dana-at-cp / backdoor-apk

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.
Apache License 2.0
2.21k stars 702 forks

Locating smali file to hook logic fails when onCreate method is in a super class #91

Closed peterpt closed 7 years ago

peterpt commented 7 years ago

For some reason, backdoor-apk stays stuck in the same place in most APKs.

Last part of the log: http://pastebin.com/uc04kRtU. APK file inside zip file: facebook.zip

peterpt commented 7 years ago

Here is another APK with the same error. My guess is that it is not the string-searching code, but that when backdoor-apk tries to locate the smali files of the original APK it is pointed to a wrong path, and then this error happens. mtk.zip

dana-at-cp commented 7 years ago

@peterpt There is a fix on the develop branch. Can you check out that code and retest?

dana-at-cp commented 7 years ago

@peterpt I just tested both and got failures as well.

The MTK APK appears to not follow developer guidelines. Specifically, around the 'android:name' value for activity elements:

From the manifest for mtk.apk:

...
        <activity android:name="StartActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
...
android:name
The name of the class that implements the activity, a subclass of Activity. The attribute value should be a fully qualified class name (such as, "com.example.project.ExtracurricularActivity"). However, as a shorthand, if the first character of the name is a period (for example, ".ExtracurricularActivity"), it is appended to the package name specified in the <manifest> element.
Once you publish your application, you should not change this name (unless you've set android:exported="false").

There is no default. The name must be specified.

https://developer.android.com/guide/topics/manifest/activity-element.html#nm

The Facebook APK appears to have uncovered another edge case for AndroidManifest.xml processing. This looks like a real bug.
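Since the thread turns on how an `android:name` value is resolved and on `onCreate` living in a parent class, here is a small resolver that handles both, written as an added example for this issue and not taken from backdoor-apk. It expands the three spellings of `android:name` the way the platform's PackageParser does (leading period and bare name both relative to the package, anything else fully qualified), returns every MAIN/LAUNCHER activity rather than assuming one, and then walks `.super` directives until it reaches the class that actually defines `onCreate`, which is the same question an analyst asks when locating an APK's startup code for review. The manifest and smali texts below are constructed inputs, not the APKs attached to the issue, and the `smali/` path layout assumes Apktool's default output tree.

```python
"""Resolve launcher activities from AndroidManifest.xml and locate the smali
class that defines onCreate(), walking .super links when needed.

Added example for this issue; not part of backdoor-apk. All inputs below are
constructed, not taken from the APKs attached to the thread."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_TARGET = "{%s}targetActivity" % ANDROID_NS
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def qualify(pkg, name):
    """Expand an android:name value as the platform's PackageParser does:
    a leading '.' or a name with no '.' at all is relative to the manifest
    package; anything else is taken as already fully qualified."""
    if not name:
        raise ValueError("android:name has no default and must be specified")
    if name.startswith("."):
        return pkg + name
    if "." not in name:          # the bare "StartActivity" case from the thread
        return pkg + "." + name
    return name


def launcher_activities(manifest_xml):
    """Return fully qualified class names of every activity (or alias target)
    whose intent-filter carries MAIN + LAUNCHER, so a caller can offer the
    candidates instead of quitting when there is more than one."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for app in root.findall("application"):
        for act in app.findall("activity") + app.findall("activity-alias"):
            for flt in act.findall("intent-filter"):
                actions = {a.get(A_NAME) for a in flt.findall("action")}
                cats = {c.get(A_NAME) for c in flt.findall("category")}
                if MAIN in actions and LAUNCHER in cats:
                    # an activity-alias names the real class via targetActivity
                    found.append(qualify(pkg, act.get(A_TARGET) or act.get(A_NAME)))
    return found


def smali_path(fqcn):
    """Map a class name to its file under Apktool's default smali/ tree (assumed)."""
    return "smali/" + fqcn.replace(".", "/") + ".smali"


SUPER_RE = re.compile(r"^\.super\s+L([^;]+);", re.M)
ONCREATE_RE = re.compile(r"^\.method\s+(?:\w+\s+)*onCreate\(Landroid/os/Bundle;\)V", re.M)


def find_oncreate(fqcn, smali_files, max_depth=16):
    """Follow .super from fqcn until a class defining onCreate(Bundle) is found.
    Returns (defining_class, smali_path), or None once the chain leaves the
    APK's own code (framework classes such as android.app.Activity have no smali)."""
    cls = fqcn
    for _ in range(max_depth):
        path = smali_path(cls)
        src = smali_files.get(path)
        if src is None:
            return None
        if ONCREATE_RE.search(src):
            return cls, path
        m = SUPER_RE.search(src)
        if not m:
            return None
        cls = m.group(1).replace("/", ".")
    return None


# Constructed manifest: bare android:name, as in the mtk.apk excerpt above.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mtk">
    <application android:label="mtk">
        <activity android:name=".SettingsActivity"/>
        <activity android:name="StartActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""

# Constructed smali: the launcher class inherits onCreate from a base class.
SMALI = {
    "smali/com/example/mtk/StartActivity.smali": """.class public Lcom/example/mtk/StartActivity;
.super Lcom/example/mtk/BaseActivity;

.method public onResume()V
    .locals 0
    invoke-super {p0}, Lcom/example/mtk/BaseActivity;->onResume()V
    return-void
.end method
""",
    "smali/com/example/mtk/BaseActivity.smali": """.class public Lcom/example/mtk/BaseActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
}

if __name__ == "__main__":
    for cls in launcher_activities(MANIFEST):
        print(cls, "->", find_oncreate(cls, SMALI))
```

Running the block resolves `StartActivity` to `com.example.mtk.StartActivity` and reports that `onCreate` is defined in `com.example.mtk.BaseActivity`; a chain that ends in a framework class returns `None`, which is the point at which a tool should fall back to offering candidates rather than aborting.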

peterpt commented 7 years ago

Is there a way to implement a list with possible entries to look for? Example: the script will work as default until it does not find the default Android entry in the manifest. When it gets to that part, it will consult a file with a list of possible names to look for in the manifest, and when it finds a pattern that coincides with the list, it then applies the RAT smali file there automatically.

Do you think it is possible to create something similar to this ?

In the fatrat Ruby script, the Ruby script has the same issue; however, instead of quitting it gives you a list of possible hook points for you to choose from. Whether the hook is processed correctly is another story.

The way I told you about, creating a new file in a lists directory, could also be used in the future, because as Android builders develop other names for the start point, we just need to update the list of file names.

Just an idea which I do not know if it is possible to do.

dana-at-cp commented 7 years ago

@peterpt The Facebook APK seems like an oddball case but I think the solution is to present options for hooking when the AndroidManifest.xml processing path yields no results (as you suggested). I will likely implement that as an enhancement.

dana-at-cp commented 7 years ago

Fixed in version 0.2.1 now on master.