Smali Code Injection

In this post I want to demonstrate a simple code injection example on Android. As shown in previous posts about reversing Java, code is executed the same way on Android: where Java has bytecode, Android has Smali code (the readable form of Dalvik bytecode), and the executor is Dalvik (more recently ART) rather than the JVM. In this post I will describe briefly how to reverse an APK and inject code in Smali.

The main steps for code injection are:

  1. Decompile APK to Smali Code
  2. Find the right place to inject the code
  3. Use safe (or unsafe) local variables to inject
  4. Recompile the Smali Code to APK
  5. Generate Signature Key
  6. Sign the Recompiled APK

Decompile APK to Smali Code

Using the tool named apktool you can easily decompile an APK into its elements. An APK is actually a ZIP-compressed file that contains the Manifest (permissions, activities, services, etc.), all the compiled source code inside the DEX file (classes.dex), resources (images, UI XML layouts, sounds, etc.), libraries (generally native ones), and META-INF (the signature files, including the signer's public key).

You can download apktool from this link. Using the following command you can decompile the APK:

java -jar apktool.jar d YOUR_APK.apk

Find the right place to inject the code

After successful decompilation, a folder is generated beside the APK. Inside it there is a folder named smali which contains all the classes from the main DEX file, each in Smali format. You can use any of them for injecting the code. Smali code looks like the example below:

In the above example, I put a simple Toast message right after the setContentView() call in an Activity.

For making the smali code you can use two methods:

  1. Write the smali instructions by hand. You can use this link for more details.
  2. TRICK: Write your code in a separate Android project and build its APK. Then use apktool on that APK to find out the smali code of your {injection} code!

Use safe (or unsafe) local variables to inject

As you can see in the above example, I used v1, v2, v3, … for the injected smali code. $v_i,\; i \in \{1, 2, \ldots, 16\}$ are the local variables. Android has 16 registers for this purpose, which hold the local variables (v) and the parameters (p) of the method we are injecting into. For example, onCreate has two parameters (p0 for this, p1 for the Bundle) and some local variables (vs). You should use v registers for your purpose without clobbering the other v registers. If you can add extra locals to the method, you can use fresh, safe variables; if not, you have to reuse the defined local variables without corrupting the values the original code still needs.
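As an added example (not code from the original post), here is a small Python script that carries out steps 2 and 3 above on a constructed smali method: it locates the setContentView() call in an Activity's onCreate, inserts the Toast smali after it, and allocates the Toast's two registers above the method's existing .locals so nothing the original code uses is clobbered. The sample onCreate text, the message and the parameter count are assumptions made for this example; the injected instructions are the standard Dalvik calls for Toast.makeText(...).show(), and the 16-register limit is the one the post refers to.

```python
import re

# Constructed smali excerpt of an Activity's onCreate(), in the form apktool
# emits (a stand-in for the post's example; not taken from any real app).
SAMPLE_ONCREATE = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const v0, 0x7f030000

    invoke-virtual {p0, v0}, Landroid/app/Activity;->setContentView(I)V

    return-void
.end method
"""

# Smali for Toast.makeText(this, msg, LENGTH_LONG).show(). {s} holds the
# string and later the Toast object, {d} holds the duration constant.
TOAST_TEMPLATE = [
    'const-string {s}, "{msg}"',
    "const/4 {d}, 0x1",
    "invoke-static {{p0, {s}, {d}}}, Landroid/widget/Toast;->makeText"
    "(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;",
    "move-result-object {s}",
    "invoke-virtual {{{s}}}, Landroid/widget/Toast;->show()V",
]

LOCALS_RE = re.compile(r"^([ \t]*)\.locals (\d+)[ \t]*$", re.MULTILINE)
ANCHOR_RE = re.compile(
    r"^([ \t]*)invoke-virtual \{[^}]*\}, L[^;]+;->setContentView\(I\)V[ \t]*$",
    re.MULTILINE,
)


def fits_in_registers(n_locals, extra=2, param_count=2, max_registers=16):
    """True if the method can grow by `extra` locals and still keep every
    register (locals first, then the p-registers) addressable as v0..v15,
    which is what the non-range invoke forms used below require."""
    return n_locals + extra + param_count <= max_registers


def inject_toast(method_smali, message, param_count=2):
    """Return method_smali with a Toast inserted right after setContentView().

    Two fresh locals are appended above the existing ones and `.locals` is
    bumped, so no register the original code relies on is overwritten.
    """
    locals_match = LOCALS_RE.search(method_smali)
    anchor_match = ANCHOR_RE.search(method_smali)
    if locals_match is None or anchor_match is None:
        raise ValueError("method lacks a .locals directive or a setContentView() call")

    n_locals = int(locals_match.group(2))
    if not fits_in_registers(n_locals, extra=2, param_count=param_count):
        raise ValueError(
            f"{n_locals + 2 + param_count} registers needed; only 16 are addressable"
        )

    s_reg, d_reg = f"v{n_locals}", f"v{n_locals + 1}"   # fresh, unused registers
    indent = anchor_match.group(1)                       # match apktool's indentation
    safe_msg = message.replace("\\", "\\\\").replace('"', '\\"')
    payload = "\n".join(
        indent + line.format(s=s_reg, d=d_reg, msg=safe_msg) for line in TOAST_TEMPLATE
    )

    # Splice the payload in after the anchor line, then raise the locals count.
    cut = anchor_match.end()
    injected = method_smali[:cut] + "\n\n" + payload + method_smali[cut:]
    return LOCALS_RE.sub(lambda m: f"{m.group(1)}.locals {n_locals + 2}", injected, count=1)


if __name__ == "__main__":
    print(inject_toast(SAMPLE_ONCREATE, "Injected"))
```

Running the script prints the patched method with `.locals 3`; the original `v0` is untouched and the Toast uses `v1`/`v2`. If the method already declares so many locals that two more would push the p-registers past v15, the script refuses instead of producing smali that apktool cannot assemble, which is the situation where the post's "unsafe" reuse of existing locals becomes necessary.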

Recompile the Smali Code to APK

If the injection is correct, you can use the following command to recompile the injected code:

java -jar apktool.jar b THE_DECOMPILED_FOLDER

This will generate an APK inside THE_DECOMPILED_FOLDER/dist folder.

Generate Signature Key

Sign the Recompiled APK

6 Comments

  1. Alexandre Teyar

    Hello Mir Saman,

    I am the original author of SCI (smali code injector). I can see that your whole post is based on my work. I do not mind, and on the contrary encourage such initiatives, but you could at least have given me credit.

    Kind regards,
    Alexandre Teyar

    • Dear Alexandre,
      I did not know your project, and it is a good one. But I did not copy or rebuild your project. I simply described the process of smali code injection. It is not a tool (as yours is); it is a training post. I've only used content from the slides of http://www.syssec-project.eu

      You may have posted this comment because of the main photo of the post. Actually I just searched for smali code injection in Google Images and chose that image, which is the image of your project.

      However, I suggest that all readers of this post check out your project at the following link:
      https://github.com/AresS31/SCI

  2. lilly

    I lost my laptop and I only have the APK of my application on the phone, and I need to add AdMob ads so I can monetize it.
    Is it possible to add them to the decompiled APK?

    • As I understand from your question, you want to inject ad code into your APKs and monetize them. Correct? The injecting part is possible. But I cannot assure you that the ads will make you money. Maybe the ad has its own API key or authentication mechanism, which would need more than just injecting. But generally, YES, you can add advertisement code to your APKs.

  3. Vincent

    Hi, I'm looking for an expert to help me with reverse engineering an APK. Please contact me if you are able to help me out with a small project.

    Thanks

    • I am going to publish a video but do not know when! If you have any questions, feel free to ask here.
