I mentioned the SmartAPKTool application. It can extract, zip and sign modified apk files. Its advantage is the presence of a graphical interface. However, there is also a serious drawback. SmartAPKTool has not been updated for a long time, and the program does not correctly unpack and pack applications for the latest versions of Android. Therefore, here I will try to explain how to use the application for these purposes apktool.

Note 1.
The SmartAPKTool program is still convenient to use for signing collected apk files.
Note 2.
Links to the programs mentioned in the article are ↓

Program apktool does not have a graphical interface. This is a disadvantage for those who are not used to working with the command line. But there is also a plus: unlike SmartAPKTool, we will see all the errors, which means we will know what to fix.

Let's download two archives: one common for all systems, the other for our system (Windows in the example):

Let's unpack both archives into the same empty folder (in our example C:\apktool\ ). Its content should look like this:

From now on we can use the program apktool.

Note 3.
Users of 64-bit versions of Linux will need to install the ia32-libs package:

sudo apt-get install ia32-libs

In the same folder we put the file that we need to unpack. For example, let it be called orig.apk
Press and hold the Shift key and right-click on any empty space in the folder (do not click on files!). After that, select “Open command window”. In the console that appears, type:

apktool decode orig.apk

The file will be unpacked:

Now we have a folder with the unpacked application in the C:\apktool\ directory. It is called the same as the source file, minus the extension: C:\apktool\orig\ . We can change the source files as described in the article Android: how to install two identical applications on one phone. After we've made the changes, let's build a copy of the application by packing the source files into an apk:

apktool build orig result.apk

Here result.apk is the file name that we came up with for the copy build. If there are no errors, the file will be assembled:

The rest is beyond the scope of the article:

1. If there are errors during assembly, you need to find their cause and correct them.
2. All that remains is to sign the resulting result.apk file. This can be done using SmartAPKTool as mentioned above; Everything about it is intuitive. There are also other ways to sign an apk file.
3. Errors may also occur when installing a copy, during its startup or operation. They need to be caught using the adb utility included in the Android SDK.

You must sign the application, otherwise it will not install. Errors do not occur so often, and the most common problems causing them are described in the article

In the process of using various firmware for Android devices, sometimes it becomes necessary to change in one way or another the system applications built into the operating system. In this material we will consider this issue in detail.

Naturally, you need to disassemble and reassemble the system APK file so that it works properly and stably. Let's figure out step by step what needs to be done for this.

First, you need to carry out the process of deodexing system APK files. We will tell you how to do this in.

So, the .apk file was deodexed and decompiled. Let's analyze the application we are interested in, let it have the name, for clarity of example, framework- res. apk. We remember it in our heads as the original application.

Let's say we have made all the necessary changes to the application. We'll talk more about all aspects of APK files in. Now you need to pack it back. Let's remember the finished packaged application in our minds as modified application 2.

Now we will explain why it was necessary to mentally remember the applications as original and modified 2. The application compiled by the ApkTool program (or using a graphical user interface extension like SmartApkTool) will not work, but this is not a problem. We perform the following actions:

From this article you will learn what the Android application consists of, how to open an APK file and with what programs.

What is an APK file?

APK is a format of the Android operating system used for archived executable application files, and the name of the file itself can be anything, but the extension should only look like this.apk. APK analogues in other operating systems are .msi in Windows, .sis in Symbian, .rpm or .deb in Linux.

Let's see what's inside
In fact, .apk is a ZIP archive, so you can look at the internal device using any file manager or archiver, for example WinRAR or the X-plore mobile application.

It is worth remembering that you only get visual access to internal resources; editing capabilities are extremely limited.

