CN106919429B

CN106919429B - Method and device for processing decompiled data

Info

Publication number: CN106919429B
Application number: CN201510994114.7A
Authority: CN
Inventors: 徐胜
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2015-12-25
Filing date: 2015-12-25
Publication date: 2021-05-04
Anticipated expiration: 2035-12-25
Also published as: CN106919429A

Abstract

The invention discloses a method and a device for processing decompiled data. Wherein, the method comprises the following steps: creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array; after the application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information; acquiring multidimensional vector objects corresponding to each method and call relations among the multidimensional vector objects; and respectively recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array. The invention solves the technical problem that the traversal speed is low in the aspect of full-branch coverage execution because the basic block structure constructs the function call relation in a pointer mode in the prior art.

Description

Method and device for processing decompiled data

Technical Field

The invention relates to the field of decompilated data, in particular to a method and a device for processing decompilated data.

Background

The Android program runs in a Dalvik virtual machine, the Dalvik virtual machine interprets and executes Dalvik instructions of the Android program, and the Dalvik instructions are decompiled to output smali instructions which are convenient for people to read.

Performing execution stream tracking on an Android program, which is generally divided into two types: static tracking and dynamic tracking. Dynamic tracking, namely runtime tracking, has the defect that the coverage of the execution branch is not complete; static trace branches cover all, but involve slicing techniques for programs and function call tracing techniques. In the existing static tracking technology, the sliced basic blocks are concatenated in a pointer mode to express a function call relation.

In the prior art, a basic block structure is used for constructing a function call relation in a pointer mode, although a problem that a certain branch execution flow is traversed by a forward deep recursion from a certain function can be solved, for a positioning execution inlet, the difficulty of program design and coding is increased in the aspects of full branch coverage execution and backward tracking execution, a program is difficult to understand, and the stability, the expandability and the flexibility of the program are reduced.

Aiming at the technical problems that in the prior art, a basic block structure body constructs a function call relation in a pointer mode, and the traversal speed is low in the aspect of full-branch coverage execution, an effective solution is not provided at present.

Disclosure of Invention

The embodiment of the invention provides a method and a device for processing decompiled data, which are used for at least solving the technical problems that in the prior art, a basic block structure constructs a function call relation in a pointer mode, and the traversal speed is low in the aspect of full-branch coverage execution.

According to an aspect of an embodiment of the present invention, there is provided a method for processing decompiled data, including: creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array; after the application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information; acquiring multidimensional vector objects corresponding to each method and call relations among the multidimensional vector objects; and respectively recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array.

According to another aspect of the embodiments of the present invention, there is also provided a processing apparatus for decompiling data, including: a creation module for creating a three-dimensional array model, the apparatus comprising: the first dimension array, the second dimension array and the third dimension array; the first obtaining module is configured to, after decompiling the application program into a decompiler program, traverse a plurality of methods included in the decompiler program of the device, and obtain identification information of each method, where the identification information of the device method includes: method class name and method signature information; the second acquisition module is used for acquiring the multidimensional vector objects corresponding to each method of the device and the calling relationship among the multidimensional vector objects of the device; and the recording module is used for respectively recording the device identification information of each method of the device, the corresponding device multi-dimensional vector objects and the calling relationship among the multi-dimensional vector objects into the first-dimensional array of the device, the second-dimensional array of the device and the third-dimensional array of the device.

In the embodiment of the present invention, after the application program is decompiled into the decompiler, the method steps through a plurality of methods included in the decompiler to obtain the identification information of each method, the calling relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object, and the identification information of each method, the calling relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object are recorded to the created three-dimensional array model.

It is easy to note that, by acquiring the identification information of each method by the traversal decompiler, the calling relationship between the corresponding multidimensional vector object and each multidimensional vector object is all recorded in the created three-dimensional array model, and the purpose of quickly positioning the multidimensional vector object from the three-dimensional array model according to the class name and the signature information of the method is achieved.

Therefore, the technical problem that in the prior art, the basic block structure constructs the function call relation in a pointer mode and the traversal speed is low in the aspect of full branch coverage execution is solved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:

fig. 1 is a block diagram of a hardware configuration of a computer terminal of a processing method of decompiling data according to an embodiment of the present application;

FIG. 2 is a flowchart of a method for decompiling data according to a first embodiment of the present application;

FIG. 3 is a diagram illustrating an alternative multi-dimensional vector mapping in a three-dimensional coordinate system according to an embodiment of the present application;

FIG. 4 is a flow chart of an alternative method of decompiling data according to an embodiment of the present application;

FIG. 5 is a diagram of a processing apparatus for decompiling data according to a second embodiment of the present application;

FIG. 6 is a diagram of an alternative apparatus for decompiling data according to the second embodiment of the present application;

FIG. 7 is a diagram of an alternative apparatus for decompiling data according to a second embodiment of the present application;

FIG. 8 is a diagram of an alternative apparatus for decompiling data according to a second embodiment of the present application;

FIG. 9 is a diagram of an alternative apparatus for decompiling data according to the second embodiment of the present application;

FIG. 10 is a diagram of an alternative apparatus for decompiling data according to the second embodiment of the present application;

FIG. 11 is a diagram of an alternative apparatus for decompiling data according to a second embodiment of the present application;

FIG. 12 is a diagram of an alternative apparatus for decompiling data according to a second embodiment of the present application; and

fig. 13 is a block diagram of a computer terminal according to an embodiment of the present application.

Detailed Description

In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:

dalvik virtual machine: the method is one of core components of an Android mobile device platform collaboratively developed by manufacturers such as Google company and the like, and can support the operation of Java application programs converted into a dex (Dalvik Executable) format, wherein the dex format is a compression format specially designed for Dalvik and is suitable for systems with limited memory and processor speed.

Smali: is an assembler of dex format files used by Dalvik virtual machines.

Example 1

There is also provided, in accordance with an embodiment of the present invention, an embodiment of a method for decompiling data, where it is noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.

The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of being operated on a computer terminal, fig. 1 is a block diagram of a hardware structure of the computer terminal according to the processing method for decompiling data of the embodiment of the present application. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.

The memory 104 may be used to store software programs and modules of application software, such as program instructions/modules corresponding to the method for processing decompiled data in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implementing the method for processing decompiled data. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.

Under the above operating environment, the present application provides a method for decompiling data as shown in fig. 2. Fig. 2 is a flowchart of a method for processing decompiled data according to a first embodiment of the present application, where as shown in fig. 2, the method includes:

step S21, creating a three-dimensional array model, the three-dimensional array model including: the first dimension array, the second dimension array and the third dimension array.

