Forensics must let the evidence speak; never let your own conviction decide a case. Never paint the target around the arrow, searching only in order to find. The foundation of forensics rests on experience and judgement: the broader your experience across the fields of IT, the more you can read from the clues. Use tools well, but do not over-rely on them. A tool can only narrow the range of possibilities; it cannot give you the answer. Analysis and judgement still fall to the person.



A friend of mine told me that she is disappointed in some mobile forensic tools. Why? Because some of them go wrong when running APK Downgrade extraction; it is a disaster and a tragedy. What about the other mobile forensic tools? You won't believe it: some do not even support the APK Downgrade method. She was at her wits' end with this problem and had no choice but to give up. What a pity.

In my earlier post I showed how to perform APK Downgrade extraction manually. This time I will focus on apps that ship as split apks, such as Naver LINE and FB Messenger.

The manual APK Downgrade below works on every Android version, whether it is Android 5/6/7/8/9/10/11. Be careful when a feature such as "Dual Apps" or "Second Space" is enabled on Xiaomi, Vivo and similar phones: APK Downgrade does not work on the cloned copy of an app. I admit the procedure is a little complicated, but follow along and you will get through it without fail.

First, prepare a test phone if you possibly can, with Naver LINE or FB Messenger installed and signed in. Turn on airplane mode. Connect the phone to your workstation and confirm that adb recognises it. Then you are good to go.

How do you prove that Naver LINE is a split-apk app? First get its package name, then pass it as the parameter to the package manager's path query to see where the app lives on the phone. The result lists more than one apk: base.apk plus the split_*.apk files. Surprised? That is the whole test. An app is split-apk based when its path query returns more than one apk.

I could keep issuing one command after another, and I could do this all day. For your convenience, though, I group the commands into batch scripts as below: three files and a folder for saving the split apks. Look at the filenames and you will see that the mission takes only three phases.

Why is Phase Two a plain text file rather than a script? Why not put every command into one script file?

    The reason is that I know "human nature and habits".

A one-click script is convenient, no doubt, but a batch script is a strictly top-down design: each command runs right after the previous one, so command 2 never checks the result of command 1. If something goes wrong halfway, the script simply fails at the end, and you will not be able to tell what happened. You will just sit there and complain that the script does not work.

Phase Two is the delicate part, so I put only the commands you need in a plain text file; copy and paste them one step at a time. Based on my experience, the three phases are as follows, taking Naver LINE as the example.
Phase One - Export the split apks of LINE.
Phase Two - Uninstall LINE without losing its data, then install an old version of the LINE apk whose "allowBackup" attribute is true so that its data can be backed up.
Phase Three - Reinstall the split apks to revert LINE to its original state.

Let's look at the Phase One script. Very easy, right? It exports all split apks of LINE into the current directory, then moves every apk in the current directory into the specified folder. Since it moves "all" apks, you must remove any stray apk from the current directory before starting Phase One; otherwise a foreign apk ends up in the folder and in the Phase Three install.

Run it and check the result. You now have all the original split apks in the specified folder. You can modify the script as you wish, but keep the pieces consistent: if you change the folder name "APKs" in the script, you must rename the corresponding folder as well.

Next, Phase Two. Uninstall LINE with the "-k" parameter so that its data is kept. If the phone is running Android 7 or above, a reboot is required afterwards.

After rebooting, check the device status first. This matters because on some brands the USB mode falls back to "charge only" after a reboot, and you have to switch it back yourself before adb can see the phone again.

Install an older version of the apk whose "allowBackup" attribute is true. If you have trouble telling whether it is true or false, a package viewer that shows the AndroidManifest.xml attributes will help you figure it out.

Once that is done, run adb backup to collect the data we want. You can set a password, of course, but do not make things difficult for yourself; a simple password such as "1234" is fine. Note that Android 12 later changed adb backup so that app data is excluded for apps targeting API 31 or higher, which is one more reason the older target of the downgraded build matters.

Heaven never lets hard-working and kind-hearted people down. You now have the backup file (.ab) in hand. What next? Restore the original version of LINE on this phone. It goes without saying that you have to perform "uninstall the app without losing data" again first.

Finally, Phase Three: install all the apks we kept in Phase One. Note that I change the path to use another "adb" on purpose, to show that older adb versions do not support the "install-multiple" command; use a recent platform-tools adb for this phase.

Installing all the split apks takes some time. It is always darkest before dawn, so please be patient; it is worth the wait.

When it finishes, tap the LINE icon on the phone and see whether anything goes wrong. No crash, no hang on the logo screen, and the chat data still in place: no doubt it works.
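The split-apk test from earlier (more than one apk returned by the package manager's path query) and the three phases above, as one added POSIX shell example. This is not the author's batch scripts or any vendor tool's code; it assumes LINE's package name is jp.naver.line.android, an old build named line_old_allowbackup.apk, a folder named APKs, and the line shape that aapt's manifest dump prints for allowBackup. The pm path output embedded in it is constructed for the offline checks, not captured from the post. With ADB_DRY_RUN=1 every adb command is printed instead of executed; with a device attached, run it with --device.

```shell
#!/bin/sh
# Added example: the three phases as POSIX shell functions around adb.
# Not the author's batch scripts. PKG, OLD_APK, APK_DIR and the aapt
# output shape are assumptions for illustration.
# ADB_DRY_RUN=1 prints each adb command instead of running it, which is
# also how this file is exercised without a phone.

PKG="${PKG:-jp.naver.line.android}"             # assumed: LINE's package name
APK_DIR="${APK_DIR:-APKs}"                      # where phase one keeps base + splits
OLD_APK="${OLD_APK:-line_old_allowbackup.apk}"  # assumed: old build with allowBackup=true
ADB="${ADB:-adb}"                               # must be recent: install-multiple is needed

run() {
    if [ -n "$ADB_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# `pm path <pkg>` prints one "package:/path/x.apk" line per apk; strip the prefix.
pm_path_list() {
    printf '%s\n' "$1" | sed -n 's/^package://p'
}

count_apks() {
    pm_path_list "$1" | grep -c .
}

# Split-apk app: more than one apk listed (base.apk plus split_*.apk files).
is_split_app() {
    [ "$(count_apks "$1")" -gt 1 ]
}

# allowBackup check on the candidate old apk, fed the output of
#   aapt dump xmltree old.apk AndroidManifest.xml      (assumed shape)
# aapt prints true as 0xffffffff and false as 0x0; aapt2 prints =true/=false.
# An absent attribute means the platform default, which is true.
allow_backup_enabled() {
    line=$(printf '%s\n' "$1" | grep 'android:allowBackup' | head -n 1)
    case "$line" in
        *0x0|*=false) return 1 ;;
        *) return 0 ;;
    esac
}

# Phase one: pull every apk the device lists into APK_DIR. Keep that folder
# clean so nothing foreign reaches phase three's install-multiple.
phase_one() {
    run mkdir -p "$APK_DIR"
    pm_path_list "$1" | while IFS= read -r apk; do
        run "$ADB" pull "$apk" "$APK_DIR/"
    done
}

# Phase two: uninstall keeping data (-k), reboot (required on Android 7+),
# install the old allowBackup build, back up its data, then uninstall -k again.
phase_two() {
    run "$ADB" shell pm uninstall -k "$PKG"
    run "$ADB" reboot
    run "$ADB" wait-for-device      # re-check USB mode: some phones drop to charge-only
    run "$ADB" install "$OLD_APK"
    run "$ADB" backup -f "$PKG.ab" -noapk "$PKG"   # confirm on screen; a simple password is fine
    run "$ADB" shell pm uninstall -k "$PKG"
}

# Phase three: reinstall base + all splits in one install session.
phase_three() {
    set -- "$APK_DIR"/*.apk
    [ -f "$1" ] || { echo "no apks in $APK_DIR" >&2; return 1; }
    run "$ADB" install-multiple "$@"
}

# Constructed sample of `adb shell pm path jp.naver.line.android` on an
# Android 11 path layout; not output captured from the post.
SAMPLE_PM_PATH='package:/data/app/~~aBcD/jp.naver.line.android-eFgH/base.apk
package:/data/app/~~aBcD/jp.naver.line.android-eFgH/split_config.arm64_v8a.apk
package:/data/app/~~aBcD/jp.naver.line.android-eFgH/split_config.en.apk
package:/data/app/~~aBcD/jp.naver.line.android-eFgH/split_config.xxhdpi.apk'

# Driver: only with a phone attached (phase two reboots it). `tr` drops the
# CR that some adb builds append to shell output.
if [ "${1:-}" = "--device" ]; then
    paths=$("$ADB" shell pm path "$PKG" | tr -d '\r')
    if is_split_app "$paths"; then echo "$PKG is a split-apk app"; fi
    phase_one "$paths" && phase_two && phase_three
fi
```

The dry-run mode is the point of splitting the phases into functions: you can print the exact commands a phase would issue, check them against the device state (the apk list, the USB mode after reboot), and only then run the phase for real, which is the step-by-step checking that a one-shot batch file skips.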

All that remains is to put it into practice. I wish you every success in manually performing APK Downgrade for apps based on a single apk or on split apks.


posted on 2021-06-03 10:42  Pieces0310