[bug] APK Crashes after patching

[batreller]

Every time I launch the APK it crashes
And I get message saying "Amazon Mobile Delivery keeps stopping", however, frida seem to be sucessfully injected

To Reproduce
Steps to reproduce the behavior:
Patching APK

I have pulled from phone working APK that I have installed to the phone from Amazon Flex official website - https://logistics.amazon.co.uk/app/download-app-direct/android

After that I have found launchable activity in AndroidManifest.xml file which is as I understand com.amazon.rabbit.android.RabbitApplication

C:\Users\user>objection patchapk -s C:\Users\user\Desktop\amazon\amazon_flex_extracted.apk --skip-resources --ignore-nativelibs --target-class com.amazon.rabbit.android.RabbitApplication
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 16.2.5
Patcher will be using Gadget version: 16.2.5
Detected apktool version as: 2.9.3
Running apktool empty-framework-dir...
Press any key to continue . . .
Unpacking C:\Users\user\Desktop\amazon\amazon_flex_extracted.apk
App already has android.permission.INTERNET
Using target class: com.amazon.rabbit.android.RabbitApplication for patch
Smali not found in smali directory. This might be a multidex APK. Searching...
Found smali at: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Reading smali from: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Injecting loadLibrary call at line: 298
Attempting to fix the constructors .locals count
Current locals value is 0, updating to 1:
Writing patched smali back to: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp.aligned.objection.apk to C:\Users\компьютер\Desktop\amazon\amazon_flex_extracted.objection.apk in current directory...
Cleaning up temp files...

Running APK
Frida gadget is injected while the tab saying "Amazon Mobile Delivery keeps stopping" is opened

As soon as you click "Close" button on the phone connection gets terminated

Similar issues
#167

Expected behavior
Application should not crash and should keep working properly

Crash log
Crash log of Amazon Mobile Delivery application

--------- beginning of crash
05-21 16:54:09.602 27638 27638 E AndroidRuntime: FATAL EXCEPTION: main
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Process: com.amazon.rabbit, PID: 27638
05-21 16:54:09.602 27638 27638 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{com.amazon.rabbit/com.amazon.rabbit.android.presentation.core.LaunchActivity}: android.content.res.Resources$NotFoundException: Drawable com.amazon.rabbit:drawable/application_background with resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3539)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3699)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:106)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:236)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:8037)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: Drawable com.amazon.rabbit:drawable/application_background with resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: File res/kjl.xml from drawable resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawableForCookie(ResourcesImpl.java:914)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.originalLoadDrawable(ResourcesImpl.java:693)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawable(ResourcesImpl.java:600)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.MiuiResourcesImpl.loadDrawable(MiuiResourcesImpl.java:307)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.loadDrawable(Resources.java:1010)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.getDrawableForDensity(Resources.java:1000)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.getDrawable(Resources.java:939)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.Context.getDrawable(Context.java:702)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.core.content.ContextCompat$Api21Impl.getDrawable(ContextCompat.java:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.core.content.ContextCompat.getDrawable(ContextCompat.java:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.ResourceManagerInternal.getDrawable(ResourceManagerInternal.java:5)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.AppCompatDrawableManager.getDrawable(AppCompatDrawableManager.java:2)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.TintTypedArray.getDrawableIfKnown(TintTypedArray.java:25)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.attachToWindow(AppCompatDelegateImpl.java:35)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.ensureWindow(AppCompatDelegateImpl.java:17)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.onCreate(AppCompatDelegateImpl.java:6)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatActivity.onCreate(AppCompatActivity.java:6)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.amazon.rabbit.android.presentation.core.LaunchActivity.onCreate(LaunchActivity.kt:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Activity.performCreate(Activity.java:8157)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Activity.performCreate(Activity.java:8129)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1310)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3512)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3699)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:106)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:236)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:8037)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
05-21 16:54:09.603 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: File res/kjl.xml from xml type drawable resource ID #0x7f080091
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlResourceParser(ResourcesImpl.java:1312)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlDrawable(ResourcesImpl.java:975)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawableForCookie(ResourcesImpl.java:897)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        ... 32 more
05-21 16:54:09.603 27638 27638 E AndroidRuntime: Caused by: java.io.FileNotFoundException: res/kjl.xml
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.AssetManager.nativeOpenXmlAsset(Native Method)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:1128)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlResourceParser(ResourcesImpl.java:1296)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        ... 34 more

Full log of Amazon Mobile Delivery application (unfortunately it is quite large and I decided to upload it to pastebin) - https://pastebin.com/xf9MSWSb

On line 691 of this crash report "objection explore" command was executed and as you can see it immediatelly caused a crash

Environment (please complete the following information):

• Device: Xiaomi Redmi Note 8T
• Phone OS: MIUI 12.5.2
• Frida Version 16.1.3
• Objection Version 1.11.0
• Apktool Version 2.9.3
• Apksigner Version 0.9
• PC OS: Windows 10

Application
Application can be installed from official Amazon website - https://logistics.amazon.co.uk/app/download-app-direct/android

[IPMegladon]

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than apk file, that is that case and likely the cause of this issue.