In an optional scheme, the three-dimensional array model may be represented by a three-dimensional coordinate system model, the first dimensional array, the second dimensional array, and the third dimensional array may be described by coordinate axes in the three-dimensional coordinate system model, where the first dimensional array may be an X axis, the second dimensional array may be a Y axis, and the third dimensional data may be a Z axis, creating the three-dimensional array model may be initializing the three-dimensional coordinate system model to make the X, Y, and Z axes empty, where the X, Y, and Z axes are all sequential structures, each element of the Z axis queue is also a sequential structure for storing vectors of multiple callers, and elements of the X and Y axis queues store a string object and a vector object, respectively.

Step S23, after the application program is decompiled as a decompiler, traversing a plurality of methods included in the decompiler, and acquiring identification information of each method, where the identification information of the method includes: method class name and method signature information.

Step S25, obtaining the multidimensional vector object corresponding to each method and the call relation between each multidimensional vector object.

Step S27, recording the identification information of each method, the corresponding multidimensional vector object, and the call relationship between each multidimensional vector object into the first dimensional array, the second dimensional array, and the third dimensional array, respectively.

In an alternative, the above steps may be performed by a three-dimensional coordinate system model management module (denoted as C) mainly responsible for mapping the registered multidimensional vectors into a three-dimensional coordinate system, and the multidimensional vectors Ds and Dt respectively obtain respective coordinates (m, m, m) and (n, n, n) in the three-dimensional coordinate system as shown in fig. 3. The branch execution tracking module (denoted as T) is mainly responsible for tracking the execution flow of the program from a certain execution entry in a forward or backward direction.

In the solution disclosed in the foregoing embodiment of the present application, after the application program is decompiled as the decompiler, the multiple methods included in the decompiler may be traversed, the identification information of each method and the call relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object may be obtained, and the identification information of each method and the call relationship between the corresponding multidimensional vector object and each multidimensional vector object may be recorded to the created three-dimensional array model.

Therefore, the scheme of the first embodiment provided by the application solves the technical problem that in the prior art, the basic block structure constructs the function call relation in a pointer mode, and the traversal speed is low in the aspect of full branch coverage execution.

According to the above-mentioned embodiments of the present application, in a preferred scheme, the corresponding recording positions in the first-dimension array, the second-dimension array and the third-dimension array in any one of the methods have the same position coordinates.

According to the above embodiment of the present application, step S27, recording the identification information of each method to the first dimension array includes:

step S271, mapping the identification information of each method to the first dimension array in a sequential structure in the form of a queue, and recording the recording position of the identification information of each method in the queue of the first dimension array.

In an alternative scheme, the acquired identification information of each method (i.e., the class name and the method signature of the method of the slice) may be mapped onto the X-axis of the three-dimensional coordinate system initialized in step S21, i.e., placed in an X-axis queue, and the position of the multidimensional vector Ds in step S25 may be denoted as m, and mapped onto the Y-axis, i.e., placed in an m-position in a Y-axis queue. If it has already been mapped, no mapping is required.

According to the above embodiment of the present application, in step S27, recording the multidimensional vector object corresponding to each method into the second dimensional array includes:

step S273, mapping the multidimensional vector object corresponding to each method to the second dimensional array in a queue-like sequential structure, and recording a recording position of the multidimensional vector object corresponding to each method in the queue of the second dimensional array.

According to the above embodiment of the present application, in step S25, obtaining the multidimensional vector object corresponding to each method includes:

in step S251, after the plurality of methods included in the decompilated program are obtained by traversal, slicing and branch stripping processing are performed on each method to obtain a plurality of execution branches included in each method, and an execution branch is composed of a program basic block obtained by decompilation.

Specifically, the program basic block may be a smali instruction basic block, and the smali instruction basic blocks obtained after slicing each method acquired in step S25 may be grouped into a branch execution sequence (Bc1, Bc2, …, Bcn) according to a branch jump offset, each execution branch Bcx (i.e., any one of Bc1, Bc2, …, Bcn) is a basic block sequence (b1, b2, …, bn), and each basic block bx (i.e., any one of b1, b2, …, bn) is composed of a smali instruction.

In an alternative scheme, the above steps may be performed by a program slicing and branch stripping module, where the program slicing and branch stripping module (denoted as B) is mainly responsible for decompiling the Android program into a smali program, and slicing and branch stripping the smali program one by one according to a method, and finally, a plurality of execution branches formed by sliced smali instruction basic blocks are formed, such as execution branches Bc1 and Bc2 of multidimensional vectors Ds and Dt shown in fig. 3, respectively.

Step S253, mapping the execution branch included in each method to a multidimensional vector, and establishing a multidimensional vector object corresponding to the execution branch sequence of each method, where the execution branch included in the method has a branch vector in the corresponding multidimensional vector object.

Specifically, a corresponding multidimensional vector Ds object is established for the branch execution sequence (Bc1, Bc2, …, Bcn) obtained in the above step S251.

In an alternative scheme, the above steps may be performed by a vector model management module, where the vector model management module (denoted as V) is mainly responsible for mapping all execution branches of each method completed by the B module into a multidimensional vector, each method in the program corresponds to one multidimensional vector, and each branch of each method corresponds to a dimension in one multidimensional vector, such as the relationship between Ds and Dt and Bc1 and Bc2, respectively, in fig. 1. Each time the creation of a multi-dimensional vector is completed, the vector is registered in the three-dimensional coordinate system management module.

According to the above embodiment of the present application, obtaining a calling relationship between multidimensional vector objects corresponding to each method includes: step S255, circularly traverse the multidimensional vector objects in the second dimensional array, and after determining the first multidimensional vector object of any one method in the second dimensional array, determine the second multidimensional vector object having a function call relationship with the first multidimensional vector object by using a backtracking processing method, so as to obtain a call relationship between the multidimensional vector objects corresponding to each method.

According to the above embodiment of the present application, in step S255, after determining the first multidimensional vector object of any one method in the second dimensional array, determining the second multidimensional vector object having a function call relationship with the first multidimensional vector object by using a backtracking processing method, and obtaining a call relationship between the multidimensional vector objects corresponding to each method includes:

in step S2551, a first multi-dimensional vector object recorded at the first recording position in the second-dimensional array is acquired.

Step S2552, traverse a plurality of branch vectors included in the first multidimensional vector object to obtain a basic block of the program included in the execution branch corresponding to each branch vector, where the basic block of the program is formed by the program instruction obtained by decompilation.

In step S2553, if one or more program instructions included in the branch vector are call function instructions, identification information of a called function called by the call function instructions is acquired.

Step S2554, according to the identification information of the called function, querying whether a method identical to the identification information of the called function exists in the first dimension array, and obtaining a first type of method identical to the identification information.

