Android Software Reverse Engineering & Decompilation

Android App Patching Lab: Identifying & Modifying App Logic with APKTool Smali

Introduction to Android App Patching and Reverse Engineering

Android applications, while primarily written in Java or Kotlin, are compiled into Dalvik Executable (DEX) bytecode, which is then bundled into an APK (Android Package) file. This compilation process makes direct source code viewing difficult. However, with tools like APKTool, we can decompile APKs into an intermediate assembly-like language called Smali. Smali allows us to understand the application’s logic at a low level, modify it, and then recompile the app. This “patching” process is invaluable for security researchers, ethical hackers, and even developers debugging third-party libraries or analyzing malware. This lab will guide you through identifying specific application logic, modifying its Smali representation, and rebuilding a functional, patched APK.

Prerequisites and Environment Setup

Before we dive into the practical steps, ensure you have the following tools installed and configured on your system:

  • Java Development Kit (JDK): Required for running APKTool and signing applications.
  • Android SDK Build-Tools: Essential for `zipalign` and `apksigner`. Ensure `adb` is also configured for installing apps.
  • APKTool: The primary tool for decompiling and recompiling APKs. Download the `apktool.jar` and `apktool` wrapper script (Linux/macOS) or `apktool.bat` (Windows) from its official GitHub repository and place it in your system’s PATH.
  • A Target APK: For this lab, we’ll use a hypothetical simple app named PremiumApp.apk. Imagine it has a premium feature unlockable only if a certain boolean flag is true, which is initially hardcoded to false.

Installing APKTool (Example for Linux/macOS)

wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar -O apktool.jar
mv apktool.jar /usr/local/bin/apktool.jar
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/apktool -O /usr/local/bin/apktool
chmod +x /usr/local/bin/apktool

Step 1: Decompiling the Target APK

The first step in our patching journey is to decompile the target APK. This process extracts all resources, including the `AndroidManifest.xml` and, most importantly, converts the DEX bytecode into Smali files, organizing them into a structured directory.

apktool d PremiumApp.apk -o PremiumApp_decompiled

After executing this command, a new directory named `PremiumApp_decompiled` will be created. Inside, you’ll find:

  • `AndroidManifest.xml`: The application’s manifest file.
  • `res/`: Application resources (layouts, strings, drawables).
  • `smali/`: Contains the decompiled Smali code, organized by package structure. This is where our focus will be.

Step 2: Understanding Smali Basics and Locating Target Logic

Smali is a human-readable representation of Dalvik bytecode. While it looks complex, understanding a few key concepts will greatly aid our modification efforts:

  • `.class`, `.super`, `.source`: Define class, superclass, and source file.
  • `.method`: Defines a method, including its signature (parameters and return type).
  • `.locals N`: Declares `N` local registers (`v0`, `v1`, etc.) for the method.
  • `.param`: Declares method parameters.
  • `const/4 v0, 0x0`: Loads the 4-bit signed constant `0x0` into register `v0`; a boolean `false` is represented as `0`.
  • `const/4 v0, 0x1`: Loads `0x1` into register `v0`; a boolean `true` is represented as `1`.
  • `invoke-virtual`, `invoke-static`, `invoke-direct`: Call methods.
  • `if-eqz`, `if-nez`: Conditional jumps based on whether a register is zero or non-zero.
  • `goto`: Unconditional jump.
  • `return v0`: Returns the value in register `v0`.
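
The instructions above are easiest to read in context. The following is an added example, not part of the original lab: a small Python walker over a constructed Smali class that splits it into `.method` blocks, reads `.locals`, and reports boolean methods whose return value is loaded directly by a `const/4`. From the developer's side this is the audit worth running on your own build: a gate whose result exists only as a literal in the bytecode is exactly the kind of check a patcher flips, so it belongs behind a server-side entitlement check, not in the client. The class and method names (com/example/premiumapp/Features, isPremium, isTrialActive, maxDevices, loadFlag) are invented for the example, and the `.method` header regex assumes the `modifiers name(params)return` shape that baksmali emits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Smali for this example (not from any real app); names under com/example/premiumapp are invented.
SAMPLE_SMALI = """\
.class public Lcom/example/premiumapp/Features;
.super Ljava/lang/Object;
.source "Features.java"
# constructed: a feature gate whose result is a literal in the bytecode
.method public static isPremium()Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method
# constructed: a gate that derives its result from state loaded at run time
.method public static isTrialActive(Landroid/content/Context;)Z
    .locals 2
    .param p0, "ctx"    # Landroid/content/Context;
    invoke-static {p0}, Lcom/example/premiumapp/Features;->loadFlag(Landroid/content/Context;)Z
    move-result v0
    if-eqz v0, :cond_0
    const/4 v1, 0x1
    goto :goto_0
    :cond_0
    const/4 v1, 0x0
    :goto_0
    return v1
.end method
# constructed: not a boolean, so outside the audit's scope
.method public static maxDevices()I
    .locals 1
    const/4 v0, 0x3
    return v0
.end method
"""

# .method <modifiers...> name(params)return-type, the header shape baksmali emits (assumption)
METHOD_RE = re.compile(r"^\.method\s+(?:[a-z-]+\s+)*(?P<name>[^\s(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)$")
CONST4_RE = re.compile(r"^const/4\s+(v\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")
RETURN_RE = re.compile(r"^return\s+(v\d+)$")

@dataclass
class SmaliMethod:
    name: str
    params: str
    ret: str
    locals_count: int = 0
    body: List[str] = field(default_factory=list)  # instructions and :labels, in order

def parse_methods(smali: str) -> List[SmaliMethod]:
    """Split a Smali class into its .method blocks, keeping instruction and label lines."""
    methods: List[SmaliMethod] = []
    current: Optional[SmaliMethod] = None
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        if line.startswith(".method"):
            m = METHOD_RE.match(line)
            if not m:
                raise ValueError(f"unparsed method header: {line}")
            current = SmaliMethod(m["name"], m["params"], m["ret"])
        elif line == ".end method":
            methods.append(current)
            current = None
        elif current is None:
            continue  # class-level directives (.class, .super, .source)
        elif line.startswith(".locals"):
            current.locals_count = int(line.split()[1])
        elif line.startswith("."):
            continue  # .param, .line, .prologue and other metadata
        else:
            current.body.append(line)  # instruction or :label
    return methods

def literal_boolean_result(method: SmaliMethod) -> Optional[bool]:
    """True/False when a boolean method's single return is fed directly by const/4, else None.
    A :label between the const/4 and the return means another path reaches it: not a literal."""
    if method.ret != "Z":
        return None
    returns = [i for i, line in enumerate(method.body) if RETURN_RE.match(line)]
    if len(returns) != 1 or returns[0] == 0:
        return None
    i = returns[0]
    const = CONST4_RE.match(method.body[i - 1])
    if const and const.group(1) == RETURN_RE.match(method.body[i]).group(1):
        return int(const.group(2), 0) != 0
    return None

def audit_feature_gates(smali: str) -> List[str]:
    """Names of boolean methods whose result exists only as a literal in the bytecode."""
    return [m.name for m in parse_methods(smali) if literal_boolean_result(m) is not None]

if __name__ == "__main__":
    for m in parse_methods(SAMPLE_SMALI):
        print(f"{m.name}({m.params}){m.ret}: .locals {m.locals_count}, literal = {literal_boolean_result(m)}")
    print("gates to move server-side:", audit_feature_gates(SAMPLE_SMALI))
```

Run it directly to see each method's signature, register count and verdict. `isTrialActive` is not reported because a label sits between its `const/4` and its `return`, so the value depends on a run-time branch; only `isPremium`, whose result is a bare literal, is listed as a gate that needs to move out of the client.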

Our goal is to bypass a hypothetical premium check. We can start by looking for keywords like