[weeebdev]

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than apk file, that is that case and likely the cause of this issue.

and if that's the case, what do I do?

[IPMegladon]

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than apk file, that is that case and likely the cause of this issue.

and if that's the case, what do I do?

I have a hacky way that you can try which might work - please let me know if it does, might be worth the trouble to add to objection if enough people have this issue (and the "fix" works).

1. First you need to get all the apk files.
2. Use the following command to patch base.apk with Objection, adding the specified flags:
   objection patchapk -s base.apk --ignore-nativelibs --skip-resources --use-aapt2 --pause
   -> do not resume.
3. Use Apktool to decompress the APK that contains native code libraries (e.g., split_config..apk) apktool d -m --no-res --no-src --force split_config.arm64_v8a.apk.
   -> Replace split_config.arm64_v8a.apk with the appropriate architecture apk.
4. Locate the libfrida-gadget.so file inserted by Objection from the temporary directory shown in Step 2's output, and move it to the decompressed APK: mv /tmp/tmpXXXXXX/lib/arm64-v8a/libfrida-gadget.so split_config.arm64_v8a/lib/arm64-v8a/.
   -> Replace /tmp/tmpXXXXXX/ and split_config.arm64_v8a/ with the paths relevant to your architecture.

• Update the config file for apktool in the apk we decompiled (e.g split_config.arm64_v8a/apktool.yml).
• Include another entry under the doNotCompress section: - lib/arm64-v8a/libfrida-gadget.so (replace arch).

6. After that, we can recompile both these apks.

• For objection just press enter.
• For the native library apk we use apktool again: apktool b split_config.arm64_v8a --use-aapt2 .

7. Sign the apk files except for base.objection.apk using objection signapk

• First objection signapk split_config.arm64_v8a/dist/split_config.arm64_v8a.apk.
• Similarly objection signapk split_config.xxxx.apk for the others(e.g. split_config.en.apk, split_config.xhdpi.apk).

8. Move signed arch apk to current directory mv split_config.arm64_v8a/dist/split_config.arm64_v8a.objection.apk ./
9. Install it: adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk <other_signed_apks>
   -> adding the relevant other split_config.xxxx.objection.apk files.

Hope this actually works.

[rithvikvibhu]

Thanks @IPMegladon the process worked! Hope this gets added to objection in the future.

[thisisjaymehta]

When I try @IPMegladon method, I get this error:
Failure [INSTALL_FAILED_INVALID_APK: INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2]

[IPMegladon]

@thisisjaymehta You can perhaps try https://github.com/REAndroid/APKEditor. Something like java -jar APKEditor.jar m -i splits/ -o merged.apk. However, I haven't used that before.

[thisisjaymehta]

I had tried that as well, but the merged APK fails to install at all. Even the merged APK without objection fails to install. So, that tool is not merging my APK properly.

[umrashrf]

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than apk file, that is that case and likely the cause of this issue.

and if that's the case, what do I do?

I have a hacky way that you can try which might work - please let me know if it does, might be worth the trouble to add to objection if enough people have this issue (and the "fix" works).

1. First you need to get all the apk files.
2. Use the following command to patch base.apk with Objection, adding the specified flags:
   objection patchapk -s base.apk --ignore-nativelibs --skip-resources --use-aapt2 --pause
   -> do not resume.
3. Use Apktool to decompress the APK that contains native code libraries (e.g., split_config..apk) apktool d -m --no-res --no-src --force split_config.arm64_v8a.apk.
   -> Replace split_config.arm64_v8a.apk with the appropriate architecture apk.
4. Locate the libfrida-gadget.so file inserted by Objection from the temporary directory shown in Step 2's output, and move it to the decompressed APK: mv /tmp/tmpXXXXXX/lib/arm64-v8a/libfrida-gadget.so split_config.arm64_v8a/lib/arm64-v8a/.
   -> Replace /tmp/tmpXXXXXX/ and split_config.arm64_v8a/ with the paths relevant to your architecture.