Let's look at the structure
Inside the .apk we see a number of files and folders, let's find out what they are for:

• AndroidManifest.xml is a kind of “passport” of the application from which you can find out all the main points, requirements, version, permissions, etc.
• META-INF this file contains metadata, that is, data about data, checksums, paths to data, paths and checksums of resources, certificates. You can open this file with any text editor, but it is recommended to use Notepad++.
• The res folder contains all the program resources, graphic, such as icons, pictures, text, and graphical interface elements. You can also easily access the folder.
• classes.dex is the direct application program code executed by the Dalvik VM virtual machine; you can see what’s inside this file only by decompiling the .apk; we’ll talk about this in other articles. resources.arsc - compiled XML file, this file contains data about all resources involved in the program.
• lib - a folder with native libraries, the resources of which can only be accessed when using specialized programs. The APK may also contain files and folders such as com, org, udk, but not always.

Now let's look at the internal structure in more detail; for this we need a decompilation program, Java and an APK file. The main tool for disassembling .apk is Apktool, but this program only works from the line, which is not very convenient. For faster and more convenient analysis, you can use APKing, this is still the same Apktool, but with the ability to work from the context menu.

And so we install APKing like any application for Windows and, having selected .apk, click on it with the right mouse button and Shift at the same time, after which we will see the following:

And select the required action, for example, decompile completely, then the program will complete the operation and create a folder with the same name.

By opening the folder we will have access to all resources of the APK file.

Now all text files can be edited, while observing the basic rules, you can use the popular Notepad++ program, for example, consider AndroidManifest.xml

Collecting such files back into APK is quite simple. To do this, you need to run apktool with the appropriate build flag and pass it the path to the folder with the decompiled application inside. For example, if we have an app folder that is located in the same directory as apktool, then the command would look like this:

Shell

java -jar apktool.jar b app

java - jar apktool .jar b app

After assembly, the finished APK file will be located in the directory app/build. Next, you need to sign the APK. This is done to ensure that the application works on devices where debugging is prohibited. That is, launching unsigned applications on such devices is prohibited. You can read more about digital certificates and the file signing procedure here.

Signing a file is very simple: there is a special utility for this called signapk. It must be launched by first passing certificates as arguments, then the path to the application, and finally the path for the signed application (the result, where to save it). It looks something like this:

Shell

java -jar signapk.jar testkey.x509.pem testkey.pk8 *.apk apk_signed.apk

java - jar signapk .jar testkey .x509 .pem testkey .pk8 * .apk apk_signed .apk

Where can you get such a certificate, you ask? Certificates can be found on the Internet. Or generate it yourself. Detailed instructions on setting up and generating all the necessary files can be found, for example, .

Conclusion

As you can see, decompiling and assembling APK files is a fairly simple process, which, in addition, can be automated, making the researcher’s work easier. The Dalvik virtual machine itself is also easy to learn and open, which, on the one hand, reduces the barrier to entry for developers, on the other hand, is the main reason for such a large percentage of piracy on the Android platform. This is partly why game developers, for example, are generally not interested in releasing interesting games with a plot. It is much more profitable, given the current attitude of users, to rivet farms with donations that are strikingly similar to each other. Therefore, we buy applications, support developers and, as a result, get interesting content. But there is absolutely no need to donate!

Thank you all, see you again.

Sometimes some applications on Android do not suit the user in some way. An example is intrusive advertising. And it also happens that the program is good for everyone, but the translation in it is either crooked or completely absent. Or, for example, the program is a trial, but there is no way to get the full version. How to change the situation?

Introduction

In this article we will talk about how to disassemble an APK package with an application, look at its internal structure, disassemble and decompile the bytecode, and also try to make several changes to the applications that can bring us one benefit or another.

To do all this yourself, you will need at least basic knowledge of the Java language, in which Android applications are written, and the XML language, which is used everywhere in Android - from describing the application itself and its access rights to storing strings that will be displayed on the screen. You will also need the ability to use specialized console software.

So, what is an APK package in which absolutely all Android software is distributed?

Application decompilation

In this article, we only worked with disassembled application code, but if more serious changes are made to large applications, understanding the smali code will be much more difficult. Fortunately, we can decompile the dex code into Java code, which, although not original and not compiled back, is much easier to read and understand the logic of the application. To do this, we will need two tools:

• dex2jar is a translator of Dalvik bytecode into JVM bytecode, on the basis of which we can obtain code in the Java language;
• jd-gui is a decompiler itself that allows you to get readable Java code from JVM bytecode. As an alternative, you can use Jad (www.varaneckas.com/jad); Although it is quite old, in some cases it generates more readable code than Jd-gui.

