I've had great success using Frida (https://frida.re/) to do stuff like this recently. Frida injects a V8 runtime into the target process, enabling you to use JavaScript to dynamically patch/inspect/modify code and data, with all of the JavaScript running inside the target process so there's minimal impact on performance. They provide a nice Python API for remotely controlling the process.

It works on rooted devices, debuggable apps, and can also be added to an existing APK with minimal effort (just patch a single Java class and add a native library - there are scripts to do it for you).
When I needed to "destatify" an executable, to patch statically compiled library functions to shared imports, I used the LIEF library: https://milek7.pl/.stuff/galdocs/destaticizer.py
Very neat! Less hacky than I expected. It looks like it all just reads in the ELF file, makes the change to the ELF data structures in memory and then writes back out a new ELF file?
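The read-modify-write pattern described in this reply, as an added example that is not the destaticizer script and does not use LIEF: a small pure-Python ELF64 walker that parses the ELF header and section header table, resolves section names through `.shstrtab`, and patches bytes inside a named section with bounds checks before writing the image back out. The ELF image it operates on is constructed inline (a hand-built header, a 16-byte `.text`, and a string table), not a real compiled binary; the function names `build_sample_elf`, `parse_sections` and `patch_section` are this example's own.

```python
import struct

# ELF64 little-endian header and section-header layouts (both 64 bytes).
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"


def build_sample_elf():
    """Construct a minimal ELF64 x86-64 image: header, .text, .shstrtab, 3 section headers.

    This is a constructed sample for the example, not output of a compiler.
    """
    text = bytes([0x48, 0x31, 0xC0, 0xC3]) + b"\x90" * 12   # xor eax,eax ; ret ; nop padding
    shstrtab = b"\x00.text\x00.shstrtab\x00"                  # names at offsets 1 and 7
    text_off = 64
    shstr_off = text_off + len(text)
    shoff = 104                                               # section header table offset
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x401000, 0, shoff, 0,
                       64, 56, 0, 64, 3, 2)                   # shnum=3, shstrndx=2
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)              # SHT_NULL
    shdrs += struct.pack(SHDR_FMT, 1, 1, 6, 0x401000, text_off, len(text), 0, 0, 16, 0)  # .text
    shdrs += struct.pack(SHDR_FMT, 7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)     # .shstrtab
    body = ehdr + text + shstrtab
    body += b"\x00" * (shoff - len(body))
    return body + shdrs


def parse_sections(data):
    """Return {section name: (file offset, size)} by walking the section header table."""
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    ident, shoff, shentsize, shnum, shstrndx = fields[0], fields[6], fields[11], fields[12], fields[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # Never trust header-supplied offsets blindly: check the table fits in the file.
    if shoff + shnum * shentsize > len(data) or shstrndx >= shnum:
        raise ValueError("section header table or shstrndx out of range")
    headers = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for h in headers:
        name_off, sec_off, sec_size = h[0], h[4], h[5]
        if sec_off + sec_size > len(data):
            raise ValueError("section data runs past end of file")
        end = strtab.index(b"\x00", name_off)
        sections[strtab[name_off:end].decode()] = (sec_off, sec_size)
    return sections


def patch_section(data, name, offset, new_bytes):
    """Overwrite bytes at `offset` inside section `name`; returns a new image of the same size."""
    sections = parse_sections(data)
    if name not in sections:
        raise KeyError(f"no section named {name}")
    sec_off, sec_size = sections[name]
    if offset < 0 or offset + len(new_bytes) > sec_size:
        raise ValueError("patch would run past the end of the section")
    out = bytearray(data)                       # modify in memory ...
    out[sec_off + offset:sec_off + offset + len(new_bytes)] = new_bytes
    return bytes(out)                           # ... and hand back a fresh image to write out


if __name__ == "__main__":
    image = build_sample_elf()
    print(parse_sections(image))
    # Replace the first instruction of .text with int3 (0xCC) and write the result out.
    patched = patch_section(image, ".text", 0, b"\xCC")
    with open("patched_sample.elf", "wb") as fh:
        fh.write(patched)
    print("wrote", len(patched), "bytes; first .text byte is now", hex(patched[64]))
```

The two range checks are the part worth copying: a patcher that trusts `e_shoff`, `sh_offset` or `sh_size` straight from the file will happily read or write outside the buffer on a malformed input, and a patch that overruns its section silently corrupts whatever follows it. Note that rewriting bytes this way changes the file's hash and any signature over it, which is exactly what integrity monitoring on a fleet should flag.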
That's cool :) I think it would be a lot easier to inject the payload at runtime though - the only problem I had when doing this was I got the wrong instruction set initially (thumb vs non-thumb).
Looks like a neat way around the hell of patching relocations. Though, if you'd want to modify the binary arbitrarily and not hijack sections or such things, it might be nice to look into that.