Smali - Decompiling/[Modifying]/Compiling

Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.

Opcodes reference:

Fast Way

Using Visual Code and the extension you can automatically decompile, modify and recompile the application without executing any command.

Decompile the APK

Using APKTool you can access to the smali code and resources:

apktool d APP.apk

If apktool gives you any error, try

Some interesting files you should look are:

• res/values/strings.xml (and all xmls inside res/values/*)

• AndroidManifest.xml

• Any file with extension .sqlite or .db

If apktool has problems decoding the application take a look to or try using the argument -r (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources).

Change smali code

Recompile the APK

After modifying the code you can recompile the code using:

apktool b . #In the folder generated when you decompiled the application

It will compile the new APK inside the dist folder.

Sing the new APK

Then, you need to generate a key (you will be asked for a password and for some information that you can fill randomly):

keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>

Finally, sign the new APK:

jarsigner -keystore key.jks path/to/dist/* <your-alias>

Optimize new application

zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk

Sign the new APK (again?)

apksigner sign --ks key.jks ./dist/mycompiled.apk

Modifying Smali

For the following Hello World Java code:

public static void printHelloWorld() {
    System.out.println("Hello World")
}

The Smali code would be:

.method public static printHelloWorld()V
    .registers 2
    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello World"
    invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void
.end method

Light Changes

Modify initial values of a variable inside a function

Some variables are defined at the beginning of the function using the opcode const, you can modify its values, or you can define new ones:

#Number
const v9, 0xf4240
const/4 v8, 0x1
#Strings
const-string v5, "wins"

Basic Operations

#Math
add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0
mul-int v0,v2,0x2 #v2*0x2 and save in v0

#Move the value of one object into another
move v1,v2

#Condtions
if-ge #Greater or equals
if-le #Less or equals
if-eq #Equals

#Get/Save attributes of an object
iget v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save this.o inside v0
iput v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save v0 inside this.o

#goto
:goto_6 #Declare this where you want to start a loop
if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6
goto :goto_6 #Always go to: :goto_6

Bigger Changes

Logging

#Log win: <number>
iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
invoke-static {v5}, Ljava/lang/String;->valueOf(I)Ljava/lang/String; #Transform number to String
move-result-object v1 #Move to v1
const-string v5, "wins" #Save "win" inside v5
invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Logging "Wins: <num>"

Recommendations:

• If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the .local <number> and the declarations of the variables (const v0, 0x1)

• If you want to put the logging code in the middle of the code of a function:

  • Add 2 to the number of declared variables: Ex: from .locals 10 to .locals 12

  • The new variables should be the next numbers of the already declared variables (in this example should be v10 and v11, remember that it starts in v0).

  • Change the code of the logging function and use v10 and v11 instead of v5 and v1.

Toasting

Remember to add 3 to the number of .locals at the begging of the function.

This code is prepared to be inserted in the middle of a function (change the number of the variables as necessary). It will take the value of this.o, transform it to String and them make a toast with its value.

const/4 v10, 0x1
const/4 v11, 0x1
const/4 v12, 0x1
iget v10, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I
invoke-static {v10}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v11
invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V