Smali - Decompiling/[Modifying]/Compiling
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group, follow @hacktricks_live on X/Twitter, or check the LinkedIn page and YouTube channel.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Sometimes it is useful to modify the application code to reach information that is hidden from you (perhaps well-obfuscated passwords or flags). In that case it can be worth decompiling the apk, modifying the code and recompiling it.
Opcodes reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Fast Way
Using Visual Studio Code and the APKLab extension, you can automatically decompile, modify, recompile, sign & install the application without running a single command.
Another script that makes this task much easier is https://github.com/ax/apk.sh
Split APKs / App Bundles
Modern apps are frequently delivered as split APKs (base.apk + split_config.*.apk) instead of a single monolithic APK. If you only modify base.apk, the resources or native libraries can end up out of sync and the installation may fail.
Quick triage from a device:
adb shell pm path com.example.app
adb pull /data/app/.../base.apk
adb pull /data/app/.../split_config.arm64_v8a.apk
adb pull /data/app/.../split_config.en.apk
If the target is a split package, rebuild the whole set or use tooling that can merge the APKs first. apk.sh is handy here because it can merge split APKs into a single patchable APK and fix up the public resource identifiers. For repacking workflows aimed at Frida/Objection, also see Android Anti-Instrumentation & SSL Pinning Bypass.
Decompile the APK
Using APKTool you can access the smali code and resources:
apktool d APP.apk
If apktool gives you any error, try installing the latest version
Some interesting files you should look at are:
- res/values/strings.xml (and all xmls inside res/values/*)
- AndroidManifest.xml
- Any file with extension .sqlite or .db
If apktool has problems decoding the application, take a look at https://ibotpeaches.github.io/Apktool/documentation/#framework-files or try using the argument -r (do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have that problem (but you won't decompile the resources either).
Modify smali code
You can change instructions, change the value of some variables or add new instructions. I modify the Smali code using VS Code; then install the smalise extension and the editor will tell you if any instruction is incorrect.
Some examples can be found here:
Or you can check below some Smali changes explained.
Recompile the APK
After modifying the code you can compile it using:
apktool b . #In the folder generated when you decompiled the application
It will compile the new APK inside the dist folder.
If apktool throws an error, try installing the latest version
Sign the new APK
Then, you need to generate a key (you will be asked for a password and some information that you can fill in arbitrarily):
keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>
Finally, sign the new APK:
jarsigner -keystore key.jks path/to/dist/* <your-alias>
jarsigner still works for some quick tests, but on modern Android versions apksigner is recommended because it handles the newer APK signature schemes.
Optimize the new application
zipalign is an archive alignment tool that provides an important optimization for Android application (APK) files. More information here.
zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk
If the APK bundles native libraries (lib/*.so), Android now recommends using -P 16 so that the .so files are aligned correctly for devices with both 16 KiB and 4 KiB page sizes:
zipalign -P 16 -f -v 4 infile.apk outfile.apk
Sign the new APK (again?)
If you prefer to use apksigner instead of jarsigner, you must sign the APK after applying the zipalign optimization. BUT NOTE THAT YOU ONLY HAVE TO SIGN THE APP ONCE, EITHER WITH jarsigner (before zipalign) OR WITH apksigner (after zipalign).
apksigner sign --ks key.jks ./dist/mycompiled.apk
A more modern and practical flow is:
apktool b . -o dist/app-unsigned.apk
zipalign -P 16 -f -v 4 dist/app-unsigned.apk dist/app-aligned.apk
apksigner sign --ks key.jks --out dist/app-signed.apk dist/app-aligned.apk
apksigner verify --verbose --print-certs dist/app-signed.apk
Important notes:
- If you modify the APK after signing it with apksigner, the signature breaks and you will have to sign it again.
- apksigner verify --print-certs is useful to confirm that the rebuilt APK is installable and to inspect the certificate the target will present at runtime.
Modifying Smali
For the following Hello World Java code:
public static void printHelloWorld() {
System.out.println("Hello World");
}
The Smali code would be:
.method public static printHelloWorld()V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World"
invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
The Smali instruction set is available here.
Small Changes
Modify the initial values of a variable inside a function
Some variables are declared at the beginning of the function using the const opcode; you can modify their values, or you can declare new ones:
#Number
const v9, 0xf4240
const/4 v8, 0x1
#Strings
const-string v5, "wins"
Operesheni za Msingi
#Math
add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0
mul-int/lit8 v0, v2, 0x2 #v2 * 0x2 and save it in v0 (literal form; plain mul-int takes three registers)
#Move the value of one register into another
move v1, v2
#Conditions
if-ge #Greater or equal
if-le #Less or equal
if-eq #Equal
#Get/Save attributes of an object
iget v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save this.o inside v0
iput v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save v0 inside this.o
#goto
:goto_6 #Declare this where you want to start a loop
if-ne v0, v9, :goto_6 #If not equal, go to :goto_6
goto :goto_6 #Always go to :goto_6
Big Changes
Things in Smali that can break the rebuild
- Prefer increasing .locals when you only need temporary registers inside the body of an existing method. Parameter registers (p0, p1…) are mapped onto the highest registers of the method, so blindly changing .registers often breaks the argument layout.
- move-result, move-result-wide and move-result-object must appear immediately after the matching invoke-*. Inserting logging or any other opcode between them makes the method invalid.
- long and double values are wide and occupy a register pair. If you reuse those registers later, remember that v10 also occupies v11.
- If you need to pass many registers, or ones with very high numbers, use the /range variants such as invoke-virtual/range.
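A lint pass that catches the first three of those mistakes before apktool b does, added here as an example (it is not code from the page or from any tool the page mentions). It assumes the text of a single method and runs on a constructed sample:

```python
import re

# Constructed sample (not from the page) with the three kinds of defect described
# above: a wide pair spilling into p0, an opcode between invoke-* and move-result,
# and a parameter register that does not exist.
SAMPLE_METHOD = """\
.method private check(JLjava/lang/String;)Z
    .locals 2
    const-wide/16 v1, 0x0
    invoke-virtual {p0, p3}, Lcom/example/A;->f(Ljava/lang/String;)I
    const/4 v0, 0x1
    move-result v0
    invoke-static {p1, p2, p4}, Lcom/example/A;->g(JI)V
    return v0
.end method
"""
WIDE_DEST = ("const-wide", "move-wide", "move-result-wide", "return-wide")

def param_registers(header):
    """Registers used by parameters: p0 is 'this' unless static; J/D take two."""
    params = re.search(r"\((.*?)\)", header).group(1)
    n = 0 if " static " in header else 1
    for t in re.findall(r"\[*(?:L[^;]+;|[ZBSCIJFD])", params):
        n += 2 if t in ("J", "D") else 1
    return n

def lint_method(smali):
    """Return [(line_no, message)] for register-layout and move-result defects."""
    lines = smali.strip().splitlines()
    nparams, total, prev, problems = param_registers(lines[0]), None, "", []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith((".locals", ".registers")):
            total = int(line.split()[1], 0) + (nparams if ".locals" in line else 0)
        if not line or line[0] in ".:#":
            continue                                   # directives, labels, comments
        opcode = line.split()[0]
        if opcode.startswith("move-result") and not prev.startswith("invoke-"):
            problems.append((no, f"{opcode} must directly follow invoke-*, not {prev}"))
        ops = re.sub(r'"[^"]*"|L[^;\s]+;', "", line)   # ignore strings and descriptors
        for i, (kind, idx) in enumerate(re.findall(r"\b([vp])(\d+)\b", ops)):
            idx = int(idx)
            if total is None:
                problems.append((no, "register used before .locals/.registers"))
            elif kind == "p" and idx >= nparams:
                problems.append((no, f"p{idx} exceeds the {nparams} parameter registers"))
            elif kind == "v" and idx >= total:
                problems.append((no, f"v{idx} exceeds .registers {total}"))
            elif i == 0 and kind == "v" and opcode.startswith(WIDE_DEST) and idx + 1 >= total - nparams:
                problems.append((no, f"wide pair v{idx}/v{idx + 1} overlaps parameter registers"))
        prev = opcode
    return problems
```

Run lint_method on each method you touched; an empty list means the register layout and move-result placement are consistent with the declared .locals.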
Logging
#Log win: <number>
iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
invoke-static {v5}, Ljava/lang/String;->valueOf(I)Ljava/lang/String; #Transform number to String
move-result-object v1 #Move to v1
const-string v5, "wins" #Save "wins" inside v5 (used as the log tag)
invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Log.d("wins", "<num>")
Recommendations:
- If you are going to use declared variables inside the function (declared v0, v1, v2…), put these lines between the .locals line and the declarations of the variables (const v0, 0x1)
- If you want to put the logging code in the middle of the code of a function:
- Add 2 to the number of declared variables: e.g. from .locals 10 to .locals 12
- The new variables should be the next numbers after the already declared variables (in this example they will be v10 and v11; remember that numbering starts at v0).
- Change the code of the logging function and use v10 and v11 instead of v5 and v1.
Patching common anti-tamper checks
When an app is repacked, one of the first things that can break is the in-app signature / installer / integrity check. Good examples of strings to search for in JADX or in the smali tree are:
- GET_SIGNATURES
- GET_SIGNING_CERTIFICATES
- apkContentsSigners
- MessageDigest
- SHA-256
- Base64
- getInstallerPackageName
- com.android.vending
Modern apps often call PackageManager.getPackageInfo(..., GET_SIGNING_CERTIFICATES), hash the signer bytes with MessageDigest, and compare the result with a hardcoded constant. In practice, it is usually simpler to patch the final boolean / branch than to rewrite all of the signature-handling code.
Example patterns:
# Force a boolean result to "valid"
const/4 v0, 0x1
# Or invert the branch that sends execution to the tamper handler
if-eqz v0, :tamper_detected # original
if-nez v0, :tamper_detected # patched
If the verification code is noisy, look for the last comparison before the error dialog / finish() / System.exit() / telemetry call and patch there instead of touching the whole routine.
Toasting
Remember to add 3 to the number of .locals at the beginning of the function.
This code is prepared to be inserted in the middle of a function (change the number of the variables as necessary). It will take the value of this.o, convert it to a String and then show a toast with that value.
const/4 v10, 0x1
const/4 v11, 0x1
const/4 v12, 0x1 #v12 is also the toast duration (1 = Toast.LENGTH_LONG)
iget v10, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v10
invoke-static {v10}, Ljava/lang/String;->valueOf(I)Ljava/lang/String; #Transform number to String
move-result-object v11
invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; #Toast.makeText(this, text, duration)
move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
Loading a Native Library at Startup (System.loadLibrary)
Sometimes you need to preload a native library so that it starts before the other JNI libs (for example, to enable process-local telemetry/logging). You can insert a System.loadLibrary() call in the static initializer or early in Application.onCreate(). Smali example for a static class initializer (<clinit>):
.class public Lcom/example/App;
.super Landroid/app/Application;
.method static constructor <clinit>()V
.registers 1
const-string v0, "sotap" # library name without the lib prefix and .so suffix
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
return-void
.end method
Alternatively, put the same two instructions at the start of your Application.onCreate() to ensure the library is loaded as early as possible:
.method public onCreate()V
.locals 1
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
invoke-super {p0}, Landroid/app/Application;->onCreate()V
return-void
.end method
Notes:
- Make sure the correct ABI build of the library exists under lib/<abi>/ (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError.
- Loading very early (class static initializer) guarantees the native logger can observe all subsequent JNI activity.
Static Smali analysis / rule-based hunting
After decompiling with apktool, you can read the Smali line by line with regex rules to quickly discover anti-analysis logic (root/emulator checks) and potentially hardcoded secrets. This is a fast triage technique: treat hits as leads that you must confirm in the surrounding Smali or in the reconstructed Java/Kotlin.
Key ideas:
- Library filtering: hide or tag hits under common third-party namespaces so you can focus on app-owned code paths.
- Context hints: require that suspicious strings appear near the APIs that use them (inside the same method, within N lines).
- Confidence: use simple levels (high/medium) to rank leads and reduce false positives.
Example library prefixes to suppress by default:
Landroidx/
Lkotlin/
Lkotlinx/
Lcom/google/
Lcom/squareup/
Lokhttp3/
Lokio/
Lretrofit2/
Example detection rules (regex + context heuristics):
{
"category": "root_check",
"regex_patterns": [
"(?i)invoke-static .*Runtime;->getRuntime\\(\\).*->exec\\(.*\\"(su|magisk|busybox)\\"",
"(?i)const-string [vp0-9, ]+\\"(/system/xbin/su|/system/bin/su|/sbin/su)\\""
],
"context_hint": "Only report when the same method also calls File;->exists/canExecute or Runtime;->exec."
}
Additional techniques that work well in practice:
- Root package/path checks: require a nearby call to PackageManager;->getPackageInfo or File;->exists for strings such as com.topjohnwu.magisk or /data/local/tmp.
- Emulator checks: combine suspicious literals (e.g., ro.kernel.qemu, generic, goldfish) with Build.* getters close to string comparisons (->equals, ->contains, ->startsWith).
- Hardcoded secrets: flag const-string only when a nearby .field or move-result identifier includes keywords such as password, token, api_key. Explicitly ignore UI-only markers such as AutofillType, InputType, EditorInfo.
Rule-based scanners such as PulseAPK Core implement this pattern to quickly surface anti-analysis logic and potential secrets in Smali.
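A small scanner in that spirit, added here as an example (my own code, not PulseAPK's): it takes rules in the shape shown above, hides the listed library namespaces by default, applies the context hint per method and rates each hit high or medium. The Smali input is a constructed sample, not from a real app.

```python
import re
LIBRARY_PREFIXES = ("Landroidx/", "Lkotlin/", "Lkotlinx/", "Lcom/google/",
                    "Lcom/squareup/", "Lokhttp3/", "Lokio/", "Lretrofit2/")
# 'context' is the hint as a regex that must also match inside the same method for a hit to be high
RULES = [
    {"category": "root_check", "context": r"File;->(exists|canExecute)|Runtime;->exec",
     "regex_patterns": [r"(?i)const-string [vp0-9, ]+\"(/system/xbin/su|/system/bin/su|/sbin/su)\""]},
    {"category": "hardcoded_secret", "context": r"(?i)password|token|api_key",
     "regex_patterns": [r"const-string [vp0-9, ]+\"[A-Za-z0-9+/=_-]{16,}\""]},
]
def methods(smali):
    # Yield (class name, method name, body text) for every method in one smali file
    cls = re.search(r"^\.class .*?(L\S+;)", smali, re.M).group(1)
    for m in re.finditer(r"^(\.method [^\n]*)\n(.*?)^\.end method", smali, re.M | re.S):
        yield cls, m.group(1).split("(")[0].split()[-1], m.group(2)
def scan(files, show_libraries=False):
    # Library classes are hidden unless requested; hits come back sorted high-first
    hits = []
    for smali in files:
        for cls, name, body in methods(smali):
            if cls.startswith(LIBRARY_PREFIXES) and not show_libraries:
                continue
            for rule in RULES:
                for line in body.splitlines():
                    if any(re.search(p, line) for p in rule["regex_patterns"]):
                        conf = "high" if re.search(rule["context"], body) else "medium"
                        hits.append((conf, rule["category"], cls, name, line.strip()))
    return sorted(hits, key=lambda h: h[0] != "high")
# Constructed sample input (not from a real app): one app class and one library class
APP = """\
.class public Lcom/example/app/Guard;
.method public static isRooted()Z
    const-string v0, "/system/xbin/su"
    invoke-virtual {v1}, Ljava/io/File;->exists()Z
.end method
.method static constructor <clinit>()V
    const-string v0, "c0nstructedSampleSecretValue42"
    sput-object v0, Lcom/example/app/Guard;->API_KEY:Ljava/lang/String;
.end method
.method public static banner()Ljava/lang/String;
    const-string v0, "Welcome-to-the-application"
.end method
"""
LIB = """\
.class public Lokhttp3/internal/Platform;
.method public static probe()Z
    const-string v0, "/system/bin/su"
.end method
"""
```

scan([APP, LIB]) yields two high leads (the su path next to File;->exists, the long constant stored into API_KEY) and one medium lead (the banner string with no supporting context); the okhttp3 hit only appears with show_libraries=True.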
References
- PulseAPK Core
- PulseAPK Smali Detection Rules
- SoTap: a small in-app behaviour logger for JNI (.so) – github.com/RezaArbabBot/SoTap
- Android Developers: apksigner and zipalign
- apk.sh: github.com/ax/apk.sh