In step S2555, a first recording position of the first method in the first dimension array is obtained.

Step S2556, a second recording position which is the same as the coordinate value of the first recording position is searched in the second dimensional array, and a second multidimensional vector object recorded at the second recording position is obtained, where the second multidimensional vector object is a vector object called by the first multidimensional vector object.

Step S2557, recording a function call relationship between the first multi-dimensional vector object and the second multi-dimensional vector object at a corresponding position in the third dimensional array, where the corresponding position in the third dimensional array is the same as the first recording position in the second dimensional array.

In an optional scheme, an execution branch Bcx corresponding to each branch vector in a multidimensional vector Ds is circularly traversed, a smali instruction in the branch is traversed, if a call function instruction exists, class name and method name information of the function are taken out and recorded as Xn, then whether a coordinate n of Xn exists in an X axis is searched, if the point exists, a called vector Dt is taken out through an n coordinate on a Y axis corresponding to the point, and the vector Ds is placed in a queue at a Z axis n corresponding to the vector Dt, so that a relationship that the vector Ds points to the vector Dt is established, that is, a function call relationship is established.

According to the embodiment of the application, under the condition that the method with the same identification information is not inquired in the first dimension array, a null vector is established in the second dimension array, and the identification information of the function called by the calling function instruction is mapped to the corresponding position in the first dimension array.

In an alternative, if Xn is not present on the X-axis, a null vector Dt is created that maps to the Y-axis coordinates, while Xn maps to the X-axis at n-coordinates.

According to the above embodiment of the present application, after traversing the plurality of methods included in the decompiler at step S23, the method further includes:

in step S231, if the methods included in the decompiler are completely traversed, the tracing process flow is started.

Step S233, receiving the identification information of the method to be tracked, and determining the multidimensional vector object to be tracked according to the identification information of the method to be tracked.

In step S235, a forward tracing or backward tracing decompiler is performed based on the multidimensional vector object to be traced.

In an optional scheme, in the process of tracking a certain vector, when a function calling situation is met, the next execution entry function can be positioned only by searching a Z-axis mapping relation in a three-dimensional coordinate system, and depth-first traversal is continued after the entry; and the reverse tracking execution flow is similar, the vector is reversely tracked from the tail part of the vector after the entry is positioned, the Z axis is searched when the vector reaches the vertex of the vector, and the vector positioned to the caller through the three-dimensional coordinate system continues the reverse tracking process after the Z axis is found. According to the method, through the three-dimensional coordinate system and the multi-dimensional vector model, the traversing and searching speed is increased in the aspects of positioning an execution inlet and tracking the program execution flow in the forward or backward direction, the branch coverage is perfected, and the program code is clearer, simpler, more stable and easier to maintain.

According to the above embodiment of the present application, in step S235, the forward tracking decompiler based on the multidimensional vector object to be tracked includes:

step S2351, a third recording position of the multidimensional vector object to be tracked in the second dimensional array and branch vectors included in the multidimensional vector object to be tracked are obtained, wherein each branch vector corresponds to an execution branch including a plurality of basic blocks.

Step S2353, performing backward tracing based on the tail program basic block of the execution branch, and when the head program basic block of the execution branch is traced, acquiring the multidimensional vector object having a call relation with the multidimensional vector object to be traced from the third dimensional array.

In step S2355, after the multidimensional vector object having a call relation with the multidimensional vector object to be traced is taken as an execution entry, a subsequent depth-first traversal is performed to complete the backward tracing.

According to the above embodiment of the present application, in a preferred scheme, the multidimensional vector object recorded at the first recording position in the third dimensional array is used as the multidimensional vector object having a calling relationship with the multidimensional vector object to be tracked, wherein the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinates.

According to the above embodiment of the present application, in step S235, performing a forward tracking or backward tracking decompilation procedure based on the multidimensional vector object to be tracked includes:

step S2350, obtain all branch vectors included in the multidimensional vector object to be tracked, wherein each branch vector corresponds to a branch of execution comprising a plurality of basic blocks.

Step S2352, performing depth-first traversal on all branch vectors included in the multi-dimensional vector object to be tracked, and acquiring identification information of a call function instruction when one or more program instructions included in the first branch vector are traversed to be the call function instruction.

Step S2354, determining the coordinate position of the call function instruction in the first dimension array according to the identification information of the call function instruction.

Step S2356, according to the coordinate position of the calling function instruction in the first dimension array, the corresponding new multi-dimension vector object is obtained by searching in the second dimension array.

Step S2358, and executing deep recursion from the new multi-dimensional vector object to complete the forward tracking.

In an alternative scheme, in a three-dimensional coordinate system, the signature information is converted into a point m on the X-axis coordinate according to a provided class name adding method, and then a vector Dm is taken out to the position m on the Y-axis. If the execution flow is the forward tracing execution flow, all execution branches mapped by the Dm are taken out and depth-first traversal is carried out, every time a certain execution branch encounters a call function instruction, the class name and the method signature of the function are taken out, the X axis is removed, the coordinate position k is found, then the Y axis is found according to the position k, a new vector Dk is found, and the forward tracing execution flow is realized by continuing the depth recursive traversal from the Dk. If the execution flow is traced backwards, all branches mapped by the Dm are taken out, then tracing is started from a basic block at the tail part of the branch, every time the head part of the execution branch is traced, a certain vector Dz in the vector queue at the m position on the Z axis is taken out, and then the vector Dz is taken as an execution entry again to perform the tracing backwards.

According to the embodiment of the application, any java method in the Android program is sliced according to the branch instruction in the smali language, and a basic block formed by the smali instruction after slicing forms a plurality of execution branches. According to the method, three-dimensional coordinate system and multi-latitude vector modeling are carried out on the smali instruction of the Android program, and a method capable of quickly tracking the program execution flow from a certain execution point in the forward direction or the backward direction is provided for Android static automatic vulnerability mining.

A preferred embodiment of the present application is described in detail below with reference to fig. 3 and 4.

As shown in fig. 3 and 4, an alternative decompiling data processing method is provided, which may include the following steps S41 to S415:

step S41, three-dimensional coordinate axes X, Y, and Z are initialized.

Optionally, the three-dimensional coordinate system model is initialized to make the X, Y, and Z axes empty, where the X, Y, and Z axes are all sequential structures, each element of the Z-axis queue is also a sequential structure for storing vectors of multiple callers, and the elements of the X-axis queue and the Y-axis queue store a string object and a vector object, respectively.

Step S42, the method in the smali program is traversed.

In step S43, it is determined whether traversal is complete.

