AhMyth
Stopwatch Timer Original v2.1 | Binding Failed
This is an issue with
- [x] Binding On Launch
- [x] Binding On Boot
APK Name & Origin
APK Name: Stopwatch Timer v2.1
APK Origin: APK Pure || Stopwatch Timer
To Reproduce
Steps to reproduce the behavior:
- Open APK Builder
- Type in server IP and Port
- Customisation of permissions
- Browse for the APK
- Bind with original APK
- Building Failed
Logs
Error: Command failed: java -jar "/home/kali/AhMyth/AhMyth-Server/app/app/Factory/apktool.jar" b "/home/kali/Desktop/APKs/Stopwatch Timer Original_v2.1_apkpure.com" -o "/home/kali/AhMyth/Output/Ahmyth.apk"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Exception in thread "main" org.jf.util.ExceptionWithContext: Exception occurred while writing code_item for method L$r8$java8methods$utility$Boolean$hashCode$IZ;->hashCode(Z)I
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1047)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:346)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:301)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:58)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:37)
at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:430)
at brut.androlib.Androlib.buildSources(Androlib.java:361)
at brut.androlib.Androlib.build(Androlib.java:313)
at brut.androlib.Androlib.build(Androlib.java:280)
at brut.apktool.Main.cmdBuild(Main.java:255)
at brut.apktool.Main.main(Main.java:82)
Caused by: org.jf.util.ExceptionWithContext: Error while writing instruction at code offset 0x0
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1320)
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1043)
... 10 more
Caused by: org.jf.util.ExceptionWithContext: Unsigned short value out of range: 65725
at org.jf.dexlib2.writer.DexDataWriter.writeUshort(DexDataWriter.java:116)
at org.jf.dexlib2.writer.InstructionWriter.write(InstructionWriter.java:356)
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1280)
... 11 more
OS Info
please complete the following information:
- OS: Debian
- OS Version: Kali 2022.4
First command
apt-cache policy openjdk-11-jdk
Second command
apt-cache policy aapt android-framework-res
Run these both in your terminal & print their outputs here
┌──(kali㉿kali)-[~]
└─$ apt-cache policy openjdk-11-jdk
openjdk-11-jdk:
Installed: 11.0.15+10-1
Candidate: 11.0.15+10-1
Version table:
*** 11.0.15+10-1 500
500 http://http.kali.org/kali kali-rolling/main amd64 Packages
100 /var/lib/dpkg/status
┌──(kali㉿kali)-[~]
└─$ apt-cache policy aapt android-framework-res
aapt:
Installed: 1:10.0.0+r36-5
Candidate: 1:10.0.0+r36-5
Version table:
*** 1:10.0.0+r36-5 500
500 http://http.kali.org/kali kali-rolling/main amd64 Packages
100 /var/lib/dpkg/status
android-framework-res:
Installed: 1:10.0.0+r36-5
Candidate: 1:10.0.0+r36-5
Version table:
*** 1:10.0.0+r36-5 500
500 http://http.kali.org/kali kali-rolling/main amd64 Packages
100 /var/lib/dpkg/status
Alright, so it's the APK itself. Can you please print the contents of the original APK's manifest file, and we will see from there what the problem is.
<uses-permission android:name="android.permission.VIBRATE" android:required="false"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-feature android:name="android.hardware.screen.landscape" android:required="false"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
<application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:name="stopwatch.timer.app.StopwatchTimerApplication" android:supportsRtl="true" android:theme="@style/AppTheme" android:usesCleartextTraffic="true">
<activity android:launchMode="singleTop" android:name="stopwatch.timer.app.activities.MainActivity" android:screenOrientation="portrait" android:theme="@style/AppTheme.NoActionBar">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<meta-data android:name="com.inappertising.ads.PUBLISHER_ID" android:value="@string/user_id"/>
<meta-data android:name="com.inappertising.ads.APPLICATION_KEY" android:value="@string/user_id"/>
<meta-data android:name="com.inappertising.ads.AFFILIATE_ID" android:value="@string/aff_id"/>
<meta-data android:name="com.inappertising.ads.FLURRY_KEY" android:value="M86TJFWP4Z84WCXSTZMY"/>
<meta-data android:name="com.inappertising.ads.APPMETRIC_KEY" android:value="38ab6e95-94b0-48cf-b319-0f20ad0534ac"/>
<service android:name="stopwatch.timer.app.services.StopwatchService"/>
<service android:name="stopwatch.timer.app.services.TimerService"/>
<activity android:name="com.startapp.android.publish.ads.list3d.List3DActivity" android:theme="@android:style/Theme"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity" android:theme="@android:style/Theme.Translucent"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity" android:theme="@android:style/Theme"/>
<service android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"/>
<service android:name="com.startapp.android.publish.common.metaData.InfoEventService"/>
<service android:name="com.startapp.android.publish.common.metaData.PeriodicJobService" android:permission="android.permission.BIND_JOB_SERVICE"/>
<receiver android:name="com.startapp.android.publish.common.metaData.BootCompleteListener">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter>
