AhMyth v1.0-beta.5a

[Morsmalleo]

AhMyth v1.0-beta.5a

This release is a Revision of v1.0-beta.5 which contained breaking bugs, these bugs have since been fixed, and a few new other updates were added to. This uses the same update information as the v1.0-beta.5 release, with the only changes to the info being where the bugs have been fixed.

See the Changelog below for more Update Information on this release.

Changelog

Server Updates

• Changed On Boot & On Launch checkbox names in the UI when binding is enabled, to Boot Method & Activity Method.

• Renamed the "$appCtrl.copyPermissions" function to "$appCtrl.modifyManifest" and Completely rewrote the function to utilise the "xml2js" library when copying over permissions, it also now handles the injection of the payload service and receiver for the Activity and Boot methods for binding. This contains a lot more useful features than the legacy "$appCtrl.copyPermissions" function. Click the dropdown tab below to see what the rewrite of this function does.

What Does This new Update do

1. Defines the function "$appCtrl.copyPermissions".
2. The function takes two parameters: data and callback.
3. Retrieves the checkboxes for Camera, Storage, Mic, Location, Contacts, SMS, and Call Logs.
4. Sets the default permissions array using CONSTANTS.permissions.
5. Creates an empty array selectedPermissions to store selected permissions.
6. Checks each checkbox and add the corresponding permission to selectedPermissions array.
7. If all checkboxes are checked, set selectedPermissions to default permissions array.
8. If all checkboxes are unchecked, set selectedPermissions to default permissions array.
9. Outputs a log message stating that the Android Manifest XML Data is being parsed.
10. Converts data to a string if it's not already a string.
11. Parses the XML data using xml2js.parseString.
12. If there's an error during parsing, call callback with an error message.
13. Gets the manifest object from the parsed XML result.
14. Checks if manifestObj.application.receiver is an array and convert it to an array if necessary.
15. Checks if manifestObj.application.service is an array and convert it to an array if necessary.
16. Creates a Set called existingPermissions to store existing permissions.
17. Checks if permissions already exist in the manifest and add them to existingPermissions set.
18. Checks if features already exist in the manifest and add them to existingPermissions set.
19. Filters selectedPermissions array to exclude duplicates and existing permissions.
20. Outputs a log message indicating that AhMyth Payload Permissions are being injected.
21. Adds new permissions and features to the manifest based on filtered selectedPermissions.
22. Creates receiver and service tags using constants.
23. Adds receiver and service tags to manifestObj.application.receiver and manifestObj.application.service arrays.
24. Creates an XML string using xml2js.Builder and modified manifest object.
25. Modifies the XML string to add indentation before closing </application> tag.
26. Replaces the closing </manifest> tag with a new closing tag without extra newline.
27. Calls callback with null (no error) and the final modified XML as the result.

• Rewrote the "GetLauncherActivity" function utilised by the "$appCtrl.BindOnLauncher" function to make use of the "xml2js" library to help in finding a suitable main class file for hooking from the manifest file data, this aids in solving Binding problems for Issue #315 When using the On Launch method for binding. Click the dropdown tab below for a step by step explanation of what the rewrite for this function does:

What Does This new Update do?

1. It attempts to extract the <application> tag from the manifest object by accessing manifest['manifest']['application'][0]. This assumes that the manifest object has a structure where manifest contains a manifest property, which contains an application property that is an array (hence the [0] index).

2. It then checks if the extracted application object exists and if it has an android:name attribute (application['$']['android:name']). The android:name attribute typically specifies the fully qualified class name of the main application class in the AndroidManifest.xml file.

3. If the android:name attribute exists and the class name doesn't start with "android.app", it performs some manipulation on the class name. It splits the class name by the dot (.) separator and takes the last part (i.e., the class name without the package). If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main application class for hooking and returns the manipulated class name appended with the ".smali" extension.

4. If the previous step doesn't find the main application class, the function proceeds to search for the launcher activity. It looks for an activity object within the application object that contains an intent filter with the action "android.intent.action.MAIN" and category "android.intent.category.LAUNCHER" or "android.intent.category.DEFAULT".

5. It iterates over the activity objects in the manifest using the Array.prototype.find() method and checks if any of them have an intent filter that matches the launcher conditions mentioned in the previous step. If it finds a matching activity, it retrieves the android:name attribute of that activity.

