https://github.com/ax/apk.sh
# apk.sh

apk.sh is a Bash script that makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.

## Features

apk.sh basically uses apktool to disassemble, decode and rebuild resources and some bash to automate the frida gadget injection process. It also supports app bundles/split APKs.

* Patching APKs to load frida-gadget.so on start.
* Support for app bundles/split APKs.
* Disassembling resources to nearly original form with apktool.
* Rebuilding decoded resources back to binary APK/JAR with apktool.
* Code signing the apk with apksigner.
* Multiple arch support (arm, arm64, x86, x86_64).
* No rooted Android device needed.

## Getting started
Pulling an APK from a device is as simple as running `./apk.sh pull <package_name>`

Decoding an APK is as simple as running `./apk.sh decode <apk_name>`

Rebuilding an APK is as simple as running `./apk.sh build <apk_dir>`

## apk.sh pull

`apk.sh pull` pulls an APK from a device. It supports app bundles/split APKs, which means that split APKs will be joined in a single APK (this is useful for patching). If the package is an app bundle/split APK, apk.sh will combine the APKs into a single APK, fixing all public resource identifiers.

## apk.sh patch

`apk.sh patch` patches an APK to load frida-gadget.so on start.

frida-gadget.so is Frida's shared library meant to be loaded by programs to be instrumented (when the Injected mode of operation isn't suitable). Simply loading the library lets you interact with it using existing Frida-based tools like frida-trace. It also supports a fully autonomous approach where it can run scripts off the filesystem without any outside communication.

Patching an APK is as simple as running `./apk.sh patch <apk_name> --arch arm`.

You can also specify a Frida gadget configuration in a JSON file: `./apk.sh patch <apk_name> --arch arm --gadget-conf <config.json>`

## Frida's Gadget configurations

In the default interaction, Frida Gadget exposes a frida-server compatible interface, listening on localhost:27042 by default. In order to achieve early instrumentation, Frida lets Gadget's constructor function block until you either `attach()` to the process, or call `resume()` after going through the usual `spawn()` -> `attach()` -> ...apply instrumentation... steps.

If you don't want this blocking behavior and want to let the program boot right up, or you'd prefer it listening on a different interface or port, you can customize this through a JSON configuration file.

The default configuration is:

```json
{
  "interaction": {
    "type": "listen",
    "address": "127.0.0.1",
    "port": 27042,
    "on_port_conflict": "fail",
    "on_load": "wait"
  }
}
```

You can pass the gadget configuration file to apk.sh with the `--gadget-conf` option.
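A check for a Gadget configuration before it is passed to `--gadget-conf`, covering the `listen` and `script` interaction types this README uses. This is an added example, not code from apk.sh or Frida; `lintGadgetConf` and its finding strings are hypothetical names, and it assumes the documented Gadget defaults (listen on 127.0.0.1:27042, `on_port_conflict` fail, `on_load` wait, `on_change` ignore).

```javascript
// Added example (not part of apk.sh or Frida): lint the text of a Gadget
// config file. lintGadgetConf is a hypothetical helper name.
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

function lintGadgetConf(jsonText) {
  let conf;
  try {
    conf = JSON.parse(jsonText);
  } catch (e) {
    return ["error: not valid JSON: " + e.message];
  }
  const out = [];
  const i = (conf && conf.interaction) || {};
  const type = i.type ?? "listen"; // Gadget listens when no type is given
  if (type === "listen") {
    const address = i.address ?? "127.0.0.1";
    const port = i.port ?? 27042;
    const onLoad = i.on_load ?? "wait";
    if (!LOOPBACK.has(address))
      out.push(`warn: address ${address} exposes the frida-server compatible interface beyond localhost`);
    if (!Number.isInteger(port) || port < 1 || port > 65535)
      out.push(`error: port ${port} is not a valid TCP port`);
    if (!["fail", "pick-next"].includes(i.on_port_conflict ?? "fail"))
      out.push(`error: unknown on_port_conflict ${i.on_port_conflict}`);
    if (!["wait", "resume"].includes(onLoad))
      out.push(`error: unknown on_load ${onLoad}`);
    else if (onLoad === "wait")
      out.push("info: on_load=wait blocks app start until a client attaches or resumes");
  } else if (type === "script") {
    const onChange = i.on_change ?? "ignore";
    if (typeof i.path !== "string" || i.path === "")
      out.push("error: script interaction needs a path");
    else if (i.path.startsWith("/data/local/tmp/") && onChange === "reload")
      out.push("warn: script in adb-writable /data/local/tmp is reloaded on change; anything able to write there controls code in the app");
    if (!["ignore", "reload"].includes(onChange))
      out.push(`error: unknown on_change ${onChange}`);
  } else {
    out.push(`info: interaction type ${type} is not covered by this check`);
  }
  return out;
}

// Constructed sample: the README's default config with the address changed.
const sample = '{"interaction":{"type":"listen","address":"0.0.0.0","port":27042,"on_load":"resume"}}';
console.log(lintGadgetConf(sample).join("\n"));
```
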
A typically suggested configuration might be:

```json
{
  "interaction": {
    "type": "script",
    "path": "/data/local/tmp/script.js",
    "on_change": "reload"
  }
}
```

script.js could be something like:

```js
// Bind __android_log_write so the script can write to logcat.
var android_log_write = new NativeFunction(
    Module.getExportByName(null, '__android_log_write'),
    'int',
    ['int', 'pointer', 'pointer']
);

var tag = Memory.allocUtf8String("[frida-sript][ax]");

// Log a "ping" line once per second (priority 3 = ANDROID_LOG_DEBUG).
var work = function() {
    setTimeout(function() {
        android_log_write(3, tag, Memory.allocUtf8String("ping @ " + Date.now()));
        work();
    }, 1000);
};
work();

// console.log does not seem to work. see: https://github.com/frida/frida/issues/382
console.log("console.log");
console.error("console.error");
console.warn("WARN");
android_log_write(3, tag, Memory.allocUtf8String(">--(O.o)-<)"));
```

```
adb push script.js /data/local/tmp
./apk.sh patch <apk_name> --arch arm --gadget-conf <config.json>
adb install file.gadget.apk
```

## Requirements

* apktool
* apksigner
* unxz
* zipalign
* aapt
* adb

## Links of Interest

* https://frida.re/docs/gadget/
* https://lief-project.github.io/doc/latest/tutorials/09_frida_lief.html
* https://koz.io/using-frida-on-android-without-root/
* https://github.com/sensepost/objection/
* https://github.com/NickstaDB/patch-apk/
* https://neo-geo2.gitbook.io/adventures-on-security/frida-scripting-guide/frida-scripting-guide

License: GPL-3.0