Specifically, the next method in the smali program is traversed, and if the traversal is not completed, the step S44 is entered; if the traversal is complete, step S412 is entered.

In step S44, the method slice is generated into branch execution sequences (Bc1, Bc2, …, Bcn) and converted into vectors Ds.

Optionally, according to the branch jump offset, the basic blocks of the smali instructions obtained after slicing the method in step S42 are assembled into branch execution sequences (Bc1, Bc2, …, Bcn), each branch of execution Bcx is a basic block sequence (b1, b2, …, bn), each basic block bx is composed of smali instructions, and corresponding multidimensional vector Ds objects are established for the branch execution sequences (Bc1, Bc2, …, Bcn).

In step S45, the class name of the slicing method and the method signature information are mapped to the X axis, and Ds is mapped to the Y axis.

Alternatively, the class name and the method signature of the method sliced in step S44 are mapped onto the X-axis of the three-dimensional coordinate system initialized in step S41, i.e., placed in the X-axis queue, and the position in the X-axis queue is denoted as m, and the vector Ds in step S44 is mapped onto the Y-axis, i.e., placed in the Y-axis queue at the m-position. If it has already been mapped, no mapping is required.

In step S46, the vector Bcx is executed cyclically through the branches in the vector Ds.

In step S47, it is determined whether or not there is a call function command.

Specifically, if there is a call instruction, step S48 is performed, and the class name and method name information of the called function are fetched and recorded as Xm; if not, the process returns to step S46.

In step S49, it is determined whether or not the X axis has the Xm coordinate m.

Specifically, if the X axis has an Xm coordinate m, the process proceeds to step S410, where the vector Dt adjusted at the m position coordinate on the Y axis is taken, the vector Ds is placed in a queue of the Z axis coordinate corresponding to the vector Dt, and the process returns to step S42 after the execution is completed; if not, the process goes to step S411, and establishes a null vector Dt to be mapped to the Y-axis coordinate, and maps Xm to the X-axis coordinate, and after the execution is completed, the process returns to step S42.

Optionally, circularly traversing Bcx corresponding to each branch vector in the vector Ds, traversing a smal instruction in the branch, if a call function instruction exists, taking out the class name and method name information of the function as Xn, then searching whether the X axis has a coordinate n of Xn, if the X axis has the coordinate n, taking out the called vector Dt through the n coordinate on the Y axis corresponding to the point, and putting the vector Ds into a queue at the Z axis n corresponding to the vector Dt, so that the relationship that the vector Ds points to the vector Dt is established, namely a function call relationship is established; if Xn does not exist on the X axis, a null vector Dt is established to be mapped on the Y axis coordinate, and Xn is mapped on the X axis at the n coordinate. Step S42 continues until the traversal is completed.

Step S412, starting the instruction execution tracking process, taking the class name to be tracked and the method signature information as Xm, converting the class name to be tracked and the method signature information into a coordinate m on an X axis, and then taking a vector Dm at the position of m on a Y axis.

Alternatively, in a three-dimensional coordinate system, the signature information is converted into a point m on the X-axis coordinate according to the provided class name adding method, and then the vector Dm is taken out to the m position on the Y-axis.

In step S413, it is determined whether the process is a forward trace execution process or a backward trace execution process.

Specifically, if the forward tracing execution process is performed, step S414 is performed, all execution branches mapped by Dm are taken out and depth-first traversal is performed, each time a call function instruction is encountered in a certain execution branch, the class name and the method signature of the function are taken out to find the coordinate position k on the X axis, then the Y axis is found according to the position k to find a new vector Dk, and depth-recursive traversal is continued from Dk to implement forward tracing execution flow; if the process is a backward trace execution process, step S415 is performed, the trace is started from the basic block at the tail of the branch after all branches mapped by Dm are fetched, and every time the head of the branch is traced, a certain vector Dz in the vector queue at the m position on the Z axis is fetched, and then the trace is performed backward with the vector Dz as the execution entry.

The method comprises the steps of mapping class name and method signature information of all methods to a horizontal axis (marked as an X axis) in a three-dimensional coordinate system, mapping all execution branches corresponding to the methods to a multi-dimensional vector (marked as a D axis), mapping all the multi-dimensional vectors to a vertical axis (marked as a Y axis) in the three-dimensional coordinate system, and mapping the calling relation of a certain multi-dimensional vector to a Z axis perpendicular to an X-axis Y-axis plane of the three-dimensional coordinate system. When an execution branch needs to be tracked from a certain method in the forward direction, a multidimensional vector D of an execution entry function can be quickly positioned from a Y axis corresponding to an X axis of a three-dimensional coordinate system only by using a class name adding method signature of the method, and then, depth-first recursive traversal is adopted for all vectors of the D, namely, full branch coverage is completed.

The above preferred embodiment may be implemented by the following modules:

the program slicing and branch stripping module (denoted as B) is mainly responsible for decompiling the Android program into a smali program, slicing and branch stripping the smali program one by one according to a method, and finally forming a plurality of execution branches formed by sliced smali instruction basic blocks, such as execution branches Bc1 and Bc2 of Ds and Dt in fig. 3.

The vector model management module (denoted as V) is mainly responsible for mapping all execution branches of each method completed by the B module into a multidimensional vector, each method in the program corresponds to one multidimensional vector, and each branch of each method corresponds to a dimension in one multidimensional vector, such as relationships between Ds and Dt and Bc1 and Bc2, respectively, in fig. 1. Each time the creation of a multi-dimensional vector is completed, the vector is registered in the three-dimensional coordinate system management module.

And the three-dimensional coordinate system model management module (denoted as C) is mainly responsible for mapping the registered multi-dimensional vectors into the three-dimensional coordinate system, and Ds and Dt in fig. 3 respectively obtain respective coordinates (m, m, m) and (n, n, n) in the three-dimensional coordinate system.

The branch execution tracking module (denoted as T) is mainly responsible for tracking the execution flow of the program from a certain execution entry in a forward or backward direction.

It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.

Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.

Example 2

According to an embodiment of the present invention, there is also provided a decompilated data processing apparatus for implementing the decompilated data processing method, as shown in fig. 5, the apparatus includes: a creation module 51, a first acquisition module 53, a second acquisition module 55 and a recording module 57.

The creating module 51 is configured to create a three-dimensional array model, where the three-dimensional array model includes: the first dimension array, the second dimension array and the third dimension array.

In an optional scheme, the three-dimensional array may be a three-dimensional coordinate system model, the first dimensional array, the second dimensional array, and the third dimensional array may be coordinate axes of the three-dimensional coordinate system model, the first dimensional array may be an X axis, the second dimensional array may be a Y axis, the third dimensional data may be a Z axis, creating the three-dimensional array model may be initializing the three-dimensional coordinate system model, and making the X, Y, and Z axes be empty, where the X, Y, and Z axes are all sequential structures, each element of the Z axis queue is also a sequential structure for storing vectors of multiple callers, and elements of the X and Y axis queues store a character string object and a vector object, respectively.

