So you got an Android application and you would like to tamper with its configuration files? Nothing easier than that as long as you have a rooted Android phone, a SQLite editor and a text editor.
I only wanted to tamper with the databases of the app. I used this script (pull-databases.sh) to get the databases:
```sh
#!/bin/sh
# pull-databases.sh: copy an app's databases from a rooted phone to the local machine
APP=com.example.theNameInYourAndroidManifest
TMP=/data/local/tmp
# Look up the app's UID (the GID is the same); tr strips the CR that older adb versions append
APP_UID=$(adb shell dumpsys package "$APP" | grep userId= | cut -d " " -f 5 | cut -d "=" -f 2 | tr -d '\r')
# after first run, maybe hardcode, so you can also push files when Android is still starting up and before the app started:
#APP_UID=10000

echo "[+] Removing local folder"
rm -rf "./$APP-databases"   # -f: no error on the first run, when the folder does not exist yet
echo "[+] The applications UID and GID is:"
echo "$APP_UID"
echo "[+] Copying database to tmp dir"
adb shell "su -c cp -r /data/data/$APP/databases $TMP/$APP-databases"
echo "[+] chmoding tmp dir to 777"
# Make the temporary copy readable for the unprivileged adb user
adb shell "su -c chmod -R 777 $TMP/$APP-databases"
echo "[+] Pulling database"
adb pull "$TMP/$APP-databases" "$APP-databases"
echo "[+] Removing database in tmp"
adb shell "su -c rm -r $TMP/$APP-databases"
```
You might need to change the cut commands, as they might not work in every case. Then, to upload the databases back to the phone, use this script (push-databases.sh):
```sh
#!/bin/sh
# push-databases.sh: copy the locally edited databases back into the app's data directory
APP=com.example.theNameInYourAndroidManifest
TMP=/data/local/tmp
# Look up the app's UID (the GID is the same); tr strips the CR that older adb versions append
APP_UID=$(adb shell dumpsys package "$APP" | grep userId= | cut -d " " -f 5 | cut -d "=" -f 2 | tr -d '\r')
# after first run, maybe hardcode, so you can also push files when Android is still starting up and before the app started:
#APP_UID=10000

echo "[+] The applications UID and GID is:"
echo "$APP_UID"
echo "[+] Pushing to tmp dir"
adb push "$APP-databases" "$TMP/$APP-databases"
echo "[+] Copying from tmp to app dir"
adb shell "su -c cp -pr $TMP/$APP-databases/* /data/data/$APP/databases/"
# cp -p doesn't seem to preserve mode, but sets it to 666
echo "[+] chmoding app dir"
# attention: 777, easy way out, but databases might have different flags...
adb shell "su -c chmod -R 777 /data/data/$APP/databases"
adb shell "su -c chmod 771 /data/data/$APP/databases"
echo "[+] removing tmp database"
adb shell "su -c rm -r $TMP/$APP-databases"
# cp -p doesn't seem to preserve owner, but sets it to shell
echo "[+] chowning app dir"
adb shell "su -c chown $APP_UID.$APP_UID /data/data/$APP/databases"
adb shell "su -c chown $APP_UID.$APP_UID /data/data/$APP/databases/*"
```
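The `grep | cut` lookup of `APP_UID` depends on the exact indentation of the `dumpsys` output, and an empty or malformed value would flow straight into the `chown` calls. The function below is an added example, not part of the original scripts: it parses the UID more defensively and fails when none is found. The name `extract_app_uid` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: defensive parsing of "userId=" from `dumpsys package` output.

# extract_app_uid: reads dumpsys text on stdin and prints the first numeric
# userId. Returns 1 (and prints nothing) if no valid userId line is present.
extract_app_uid() {
    # tr: drop CRs from older adb; sed: accept any indentation and ignore
    # trailing fields such as "gids=[...]"; head: keep the first match only.
    app_uid=$(tr -d '\r' \
        | sed -n 's/^[[:space:]]*userId=\([0-9][0-9]*\).*$/\1/p' \
        | head -n 1)
    case "$app_uid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: refuse to continue
    esac
    printf '%s\n' "$app_uid"
}

# Constructed sample outputs (not captured from a real device).
sample_new() {      # userId on its own line, CRLF line endings
    printf 'Packages:\r\n  Package [com.example.app] (1a2b3c):\r\n'
    printf '    userId=10123\r\n    pkg=Package{...}\r\n'
}
sample_old() {      # userId followed by other fields on the same line
    printf '    userId=10057 gids=[3003, 1015]\n'
}
sample_missing() {  # package not installed: no userId line at all
    printf 'Unable to find package: com.example.app\n'
}

# Demo: run the parser over the three constructed samples.
for s in sample_new sample_old sample_missing; do
    if u=$($s | extract_app_uid); then
        echo "[+] $s -> UID $u"
    else
        echo "[-] $s -> no userId found, aborting would be correct here"
    fi
done

# In the scripts on this page the lookup would then read (requires adb):
#   APP_UID=$(adb shell dumpsys package "$APP" | extract_app_uid) || exit 1
```
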
If you want to get the entire configuration of the app, you can use this script (pull-all.sh):
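```sh
#!/bin/sh
# pull-all.sh: copy the app's entire data directory from a rooted phone to the local machine
APP=com.example.theNameInYourAndroidManifest
TMP=/data/local/tmp
# Look up the app's UID (the GID is the same); tr strips the CR that older adb versions append
APP_UID=$(adb shell dumpsys package "$APP" | grep userId= | cut -d " " -f 5 | cut -d "=" -f 2 | tr -d '\r')
# after first run, maybe hardcode, so you can also push files when Android is still starting up and before the app started:
#APP_UID=10000

echo "[+] Removing local folder"
rm -rf "./$APP"   # -f: no error on the first run, when the folder does not exist yet
echo "[+] The applications UID and GID is:"
echo "$APP_UID"
echo "[+] Copying app dir to tmp dir"
adb shell "su -c cp -r /data/data/$APP $TMP/$APP"
echo "[+] chmoding tmp dir to 777"
# Make the temporary copy readable for the unprivileged adb user
adb shell "su -c chmod -R 777 $TMP/$APP"
echo "[+] Pulling app dir from tmp"
adb pull "$TMP/$APP" "$APP"
echo "[+] Removing app dir in tmp"
adb shell "su -c rm -r $TMP/$APP"
```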
As I didn’t need to push the entire app configuration, I didn’t write a push-all.sh script. That could get messy with the permissions and I didn’t want to do a chmod 777. But of course you can do that if you like.
These simple scripts got me some really nice results during pentests. Activate apps that I only had in the free version. Reset the app’s PIN lock count. Disable ads showing in the application.