android - Injecting code into APK


I know you can decompile code using apktool and recompile it again, but my question is how they are able to inject large amounts of code into an APK and execute it.

I see Amazon's appstore DRM doing this, I'm assuming, since it wraps the APK with its own code, and once you decompile the APK you can see they have added their own classes (com.amazon etc.).

How are they achieving this?

Just for the fun of it, I downloaded an APK from the Amazon store (which I had never used before tonight) and decompiled it. You won't find anything in the manifest, but there's a whole folder of Amazon classes inside the smali tree. The mechanisms Amazon uses largely exceed my limited understanding, but I can point you to the data.

Update: apps require the Amazon Appstore APK to be installed in order to function; the classes below use an Amazon activity to check the DRM.

Method:

```sh
$ apktool d xxx.apk
$ cd xxx/smali
$ grep -rhin 'amazon' *
```

Findings:

First, you might want to take a look at:

```smali
.class public Lcom/amazon/mas/kiwi/util/ApkHelpers;
```

with the methods:

```smali
.method public static getApkSignature(Ljava/lang/String;)[B
.method private static getCodeSigners(Ljava/util/jar/JarFile;)[Ljava/security/CodeSigner;
.method public static getContentId(Ljava/util/jar/JarFile;)Ljava/lang/String;
.method public static getContentIdFromName(Ljava/lang/String;)Ljava/lang/String;
.method private static getFirstSigningCert(Ljava/util/jar/JarFile;)Ljava/security/cert/Certificate;
.method public static isSigned(Ljava/util/jar/JarFile;)Z
.method private static scanJar(Ljava/util/jar/JarFile;)V
```

In the same com/amazon/mas/kiwi/util folder there are a few more classes, such as DeveloperInfo (not interesting), Base64, and BC1 (for checksums).

In the folder com/amazon/android/ you find the class Kiwi:

```smali
.class public final Lcom/amazon/android/Kiwi;
```

with a quite obvious field:

```smali
.field private final drmFull:Z
```

That Kiwi class is referenced in every original smali file in the app. Example:

```smali
.method public onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-virtual {p0, p1}, Lxxx/xxxx/xxxx;->xxxxxxxxx(Landroid/os/Bundle;)V

    const/4 v0, 0x1

    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V

    return-void
.end method
```

Conclusions:

The method involves injecting code into every class of the APK: decompiling the APK, parsing each file, adding the necessary classes, and recompiling using the same key.
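As an added example (not part of the answer above or of any Amazon code), here is a small Python script that turns the answer's `grep -rhin 'amazon'` step into a structured check: it walks smali method bodies, records every `invoke-static` whose target class lies outside the app's own package, and reports which classes hand control to a foreign class from `onCreate`, which is the pattern the answer found in every file. The embedded smali sample, the package `com/example/app` and the `Analytics` class are constructed, modelled on the stub quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the onCreate stub quoted in the answer above.
# The app package com/example/app and its Analytics class are placeholders.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/example/app/Analytics;->track(Landroid/app/Activity;)V
    const/4 v0, 0x1
    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V
    return-void
.end method
"""

METHOD_RE = re.compile(r"\.method(?:\s+\w+)*\s+([\w<>$]+)\(")
INVOKE_RE = re.compile(r"invoke-static(?:/range)?\s*\{[^}]*\},\s*L([\w/$]+);->([\w<>$]+)\(")

def find_foreign_static_calls(smali, app_pkg):
    """[(method, callee_class, callee_method)] for invoke-static calls leaving app_pkg."""
    hits, current = [], None
    for line in smali.splitlines():
        line = line.strip()
        if line.startswith(".method"):        # entering a method body: remember its name
            m = METHOD_RE.match(line)
            current = m.group(1) if m else "?"
        elif line.startswith(".end method"):
            current = None
        elif current:                         # inside a body: look for direct static calls
            m = INVOKE_RE.match(line)
            if m and not m.group(1).startswith(app_pkg + "/"):
                hits.append((current, m.group(1).replace("/", "."), m.group(2)))
    return hits

def wrapper_report(smali_files, app_pkg):
    """Count foreign callee classes across {path: text} and list the files whose
    onCreate hands control to a foreign class (the pattern the answer describes)."""
    counts, hooked = Counter(), []
    for path, text in smali_files.items():
        for method, cls, _ in find_foreign_static_calls(text, app_pkg):
            counts[cls] += 1
            if method == "onCreate":
                hooked.append(path)
    return counts, hooked
```

On a real apktool output, build the dict by walking the `smali` directory with `os.walk` and reading every `.smali` file, and pass the app's own package in path form (e.g. `com/example/app`); a wrapper like the one in the answer shows up as one foreign class with a hit count close to the number of activity files.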