This is how they should be used. First, we launch dex2jar, specifying the path to the apk package as an argument:

% dex2jar.sh mail.apk

As a result, the Java package mail.jar will appear in the current directory, which can already be opened in jd-gui to view the Java code.

Arrangement of APK packages and receiving them

An Android app package is essentially a regular ZIP file that doesn't require any special tools to view its contents or extract it. It is enough to have an archiver - 7zip for Windows or console unzip on Linux. But that's about the wrapper. What's inside? In general, we have the following structure inside:

• META-INF/- contains a digital certificate of the application, identifying its creator, and checksums of the package files;
• res/ - various resources that the application uses in its work, such as images, declarative description of the interface, as well as other data;
• AndroidManifest.xml- description of the application. This includes, for example, a list of required permissions, the required Android version and the required screen resolution;
• classes.dex- compiled application bytecode for the Dalvik virtual machine;
• resources.arsc- also resources, but of a different kind - in particular, strings (yes, this file can be used for Russification!).

The listed files and directories are, if not in all, then, perhaps, in the vast majority of APKs. However, there are a few more not so common files/directories worth mentioning:

• assets- analogue of resources. The main difference is that to access a resource you need to know its identifier, but the list of assets can be obtained dynamically using the AssetManager.list() method in the application code;
• lib- native Linux libraries written using NDK (Native Development Kit).

This directory is used by game producers who place their game engines written in C/C++ there, as well as by creators of high-performance applications (for example, Google Chrome). We figured out the device. But how do you get the package file of the application you are interested in? Since it is not possible to pick up APK files from the device without root (they are located in the /data/app directory), and rooting is not always advisable, there are at least three ways to get the application file to your computer:

• APK Downloader extension for Chrome;
• Real APK Leecher app;
• various file hosting and Varezniks.

Which one to use is a matter of taste; we prefer to use separate applications, so we will describe the use of Real APK Leecher, especially since it is written in Java and, accordingly, will work in either Windows or Nix.

After starting the program, you need to fill in three fields: Email, Password and Device ID - and select a language. The first two are the e-mail and password of your Google account that you use on the device. The third is the device identifier, and can be obtained by typing the code on the dialer # #8255## and then finding the Device ID line. When filling out, you only need to enter the ID without the android- prefix.

After filling out and saving, the message “Error while connecting to server” often pops up. It has nothing to do with Google Play, so feel free to ignore it and look for packages that interest you.

View and Modify

Let's say you found a package that interests you, downloaded it, unpacked it... and when you tried to view some XML file, you were surprised to discover that the file was not text. How to decompile it and how to work with packages in general? Is it really necessary to install the SDK? No, it is not necessary to install the SDK at all. In fact, all the steps to extract, modify and package APK packages require the following tools:

• ZIP archiver for unpacking and packing;
• smali- Dalvik virtual machine bytecode assembler/disassembler (code.google.com/p/smali);
• aapt- a tool for packaging resources (by default, resources are stored in binary form to optimize application performance). Included in the Android SDK, but can be obtained separately;
• signer- a tool for digitally signing a modified package (bit.ly/Rmrv4M).

You can use all these tools separately, but this is inconvenient, so it is better to use higher-level software built on their basis. If you work on Linux or Mac OS X, there is a tool called apktool. It allows you to unpack resources in their original form (including binary XML and arsc files), rebuild a package with changed resources, but it does not know how to sign packages, so you will have to run the signer utility manually. Despite the fact that the utility is written in Java, its installation is quite non-standard. First you need to get the jar file itself:

$ cd /tmp $ wget http://bit.ly/WC3OCz $ tar -xjf apktool1.5.1.tar.bz2

$ wget http://bit.ly/WRjEc7 $ tar -xjf apktool-install-linux-r05-ibot.tar.bz2

$ mv apktool.jar ~/bin $ mv apktool-install-linux-r05-ibot/* ~/bin $ export PATH=~/bin:$PATH

If you work on Windows, then there is an excellent tool for it called Virtuous Ten Studio, which also accumulates all these tools (including apktool itself), but instead of a CLI interface it provides the user with an intuitive graphical interface with which you can perform operations for unpacking, disassembling and decompiling in a few clicks. This tool is Donation-ware, that is, sometimes windows appear asking you to get a license, but in the end this can be tolerated. There is no point in describing it, because you can understand the interface in a few minutes. But apktool, due to its console nature, should be discussed in more detail.