6. Similar to step 3, if the retrieved activity class name doesn't start with "android.app", it performs the same manipulation to get the class name without the package. If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main launcher activity class for hooking and returns the manipulated class name with the ".smali" extension.

7. If no launcher activity is found in the activities, the function checks for activity aliases (activity-alias objects) that have the same intent filter conditions as in step 4.

8. It iterates over the activity-alias objects in the manifest and checks if any of them have an intent filter that matches the launcher conditions. If it finds a matching activity alias, it retrieves the android:targetActivity attribute, which specifies the target activity of the alias.

9. The target activity name is then manipulated in the same way as before (without the package and without a leading dot), logged as a message indicating that it has scoped the main launcher activity class in an alias for hooking, and returned with the .smali extension.

10. If none of the above conditions match (no main application class, no launcher activity, and no launcher activity alias), the function returns -1 to indicate that the launcher activity couldn't be found.

• Fixed Permissions problem with Linux AhMyth binaries by editing the postins script, they should work properly now.

• Removed the Config folder and the AhMyth.desktop file for Linux as it could only work on Kali & Parrot.

• Added Boot Persistence to payloads bound using the On Launch method for binding, payloads bound using the On Launch method for binding will now start to connect back faster after a device has restarted.

• Bumped Apktool version from v2.6.1 up to v2.8.1, while this aids in building backdoored original APK files, AhMyth users running a 32bit OS Architecture will be upset to know that Apktool will drop support for 32bit OS architecture once it reaches v3.0.0, which means that AhMyth will officially dropped support for 32bit OS Architecture when this happens as well.

• Upgraded the "autoinstall" file used for installing AhMyth from source on Linux so it correctly installs the needed dependencies, if they're already installed then the script will do nothing, the "autoinstall" file for Linux has also been renamed from "autoinstall" to "autoinstall_linux", the file has also been upgraded to correctly install AhMyth and its needed dependencies for Debian & APT Based Linux Distro's as well as Arch Linux & pacman based Linux Distro's

• Renamed the "install.bat" file for installing electron v11 for AhMyth on Windows to "autoinstall_win.bat"

• Added a "start_linux" script for Linux Users that starts AhMyth correctly based on the users Privilege Level (i.e root | non-root)

• Updated the "start.bat" file for starting AhMyth on Windows, to start and then minimize, so that the command prompt can start AhMyth in the background, the file has also been renamed from "start.bat" to "start_win.bat"

• Rewrote the checkbox code responsible for allowing users to customize what permissions are used in both a bound and standalone APK payload, this incorporates permissions mapping used in the Constants.js file.

• Updated the AhMyth receiver, AhMyth service and original permissions array, which are all exported from the Constants.js file, to work with the "xml2js" library.

• Corrected the height of the black message box in the main AhMyth GUI as well as the Victim's Lab, it now fits evenly in both the Main window and Victim's Lab window.

• Fixed the green Maximize & Restore button in the main AhMyth GUI, it now restores the window back to its original window size after being maximized.

• Rewrote the entire "GetLauncherPath" function utilized by the "$appCtrl.BindOnLauncher" function to use readdirp, a cross platform recursive version of nodeJS's fs.readdir(), this allows AhMyth to recursively search an entire APK for a hookable class file when using the On Launch method for binding regardless of the platform it's running on! This function takes its namesake from the original "GetLauncherActivity" function. This rewrite completely eliminates the need for installing external dependencies to run the Binding Features such as PowerShell for Windows, and findutils for macOS & Linux.

• Cleaned up the code so it all conforms to proper JavaScript function naming:
  • changed $appCtrl.CopyAhmythFilesAndGenerateApk to $appCtrl.copyAhmythFilesAndGenerateApk.
  • changed $appCtrl.BindOnLauncher & $appCtrl.BindOnBoot functions and instances to $appCtrl.bindOnActivity & $appCtrl.bindOnBoot.
  • changed GetLauncherActivity to getLauncherActivity.
  • changed GetLauncherPath to getLauncherPath.
  • changed all instances or WriteErrorLog to writeErrorLog.
    
    
    

What's New?

• Created a function to check the users current Java version and prevent any process from running if the users current applied JDK version is anything but JDK version 11.x, the function only checks for the major version (i.e 11), so any version of JDK 11 should work, if you aren't using JDK 11, AhMyth will now tell you so.

