This is actually nothing new; it is probably what a lot of people have been doing for a long time already. You can use this technique to do security reviews, to crack license mechanisms of apps, to check how easy it is to modify your own app, or to do malware research. I’m not saying you should or shouldn’t do any of these. As usual, tested on Mac OS X only, but it should work on Linux or other Unix systems, too.
You need the following folder structure (or simply download the Android-app-disassembling-reassembling.zip):
- Folder called “apks-to-process”
- Folder called “external-tools”
- File “disassemble.sh” (see below)
- File “reassemble.sh” (see below)
- In the “external-tools” folder put apktool.jar
- In the “apks-to-process” folder put your Android app apk file
After you run disassemble.sh you will find the smali code for your app in the “outputs/smali-output” directory. Now you can change the app as you like. Here are three suggestions:
- I recommend adding the android:debuggable="true" attribute to the application tag in AndroidManifest.xml. Afterwards you will be able to see the application’s log messages in logcat (“adb logcat” when your phone is connected via USB).
- Replace one of the png files in the resources folder
- If your application is creating a new instance of a SecretKeySpec for encryption (something like “new-instance v1, Ljavax/crypto/spec/SecretKeySpec” in smali; grep for it), try to dump the contents of the secret key. That’s pretty easy with IGLogger. Download the IGLogger files and put the iglogger.smali file in the folder “outputs/smali-output/ /smali/”. Then open the file where you found the SecretKeySpec initialisation. Add a new instruction after the invoke-direct line that initialises the SecretKeySpec (e.g. “invoke-direct {v4, v5, v6}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V”). This is the place where the secret key is passed to the SecretKeySpec constructor. As we know that the first argument is the secret key, we have to log the Dalvik VM’s register v4. Add “invoke-static {v4}, Liglogger;->d([B)I” after the initialisation statement.
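The grep described in the last suggestion can be automated over the whole smali output. The following Python script is an added example (not code from the original post, from apktool or from IGLogger): it walks the .smali files, finds every SecretKeySpec(byte[], String) constructor call, names the register that carries the key bytes, and flags the case a security review is most interested in, namely key bytes that are simply String.getBytes() of a string literal in the same method. Note that in a smali invoke-direct to <init> the first register holds the object being constructed, so for “invoke-direct {v4, v5, v6}, …SecretKeySpec;-><init>([BLjava/lang/String;)V” the byte[] key material is in v5 and the algorithm name in v6; the script reports registers on that basis. The sample smali, the class name Lcom/example/Crypto; and the method names are constructed for this example; the literal tracking (const-string, getBytes, move-result-object) is a heuristic and does not follow other register writes.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample smali for a hypothetical class (not from the page): one
# method builds its key from a string literal, the other from a parameter.
SAMPLE_SMALI = """\
.class public Lcom/example/Crypto;
.super Ljava/lang/Object;
.method public static keyFromConstant()Ljavax/crypto/spec/SecretKeySpec;
    .locals 3
    const-string v0, "0123456789abcdef"
    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B
    move-result-object v1
    new-instance v2, Ljavax/crypto/spec/SecretKeySpec;
    const-string v0, "AES"
    invoke-direct {v2, v1, v0}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V
    return-object v2
.end method
.method public static keyFromCaller([B)Ljavax/crypto/spec/SecretKeySpec;
    .locals 2
    new-instance v0, Ljavax/crypto/spec/SecretKeySpec;
    const-string v1, "AES"
    invoke-direct {v0, p0, v1}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V
    return-object v0
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*(?P<name>\S+)\s*$")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+(?P<reg>[vp]\d+),\s*"(?P<val>(?:[^"\\]|\\.)*)"')
GETBYTES_RE = re.compile(r"^\s*invoke-virtual\s+\{(?P<reg>[vp]\d+)(?:,[^}]*)?\},\s*Ljava/lang/String;->getBytes\(")
MOVE_RESULT_RE = re.compile(r"^\s*move-result-object\s+(?P<reg>[vp]\d+)")
# The constructor call the post tells you to grep for; the /range form is handled too.
KEYSPEC_INIT_RE = re.compile(
    r"^\s*invoke-direct(?P<range>/range)?\s+\{(?P<regs>[^}]*)\},\s*"
    r"Ljavax/crypto/spec/SecretKeySpec;-><init>\(\[BLjava/lang/String;\)V"
)


def parse_regs(regs: str, is_range: bool) -> List[str]:
    """Expand 'v2, v1, v0' or the range form 'v0 .. v2' into a register list."""
    if is_range:
        first, last = (r.strip() for r in regs.split(".."))
        return [f"{first[0]}{i}" for i in range(int(first[1:]), int(last[1:]) + 1)]
    return [r.strip() for r in regs.split(",") if r.strip()]


def find_key_specs(smali: str) -> List[dict]:
    """One finding per SecretKeySpec(byte[], String) construction in the smali text.

    Heuristic: per method, track which registers hold a string literal and which
    hold the bytes of such a literal (const-string -> getBytes -> move-result-object).
    Registers written by instructions not tracked here are treated as unknown.
    """
    findings: List[dict] = []
    method: Optional[str] = None
    literals: Dict[str, str] = {}       # register -> string literal it holds
    literal_bytes: Dict[str, str] = {}  # register -> literal whose bytes it holds
    pending: Optional[str] = None       # literal whose getBytes() result is pending
    for lineno, line in enumerate(smali.splitlines(), 1):
        m = METHOD_RE.match(line)
        if m:
            method, literals, literal_bytes, pending = m.group("name"), {}, {}, None
            continue
        if line.strip() == ".end method":
            method = None
            continue
        m = CONST_STR_RE.match(line)
        if m:
            literals[m.group("reg")] = m.group("val")
            literal_bytes.pop(m.group("reg"), None)
            continue
        m = GETBYTES_RE.match(line)
        if m:
            pending = literals.get(m.group("reg"))  # None if the receiver is not a literal
            continue
        m = MOVE_RESULT_RE.match(line)
        if m:
            if pending is not None:
                literal_bytes[m.group("reg")] = pending
            else:
                literal_bytes.pop(m.group("reg"), None)
            pending = None
            continue
        if line.lstrip().startswith("invoke-"):
            pending = None  # any other call discards a pending getBytes() result
        m = KEYSPEC_INIT_RE.match(line)
        if m:
            regs = parse_regs(m.group("regs"), bool(m.group("range")))
            # regs[0] is the SecretKeySpec being constructed ('this'); the byte[]
            # key material is regs[1] and the algorithm name is regs[2].
            key_reg = regs[1]
            findings.append({"method": method, "line": lineno, "key_register": key_reg,
                             "algorithm": literals.get(regs[2]),
                             "hardcoded_key": literal_bytes.get(key_reg)})
    return findings


def review(smali: str) -> List[str]:
    """Human-readable review lines; [WARN] marks keys built from a string literal."""
    out = []
    for f in find_key_specs(smali):
        where = f"{f['method']} line {f['line']}"
        if f["hardcoded_key"] is not None:
            out.append(f"[WARN] {where}: {f['algorithm']} key in {f['key_register']} "
                       f"is the bytes of string literal {f['hardcoded_key']!r}")
        else:
            out.append(f"[INFO] {where}: {f['algorithm']} key in {f['key_register']} "
                       f"is not a string literal in this method")
    return out


if __name__ == "__main__":
    # Usage: python smali_keyspec_review.py outputs/smali-output/<app.apk>/smali
    # Without an argument the constructed sample above is reviewed.
    if len(sys.argv) > 1:
        for path in sorted(Path(sys.argv[1]).rglob("*.smali")):
            for msg in review(path.read_text(errors="replace")):
                print(f"{path}: {msg}")
    else:
        print("\n".join(review(SAMPLE_SMALI)))
```

Run it over the directory disassemble.sh produced for your app; every [WARN] line is a key that ships inside the apk as a string literal, which is exactly what the IGLogger trick above would confirm at runtime.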
After you have done all your modifications, run reassemble.sh. It produces an apk file you can install on your device (see the last message that reassemble.sh prints). If you have added IGLogger, you will see a line in logcat that prints the secret key (for example run “adb logcat|grep -i IGLogger”).
Happy hacking
floyd
Here’s the disassemble.sh that will disassemble your apk file to smali code:
#!/bin/bash
ORGWD=$(pwd)

#Configurable Parameters
APKLOCATION="$ORGWD/apks-to-process" #where the APK files are stored that should be processed
#Disassembling
SMALI_TARGET="$ORGWD/outputs/smali-output" #Where to save the results
APKTOOLSTART="java -jar $ORGWD/external-tools/apktool.jar" #The apktool

########
#Normally you should not need to change anything below here
########

#Look for the files to disassemble
cd "$APKLOCATION" || exit 1
FILES=$(ls *.apk)

if [ -e "$SMALI_TARGET" ]
then
    echo "[ERROR] Please delete/rename $SMALI_TARGET folder first!"
    exit 1
else
    #-p also creates the parent "outputs" folder, which is not part of the initial folder structure
    mkdir -p "$SMALI_TARGET"
fi

for f in $FILES
do
    echo "[INFO] Disassembling $f"
    $APKTOOLSTART d "$f" "$SMALI_TARGET/$f"
done

cd "$ORGWD"
Here’s the reassemble.sh code that will reassemble your app into a signed, ready-to-install Android apk file:
#!/bin/bash
ORGWD=$(pwd)

#Configurable Parameters
APKLOCATION="$ORGWD/outputs/faked-apks" #where the APK files will be stored that should be produced
#Reassembling
SMALI_TARGET="$ORGWD/outputs/smali-output" #Where to get the apps to reassemble
APKTOOLSTART="java -jar $ORGWD/external-tools/apktool.jar" #The apktool

########
#Normally you should not need to change anything below here
########

#Look for the disassembled apps to reassemble
cd "$SMALI_TARGET" || exit 1
FILES=$(ls)

if [ -e "$APKLOCATION" ]
then
    echo "[ERROR] Please delete/rename $APKLOCATION folder first!"
    exit 1
else
    mkdir -p "$APKLOCATION"
fi

for f in $FILES
do
    echo "[INFO] Reassembling $f"
    $APKTOOLSTART b "$SMALI_TARGET/$f" "$APKLOCATION/$f"
    #Generate a throwaway signing key once; the apk must be signed before it can be installed
    if [ ! -f "$APKLOCATION/someone.keystore" ]
    then
        keytool -genkey -noprompt -dname "CN=example.ch, OU=floydsReassembling, O=example, L=example, S=example, C=CH" -storepass password -keypass password -alias someone -validity 100000 -keystore "$APKLOCATION/someone.keystore" -keyalg RSA -keysize 2048
    fi
    jarsigner -verbose -storepass password -keypass password -sigalg SHA1withRSA -digestalg SHA1 -keystore "$APKLOCATION/someone.keystore" "$APKLOCATION/$f" someone
    #zipalign needs distinct input and output files
    mv "$APKLOCATION/$f" "$APKLOCATION/$f.unaligned"
    zipalign -v 4 "$APKLOCATION/$f.unaligned" "$APKLOCATION/$f"
done

echo "TODO:"
echo "adb install \"$APKLOCATION/$f\""
cd "$ORGWD"