• Stars
    star
    279
  • Rank 147,967 (Top 3 %)
  • Language
    C++
  • Created over 2 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Bypass APK Signatures Verify & Integrity Check using Reflection

What is it?

APKKiller is a method to bypass various android application security system check such as Signature Verification, Integrity Check, etc. APKKiller uses JNI & Reflection to bypass Hidden API Restriction, however there is no guarantee that APKKiller will bypass all android application security. APKKiller is made for educational purpose only, use with discretion.

How does it work?

When an android application is loaded, it stores various information regarding current running Application like App Name, Package Name, Signature, APK Path, etc. You can't access those information normal way, but with Reflection you access, read and write new data to those internal classes & fields.

These informations are stored in a class like AppBindData, LoadedApk, ApplicationInfo, etc.

APKKiller changes data on those classes to spoof current application information such APK Path, APK Signatures, APK Installer Information, etc. APKKiller is not guaranteed to work on all apps/games, but it is guaranteed to bypass majorities of application security system.

How to use it?

  1. Get the target app original Signature using APK Sign Reader or APK Sign Reader (for windows)
  2. Change apk_signatures in APKKiller.h using the result of APKSignReader
  3. Build the APKKiller Project to APK
  4. Decompile both APKKiller APK and Target APK
  5. Copy smali from com/kuro (APKKiller smali) to the Target App smali
  6. Copy libs from APKKiller APK to Target APK (Make sure only copy same ABIs as the Target App, for example if Target App has only armeabi-v7a, then you should only copy armeabi-v7a)
  7. Locate Target App entry point in the smali, you can do this by taking a look at AndroidManifest.xml
  8. Call Start function on the target app attachBaseContext (Application) or onCreate (Activity) [Preferrably attachBaseContext]

For example:

attachBaseContext

image

onCreate

image

  1. Copy Target original APK file to <decompile_target_app_dir>/assets/original.apk
  2. Compile Target App and test it!