• Added a function to throw an Orange [!] WARNING: Deprecation message for 32bit users stating the AhMyth will cease support for Operating Systems running 32bit architecture as soon as Apktool reaches v3.0.0, the function also greets 64bit users with a green [★] Welcome to AhMyth message.

• Updated the $appCtrl.generateApk function so that certain functions for building standalone APK payload files dont interfere when the user is Binding with an original APK, such functions that did this included the following:

  • The checkbox code in the generateApk function which is used for selecting and applying certain permissions for Standalone Payloads, this has now been updated to to apply permissions for Standalone Payloads only, the updated function also makes use of async/await to make sure everything runs smoothly and in order instead like buggy shit lol.

  • The checkbox code in the modifyManifest function which is used when binding to modify and original apk manifest.

Permissions for Bound and Standalone payloads are both taken care of seperately now and will no longer interfere with other functions, which fixes further performance bottlenecks.

• Created the new "$appCtrl.createPayloadDirectory" function which is now called inside the "$appCtrl.CopyAhmythFilesAndGenerateApk(apkFolder)" function, which is called when using either the Activity or Boot methods for binding. This helps in solving "Unsigned Short Value Out of Range" errors with Apktool when binding with original applications and also further aids in solving the binding problems with Issue #315. Click the drop down tab below for a step-by-step explanation of what the new function does.

What Does This new Update do?

1. Reads the contents of the target APK folder, then filters and sorts the directories, excluding specific ones.

2. Determines what the last smali directory in the sorted list is. If the last directory is titled smali, then it creates a new directory named smali_classes2, however if the last directory is not titled smali, the function then extracts the number from the name of the last smali_classesX directory (where "X" is the number that's being extracted), then increments the extracted number by 1 to get a new number, which is then used to create a new directory named smali_classesX (where "X" is the new number).

3. Copies the payload files from the AhMyth payload's smali directory over to the newly created payload directory in the original APK.

4. Removes specific subdirectories from the newly created directory to help bypass the 64k Dalvik Method when Building.

5. Then finally calls the generateApk function to build and sign the payload APK.

• Added the following attributes to all of the messages that get printed to the log screen in the AhMyth GUI:

Message log Attributes

1. Added the [★] attribute to all of the main Blue messages that get printed to the AhMyth GUI's black message box when a process is running.

2. Added the [¡] information attribute to all of the Yellow information messages that get printed to the AhMyth GUI's message box to indicate that the corresponding text being shown in the message box is informative.

3. Added the [x] attribute to all of the Red error messages that get printed to the AhMyth GUI's message box screen when something goes wrong.

4. Added the [✓] attribute to all of the Green Success messages that get printed to the AhMyth GUI's message box screen when something goes has successfully finished doing what it's doing such as Building, or when something has initiated successfully such as Listening

• Created a "delayedLog" function that delays the main logs printed to the black message box in the AhMyth GUI by 0o500 seconds (500 milliseconds).

• Created a "WriteErrorLog" function for better handling of logging errors to text files when errors such as "Building Failed!", "Signing Failed!", etc, arise.

• Created a "Stop" button with the function that allows users to disconnect the AhMyth Server from EVERY active/connected client on specific ports, this is located next to the Listen button.

• Created a "clearLogs()" function that clears the black Message Box of its logs each time the "Build", "Bind", "Browse APK", "Listen" & "Stop" buttons are clicked.

• Added a Green Maximize and Restore button to the Victim's Lab window, user can now maximize the Victim's Lab window, and restore it to its original size as well.

• Replaced the old build icons with new build icons for binary installations.

[Morsmalleo]

AhMyth v1.0-beta.5a
This release is a Revision of v1.0-beta.5 which contained breaking bugs, these bugs have since been fixed, and a few new other updates were added to. This uses the same update information as the v1.0-beta.5 release, with the only changes to the info being where the bugs have been fixed.

See the Changelog below for more Update Information on this release.

Changelog

Had to create this manually as I forgot to check the box to create a discussion for this release.

Users can expect AhMyth to look a little bit different for the next release as I plan to make some major updates to the UI in order to give it a more modern look.

I'll also be making a few client updates that quite a few users have requested for the next release as well.