Smali - Decompiling/[Modifying]/Compiling

Reading time: 8 minutes

Wakati mwingine inavutia kubadilisha msimbo wa programu ili kufikia taarifa zilizofichwa kwako (labda well obfuscated passwords au flags). Kisha, inaweza kuwa ya kuvutia decompile the apk, modify the code na recompile it.

Opcodes reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Njia ya Haraka

Kwa kutumia Visual Studio Code na extension ya APKLab, unaweza automatically decompile, modify, recompile, sign & install the application bila kutekeleza amri yoyote.

Script nyingine inayorahisisha kazi hii sana ni https://github.com/ax/apk.sh

Decompile the APK

Kwa kutumia APKTool unaweza kupata smali code and resources:

apktool d APP.apk

Ikiwa apktool inakupa kosa lolote, jaribu kusakinisha toleo la karibuni

Baadhi ya faili za kuvutia unazopaswa kuangalia:

• res/values/strings.xml (na xml zote ndani ya res/values/*)
• AndroidManifest.xml
• Faili yoyote yenye nyongeza .sqlite au .db

Ikiwa apktool ina matatizo katika kufasiri programu angalia https://ibotpeaches.github.io/Apktool/documentation/#framework-files au jaribu kutumia hoja -r (Usifasiri resources). Kisha, ikiwa tatizo lilikuwa kwenye resource na si kwenye source code, hautakuwa na tatizo hilo (pia hauta-decompile resources).

Change smali code

Unaweza kubadilisha maelekezo, kubadilisha thamani ya baadhi ya vigezo au kuongeza maelekezo mapya. Ninabadilisha Smali code kwa kutumia VS Code, kisha usakinishe smalise extension na mhariri atakuambia ikiwa kuna maelekezo yasiyo sahihi.
Baadhi ya mifano inaweza kupatikana hapa:

• Smali changes examples
• Google CTF 2018 - Shall We Play a Game?

Au unaweza angalia hapa chini mabadiliko ya Smali yaliyofafanuliwa.

Kompaila tena APK

Baada ya kubadilisha msimbo unaweza ku-kompaila tena msimbo kwa kutumia:

apktool b . #In the folder generated when you decompiled the application

Hii itafanya compile APK mpya ndani ya dist folda.

Ikiwa apktool itatoa hitilafu, jaribu installing the latest version

Saini APK mpya

Kisha, unahitaji kutengeneza ufunguo (utakaulizwa nywila na baadhi ya taarifa ambazo unaweza kujaza kwa nasibu):

keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>

Hatimaye, saini APK mpya:

jarsigner -keystore key.jks path/to/dist/* <your-alias>

Boresha programu mpya

zipalign ni chombo cha kulinganisha archive kinachotoa uboreshaji muhimu kwa faili za programu za Android (APK). Taarifa zaidi hapa.

zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk

Saini APK mpya (tena?)

Ukipendelea kutumia apksigner badala ya jarsigner, unapaswa kusaini apk baada ya kutumia uboresho na zipaling. LAKINI KUMBUKA KWAMBA UNATUMIA TU KUSAINI PROGRAMU MARA MOJA NA jarsigner (kabla ya zipalign) AU NA aspsigner (baada ya zipaling).

apksigner sign --ks key.jks ./dist/mycompiled.apk

Kubadilisha Smali

Kwa msimbo ufuatao wa Hello World wa Java:

public static void printHelloWorld() {
System.out.println("Hello World")
}

Msimbo wa Smali utakuwa:

.method public static printHelloWorld()V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World"
invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method

Seti ya maelekezo ya Smali inapatikana here.

Mabadiliko Madogo

Badilisha initial values za variable inside a function

Baadhi ya variables zimetangazwa mwanzoni mwa function kwa kutumia opcode const, unaweza kubadilisha thamani zake, au unaweza kuanzisha mpya:

#Number
const v9, 0xf4240
const/4 v8, 0x1
#Strings
const-string v5, "wins"

Operesheni za Msingi

#Math
add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0
mul-int v0,v2,0x2 #v2*0x2 and save in v0

#Move the value of one object into another
move v1,v2

#Condtions
if-ge #Greater or equals
if-le #Less or equals
if-eq #Equals

#Get/Save attributes of an object
iget v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save this.o inside v0
iput v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save v0 inside this.o

#goto
:goto_6 #Declare this where you want to start a loop
if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6
goto :goto_6 #Always go to: :goto_6

Mabadiliko Makubwa

Uandishi wa logi

#Log win: <number>
iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
invoke-static {v5}, Ljava/lang/String;->valueOf(I)Ljava/lang/String; #Transform number to String
move-result-object v1 #Move to v1
const-string v5, "wins" #Save "win" inside v5
invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Logging "Wins: <num>"

Mapendekezo:

• Ikiwa utatumia variables zilizotangazwa ndani ya function (zimetangazwa v0,v1,v2...) weka mistari hii kati ya .local na tamko la variables (const v0, 0x1)
• Ikiwa unataka kuweka code ya logging katikati ya code ya function:
• Ongeza 2 kwenye idadi ya variables zilizotangazwa: Mfano: kutoka .locals 10 hadi .locals 12
• Variables mpya zinapaswa kuwa nambari zinazofuata za variables zilizotangazwa tayari (katika mfano huu zinapaswa kuwa v10 na v11, kumbuka inaanzia v0).
• Badilisha code ya logging function na tumia v10 na v11 badala ya v5 na v1.

Kuonyesha toast

Kumbuka kuongeza 3 kwenye idadi ya .locals mwanzoni mwa function.

Msimbo huu umetayarishwa kuingizwa katika katikati ya function (badilisha idadi ya variables kadri inavyohitajika). Utachukua thamani ya this.o, ibadilishe kuwa String kisha fanya toast na thamani yake.

const/4 v10, 0x1
const/4 v11, 0x1
const/4 v12, 0x1
iget v10, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I
invoke-static {v10}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v11
invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V

Kupakia Maktaba ya Native wakati wa Uanzishaji (System.loadLibrary)

Wakati mwingine unahitaji kuipakia kabla maktaba ya native ili ianze kabla ya maktaba nyingine za JNI (mfano, ili kuwezesha telemetry/logging ya ndani ya mchakato). Unaweza inject wito wa System.loadLibrary() katika static initializer au mapema katika Application.onCreate(). Mfano smali kwa static class initializer ():

.class public Lcom/example/App;
.super Landroid/app/Application;

.method static constructor <clinit>()V
.registers 1
const-string v0, "sotap"         # library name without lib...so prefix
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
return-void
.end method

Kwa mbadala, weka maagizo hayo mawili mwanzoni mwa Application.onCreate() ili kuhakikisha maktaba inapakia mapema iwezekanavyo:

.method public onCreate()V
.locals 1

const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

invoke-super {p0}, Landroid/app/Application;->onCreate()V
return-void
.end method

Vidokezo:

• Hakikisha toleo sahihi la ABI la maktaba lipo chini ya lib// (mfano, arm64-v8a/armeabi-v7a) ili kuepuka UnsatisfiedLinkError.
• Kupakia mapema sana (class static initializer) kunahakikisha native logger inaweza kushuhudia shughuli za JNI zinazofuata.

Marejeo

• SoTap: logger mwepesi wa tabia za JNI (.so) ndani ya app – github.com/RezaArbabBot/SoTap