</receiver>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.mopub.mobileads.MoPubActivity" android:theme="@style/MoPubFullscreenTheme"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.mopub.mobileads.MoPubFullscreenActivity" android:theme="@style/MoPubFullscreenTheme"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.mopub.common.MoPubBrowser" android:theme="@style/MoPubFullscreenTheme"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.mopub.mobileads.MraidVideoPlayerActivity" android:theme="@style/MoPubFullscreenTheme"/>
<activity android:configChanges="keyboardHidden|orientation|screenSize" android:name="com.mopub.common.privacy.ConsentDialogActivity" android:theme="@style/MoPubFullscreenTheme"/>
<activity android:configChanges="keyboard|keyboardHidden|orientation|screenLayout|screenSize|smallestScreenSize|uiMode" android:exported="false" android:name="com.google.android.gms.ads.AdActivity" android:theme="@android:style/Theme.Translucent"/>
<meta-data android:name="com.google.android.gms.version" android:value="@integer/google_play_services_version"/>
<service android:enabled="true" android:exported="true" android:name="com.yandex.metrica.MetricaService" android:process=":Metrica">
<intent-filter>
<category android:name="android.intent.category.DEFAULT"/>
<action android:name="com.yandex.metrica.IMetricaService"/>
<data android:scheme="metrica"/>
</intent-filter>
<meta-data android:name="metrica:api:level" android:value="92"/>
</service>
<service android:enabled="true" android:exported="false" android:name="com.yandex.metrica.ConfigurationService" android:process=":Metrica">
<meta-data android:name="metrica:configuration:api:level" android:value="3"/>
<intent-filter>
<action android:name="com.yandex.metrica.configuration.ACTION_INIT"/>
</intent-filter>
</service>
<service android:enabled="true" android:exported="false" android:name="com.yandex.metrica.ConfigurationJobService" android:permission="android.permission.BIND_JOB_SERVICE" android:process=":Metrica"/>
<receiver android:enabled="true" android:exported="true" android:name="com.yandex.metrica.MetricaEventHandler">
<intent-filter>
<action android:name="com.android.vending.INSTALL_REFERRER"/>
</intent-filter>
</receiver>
<receiver android:enabled="true" android:exported="true" android:name="com.yandex.metrica.ConfigurationServiceReceiver" android:process=":Metrica">
<intent-filter>
<action android:name="com.yandex.metrica.configuration.service.PLC"/>
</intent-filter>
</receiver>
<provider android:authorities="stopwatch.timer.app.appmetrica.preloadinfo.retail" android:enabled="true" android:exported="true" android:name="com.yandex.metrica.PreloadInfoContentProvider" android:process=":Metrica"/>
<meta-data android:name="com.android.dynamic.apk.fused.modules" android:value="base"/>
<meta-data android:name="com.android.stamp.source" android:value="https://play.google.com/store"/>
<meta-data android:name="com.android.stamp.type" android:value="STAMP_TYPE_STANDALONE_APK"/>
<meta-data android:name="com.android.vending.splits" android:resource="@xml/splits0"/>
<meta-data android:name="com.android.vending.derived.apk.id" android:value="6"/>
</application>
This is just a simple timer app, nothing special.
Ok so inside the <activity> class, we can see the declared Launcher Activity:
<activity android:launchMode="singleTop" android:name="stopwatch.timer.app.activities.MainActivity" android:screenOrientation="portrait" android:theme="@style/AppTheme.NoActionBar">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
Where it reads...
android:name="stopwatch.timer.app.activities.MainActivity"
in the <activity> class, is the path to the Launcher Activity needed for Binding, so what I'll get you to do now is enter the decompiled StopWatch APK folder where the AndroidManifest.xml is located, and run the following command in a terminal over the decompiled APK folder...
find -name "MainActivity.smali"
Then print the output here.
┌──(kali㉿kali)-[~]
└─$ find -name "MainActivity.smali"
./smali_classes2/stopwatch/timer/app/activities/MainActivity.smali
Yep, just as I suspected, the Activity is located within a smali_classes folder, so currently AhMyth is only able to search the smali directory of APKs for the Launcher Activity. I am currently in the process of fixing this, so the next release of AhMyth will see this bug fixed.
Ok so I have been working on fixing this bug ALL NIGHT 🌑🌒🌓🌔🌕🌖🌗🌘🌑 and it seems it's going to take a bit longer than expected, don't worry though, I WILL fix this! I don't give a shit how long it takes me 😁😂
Nice, if you need help write me on Discord sweax#8298, thanks for your awesome work
If I need help I will, updates on research into fixing this bug will be posted here
DevLog - Monday, 15 July 2022, 7:08am (AEST)
Ok so further research into this problem has confirmed for me that AhMyth certainly does locate the correct .smali file to hook as well as its path, the problem is the smaliPath, the smaliPath is currently declared as the smali/ folder for decompiled APKs, so therefore, AhMyth will locate the correct file to hook no problems, but it will only search the smali/ directory for it, hence why it fails when the correct .smali file is located in a directory like smali_classes4 or smali_classes11.
