
Reverse engineering & Rebuilding 3rd party,

closed, binary Android apps (APKs) using APKtool


Welcome to my second tutorial.
In this one I will show you how to reverse engineer Android APKs:

Features:

decoding resources to nearly original form (including resources.arsc, XMLs and 9.png files)
and rebuilding them
smali debugging: SmaliDebugging
helping with some repetitive tasks

Requirements:

JRE 1.7
aapt command in a PATH
basic knowledge regarding Android SDK, aapt, smali and how to use Google may be useful
APK-tool
APK-Signer
Android Application (Example App)
A Brain

Create an Application:
For this tutorial we will create an Android application with 3 activities:
1. Home/Start Activity with one button
2. Activity with sad smiley as Background
3. Activity with smiling smiley as Background
If you push the Button on the first Activity, you will be redirected to the second activity with the
sad smiley.
Because no one likes sad smiley, the goal of our Tutorial is to be redirected to the third activity
after the button has been pushed.

Android Manifest:
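<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the example app: one launcher activity (MainActivity) and two further
     activities (Second, Third) that declare no intent-filter. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="s4mpl3d.nl.reverse">

    <!-- NOTE(review): allowBackup="true" permits the app's data to be included in device
         backups. The activities shown on this page store nothing, but an app that keeps
         anything sensitive would normally set this to false. -->
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">

        <!-- Entry point: MAIN/LAUNCHER makes this the activity started from the launcher. -->
        <activity
            android:name=".MainActivity"
            android:label="@string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>

                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>

        <!-- No intent-filter: started only through the explicit Intent built in
             MainActivity.next(). -->
        <activity
            android:name=".Second"
            android:label="@string/title_activity_second"
            android:parentActivityName=".MainActivity">
            <meta-data
                android:name="android.support.PARENT_ACTIVITY"
                android:value="s4mpl3d.nl.reverse.MainActivity"/>
        </activity>

        <!-- No intent-filter and, in the original source, no Intent that targets it. -->
        <activity
            android:name=".Third"
            android:label="@string/title_activity_third" >
        </activity>
    </application>

</manifest>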

First Activity Class:


package s4mpl3d.nl.reverse;
import android.content.Intent;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
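/**
 * Start activity of the example app. It shows a single button; pressing it opens
 * {@link Second}.
 */
public class MainActivity extends ActionBarActivity {

    /**
     * Loads the layout {@code R.layout.activity_main}.
     *
     * @param savedInstanceState state passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    /**
     * Inflates {@code R.menu.menu_main} into the options menu.
     *
     * @param menu the menu to populate
     * @return always {@code true}
     */
    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        getMenuInflater().inflate(R.menu.menu_main, menu);
        return true;
    }

    /**
     * Consumes a click on the settings item and hands every other item to the superclass.
     *
     * @param item the selected menu item
     * @return {@code true} for the settings item, otherwise the superclass result
     */
    @Override
    public boolean onOptionsItemSelected(MenuItem item) {
        // Handle action bar item clicks here. The action bar will
        // automatically handle clicks on the Home/Up button, so long
        // as you specify a parent activity in AndroidManifest.xml.
        int id = item.getItemId();

        //noinspection SimplifiableIfStatement
        if (id == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }

    /**
     * Click handler for the button; the layout binds it with {@code android:onClick="next"}.
     *
     * @param view the clicked view (unused)
     */
    public void next(View view) {
        // The target class is a constant compiled into the app. The tutorial goes on to change
        // it in the decompiled smali, which is why a client-side branch like this cannot be
        // relied on to enforce anything.
        Intent i = new Intent(this, Second.class);
        startActivity(i);
    }
}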

Second Activity Class:


package s4mpl3d.nl.reverse;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
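/**
 * Second activity of the example app; it displays {@code R.layout.activity_second}, the layout
 * with the sad smiley as its background.
 */
public class Second extends ActionBarActivity {

    /**
     * Loads the layout {@code R.layout.activity_second}.
     *
     * @param savedInstanceState state passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_second);
    }

    /**
     * Inflates {@code R.menu.menu_second} into the options menu.
     *
     * @param menu the menu to populate
     * @return always {@code true}
     */
    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        getMenuInflater().inflate(R.menu.menu_second, menu);
        return true;
    }

    /**
     * Consumes a click on the settings item and hands every other item to the superclass.
     *
     * @param item the selected menu item
     * @return {@code true} for the settings item, otherwise the superclass result
     */
    @Override
    public boolean onOptionsItemSelected(MenuItem item) {
        // Handle action bar item clicks here. The action bar will
        // automatically handle clicks on the Home/Up button, so long
        // as you specify a parent activity in AndroidManifest.xml.
        int id = item.getItemId();

        //noinspection SimplifiableIfStatement
        if (id == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }
}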

Third Activity Class:


package s4mpl3d.nl.reverse;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;

import android.view.MenuItem;
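/**
 * Third activity of the example app; it displays {@code R.layout.activity_third}, the layout
 * with the smiling smiley as its background.
 */
public class Third extends ActionBarActivity {

    /**
     * Loads the layout {@code R.layout.activity_third}.
     *
     * @param savedInstanceState state passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_third);
    }

    /**
     * Inflates {@code R.menu.menu_third} into the options menu.
     *
     * @param menu the menu to populate
     * @return always {@code true}
     */
    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        getMenuInflater().inflate(R.menu.menu_third, menu);
        return true;
    }

    /**
     * Consumes a click on the settings item and hands every other item to the superclass.
     *
     * @param item the selected menu item
     * @return {@code true} for the settings item, otherwise the superclass result
     */
    @Override
    public boolean onOptionsItemSelected(MenuItem item) {
        // Handle action bar item clicks here. The action bar will
        // automatically handle clicks on the Home/Up button, so long
        // as you specify a parent activity in AndroidManifest.xml.
        int id = item.getItemId();

        //noinspection SimplifiableIfStatement
        if (id == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }
}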

First Activity Layout:


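<!-- Layout of MainActivity: a single centered button. -->
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:paddingLeft="@dimen/activity_horizontal_margin"
    android:paddingRight="@dimen/activity_horizontal_margin"
    android:paddingTop="@dimen/activity_vertical_margin"
    android:paddingBottom="@dimen/activity_vertical_margin"
    tools:context=".MainActivity">

    <!-- android:onClick="next" binds the click to MainActivity.next(View). -->
    <Button
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="Next Activity"
        android:id="@+id/button"
        android:layout_centerVertical="true"
        android:layout_centerHorizontal="true"
        android:onClick="next"/>

</RelativeLayout>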

Second Activity Layout:


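<!-- Layout of the Second activity: an empty container with the "sad" drawable as background. -->
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:paddingLeft="@dimen/activity_horizontal_margin"
    android:paddingRight="@dimen/activity_horizontal_margin"
    android:paddingTop="@dimen/activity_vertical_margin"
    android:paddingBottom="@dimen/activity_vertical_margin"
    tools:context="s4mpl3d.nl.reverse.Second"
    android:background="@drawable/sad">
</RelativeLayout>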

Third Activity Layout:


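<!-- Layout of the Third activity: an empty container with the "lol" drawable as background. -->
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:paddingLeft="@dimen/activity_horizontal_margin"
    android:paddingRight="@dimen/activity_horizontal_margin"
    android:paddingTop="@dimen/activity_vertical_margin"
    android:paddingBottom="@dimen/activity_vertical_margin"
    tools:context="s4mpl3d.nl.reverse.Third"
    android:background="@drawable/lol">

</RelativeLayout>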

Reversing:
decompiling:

After creating an APK from the Android source, it's time to start reversing. First of all, download
apktool and extract it into a folder. Put your APK file in the same folder as apktool. After that,
open a console and navigate to the directory. Inside the directory, run the command
`java -jar apktoolpath d apkfile` to let apktool decompile the application.

After APKtool has finished, a new directory with the name of the application is created. Inside it
there are some subdirectories: Original (unmodified files), res (reversed application resources) and
smali (reversed classes in smali format). The smali folder holds the Java packages. The folder
apktool\Application\smali\s4mpl3d\nl\reverse looks like this:

Smali
Smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java
VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the
full functionality of the dex format (annotations, debug info, line info, etc.). The names smali
and baksmali are the Icelandic equivalents of assembler and disassembler respectively.
Why Icelandic, you ask? Because Dalvik was named for an Icelandic fishing village.

Editing:
We want to edit the Intent which starts the second Activity, so that it starts the third with the
smiling smiley and not the second with the sad smiley. The Intent is created and started in
MainActivity, so let's have a look inside MainActivity.smali.
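# Disassembly of MainActivity as produced by apktool from the example app.
.class public Ls4mpl3d/nl/reverse/MainActivity;
.super Landroid/support/v7/app/ActionBarActivity;
.source "MainActivity.java"


# direct methods
.method public constructor <init>()V
    .locals 0

    .prologue
    .line 11
    invoke-direct {p0}, Landroid/support/v7/app/ActionBarActivity;-><init>()V

    return-void
.end method


# virtual methods

# next(View): builds an Intent for a target class and starts it.
.method public next(Landroid/view/View;)V
    .locals 2
    .param p1, "view"    # Landroid/view/View;

    .prologue
    .line 43
    new-instance v0, Landroid/content/Intent;

    # v1 holds the target activity class handed to the Intent constructor. This is the
    # operand the tutorial changes from Second to Third.
    const-class v1, Ls4mpl3d/nl/reverse/Second;

    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    .line 44
    .local v0, "i":Landroid/content/Intent;
    invoke-virtual {p0, v0}, Ls4mpl3d/nl/reverse/MainActivity;->startActivity(Landroid/content/Intent;)V

    .line 45
    return-void
.end method

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    .prologue
    .line 15
    invoke-super {p0, p1}, Landroid/support/v7/app/ActionBarActivity;->onCreate(Landroid/os/Bundle;)V

    .line 16
    # Resource id passed to setContentView (R.layout.activity_main in the Java source).
    const v0, 0x7f040017

    invoke-virtual {p0, v0}, Ls4mpl3d/nl/reverse/MainActivity;->setContentView(I)V

    .line 17
    return-void
.end method

.method public onCreateOptionsMenu(Landroid/view/Menu;)Z
    .locals 2
    .param p1, "menu"    # Landroid/view/Menu;

    .prologue
    .line 23
    invoke-virtual {p0}, Ls4mpl3d/nl/reverse/MainActivity;->getMenuInflater()Landroid/view/MenuInflater;

    move-result-object v0

    # Resource id passed to inflate (R.menu.menu_main in the Java source).
    const/high16 v1, 0x7f0d0000

    invoke-virtual {v0, v1, p1}, Landroid/view/MenuInflater;->inflate(ILandroid/view/Menu;)V

    .line 24
    const/4 v0, 0x1

    return v0
.end method

.method public onOptionsItemSelected(Landroid/view/MenuItem;)Z
    .locals 2
    .param p1, "item"    # Landroid/view/MenuItem;

    .prologue
    .line 32
    invoke-interface {p1}, Landroid/view/MenuItem;->getItemId()I

    move-result v0

    .line 35
    .local v0, "id":I
    # Resource id the item id is compared with (R.id.action_settings in the Java source).
    const v1, 0x7f090040

    if-ne v0, v1, :cond_0

    .line 36
    const/4 v1, 0x1

    .line 39
    :goto_0
    return v1

    # Any other item: defer to the superclass and return its result.
    :cond_0
    invoke-super {p0, p1}, Landroid/support/v7/app/ActionBarActivity;->onOptionsItemSelected(Landroid/view/MenuItem;)Z

    move-result v1

    goto :goto_0
.end method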

Here is the snippet we are interested in: the `const-class v1, Ls4mpl3d/nl/reverse/Second;` line in the `next` method.

Now just change Ls4mpl3d/nl/reverse/Second to Ls4mpl3d/nl/reverse/Third and save the file.

Rebuilding:
Now it is time to rebuild an APK and test the patched Application.
To rebuild an APK, run the command: `java -jar apktoolpath b ApplicationFolder`
The APK will be written into Application\dist.

Signing:
Download APK-Signer into the same directory as apktool and launch the application. Fill in the
required information and click Generate Keyfile:

Go to the next tab, Signer, load the keyfile, enter the passwords, load the APK from the dist
folder and click Sign.
After this the file is named : Application_SIGNED_UNALIGNED.apk

Now we need to align the APK. Go to the tab APK Alignment, load the APK and click Align.
After that a new file called Application_SIGNED_ALIGNED.apk is created.
Load this file into the APK Alignment tab and click Verify.

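That was all the magic; now install it on your Android device to test and enjoy the patch :). The rebuilt APK is signed with the key you just generated, not the one used for the original build, so Android will refuse to install it over a copy signed with a different key; uninstall that copy first.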