The first obtaining module 53 is configured to, after decompiling the application program into a decompiler program, traverse a plurality of methods included in the decompiler program, and obtain identification information of each method, where the identification information of the method includes: method class name and method signature information.

The second obtaining module 55 is configured to obtain a multidimensional vector object corresponding to each method and a call relationship between each multidimensional vector object.

The recording module 57 is configured to record the identification information of each method, the corresponding multidimensional vector object, and the call relationship between each multidimensional vector object into the first dimensional array, the second dimensional array, and the third dimensional array, respectively.

In the solution disclosed in the second embodiment of the present application, after the application program is decompiled as the decompiler, the first obtaining module and the second obtaining module traverse a plurality of methods included in the decompiler, obtain the identification information of each method, the calling relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object, and the recording module records the identification information of each method, the calling relationship between the corresponding multidimensional vector object and each multidimensional vector object to the three-dimensional array model created by the creating module.

Therefore, the second embodiment of the present application solves the technical problem that in the prior art, the basic block structure constructs the function call relationship in a pointer manner, and the traversal speed is slow in the aspect of full branch coverage execution.

According to the above embodiment of the present application, in a preferred solution, the recording module 57 includes: a first recording sub-module.

The first recording submodule is used for mapping the identification information of each method to the first-dimension array in a queue-form sequential structure, and recording the recording position of the identification information of each method in the queue of the first-dimension array.

In an alternative scheme, the recording sub-module may map the acquired identification information (i.e., the class name and the method signature of the method of the slice) of each method to an X-axis of a three-dimensional coordinate system initialized by the creation module, that is, put the three-dimensional coordinate system into an X-axis queue, where the position of the three-dimensional coordinate system in the X-axis queue is denoted as m, and map the multidimensional vector Ds acquired by the second acquisition module to a Y-axis, that is, to an m-position in a Y-axis queue. If it has already been mapped, no mapping is required.

According to the above embodiment of the present application, in a preferred solution, the recording module 57 further includes: a second recording sub-module.

The second recording submodule is used for mapping the multidimensional vector object corresponding to each method to the second dimensional array in a sequence structure in a queue form, and recording the recording position of the multidimensional vector object corresponding to each method in the queue of the second dimensional array.

According to the above embodiment of the present application, as shown in fig. 6, the second obtaining module 55 includes: a first processing module 61 and a building module 63.

The first processing module 61 is configured to, after obtaining a plurality of methods included in the decompiled program by traversal, perform slicing and branch stripping processing on each method to obtain a plurality of execution branches included in each method, where an execution branch is formed by a program basic block obtained by decompilation.

The establishing module 63 is configured to map the execution branch included in each method into a multidimensional vector, and establish a multidimensional vector object corresponding to the execution branch sequence of each method, where the execution branch included in the method has a branch vector in the corresponding multidimensional vector object.

In particular, a corresponding multidimensional vector Ds object is established for the branch execution sequences (Bc1, Bc2, …, Bcn) derived by the first processing module 61.

According to the above embodiment of the present application, as shown in fig. 7, the second obtaining module 55 further includes: a second processing module 71.

The second processing module 71 is configured to cycle through the multidimensional vector objects in the second dimensional array, determine, after determining the first multidimensional vector object of any method in the second dimensional array, the second multidimensional vector object having a function call relationship with the first multidimensional vector object by using a backtracking processing method, and obtain a call relationship between the multidimensional vector objects corresponding to each method.

According to the above-described embodiment of the present application, as shown in fig. 8, the second processing module 71 includes: a first acquisition submodule 81, a processing submodule 82, a second acquisition submodule 83, a third acquisition submodule 84, a fourth acquisition submodule 85, a fifth acquisition submodule 86 and a recording submodule 87.

The first obtaining sub-module 81 is configured to obtain a first multi-dimensional vector object recorded at a first recording position in the second-dimensional array.

The processing submodule 82 is configured to traverse a plurality of branch vectors included in the first multidimensional vector object to obtain a basic block of a program included in an execution branch corresponding to each branch vector, where the basic block of the program is formed by a program instruction obtained by decompilation.

The second obtaining submodule 83 is configured to obtain identification information of a called function called by the calling function instruction if one or more program instructions included in the branch vector are the calling function instruction.

The third obtaining sub-module 84 is configured to query whether a method the same as the identification information of the called function exists in the first dimension array according to the identification information of the called function, and obtain a first type of method the same as the identification information.

The fourth obtaining submodule 85 is configured to obtain a first recording position of the first method in the first dimension array.

The fifth obtaining sub-module 86 is configured to query a second record position in the second dimensional array, where the second record position is the same as the coordinate value of the first record position, and obtain a second multidimensional vector object recorded at the second record position, where the second multidimensional vector object is a vector object called by the first multidimensional vector object.

The recording sub-module 87 is configured to record a function call relationship between the first multi-dimensional vector object and the second multi-dimensional vector object at a corresponding position in the third dimensional array, where the corresponding position in the third dimensional array is the same as the first recording position in the second dimensional array.

According to the above embodiment of the present application, in a preferred aspect, the second processing module 71 may further include: and establishing a submodule.

The establishing submodule is used for establishing a null vector in the second dimensional array under the condition that the method with the same identification information is not inquired in the first dimensional array, and mapping the identification information of the function called by the calling function instruction to the corresponding position in the first dimensional array.

According to the above embodiment of the present application, as shown in fig. 9, the apparatus further includes: an initiating module 91, a first determining module 93 and a tracking module 95.

The starting module 91 is configured to start the tracing process flow if the methods included in the decompiler are completely traversed.

The first determining module 93 is configured to receive identification information of a method to be tracked, and determine a multidimensional vector object to be tracked according to the identification information of the method to be tracked.

The tracking module 95 is used for forward tracking or backward tracking the decompiler based on the multi-dimensional vector object to be tracked.

According to the above embodiment of the present application, as shown in fig. 10, the tracking module 95 includes: a third acquisition module 101, a fourth acquisition module 103 and an execution module 105.

The third obtaining module 101 is configured to obtain a third recording position of the multidimensional vector object to be tracked in the second dimensional array and branch vectors included in the multidimensional vector object to be tracked, where each branch vector corresponds to an execution branch including a plurality of basic program blocks.