• Update the config file for apktool in the apk we decompiled (e.g split_config.arm64_v8a/apktool.yml).
• Include another entry under the doNotCompress section: - lib/arm64-v8a/libfrida-gadget.so (replace arch).

6. After that, we can recompile both these apks.

• For objection just press enter.
• For the native library apk we use apktool again: apktool b split_config.arm64_v8a --use-aapt2 .

7. Sign the apk files except for base.objection.apk using objection signapk

• First objection signapk split_config.arm64_v8a/dist/split_config.arm64_v8a.apk.
• Similarly objection signapk split_config.xxxx.apk for the others(e.g. split_config.en.apk, split_config.xhdpi.apk).

8. Move signed arch apk to current directory mv split_config.arm64_v8a/dist/split_config.arm64_v8a.objection.apk ./
9. Install it: adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk <other_signed_apks>
   -> adding the relevant other split_config.xxxx.objection.apk files.

Hope this actually works.

This worked for me but when I open the app on my Samsung Galaxy S9+, it didn't pause. My device is not rooted. It doesn't seem to have disabled sslpinning.

I did get a minor error "Unrecognized option: --use-aapt2". Is this serious? I ran objection patchapk --help and --use-aapt2 is indeed there. This is weird.

$objection patchapk -s base.apk --ignore-nativelibs --skip-resources --use-aapt2 --pause
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 17.9.1
Patcher will be using Gadget version: 17.9.1
Detected apktool version as: 3.0.2
Running apktool empty-framework-dir...
Apktool 3.0.2 - a tool for reengineering Android apk files
with smali 3.0.9-dev and baksmali 3.0.9-dev
Copyright 2010 Ryszard Wiśniewski <brut.alll@gmail.com>
Copyright 2010 Connor Tumbleson <connor.tumbleson@gmail.com>

General options:
 -q,--quiet     Suppress normal output.
 -v,--verbose   Increase output verbosity.

apktool d|decode [options] <apk-file>
 -a,--all-src              Decode all sources in the apk (includes unknown dex files).
 -f,--force                Force delete destination directory.
 -j,--jobs <num>           Set the number of jobs to execute in parallel to <num>.
 -l,--lib <package:file>   Use shared library <package> located in <file>.
                           Can be specified multiple times.
 -o,--output <dir>         Output decoded files to <dir>. (default: apk.out)
 -p,--frame-path <dir>     Use framework files located in <dir>.
 -r,--no-res               Do not decode resources.
 -s,--no-src               Do not decode sources.
 -t,--frame-tag <tag>      Use framework files tagged with <tag>.

apktool b|build [options] <apk-dir>
 -f,--force                Skip changes detection and build all files.
 -j,--jobs <num>           Set the number of jobs to execute in parallel to <num>.
 -l,--lib <package:file>   Use shared library <package> located in <file>.
                           Can be specified multiple times.
 -o,--output <file>        Output the built apk to <file>. (default: dist/name.apk)
 -p,--frame-path <dir>     Use framework files located in <dir>.

apktool if|install-framework [options] <apk-file>
 -p,--frame-path <dir>   Set the path for framework files to <dir>.
 -t,--frame-tag <tag>    Suffix framework files with <tag>.

apktool h|help

apktool v|version

For additional info, see: https://apktool.org
For smali/baksmali info, see: https://github.com/google/smali
Unpacking base.apk
App already has android.permission.INTERNET
Target class not specified, searching for launchable activity instead...
Smali not found in smali directory. This might be a multidex APK. Searching...
Found smali at: /var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp/smali_classes7/com/appname/android/MainActivity.smali
Reading smali from: /var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp/smali_classes7/com/appname/android/MainActivity.smali
Injecting loadLibrary call at line: 36
Attempting to fix the constructors .locals count
Current locals value is 0, updating to 1:
Writing patched smali back to: /var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp/smali_classes7/com/appname/android/MainActivity.smali
Creating library path: /var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp/lib/arm64-v8a
Copying Frida gadget to libs path...
Patching paused. The next step is to rebuild the APK. If you require any manual fixes, the current temp directory is:
/var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp
Press ENTER to continue...
Rebuilding the APK with the frida-gadget loaded...
Rebuilding the APK may have failed. Read the following output to determine if apktool actually had an error: 

Unrecognized option: --use-aapt2

Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from /var/folders/54/c6gb8hkj22s9kfzzhml9hn480000gn/T/tmp77vv8gkq.apktemp.aligned.objection.apk to base.objection.apk in current directory...
Cleaning up temp files...

It seems like objection -g package_name explore has been deprecated and objection -n package_name start does not work.

$ objection -n package_name start
Frida server or gadget is not running on the target!