered":"http:\/\/sunapi386.ca\/wordpress\/?p=346"},"modified":"2015-10-28T16:51:14","modified_gmt":"2015-10-28T21:51:14","slug":"hacking_android_apk","status":"publish","type":"post","link":"https:\/\/sunapi386.ca\/wordpress\/hacking_android_apk\/","title":{"rendered":"Hacking Android APK Tutorial"},"content":{"rendered":"

Hacking Android APK Tutorial<\/h1>\n

Tutorial on hacking an Android APK file, which is an android app file, we decompile, hack it, and recompile. I will go through the setup and basic commands.<\/p>\n

Introduction to APK format<\/b><\/h2>\n

Apps in Android have an extension of .apk format – which is basically a special .zip container that is signed with a certificate. The signer could be somebody like Google Apps Store. The idea is that modifying the .apk file means the signature is invalidated, to prevent installation of\u00a0modified\u00a0apps.<\/p>\n

The main line of defence from installing malicious APK files is to make sure they are downloaded from the Google Apps Store. But once the APK (app) is in the users\u2019 hands, it is unprotected. Most premium apps can be rooted, so ripping apps is easy.<\/p>\n

<\/p>\n

Introduction to modifications<\/b><\/h2>\n

Modifying an APK file is somewhat difficult, depending on the quality of the app. The Dalvik (Android\u2019s virtual machine), prevents code obfuscation – which is the deliberate act of creating hard to understand code. Since the Dalvik supports reflection<\/i>, and the virtual machine has to be able to interpret the byte code, no obfuscation can ever hope to compete. Note, reflection <\/i>is the ability of a computer program to examine and modify the structure and behavior – specifically the values, meta-data, properties and functions of an object at runtime. Obfuscation products like ProGuard may become more advanced with time but intense obfuscation will likely have a very negative impact on performance.<\/p>\n

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or for Java Micro Edition.<\/p>\n

High level overview:<\/b><\/h2>\n
    \n
  1. Suppose I have an APK file<\/i><\/li>\n
  2. I want to decompile it into something like assembly language<\/i><\/li>\n
  3. We can do that using the APK Tool, which turns decompiles it into a folder with smali files.<\/li>\n
  4. You should know what a smali file is \u2013 basically assembly code.
    \nSee https:\/\/code.google.com\/p\/smali\/<\/a><\/li>\n
  5. Then we dig through the smali code and make change to get our desired results.<\/li>\n
  6. I will cover this lightly. Exactly what to change and how to find it is beyond my scope of knowledge, I only understand basic ideas. Also, there textbooks on how to analyse decompiled code.<\/li>\n
  7. We recompile the smali file into APK file<\/li>\n
  8. Install and test it on the emulator<\/li>\n
  9. Done.<\/li>\n<\/ol>\n

    The Setup<\/b><\/h2>\n

    To start playing with your own modifications, you need several tools.<\/p>\n

      \n
    1. Eclipse, to code your own apps (optional again, but the package manager is nice to use)
      \n      http:\/\/www.eclipse.org\/downloads\/<\/a><\/li>\n
    2. Java SDK, to do Java development (optional really \u2013 but get it anyways)
      \n      http:\/\/www.oracle.com\/technetwork\/java\/javase\/downloads\/index.html<\/a><\/li>\n
    3. Android SDK, for the Android emulator
      \n      http:\/\/developer.android.com\/sdk\/index.html<\/a><\/li>\n
    4. APK Tool, to reverse engineer APK files and create smali files
      \n      http:\/\/code.google.com\/p\/android-apktool\/<\/a><\/li>\n
    5. Notepad++, a great program that has syntax highlighting addon pack for smali
      \n      http:\/\/notepad-plus-plus.org\/<\/a><\/li>\n
    6. Addon syntax highlighting for Smali
      \n      http:\/\/androidcracking.blogspot.com\/2011\/02\/smali-syntax-highlighting-for-notepad.html<\/a><\/li>\n
    7. Amon_RA\u2019s Testsign tool, for signing the recompiled APK file
      \n      https:\/\/sites.google.com\/site\/chall32\/general\/testsign.jar<\/a><\/li>\n<\/ol>\n

      The Usage<\/b><\/h2>\n

      This will be a walkthrough on how to start your hack.<\/p>\n

      There\u2019s a nice guide on how to setup everything on the Android SDK website; http:\/\/developer.android.com\/sdk\/installing\/index.html<\/a><\/p>\n

      To run the Android emulator, use their Android Virtual Devices Manager. Make a choice in what you want your device to be; just keep in mind the higher the resolution the slower it\u2019ll be. Expect the emulator to run with heavy lag. My manager is located at:<\/p>\n

      C:\\Program Files (x86)\\Android\\android-sdk\\AVD Manager.exe<\/pre>\n
      Open up a terminal, cmd. Most of the tools you require are in the ..\\android-sdk\\platform-tools<\/i> folder. Some of them may be in ..\\android-sdk\\tools<\/i><\/p>\n
      In this terminal, there are some commands you want to be familiar with.<\/p>\n\n\n\n\n\n\n\n\n
      \n
      Command<\/b><\/p>\n<\/td>\n
      		\n
      Effect<\/b><\/p>\n<\/td>\n<\/tr>\n
      abd install [..\\location\\someapp.apk]<\/td>\nInstalls to emulator. Make sure emulator is on!<\/td>\n<\/tr>\n
      adb uninstall [com.someapp]<\/td>\nExactly what to type requires a bit of work, it\u2019s basically the path the android uses. I\u2019ll describe it more later.<\/td>\n<\/tr>\n
      apktool.bat d someapp.apk dump- someapp<\/td>\nDecompiles your APK to smali files<\/td>\n<\/tr>\n
      apktool.bat b dump- someapp someapp-new.apk<\/td>\nRebuild the edited smali files<\/td>\n<\/tr>\n
      java \u2013classpath testsign.jar testsign someapp-new.apk<\/td>\nFake sign the file with some certificate, so that when we install, emulator goes \u201coh ok here\u2019s the signature, and it matches the file, we can proceed\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
       <\/p>\n
      Digging through the decompiled smali code<\/b><\/h2>\n
      I\u2019m going to cover this vaguely, because I myself am not that familiar with it. Basically you look at the smali files, the xml files, and find interesting stuff that you think is relevant to what you want to do.<\/p>\n
      Start at a point, such an error message, and work backwords. Say the message \u201cInvalid serial key entered!\u201d \u2013 trace that back to where the key gets checked.<\/p>\n
      When bypassing things like serial key checks, look for check conditions:<\/p>\n