The fourth obtaining module 103 is configured to perform back tracing based on the tail program basic block of the execution branch, and obtain, when the head program basic block of the execution branch is traced, a multidimensional vector object having a calling relationship with the multidimensional vector object to be traced from the third dimensional array.

The execution module 105 is configured to perform subsequent depth-first traversal to complete the backward tracing after taking the md vector object having a call relation with the md vector object to be traced as an execution entry.

According to the above embodiment of the present application, as shown in fig. 11, the apparatus further includes: a third processing module 111.

The third processing module 111 is configured to use the multidimensional vector object recorded at the first recording position in the third dimensional array as a multidimensional vector object having a calling relationship with the multidimensional vector object to be tracked, where the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinate.

According to the above embodiment of the present application, as shown in fig. 12, the tracking module 95 includes: a fifth obtaining module 121, a sixth obtaining module 123, a second determining module 125, a querying module 127 and a fourth processing module 129.

The fifth obtaining module 121 is configured to obtain all branch vectors included in the multidimensional vector object to be tracked, where each branch vector corresponds to an execution branch that includes a plurality of basic program blocks.

The sixth obtaining module 123 is configured to perform depth-first traversal on all branch vectors included in the multidimensional vector object to be traced, and obtain identification information of a call function instruction when one or more program instructions included in the first branch vector are traversed to be the call function instruction.

The second determining module 125 is configured to determine a coordinate position of the call function instruction in the first dimension array according to the identification information of the call function instruction.

The query module 127 is configured to query the second dimensional array to obtain a corresponding new multidimensional vector object according to the coordinate position of the call function instruction in the first dimensional array.

The fourth processing module 129 is configured to perform a depth recursive traversal starting with the new multi-dimensional vector object to complete the forward trace.

In an alternative scheme, in a three-dimensional coordinate system, the signature information is converted into a point m on the X-axis coordinate according to a provided class name adding method, and then a vector Dm is taken out to the position m on the Y-axis. If the execution flow is the forward tracing execution flow, all execution branches mapped by the Dm are taken out and depth-first traversal is carried out, every time a certain execution branch encounters a call function instruction, the class name and the method signature of the function are taken out, the X axis is removed, the coordinate position k is found, then the Y axis is found according to the position k, a new vector Dk is found, and the forward tracing execution flow is realized by continuing the depth recursive traversal from the Dk. If the execution flow is traced backwards, all branches mapped by Dm are taken out and tracing is started from basic block at tail of branch, every time tracing is carried out to head of branch, a certain vector Dz in vector queue at m position on Z axis is taken out, then backward execution tracing is carried out again by using vector Dz as execution inlet

Example 3

The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.

Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.

In this embodiment, the computer terminal may execute the program code of the following steps in the processing method for decompiling data: creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array; after the application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information; acquiring multidimensional vector objects corresponding to each method and call relations among the multidimensional vector objects; and respectively recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array.

Alternatively, fig. 13 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 13, the computer terminal a may include: one or more processors 131 (only one shown), a memory 133, and a transmission device 135.

The memory 133 can be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for processing decompiled data in the embodiment of the present invention, and the processor 131 executes various functional applications and data processing by running the software programs and modules stored in the memory 133, that is, implements the method for processing decompiled data. Memory 133 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 133 may further include memory located remotely from the processor, which may be connected to terminal a via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The processor 131 can call the information and application programs stored in the memory 133 through the transmission device 135 to execute the following steps: creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array; after the application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information; acquiring multidimensional vector objects corresponding to each method and call relations among the multidimensional vector objects; and respectively recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array.

Optionally, the processor 131 may further execute program codes of the following steps: in any method, the corresponding recording positions in the first-dimension array, the second-dimension array and the third-dimension array have the same position coordinates.

Optionally, the processor 131 may further execute program codes of the following steps: and mapping the identification information of each method to the first-dimension array in a queue-form sequential structure, and recording the recording position of the identification information of each method in the queue of the first-dimension array.

Optionally, the processor 131 may further execute program codes of the following steps: and mapping the multidimensional vector object corresponding to each method to a second dimensional array in a sequence structure in a queue form, and recording the recording position of the multidimensional vector object corresponding to each method in the queue of the second dimensional array.

Optionally, the processor 131 may further execute program codes of the following steps: after traversing to obtain a plurality of methods contained in the decompilated program, carrying out slicing and branch stripping processing on each method to obtain a plurality of execution branches contained in each method, wherein each execution branch is composed of a program basic block obtained by decompilation; mapping the execution branch contained in each method into a multidimensional vector, and establishing a multidimensional vector object corresponding to the execution branch sequence of each method, wherein the execution branch contained in each method has a branch vector in the corresponding multidimensional vector object.

Optionally, the processor 131 may further execute program codes of the following steps: and circularly traversing the multi-dimensional vector objects in the second dimensional array, after determining the first multi-dimensional vector object of any method in the second dimensional array, determining the second multi-dimensional vector object having a function call relation with the first multi-dimensional vector object by using a backtracking processing method, and obtaining the call relation between the multi-dimensional vector objects corresponding to each method.

Optionally, the processor 131 may further execute program codes of the following steps: acquiring a first multi-dimensional vector object recorded at a first recording position in a second-dimensional array; traversing a plurality of branch vectors contained in the first multidimensional vector object to obtain a program basic block contained in an execution branch corresponding to each branch vector, wherein the program basic block is formed by program instructions obtained by decompilation; if one or more program instructions contained in the branch vector are calling function instructions, acquiring identification information of a called function called by the calling function instructions; according to the identification information of the called function, whether a method which is the same as the identification information of the called function exists or not is inquired in the first dimension array, and a first type of method which is the same as the identification information is obtained; acquiring a first recording position of a first method in a first dimension array; inquiring a second recording position which is the same as the coordinate value of the first recording position in the second dimensional array, and acquiring a second multi-dimensional vector object recorded at the second recording position, wherein the second multi-dimensional vector object is a vector object called by the first multi-dimensional vector object; and recording the function call relation between the first multi-dimensional vector object and the second multi-dimensional vector object at the corresponding position in the third-dimensional array.

Optionally, the processor 131 may further execute program codes of the following steps: and under the condition that the method with the same identification information is not inquired in the first dimension array, establishing a null vector in the second dimension array, and mapping the identification information of the function called by the calling function instruction to the corresponding position in the first dimension array.

Optionally, the processor 131 may further execute program codes of the following steps: if a plurality of methods contained in the decompiler are completely traversed, starting a tracking processing flow; receiving identification information of a method to be tracked, and determining a multi-dimensional vector object to be tracked according to the identification information of the method to be tracked; and performing forward tracking or backward tracking decompilation based on the multi-dimensional vector object to be tracked.

