# Patching APKs

## Decompiling

Patching APKs works by changing the Smali code. To get this code, use [apktool](https://ibotpeaches.github.io/Apktool/) to decompile it:

```shell-session
$ apktool d -f -r app.apk -o app/
```

After that has finished, you will find a `smali/` folder in the output folder of the above command. This contains all the Smali code which is a human-readable assembly for Android. You can open this in your favorite editor to change any of the instructions or values. \
For example, you may find a number responsible for the required score, that you can change to a lower number to bypass some checks.&#x20;

## Rebuilding

It is often difficult to make big changes to the Smali code, but you can pretty easily change number values or strings in the `.smali` files. After making the changes you want, you can turn it back into an APK file to run in Android Studio.&#x20;

To build this after making the changes in your `smali/` folder, go to the top directory again, and use apktool to build the APK:

<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ apktool b -f app/
</strong>I: Using Apktool 2.4.0-dirty
I: Smaling smali folder into classes.dex...
I: Copying raw resources...
I: Copying libs... (/lib)
I: Copying libs... (/kotlin)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
</code></pre>

Now you will find an APK file in `app/dist/app.apk` with your changes. However, to actually be able to run it on an Android device, you first need to **sign** it.&#x20;

## Signing

To verify the integrity of apps, they must be signed by someone before being able to run on the device. This includes emulated devices, so we need to first sign the patched APK before trying to run it in Android Studio.&#x20;

The first thing you need to do before signing is to align the APK file. This can be done with the [zipalign](https://developer.android.com/studio/command-line/zipalign) tool:

```shell-session
$ zipalign -f 4 app/dist/app.apk app/dist/app-aligned.apk
```

After which, you can actually get to the signing. For this, we can use the [apksigner](https://developer.android.com/studio/command-line/apksigner) tool made for this. It needs a few files first, like a **keystore** to read the certificate from. If you do not have a keystore key, which you likely won't if this is the first time you are signing an APK, you can create one with the following command using [keytool](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html):

{% code overflow="wrap" %}

```shell-session
$ keytool -genkey -noprompt -dname 'CN=, OU=, O=, L=, S=, C=' -keystore apk.keystore -alias 'apk' -keyalg RSA -storepass 'password' -keypass 'password'
```

{% endcode %}

This specific command will create a keystore with the following attributes (which can be anything) that we'll need later:

* Alias: `apk`
* Passwords: `password`

After this has been created, use `apksigner` command to use this keystore, and sign the aligned APK:

<pre class="language-shell-session" data-overflow="wrap"><code class="lang-shell-session"><strong>$ apksigner sign -out app/dist/app-signed.apk --ks-key-alias 'apk' --ks apk.keystore --key-pass 'pass:password' --ks-pass 'pass:password' -v app/dist/app-aligned.apk
</strong>Signed
</code></pre>

Finally, the fully signed APK should be stored in `app/dist/app-signed.apk`. You can verify this using `apksigner verify`:

<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ apksigner verify -v app/dist/app-signed.apk
</strong>Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
</code></pre>

This `.apk` file can now successfully be imported into Android Studio, and emulated on a device to run your patched application.&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.jorianwoltjer.com/mobile/patching-apks.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.