Challenge

Task 1 Introduction

When you create an application code, the apk file contains a .dex file, which contains binary Dalvik bytecode. Smali is an assembly language that runs on Dalvik VM, which is Android’s JVM.

When looking at Smali code it is important to understand the variable types.

var

There are two naming schemes for registers - the normal v naming scheme and the p naming scheme for parameter registers. P naming scheme is the default one, since it provides more flexibility when adding new registers.

register

Long/Double values

Long/Double are 64 bit values, and require 2 registers. For example, let’s say you have a (non-static) method LMyObject;->MyMethod(IJZ)V. The parameters to the method are LMyObject;, int, long, bool. So this method would require 5 registers for all of its parameters.

long

Application Structure

apk

AndroidManifest.xml: the manifest file in binary XML format.
classes.dex: application code compiled in the dex format.
resources.arsc: file containing precompiled application resources, in binary XML.
res/: folder containing resources not compiled into resources.arsc.
assets/: optional folder containing applications assets, which can be retrieved by AssetManager.
lib/: optional folder containing compiled code - i.e. native code libraries.
META-INF/: folder containing the MANIFEST.MF file, which stores meta data about the contents of the JAR. which sometimes will be store in a folder named original.The signature of the APK is also stored in this folder.

Here are some important attributes that can be founed in an AndroidManifest.

Manifest tag: contains android installation mode, package name, build versions
Permissions: custom permission and protection level
uses-permissions: requests a permission that must be granted in order for it to operate, full list of permission api can refer here.
uses-feature: Declares a single hardware or software feature that is used by the application.
Application: The declaration of the application. Will contains all the activity
Activity: Declares an activity that implements part of the application visual user interface.
intent-filter: Specifies the types of intents that an activity, service, or broadcast receiver can respond to.
service: Declare a service as one of the application components.
receiver: Broadcast receivers enable applications to receive intents that are broadcast by the system or by other applications, even when other components of the application are not running.
provider: Declares a content provider component. A content provider is a subclass of ContentProvider that supplies structured access to data managed by the application.

Task 2 Setup the Environment

Install genymotion and download a test device, it is recommended to use 6.0 as the android version.
Now enable USB Debugging, for this go into Settings then About Phone and tap Build number 7 times to become developer. Now go back to Settings then Developer Options and toggle USB Debugging.

Task 3 Methodology

methodology

We will now go in further detail in each of the sections.

Task 4 Information Gathering

Head over to this link and find the package name at the end of the URL.

Task 5 Reversing

Here we will talk about some important tools to reverse an apk.

Android Debug Bridge (ADB)

Command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. Install here.

jadx

jadx is a tool used to get the source code from an apk. jADX is decompiling the APK to smali and then converting the smali back to Java.

Usage:

jadx -d [path-output-folder] [path-apk-or-dex-file]

There is also a version of jadx with a GUI called jadx-gui located in ‘jadx\bin\jadx-gui’

Dex2Jar

Dex2Jar is a tool used to convert an APK to a JAR file. Once you have the JAR file, you can open it with JD-GUI and you’ll see its Java code.

Apktool

Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.

Usage:

apktool d file.apk