Optionally, the processor 131 may further execute program codes of the following steps: acquiring a third recording position of the multi-dimensional vector object to be tracked in the second-dimensional array and branch vectors contained in the multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks; performing backward tracking based on the tail program basic block of the execution branch, and acquiring a multi-dimensional vector object having a calling relation with the multi-dimensional vector object to be tracked from the third dimensional array when the head program basic block of the execution branch is tracked; and after the multidimensional vector object having a calling relationship with the multidimensional vector object to be traced is taken as an execution entry, subsequent depth-first traversal is executed to complete the backward tracing.

Optionally, the processor 131 may further execute program codes of the following steps: and taking the multi-dimensional vector object recorded at the first recording position in the third dimensional array as the multi-dimensional vector object having a calling relationship with the multi-dimensional vector object to be tracked, wherein the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinate.

Optionally, the processor 131 may further execute program codes of the following steps: acquiring all branch vectors contained in a multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks; performing depth-first traversal on all branch vectors contained in a multi-dimensional vector object to be tracked, and acquiring identification information of a calling function instruction when one or more program instructions contained in the first branch vector are traversed to be the calling function instruction; determining the coordinate position of the calling function instruction in the first dimension array according to the identification information of the calling function instruction; according to the coordinate position of the calling function instruction in the first dimension array, a corresponding new multi-dimensional vector object is obtained by inquiring in the second dimension array; and perform a deep recursive traversal starting with the new multi-dimensional vector object to complete the forward trace.

By adopting the scheme of the processing method of the decompilated data, after the application program is decompilated into the decompilated program, the method steps through a plurality of methods contained in the decompilated program to obtain the identification information of each method, the calling relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object, and the identification information of each method, the calling relationship between the multidimensional vector object corresponding to each method and each multidimensional vector object are recorded to the created three-dimensional array model.

Therefore, the technical problem that in the prior art, the basic block structure constructs the function call relation in a pointer mode and the traversal speed is low in the aspect of full branch coverage execution is solved by the scheme provided by the application.

It can be understood by those skilled in the art that the structure shown in fig. 13 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 13 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 13, or have a different configuration than shown in fig. 13.

Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.

Example 4

The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the method for processing decompiled data provided in the first embodiment.

Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array; after the application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information; acquiring multidimensional vector objects corresponding to each method and call relations among the multidimensional vector objects; and respectively recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array.

Optionally, the storage medium is further configured to store program code for performing the following steps: in any method, the corresponding recording positions in the first-dimension array, the second-dimension array and the third-dimension array have the same position coordinates.

Optionally, the storage medium is further configured to store program code for performing the following steps: and mapping the identification information of each method to the first-dimension array in a queue-form sequential structure, and recording the recording position of the identification information of each method in the queue of the first-dimension array.

Optionally, the storage medium is further configured to store program code for performing the following steps: and mapping the multidimensional vector object corresponding to each method to a second dimensional array in a sequence structure in a queue form, and recording the recording position of the multidimensional vector object corresponding to each method in the queue of the second dimensional array.

Optionally, the storage medium is further configured to store program code for performing the following steps: after traversing to obtain a plurality of methods contained in the decompilated program, carrying out slicing and branch stripping processing on each method to obtain a plurality of execution branches contained in each method, wherein each execution branch is composed of a program basic block obtained by decompilation; mapping the execution branch contained in each method into a multidimensional vector, and establishing a multidimensional vector object corresponding to the execution branch sequence of each method, wherein the execution branch contained in each method has a branch vector in the corresponding multidimensional vector object.

Optionally, the storage medium is further configured to store program code for performing the following steps: and circularly traversing the multi-dimensional vector objects in the second dimensional array, after determining the first multi-dimensional vector object of any method in the second dimensional array, determining the second multi-dimensional vector object having a function call relation with the first multi-dimensional vector object by using a backtracking processing method, and obtaining the call relation between the multi-dimensional vector objects corresponding to each method.

Optionally, the storage medium is further configured to store program code for performing the following steps: acquiring a first multi-dimensional vector object recorded at a first recording position in a second-dimensional array; traversing a plurality of branch vectors contained in the first multidimensional vector object to obtain a program basic block contained in an execution branch corresponding to each branch vector, wherein the program basic block is formed by program instructions obtained by decompilation; if one or more program instructions contained in the branch vector are calling function instructions, acquiring identification information of a called function called by the calling function instructions; according to the identification information of the called function, whether a method which is the same as the identification information of the called function exists or not is inquired in the first dimension array, and a first type of method which is the same as the identification information is obtained; acquiring a first recording position of a first method in a first dimension array; inquiring a second recording position which is the same as the coordinate value of the first recording position in the second dimensional array, and acquiring a second multi-dimensional vector object recorded at the second recording position, wherein the second multi-dimensional vector object is a vector object called by the first multi-dimensional vector object; and recording the function call relation between the first multi-dimensional vector object and the second multi-dimensional vector object at the corresponding position in the third-dimensional array.

Optionally, the storage medium is further configured to store program code for performing the following steps: and under the condition that the method with the same identification information is not inquired in the first dimension array, establishing a null vector in the second dimension array, and mapping the identification information of the function called by the calling function instruction to the corresponding position in the first dimension array.

Optionally, the storage medium is further configured to store program code for performing the following steps: if a plurality of methods contained in the decompiler are completely traversed, starting a tracking processing flow; receiving identification information of a method to be tracked, and determining a multi-dimensional vector object to be tracked according to the identification information of the method to be tracked; and performing forward tracking or backward tracking decompilation based on the multi-dimensional vector object to be tracked.

Optionally, the storage medium is further configured to store program code for performing the following steps: acquiring a third recording position of the multi-dimensional vector object to be tracked in the second-dimensional array and branch vectors contained in the multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks; performing backward tracking based on the tail program basic block of the execution branch, and acquiring a multi-dimensional vector object having a calling relation with the multi-dimensional vector object to be tracked from the third dimensional array when the head program basic block of the execution branch is tracked; and after the multidimensional vector object having a calling relationship with the multidimensional vector object to be traced is taken as an execution entry, subsequent depth-first traversal is executed to complete the backward tracing.

Optionally, the storage medium is further configured to store program code for performing the following steps: and taking the multi-dimensional vector object recorded at the first recording position in the third dimensional array as the multi-dimensional vector object having a calling relationship with the multi-dimensional vector object to be tracked, wherein the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinate.