Let's look at the apktool options. In short, there are three basic commands: d (decode), b (build) and if (install framework). If everything is clear with the first two commands, then what does the third, conditional statement, do? It unpacks the specified UI framework, which is necessary in cases where you dissect any system package.

Let's look at the most interesting options of the first command:

• -s- do not disassemble dex files;
• -r- do not unpack resources;
• -b- do not insert debugging information into the results of disassembling the dex file;
• --frame-path- use the specified UI framework instead of the one built into apktool. Now let's look at a couple of options for the b command:
• -f- forced assembly without checking changes;
• -a- indicate the path to aapt (a tool for building an APK archive), if for some reason you want to use it from another source.

Using apktool is very simple; to do this, just specify one of the commands and the path to the APK, for example:

$ apktool d mail.apk

After this, all extracted and disassembled files of the package will appear in the mail directory.

Preparation. Disabling advertising

Theory is, of course, good, but why is it needed if we don’t know what to do with the unpacked package? Let's try to apply the theory to our benefit, namely, modify some software so that it does not show us advertising. For example, let it be Virtual Torch - a virtual torch. This software is ideal for us, because it is filled to capacity with annoying advertising and, moreover, is simple enough not to get lost in the jungle of code.

So, using one of the above methods, download the application from the market. If you decide to use Virtuous Ten Studio, simply open the APK file in the application and unzip it, create a project (File -> New project), then select Import File in the project context menu. If your choice fell on apktool, then just run one command:

$ apktool d com.kauf.particle.virtualtorch.apk

After this, a file tree similar to that described in the previous section will appear in the com.kauf.particle.virtualtorch directory, but with an additional smali directory instead of dex files and an apktool.yml file. The first contains disassembled code of the application's executable dex file, the second contains service information necessary for apktool to assemble the package back.

The first place we should look is, of course, AndroidManifest.xml. And here we immediately encounter the following line:

It is not difficult to guess that it is responsible for granting the application permissions to use the Internet connection. In fact, if we just want to get rid of advertising, we will most likely just need to block the application from the Internet. Let's try to do this. We delete the specified line and try to build the software using apktool:

$ apktool b com.kauf.particle.virtualtorch

The resulting APK file will appear in the com.kauf.particle.virtualtorch/build/ directory. However, it will not be possible to install it, since it does not have a digital signature and file checksums (it simply does not have a META-INF/ directory). We must sign the package using the apk-signer utility. Launched. The interface consists of two tabs - on the first (Key Generator) we create keys, on the second (APK Signer) we sign. To create our private key, fill in the following fields:

• Target File- keystore output file; it usually stores one pair of keys;
• Password And Confirm- password for the storage;
• Alias- name of the key in the storage;
• Alias ​​password And Confirm- secret key password;
• Validity- validity period (in years). The default value is optimal.

The remaining fields are, in general, optional - but at least one must be filled in.

WARNING

To sign an application using apk-signer, you must install the Android SDK and specify the full path to it in the application settings.

All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Now you can sign the APK with this key. On the APK Signer tab, select the newly generated file, enter the password, key alias and password, then find the APK file and boldly click the “Sign” button. If everything goes well, the package will be signed.

INFO

Since we signed the package with our own key, it will conflict with the original application, which means that when we try to update the software through the market, we will receive an error.

A digital signature is only required for third-party software, so if you are modifying system applications that are installed by copying them to the /system/app/ directory, then you do not need to sign them.

