Modified for some Chinese-language environments:
- Added the `gadget_abi` parameter, which fixes the missing-lib problem with Tencent-hardened packages. It is usually set to `--gadget_abi armeabi` to select the 32-bit gadget.
- Added the SMS sending permission.
- Fixed keytool not being found in Chinese-language environments.
- Added the `--only-main-classes` parameter to the apktool invocation, which fixes apktool errors on encrypted/hardened dex files.
gadget_abi:
```
apkpatcher -a base.apk --gadget_abi armeabi
```
Full example command:
```
apkpatcher -a du.apk --autoload-script autoload.js -e -o du_output1.apk --gadget_abi armeabi
```
Errors these changes address:
- java.lang.UnsatisfiedLinkError: "/data/app/xxxx/lib/arm64/libmmkv.so"
- Exception in thread "main" org.jf.util.ExceptionWithContext: Encountered small uint that is out of range at offset
This tool was developed mainly to automatically insert Frida Gadget inside APKs, but helps also in other common tasks while reversing Android apps.
Frida Website: https://frida.re/
Frida Github: https://github.com/frida/frida
- Automatically insert the Frida gadget library in an APK, so you can use Frida without root
- Configure Frida Gadget to automatically load a hook JavaScript file, without requiring the frida client
- Insert a network configuration in the APK that allows the application to trust user-added Certificate Authorities
- Help during the tedious tasks of decompiling, modifying code, repackaging, resigning and zipaligning
The only Python dependency is `requests`, which is used to query the GitHub API in order to download Frida Gadgets.
But in order to make the script work properly, some other tools are required.
Make sure the following tools are installed and available in your PATH environment variable:
- frida and frida-tools: `pip3 install frida frida-tools`
- apktool - https://ibotpeaches.github.io/Apktool/install/
- unxz
- aapt
- zipalign
- adb
- keytool
- jarsigner
If you have Android Studio installed, you will find aapt, zipalign and adb inside ~/Android/Sdk/build-tools/ or ~/Android/Sdk/build-tools/platform-tools/
A lot of tools used by APK Patcher require Java, so I suppose you will have it installed. Both jarsigner and keytool will probably come with your Java installation. In my case I can find both tools in /usr/lib/jvm/default/bin/
Clone the repository:
```
cd ~/Tools/
git clone https://github.com/badadaf/apkpatcher
```
Add the script to your PATH variable in .bashrc:
```
export PATH=$PATH:/home/user/Tools/apkpatcher
```
Reopen your terminal to load .bashrc.
For all usages, the output file will be something like _patched.apk.
Before using apkpatcher, make sure you have the latest version of apktool.
Before using APK Patcher, download the Frida gadgets by running the following command:
```
apkpatcher --update-gadgets
```
In order to insert the Frida library in an APK, enable USB debugging on your device and connect it to your PC. APK Patcher will identify your device architecture and insert the right gadget.
```
apkpatcher -a base.apk
```
If you can't connect the device via USB, or if you want to select a custom gadget, look in the gadgets folder and use the following syntax:
```
apkpatcher -a base.apk -g ~/Tools/apkpatcher/gadgets/12.5.9/frida-gadget-12.5.9-android-arm.so
```
When you open the app, the Android screen will stay frozen: the Frida gadget has started and is waiting for a connection. Connect with the command
```
frida -U -n Gadget
```
You can insert the hook script inside the APK and make it load automatically, without requiring the frida client.
Create the hook script:
```javascript
Java.perform(function () {
    var Log = Java.use('android.util.Log');
    Log.w("FRIDAGADGET", "Hello World");
});
```
Then use the following command to embed the script in the APK:
```
apkpatcher -a base.apk --autoload-script hook.js
```
When you open the app, it will automatically load the hook script.
When analyzing Android apps, you may want to intercept their HTTPS traffic with a proxy such as Burp Suite. Since Android 7 (Nougat), apps whose target API level is 24 or above no longer trust user-added CAs. In order to bypass this restriction, you can patch the APK to insert a network configuration. APK Patcher can do this automatically for you. Use the following command:
```
apkpatcher --enable-user-certificates --prevent-frida-gadget -a base.apk
```
Note that we used the option `--prevent-frida-gadget`, so the Frida gadget library is not inserted in the application.
Caution: if the network_security_config.xml file already exists, apkpatcher will delete it, and this may cause some bugs. APK Patcher will show you the original file content before deleting it.
APK Patcher will try as hard as it can to avoid extracting resource files, since this step sometimes fails. So if you just want to insert the Frida gadget and the app already declares the `android.permission.INTERNET` permission, apkpatcher will not extract AndroidManifest.xml and the resource files; it will modify only some smali code. If you want to force APK Patcher to extract resources even when it is not required, use the following command:
```
apkpatcher -a base.apk --force-extract-resources
```
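As an added example (not apkpatcher's own code), the following Python script inspects an apktool-decoded directory for the two conditions this README describes: whether `android.permission.INTERNET` is declared, which decides whether resources need extracting, and whether a network security config is already present, which apkpatcher would delete. The manifest sample and the `res/xml/network_security_config.xml` location are assumptions about apktool's decoded layout.

```python
"""Pre-flight check of an apktool-decoded APK directory (added example, not
apkpatcher's own code): reports the INTERNET permission and any network security config."""
import os
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INTERNET = "android.permission.INTERNET"

# Constructed sample of a decoded AndroidManifest.xml (layout assumed from apktool output).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

def inspect_manifest(manifest_xml: str) -> dict:
    """Return whether INTERNET is declared and which networkSecurityConfig resource is referenced."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(f"{{{ANDROID_NS}}}name") for p in root.iter("uses-permission")}
    app = root.find("application")
    nsc = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig") if app is not None else None
    return {"has_internet": INTERNET in perms, "nsc_ref": nsc}

def plan(manifest_xml: str, existing_nsc: Optional[str]) -> List[str]:
    """Turn the manifest facts into what to expect from apkpatcher, per the README."""
    info = inspect_manifest(manifest_xml)
    notes = []
    if info["has_internet"]:
        notes.append("INTERNET declared: gadget-only patching can skip resource extraction")
    else:
        notes.append("INTERNET missing: resources will be extracted and the manifest edited")
    if info["nsc_ref"] or existing_nsc:
        notes.append("network security config present: apkpatcher will delete it, keep a copy first")
    return notes

def check_decoded_dir(path: str) -> List[str]:
    """Run the checks against a real apktool output directory such as /tmp/apkptmp/base."""
    with open(os.path.join(path, "AndroidManifest.xml"), encoding="utf-8") as f:
        manifest = f.read()
    nsc_path = os.path.join(path, "res", "xml", "network_security_config.xml")
    existing = None
    if os.path.exists(nsc_path):
        with open(nsc_path, encoding="utf-8") as f:
            existing = f.read()
    return plan(manifest, existing)
```

Run `check_decoded_dir("/tmp/apkptmp/base")` after a `--wait-before-repackage` extraction to see both notes before apkpatcher continues.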
Every time you have to modify an APK, it is a tedious task to decompile, modify, repackage, sign (and generate a key if you don't have one) and zipalign it. APK Patcher will help you with this task. You can use the `--wait-before-repackage` option, and APK Patcher will wait for you to make any changes you want. Then you just instruct APK Patcher to continue, and it will automatically repack the APK, sign it with a randomly generated key and zipalign it. You can use this option in combination with other APK Patcher flags.
- Just decompile and wait for me:
```
apkpatcher -a base.apk --prevent-frida-gadget --force-extract-resources -w
```
The output will be something like the following:
```
[*] Extracting base.apk (with resources) to /tmp/apkptmp/base
[*] Some errors may occur while decoding resources that have framework dependencies
[*] Apkpatcher is waiting for your OK to repackage the apk...
[*] Are you ready? (y/N):
```
Now you can keep calm, go to /tmp/apkptmp/base, modify everything you want, and only when you type `y` will APK Patcher continue:
```
[*] Are you ready? (y/N): y
[*] Repackaging apk to /tmp/patcher/base_patched.apk
[*] This may take some time...
```
You can automate some tasks before repackaging the APK. You can do this with `-x`:
```
apkpatcher -a base.apk -x 'find TMP_PATH_HERE -name *.so' --pass-temp-path
```
And the result will be something similar to this:
```
apkpatcher -a base.apk -x 'find TMP_PATH_HERE -name *.so' --pass-temp-path
[*] Extracting base.apk (without resources) to /tmp/apkptmp/base
[*] Copying gadget to /tmp/apkptmp/base/lib/arm64-v8a/libfrida-gadget.so
[!] Provided shell command: find /tmp/apkptmp/base -name *.so
[!] Are you sure you want to execute it? (y/N) y
[*] Executing -> find /tmp/apkptmp/base -name *.so
/tmp/apkptmp/base/lib/arm64-v8a/libfrida-gadget.so
/tmp/apkptmp/base/lib/arm64-v8a/libvlcjni.so
/tmp/apkptmp/base/lib/arm64-v8a/libvlc.so
/tmp/apkptmp/base/lib/arm64-v8a/libmla.so
/tmp/apkptmp/base/lib/arm64-v8a/libc++_shared.so
[*] Repackaging apk to /tmp/patcher/base_patched_15590132979717808.apk
```
Note that you can optionally use the flag `--pass-temp-path`, and APK Patcher will replace every instance of `TMP_PATH_HERE` in your command with the path to the temporary directory where the APK was decompiled.