Sec, blogmal! - rev-eng - patching-android-apps







Mon, 14 Mar 2011

Patching Android Apps
How to patch an Android application. First off, some basics. Android applications are delivered in a single .apk file. This is simply a zip archive with a different extension, so any common zip tool can unpack it. Inside you will usually find all the resources (images, sounds) and, among other things, a file called classes.dex which contains the code for that application. This is bytecode for the Dalvik VM. You can disassemble this bytecode into something you could call "Android assembler". Compared to "real" assembler code this is pretty high-level, but still nothing like a high-level language such as Java. As method and member names are preserved, it is usually fairly easy to understand, unless the author ran an obfuscator before release (in that case, all your methods will be named a, b, c, ...).

To follow this example along, you need a few tools:

* Your favourite editor
* A simple zip/unzip utility (commandline, or 7zip or a similar GUI tool)
* An Android assembler/disassembler
  * The best one currently is JesusFreke's smali/baksmali, which you can get here:
* A way to sign your zip file
  * For a quick&dirty hack, SignApk is easy to use, but you can also use jarsigner if you're already familiar with it.
* Not to forget: a working Java installation. smali/baksmali and signapk/jarsigner both require it.

As a simple example, we'll be removing the focus sound from the Android camera. As we'll be replacing a "builtin" app, you will need root access to your phone.
1. First, get a copy of the .apk you intend to change. In our case, we grab it from our phone with:

       adb pull /system/app/Camera.apk

2. Then we need to get the classes.dex file out of it:

       unzip Camera.apk classes.dex

3. Now we run the disassembler. The output will be in the out/ subdirectory.

       java -jar baksmali-1.2.6.jar classes.dex

   You can peek around the out/ subdir where all the code is. Change whatever you want.

4. In our case, the file we need to edit is com/android/camera/Camera$AutoFocusCallback.smali. To remove the focus sound, look for a line containing "invoke-virtual" and "->startTone". In my version it looks like this:

       invoke-virtual {v0, v1}, Landroid/media/ToneGenerator;->startTone(I)Z

   Just delete that line.

5. After you're done, we need to put it all back together into an .apk. First we re-assemble the code into a classes.dex:

       java -jar smali-1.2.6.jar out -o classes.dex

6. Put that file back into the .apk with:

       zip Camera.apk classes.dex

7. Because we changed the contents, we now need to re-sign it. If you're using signapk, do this:

       java -jar signapk.jar testkey.x509.pem testkey.pk8 Camera.apk Camera_signed.apk

8. Last but not least, we need to install our new .apk. Because it's a system app, we need to actually replace the file, like this:

       adb remount
       adb push Camera_signed.apk /system/app/Camera.apk

   If it were a normal app, you would simply uninstall the original and then install the .apk like any other app (e.g. with adb install foo.apk).

After you reboot your phone, your camera should be less noisy. Yay!

-- Sec

P.S.: If you want to remove the "shutter" sound instead, check this thread on
Basically it boils down to:

    adb remount
    adb shell rm /system/media/audio/ui/camera_click.ogg
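The whole walkthrough as one script, added here as an example; it is not code from the original post, nor from the smali/baksmali or signapk projects. The hand edit of step 4 is done by remove_start_tone on a constructed stand-in for Camera$AutoFocusCallback.smali (the method body is invented, only the startTone line is the one from the post), so the edit can be tried without a phone. The function also refuses to delete the invoke-virtual when a move-result follows it, because the Dalvik bytecode verifier rejects a move-result that does not directly follow an invoke, and "just delete that line" would then produce an app that fails to load. rebuild_camera_apk chains the adb/unzip/baksmali/smali/zip/signapk commands of steps 1-8 with the same jar and key file names as the post, assumes they sit in the current directory next to a rooted phone on adb, and only runs when the script is started with --phone.

```shell
#!/bin/sh
# Added example, not code from the original post or from the smali/baksmali
# or signapk projects. See the lead-in for what it assumes.
set -eu

# Constructed stand-in for out/com/android/camera/Camera$AutoFocusCallback.smali.
# The method body is invented to show the shape of the edit; it is not the
# real class. With a second argument of "consume", the boolean returned by
# startTone is picked up by move-result, which is the case the editor must
# refuse to touch.
write_sample_smali() {
    {
        cat <<'EOF'
.class Lcom/android/camera/Camera$AutoFocusCallback;
.super Ljava/lang/Object;

.method public onAutoFocus(ZLandroid/hardware/Camera;)V
    .registers 5
    iget-object v0, p0, Lcom/android/camera/Camera$AutoFocusCallback;->this$0:Lcom/android/camera/Camera;
    const/16 v1, 0x18
    invoke-virtual {v0, v1}, Landroid/media/ToneGenerator;->startTone(I)Z
EOF
        if [ "${2:-}" = consume ]; then echo "    move-result v2"; fi
        cat <<'EOF'
    return-void
.end method
EOF
    } > "$1"
}

# Step 4 as a script: drop every invoke-virtual of ToneGenerator->startTone,
# matching on the method signature rather than the registers, since those
# differ between builds. Prints the number of lines removed. If a
# move-result* directly follows a removed call it would be left with no
# invoke in front of it, so the file is left untouched and the function
# returns 1 instead.
remove_start_tone() {
    file=$1
    before=$(grep -c '' "$file")
    awk '
        hit && /^[[:space:]]*move-result/ { exit 1 }
        /invoke-virtual .*Landroid\/media\/ToneGenerator;->startTone\(/ { hit = 1; next }
        { hit = 0; print }
    ' "$file" > "$file.tmp" || {
        rm -f "$file.tmp"
        echo "refusing: startTone result is consumed by move-result, patch by hand" >&2
        return 1
    }
    mv "$file.tmp" "$file"
    after=$(grep -c '' "$file")
    echo $((before - after))
}

# Steps 1-3 and 5-8 with the tool and key file names from the post. Needs
# adb and java on PATH, the jars and test keys in the current directory, and
# a rooted phone, so it is only invoked with --phone.
rebuild_camera_apk() {
    adb pull /system/app/Camera.apk
    unzip -o Camera.apk classes.dex
    java -jar baksmali-1.2.6.jar classes.dex
    remove_start_tone 'out/com/android/camera/Camera$AutoFocusCallback.smali'
    java -jar smali-1.2.6.jar out -o classes.dex
    zip Camera.apk classes.dex
    java -jar signapk.jar testkey.x509.pem testkey.pk8 Camera.apk Camera_signed.apk
    adb remount
    adb push Camera_signed.apk /system/app/Camera.apk
}

if [ "${1:-}" = --phone ]; then
    rebuild_camera_apk
fi
```

Running it without arguments only defines the functions; write_sample_smali some.smali followed by remove_start_tone some.smali shows the edit on the constructed file, and the second form, write_sample_smali some.smali consume, shows the refusal. The same check is worth making by eye whenever you delete an invoke-* line from real smali: look at the line after it before you save.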
posted at: 14:46 | Category: /rev-eng | 5 comments