After that, download the package to your smartphone, install it and launch it. Voila, the ad is gone! Instead, however, a message appeared that we do not have the Internet or do not have the appropriate permissions. In theory, this might be enough, but the message looks annoying, and, to be honest, we just got lucky with a stupid application. Normally written software will most likely clarify its credentials or check for an Internet connection and otherwise simply refuse to launch. How to be in this case? Of course, edit the code.

Typically, application authors create special classes for displaying advertisements and call methods of these classes when the application or one of its “activities” (in simple terms, application screens) is launched. Let's try to find these classes. We go to the smali directory, then com (org contains only the open graphic library cocos2d), then kauf (this is where it is, because this is the name of the developer and all his code is there) - and here it is, the marketing directory. Inside we find a bunch of files with the smali extension. These are classes, and the most notable of them is the Ad.smali class, from the name of which it is easy to guess that it is the one that displays advertising.

We could change the logic of its operation, but it would be much easier to simply remove calls to any of its methods from the application itself. Therefore, we leave the marketing directory and go to the adjacent particle directory, and then to virtualtorch. The MainActivity.smali file deserves special attention here. This is a standard Android class that is created by the Android SDK and installed as the entry point to the application (analogous to the main function in C). Open the file for editing.

Inside there is smali code (local assembler). It is quite confusing and difficult to read due to its low-level nature, so we will not study it, but will simply find all references to the Ad class in the code and comment them out. We enter the line “Ad” in the search and get to line 25:

Field private ad:Lcom/kauf/marketing/Ad;

Here an ad field is created to store an Ad class object. We comment by placing a ### sign in front of the line. We continue the search. Line 423:

New-instance v3, Lcom/kauf/marketing/Ad;

This is where the object creation occurs. Let's comment. We continue the search and find in lines 433, 435, 466, 468, 738, 740, 800 and 802 calls to methods of the Ad class. Let's comment. Look like that's it. Save. Now the package needs to be put back together and checked for functionality and the presence of advertising. For the purity of the experiment, we return the line removed from AndroidManifest.xml, assemble the package, sign and install.

Our guinea pig. Advertising visible

Oops! The advertising disappeared only while the application was running, but remained in the main menu, which we see when we launch the software. So, wait, but the entry point is the MainActivity class, and the advertisement disappeared while the application was running, but remained in the main menu, so the entry point is different? To identify the true entry point, reopen the AndroidManifest.xml file. And yes, it contains the following lines:

They tell us (and, more importantly, the android) that an activity named Start should be launched in response to the generation of an intent (event) android.intent.action.MAIN from the android.intent.category.LAUNCHER category. This event is generated when you tap on the application icon in the launcher, so it determines the entry point, namely the Start class. Most likely, the programmer first wrote an application without a main menu, the entry point to which was the standard MainActivity class, and then added a new window (activity) containing the menu and described in the Start class, and manually made it the entry point.

Open the Start.smali file and again look for the line “Ad”, we find in lines 153 and 155 a mention of the FirstAd class. It is also in the source code and, judging by the name, it is responsible for displaying ads on the main screen. Let's look further, there is the creation of an instance of the FirstAd class and an intent that, according to the context, is related to this instance, and then the cond_10 label, the conditional transition to which is carried out exactly before creating an instance of the class:

If-ne p1, v0, :cond_10 .line 74 new-instance v0, Landroid/content/Intent; ... :cond_10

Most likely, the program somehow randomly calculates whether advertising should be shown on the main screen, and, if not, jumps directly to cond_10. Ok, let’s simplify her task and replace the conditional transition with an unconditional one:

#if-ne p1, v0, :cond_10 goto:cond_10

There are no more mentions of FirstAd in the code, so we close the file and reassemble our virtual torch using apktool. Copy it to your smartphone, install it, launch it. Voila, all advertising has disappeared, for which we congratulate all of us.

Results

This article is just a brief introduction to the methods of hacking and modifying Android applications. Many issues remained behind the scenes, such as removing protection, parsing obfuscated code, translating and replacing application resources, as well as modifying applications written using the Android NDK. However, having basic knowledge, it’s only a matter of time to figure it all out.

Additionally