Continuing my previous post about Android app reverse engineering and Smali editing, this time I want to see if I can edit a snippet of code in an activity of some app (whose name I won't disclose here :) let's just say it's a popular bank's app in Israel). The snippet is responsible for sending the login credentials to a server for authentication; the edit should make it also save them somewhere for later use.
As before, we start by unpacking the APK with apktool.
Once that's done, we need to find the Smali file holding the values we want to save. For this app, those are the user's username and password, which are sent in the HTTP request that authenticates to the server.
To find it, I started the app and noted the text on the login activity's button; it was a simple 'login' string. Then I searched the app's strings.xml for it, just to verify that it shows up there as well.
After that, you can search for that string across all the unpacked Smali files; grep will do, or you can write a small Python script for the search. Keep in mind that a button label often doesn't appear in Smali as a string literal at all: apktool puts string resources in res/values/strings.xml and their numeric ids in res/values/public.xml, and the code references the resource by that id (a const instruction with a 0x7f... value), so searching for both the literal and the id is more reliable.
Here's an example:
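As an added example of such a search (my own code, not the script from the original post), here's a Python script that takes a UI string, resolves it to its resource id through strings.xml and public.xml, and then greps the Smali tree for both the quoted literal and the id, reporting the enclosing method for each hit. The apktool output tree it runs on is a constructed miniature, not a real app; the class and method names in it are invented.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed miniature of an apktool output tree (not a real app). Only the
# pieces the search needs are present: the two resource tables and two classes.
SAMPLE_TREE = {
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DemoBank</string>
    <string name="login_button">Login</string>
</resources>
""",
    "res/values/public.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <public type="string" name="app_name" id="0x7f0a0000" />
    <public type="string" name="login_button" id="0x7f0a0001" />
</resources>
""",
    "smali/com/example/UserLoginActivity.smali": """.class public Lcom/example/UserLoginActivity;
.super Landroid/app/Activity;

.method private setupButton()V
    .locals 2

    const v0, 0x7f0a0001
    invoke-virtual {p0, v0}, Lcom/example/UserLoginActivity;->getString(I)Ljava/lang/String;
    move-result-object v1

    return-void
.end method

.method private loginToServer()V
    .locals 5

    const-string v0, "Login"

    return-void
.end method
""",
    "smali/com/example/Other.smali": """.class public Lcom/example/Other;
.super Ljava/lang/Object;

.method public foo()V
    .locals 1

    const-string v0, "Logout"

    return-void
.end method
""",
}


def build_sample_tree():
    """Write SAMPLE_TREE to a temp directory and return its root path."""
    root = tempfile.mkdtemp(prefix="apktool_out_")
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def resource_ids_for_text(root, text):
    """Return the hex ids of every <string> resource whose value is `text`.
    Button labels usually reach the code as such an id, not as a literal."""
    strings = ET.parse(os.path.join(root, "res", "values", "strings.xml")).getroot()
    names = {s.get("name") for s in strings.iter("string") if (s.text or "").strip() == text}
    public = ET.parse(os.path.join(root, "res", "values", "public.xml")).getroot()
    return {p.get("id").lower() for p in public.iter("public")
            if p.get("type") == "string" and p.get("name") in names}


def search_smali(root, needles):
    """Grep every .smali file for any needle (case-insensitive), reporting the
    method each hit sits in by tracking .method / .end method directives."""
    hits = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for name in sorted(files):
            if not name.endswith(".smali"):
                continue
            path = os.path.join(dirpath, name)
            method = None
            with open(path, encoding="utf-8") as fh:
                for lineno, line in enumerate(fh, 1):
                    stripped = line.strip()
                    if stripped.startswith(".method "):
                        method = re.search(r"(\S+)\(", stripped).group(1)
                    elif stripped == ".end method":
                        method = None
                    elif any(n in stripped.lower() for n in needles):
                        hits.append({"file": os.path.relpath(path, root),
                                     "method": method, "line": lineno, "text": stripped})
    return hits


def find_string_uses(root, text):
    """Find both literal and resource-id uses of a UI string in the Smali tree."""
    needles = {f'"{text}"'.lower()} | resource_ids_for_text(root, text)
    return search_smali(root, needles)


if __name__ == "__main__":
    for hit in find_string_uses(build_sample_tree(), "Login"):
        print(f"{hit['file']}:{hit['line']} [{hit['method']}] {hit['text']}")
```

Run it against a real apktool output directory by passing that path instead of the constructed tree. The literal match is case-insensitive while the resource lookup is exact, so pass the label as it appears in strings.xml.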
Among others, my script returned the file UserLoginActivity.smali.
In that file I found a method called loginToServer(), which checked some other values and, if they weren't met, sent an HTTP request with the user's credentials to the server.
To save the user's credentials, I'm going to hook loginToServer(): call the Android logging method (which writes them to the device's logcat buffer) and then continue into the rest of the original method. The log call could obviously be replaced with an HTTP request of our own that sends the credentials to a remote server.
The first step is to add a local register for our logging tag string. At the beginning of every Smali method, right after the .method line, a .locals directive can be found with a number after it, like so:
.locals 5
So we change this value to 6 in order to add one more local register for our log tag string. Locals are numbered v0 through v(N-1), so with .locals 5 the existing registers are v0 to v4 and the new one is v5 (not v6).
Next, we assign our tag string to the new register:
const-string v5, "The login for this user is: "
Then call Android's Log.d() (the debug-level method), passing the tag and v4, which holds the credentials string at this point in the method. Log.d() returns an int we don't need, so no move-result follows the call:
invoke-static {v5, v4}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
The whole code looks like this:
And here's how it looks in logcat after I rebuilt the APK with apktool, signed it (a modified APK won't install otherwise), ran the app and logged in:
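As an added example (my own code, not the original post's), here's a Python script that applies the three edits described above to a Smali method: it bumps .locals, loads the tag into the freshly added register and inserts the Log.d call right before the instruction that consumes the credentials, so the logged register is actually live at that point. The method it patches is constructed (the class, field getters and sendLogin() are invented, not from the real app). It also refuses the edit when a register can't be encoded in the non-range invoke-static form, which only addresses v0 to v15; methods with many locals hit that limit and need invoke-static/range or a lower register instead.

```python
LOG_D = "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"

# Constructed Smali method standing in for the login method discussed above
# (not taken from any real app). The username ends up in v3 and the password
# in v4 before sendLogin() is invoked.
SAMPLE_METHOD = """\
.method private loginToServer()V
    .locals 5

    invoke-virtual {p0}, Lcom/example/UserLoginActivity;->getUserField()Ljava/lang/String;
    move-result-object v3

    invoke-virtual {p0}, Lcom/example/UserLoginActivity;->getPasswordField()Ljava/lang/String;
    move-result-object v4

    invoke-direct {p0, v3, v4}, Lcom/example/UserLoginActivity;->sendLogin(Ljava/lang/String;Ljava/lang/String;)V

    return-void
.end method
"""


def register_number(reg, locals_count):
    """Absolute index of a v/p register: parameter registers follow the
    locals, so p0 is v<locals_count>, p1 is v<locals_count + 1>, and so on."""
    kind, idx = reg[0], int(reg[1:])
    if kind == "v":
        return idx
    if kind == "p":
        return locals_count + idx
    raise ValueError(f"unknown register {reg!r}")


def inject_log(smali_text, method_name, anchor, msg_register, tag):
    """Return smali_text with a Log.d(tag, <msg_register>) call inserted in
    `method_name` right before the first line containing `anchor`."""
    lines = smali_text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.lstrip().startswith(".method ") and f" {method_name}(" in l), None)
    if start is None:
        raise ValueError(f"method {method_name} not found")
    end = next((i for i in range(start, len(lines)) if lines[i].strip() == ".end method"), None)
    if end is None:
        raise ValueError(f"{method_name} has no .end method")

    # Step 1: one more local register for the tag string.
    loc = next((i for i in range(start, end) if lines[i].strip().startswith(".locals ")), None)
    if loc is None:
        raise ValueError("method has no .locals directive (maybe .registers); not handled")
    indent = lines[loc][:len(lines[loc]) - len(lines[loc].lstrip())]
    old_locals = int(lines[loc].split()[1])
    new_locals = old_locals + 1
    tag_register = f"v{old_locals}"  # locals are v0..v(N-1), so the new one is v<old N>

    # The non-range invoke-static form encodes each register in 4 bits (v0..v15).
    for reg in (tag_register, msg_register):
        if register_number(reg, new_locals) > 15:
            raise ValueError(f"{reg} is above v15; use invoke-static/range or a lower register")
    lines[loc] = f"{indent}.locals {new_locals}"

    # Steps 2 and 3: load the tag and call Log.d where the credentials are live.
    at = next((i for i in range(loc + 1, end) if anchor in lines[i]), None)
    if at is None:
        raise ValueError(f"anchor {anchor!r} not found in {method_name}")
    escaped = tag.replace("\\", "\\\\").replace('"', '\\"')
    lines[at:at] = [
        f'{indent}const-string {tag_register}, "{escaped}"',
        f"{indent}invoke-static {{{tag_register}, {msg_register}}}, {LOG_D}",
        "",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(inject_log(SAMPLE_METHOD, "loginToServer", "->sendLogin(", "v4",
                     "The login for this user is: "))
```

The anchor substring is the instruction that uses the credentials (here the call to the invented sendLogin()); pick it from the real method so the message register holds the value you expect when Log.d runs. After patching, rebuild with apktool and sign the APK as usual.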
That's all for now, until next time :)