How our payload code getting triggered after Binding with any apk.

[iamvikashh]

I have seen in the code we are registering a broadcast receiver for starting our foreground/background service which connects to iosocket. but I want to know are we relying on broadcast only to trigger service code or are we also manipulating the targeted app smalli code before recompiling it along with payload code.

[Morsmalleo]

I have seen in the code we are registering a broadcast receiver for starting our foreground/background service which connects to iosocket. but I want to know are we relying on broadcast only to trigger service code or are we also manipulating the targeted app smalli code before recompiling it along with payload code.

With Binding On Launch, the main Launcher Activity smali file of the original APK always has what's called a "Hook" injected, this is what starts the payload after binding on launch

[iamvikashh]

can you tell where this Hook is injected in the code? i looked in appctrl.js but there we are only merging smalli codes of both apk.

[Morsmalleo]

AppCtrl.js is the one of the controllers for the AhMyth Server itself, it's responsible for the building processes and pretty much everything else AhMyth does when you use it, anything related to *.js files in the "AhMyth-Server" is for is for the server, hence the name of the directory AhMyth-Server if you're good with Java code you can look at the AhMyth-Client directory but you wanted the hook for binding.

if you want to find the actual code for the hook 🪝 that gets injected into an original applications launcher activity, then you'll want to go through the smali code of the main launcher activity for the original application you are binding with, not the Server code for AhMyth itself.

The location of the launcher activity for an original APK gets printed in green letters in the black GUI terminal in AhMyth when Binding so use this to find where the launcher activity file is located within the original APK, once you've found the launcher activity file, open it and you'll want to look for the following;

invoke-static {}, Lahmyth/mine/king/ahmyth/MainService;->start()V

This is what starts the payload after binding, you always find it above the first instance of return-void in the smali code of the launcher activity, so it will be easy to find.

This sort of hook method was borrowed from Metasploit Framework's "msfvenom", only my versions of AhMyth have it, which is why Binding is more stable the ever, however some APK's do throw exceptions and I am working on that to just for the record

[iamvikashh]

Hi morsmalleo, thanks for giving such a brief explanation. I checked it out and now I understood how it works. can you please also suggest me any template app which will work fine with onLaunch bind? Apps that I tried till now only work with onBoot. and again thanks for the help.

[Morsmalleo]

No unfortunately you'll need to find an APK that works for on launch, some will work, some won't.

For the on Launch method to work on any apk I'll need to shrink the payload majorly and I'm working on this so you'll need to wait for updates on that one