So what I need to do is find a way to get the absolute path of the Launcher Activity, which is basically starting from the user's Home Directory all the way to the Launcher Activity Smali file to hook, this way, I should not have to declare the smaliPath at all, it would already be declared in the absolute path.
DevLog - Tuesday 2nd, August | 3:46PM
Definitely getting somewhere on fixing this bug, been working on implementing some new code, and the tests are proving very promising, take a look at the results of the new coding tests below.
Ignore the Reading Launcher Activity Failed error as this was only a Dev test, focus on the highlighted elements.
Results on FlappyBird.apk
Results on Termux.apk straight after testing on Flappy Bird.apk
These tests are promising, VERY promising!! So I will now be working on getting this to work with AhMyth fully.
Unsigned short value is related to android dex limitations.
Btw you mind sharing your apktool version? Am very curious to test with apps like Spotify or instagram
Oh you must mean in the logs section there, that must be from a different apk then because stopwatch Timer doesn't build because it can't locate the launcher activity, same as the others
And yes you can find the Apktool that AhMyth uses here, it was mainly upgraded so it could work with Facebook APK's
https://github.com/Morsmalleo/AhMyth/tree/master/AhMyth-Server/app/app/Factory
I can tell you that this issue in specific is related to the launcher activity being located in a different Smali folder hence the screenshots of the results above.
Also remember that msfvenom uses Apktool as well, and msfvenom does just fine backdooring APKs, the method of hooking might be different but it's great, Apktool is fine, it's not an Android limitation because I have manually backdoored heaps of apps using AhMyth and msfvenom payloads, most of them work save for a few modded ones
No the logs are for this APK and you are certainly right about the limitation, but that was not the problem here.
Ok so there are two problems here...
- The launcher activity location
- A bug in AhMyth's coding
The Launcher activity location is the main issue here because it's located in folders that AhMyth can't access, this is in the process of being fixed, hence the screenshots of the results on other APKs above.
The bug in AhMyth's coding was just throwing its hook into the Launcher activity without giving a shit where it puts it, so this would cause the unsigned short value error with Apktool, also if the launcher activity was located in a directory that AhMyth currently can't access then it will write the file anyway and still cause the unsigned short value error, this bug has since been fixed, but thank you for pointing this one out 😁♥️
Actually I've been trying for 2 months to recompile an apk with a simple msfvenom payload and I get that error. The Apktool dev told me it's because of dex class limits, you cannot exceed 65k methods, giving the exact error of this log. Did you try to bind the fb app with your payload and recompile?
The Dev told me to just move the smali file into another dex_class
I don't know what version of msfvenom you are using because it backdoors Facebook fine for me, and I'm using the latest apktool updated with my edits, and it works fine
Also, no, the Dev is right, that is a solution, which is what the latest msfvenom does, it patches the smali code in order to avoid this error
May I ask what version you use? Because my version of msfvenom just gives the same error on modern apps, maybe it works for you because you use a modded apktool
No I use msfvenom as it is when it comes preinstalled with Kali
Recent updates on tests for new coding have found the binding bug for this APK to be fixed, however there's another problem with this APK now the binding bug is fixed, once the APK has been backdoored, the connections from the client to the server are EXTREMELY buggy, so the binding bug is fixed however it won't be implemented until I can find out what the fuck is wrong with the client when it's used an original APK as a template now.
Updates for the binding bug can be found in the Code_Updates.md file as well as updates for other parts of AhMyth's coding.
Updates to this have been taking a while simply because the new binding function works like a fucking charm 😃 but the connections after installation of the backdoored APK, are very unstable for some reason 😭!! So I'm currently doing some debugging
But I am also working on a new hook function for AhMyth which will hopefully solve this problem for this APK as well as others, as well as provide better backdooring solutions to APK's that have failed with AhMyth in the past
I know this was spoken about a while ago but here's some tips to get msfvenom working
- Install Apktool from the creator's Apktool website because msfvenom fails with any Apktool version that has anything else but the name and version number in its title! So for example if you install Apktool with
apt-get install apktool -y
on Debian, this will install apktool-2.6.1-dirty and msfvenom will throw a malformed string number error when it tries to use it, hence why Apktool needs to be obtained from iBotPeaches' Apktool website instead of installing from Linux package managers.
- You'll need to install Apksigner and Zipalign using APT:
apt install apksigner zipalign
Now once you've done both of these steps, you'll want to run this command to avoid any building errors when recompiling an APK with msfvenom because I see errors related to this happening all the time!
apktool empty-framework-dir --force
Hope that helps you for future reference.
Sorry to post that to you out of the blue, just thought it might help you
Binding Problems with this APK have been fixed! Updates will be released with new release in the next week or two, so until then users will have to wait.
New version released today
reopened due to major bug in binding in latest release
Unfortunately newer updates for the revision of 1.0-beta.5 don't solve the binding problems for this APK, I'm so sorry for any inconvenience.
I will work on solving the binding problems with this APK as much as possible