Decompile Android application: Hack
Hi! Today I am going to show you how to decompile an Android application (.apk): See the code inside the app' and even debug it!
Pr.S: I will be on Windows for this tutorial.
You will need some Android developer tools for this:
- Download and install Android Studio (Optional, but verry recommanded to see the logcat of the application)
- Download and install APK Studio GUI
- Download my special RAR Tools!
- The application we are going to decompile: app
THE GAME: The application is asking for a secret number. Your mission, should you choose to accept it, is to decompile the application, understand the program and find the number. This message won't self-destruct in five seconds.
Decompile the application
The Java executables can be decompiled. As we have an .apk (which is not an executable), we are going to "convert" it into a .jar (which is an executable).
Extract the RAR file downloaded (3) to your desktop, move the .apk into the dex2jar-2.0 folder and open a command line into that folder (Shift + right click in folder > Open a command window here). Type the following:
If everything is okay, you should have a app-dex2jar.jar file created in the folder. Now open that file (executable) with jd-GUI. You should have something like:
Finally we accessed to the code! As you can see, the application print the secret number in the logcat! We know now that it a random number between 0 and 100000 but nothing more!
Good new: we can actually see what is happening in the logcat! We have to make the application debuggable!
We are going to access to the AndroidManifest file which contains all informations about the permissions, the activities, the services etc... But most importantly, it is in this file that the debugging is enabled or disabled.
Open APK Studio, drag and drop the .apk file into the program and confirm.
Note: We don't actually need APK Studio to see the informations (you can simply open the .apk with Winrar for example), but as we are going to do some modifications, we will need to rebuild the app: APK Studio do it for us.
Once opened, it should look like this:
To enable the debugging, add the following in the application tag:
Then click on the little hammer to build the application again with the modification. Once the process completed, the .apk should be modified. In order to debug the application, we have to install it on our phone. Uninstall any previous version of the application and install the new one.
- Open a command line in the extracted folder (Tools)
1adb uninstall me.aflak.test
1adb install dex2jar-2.0/app.apk
If somehow the installation failed
Open a command line in Program Files (x86)\Java\jdk_a_version\bin and type:
jarsigner.exe -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Path\To\Tools\keystore.jks Path\To\app.apk MyKey
A password will be prompted: cys
Try then to reinstall the application.
Open the application on your phone, and go to Android Studio. You should see the package name of the application in the debugging section:
When you click on the button in the application:
We did it! As you can see, it is very simple to access to an application code. Keep in mind all this when you develop an app and be safe!
Important: Never write a password in your .java! Always add sensitive information in the resources files.
I hope it was interesting!
Comment for any question or suggestion!