Smali - Decompiling/[Modifying]/Compiling
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
Opcodes reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Using Visual Studio Code and the APKLab extension, you can automatically decompile, modify, recompile, sign & install the application without executing any command.
Another script that facilitates this task a lot is https://github.com/ax/apk.sh
Using APKTool you can access to the smali code and resources:
If apktool gives you any error, try installing the latest version
Some interesting files you should look are:
res/values/strings.xml (and all xmls inside res/values/*)
AndroidManifest.xml
Any file with extension .sqlite or .db
If apktool
has problems decoding the application take a look to https://ibotpeaches.github.io/Apktool/documentation/#framework-files or try using the argument -r
(Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources).
You can change instructions, change the value of some variables or add new instructions. I change the Smali code using VS Code, you then install the smalise extension and the editor will tell you if any instruction is incorrect. Some examples can be found here:
Or you can check below some Smali changes explained.
After modifying the code you can recompile the code using:
It will compile the new APK inside the dist folder.
If apktool throws an error, try installing the latest version
Then, you need to generate a key (you will be asked for a password and for some information that you can fill randomly):
Finally, sign the new APK:
zipalign is an archive alignment tool that provides important optimisation to Android application (APK) files. More information here.
If you prefer to use apksigner instead of jarsigner, you should sing the apk after applying the optimization with zipaling. BUT NOTICE THAT YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE WITH jarsigner (before zipalign) OR WITH aspsigner (after zipaling).
For the following Hello World Java code:
The Smali code would be:
The Smali instruction set is available here.
Some variables are defined at the beginning of the function using the opcode const, you can modify its values, or you can define new ones:
Recommendations:
If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the .local <number> and the declarations of the variables (const v0, 0x1)
If you want to put the logging code in the middle of the code of a function:
Add 2 to the number of declared variables: Ex: from .locals 10 to .locals 12
The new variables should be the next numbers of the already declared variables (in this example should be v10 and v11, remember that it starts in v0).
Change the code of the logging function and use v10 and v11 instead of v5 and v1.
Remember to add 3 to the number of .locals at the beginning of the function.
This code is prepared to be inserted in the middle of a function (change the number of the variables as necessary). It will take the value of this.o, transform it to String and them make a toast with its value.
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)