Optionally, the storage medium is further configured to store program code for performing the following steps: acquiring all branch vectors contained in a multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks; performing depth-first traversal on all branch vectors contained in a multi-dimensional vector object to be tracked, and acquiring identification information of a calling function instruction when one or more program instructions contained in the first branch vector are traversed to be the calling function instruction; determining the coordinate position of the calling function instruction in the first dimension array according to the identification information of the calling function instruction; according to the coordinate position of the calling function instruction in the first dimension array, a corresponding new multi-dimensional vector object is obtained by inquiring in the second dimension array; and perform a deep recursive traversal starting with the new multi-dimensional vector object to complete the forward trace.

The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.

In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.

In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.

The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims

1. A method for processing decompiled data, comprising:

creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array;

after an application program is decompiled into a decompiler program, traversing a plurality of methods contained in the decompiler program, and acquiring identification information of each method, wherein the identification information of the method comprises: method class name and method signature information;

acquiring multidimensional vector objects corresponding to each method and a calling relation between the multidimensional vector objects;

recording the identification information of each method, the corresponding multi-dimensional vector object and the calling relationship among the multi-dimensional vector objects into the first-dimensional array, the second-dimensional array and the third-dimensional array respectively;

wherein, obtaining the multidimensional vector object corresponding to each method comprises: slicing each method to generate an execution branch sequence, and establishing a multi-dimensional vector object corresponding to the execution branch sequence of each method;

obtaining the calling relationship between each multi-dimensional vector object comprises: and determining a second multi-dimensional vector object having a function call chain relation with the first multi-dimensional vector object to obtain a call relation between each multi-dimensional vector object.

2. The method of claim 1, wherein any one of the methods has the same position coordinates at the corresponding recording positions in the first dimension array, the second dimension array, and the third dimension array.

3. The method of claim 2, wherein recording the identification information of each of the methods to the first dimension array comprises: and mapping the identification information of each method to the first-dimension array in a sequence structure in a queue form, and recording the recording position of the identification information of each method in the queue of the first-dimension array.

4. The method of claim 3, wherein recording the multi-dimensional vector object corresponding to each method to the second-dimensional array comprises: and mapping the multidimensional vector object corresponding to each method to the second dimensional array in a sequence structure in a queue form, and recording the recording position of the multidimensional vector object corresponding to each method in the queue of the second dimensional array.

5. The method according to any one of claims 1 to 4, wherein obtaining the multi-dimensional vector object corresponding to each method comprises:

after traversing to obtain a plurality of methods contained in the decompilated program, performing slicing and branch stripping processing on each method to obtain a plurality of execution branches contained in each method, wherein each execution branch is composed of a program basic block obtained by decompilation;

and mapping the execution branch included in each method into a multidimensional vector, and establishing a multidimensional vector object corresponding to the execution branch sequence of each method, wherein the execution branch included in the method has a branch vector in the corresponding multidimensional vector object.

6. The method of claim 5, wherein obtaining the calling relationship between the multidimensional vector objects corresponding to each method comprises: and circularly traversing the multidimensional vector objects in the second dimensional array, after determining the first multidimensional vector object of any method in the second dimensional array, determining the second multidimensional vector object having a function call chain relation with the first multidimensional vector object by using a backtracking processing method, and obtaining a call relation between the multidimensional vector objects corresponding to each method.

7. The method according to claim 6, wherein after determining the first multidimensional vector object of any one of the methods in the second dimensional array, determining a second multidimensional vector object having a function-call relationship with the first multidimensional vector object by using a backtracking processing method, and obtaining a call relationship between the multidimensional vector objects corresponding to each method comprises:

acquiring a first multi-dimensional vector object recorded at a first recording position in the second-dimensional array;

traversing a plurality of branch vectors contained in the first multidimensional vector object to obtain a program basic block contained in an execution branch corresponding to each branch vector, wherein the program basic block is formed by program instructions obtained by decompilation;

if one or more program instructions contained in the branch vector are calling function instructions, acquiring identification information of a called function called by the calling function instructions;

according to the identification information of the called function, whether a method which is the same as the identification information of the called function exists or not is inquired in the first dimension array, and a first type method which is the same as the identification information is obtained;

acquiring a first recording position of the first method in the first dimension array;

inquiring a second recording position which is the same as the coordinate value of the first recording position in the second dimensional array, and acquiring a second multi-dimensional vector object recorded at the second recording position, wherein the second multi-dimensional vector object is a vector object called by the first multi-dimensional vector object;

and recording a function call relation between the first multi-dimensional vector object and the second multi-dimensional vector object at a corresponding position in the third-dimensional array.

8. The method of claim 7, wherein in the case that no method with the same identification information is found in the first dimension array, establishing a null vector in the second dimension array, and mapping the identification information of the function called by the call function instruction to a corresponding position in the first dimension array.

9. The method of claim 2, wherein after traversing the plurality of methods included in the decompiler, the method further comprises:

if the methods contained in the decompiler are completely traversed, starting a tracking processing flow;

receiving identification information of a method to be tracked, and determining a multi-dimensional vector object to be tracked according to the identification information of the method to be tracked;

forward tracing or backward tracing the decompiler based on the multi-dimensional vector object to be traced.

10. The method of claim 9, wherein forward tracing the decompiler based on the multi-dimensional vector object to be traced comprises:

acquiring a third recording position of the multi-dimensional vector object to be tracked in the second dimensional array and branch vectors contained in the multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks;

performing the backward tracing based on the tail program basic block of the execution branch, and acquiring the multidimensional vector object having a calling relation with the multidimensional vector object to be traced from the third-dimensional array when the head program basic block of the execution branch is traced;

and after the multidimensional vector object having a calling relationship with the multidimensional vector object to be traced is taken as an execution entry, performing subsequent depth-first traversal to complete the backward tracing.

11. The method according to claim 10, wherein the multi-dimensional vector object recorded at the first recording position in the third dimensional array is used as the multi-dimensional vector object having a calling relationship with the multi-dimensional vector object to be tracked, wherein the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinates.

12. The method of claim 9, wherein forward-tracking or backward-tracking the decompiler based on the multi-dimensional vector object to be tracked comprises:

acquiring all branch vectors contained in the multi-dimensional vector object to be tracked, wherein each branch vector corresponds to an execution branch containing a plurality of program basic blocks;

performing depth-first traversal on all branch vectors contained in the multi-dimensional vector object to be tracked, and acquiring identification information of a calling function instruction when one or more program instructions contained in a first branch vector are traversed to be the calling function instruction;

determining the coordinate position of the calling function instruction in the first dimension array according to the identification information of the calling function instruction;

according to the coordinate position of the calling function instruction in the first dimensional array, a corresponding new multi-dimensional vector object is obtained by inquiring in the second dimensional array;

and performing a depth recursive traversal starting with the new multi-dimensional vector object to complete the forward trace.

13. A processing apparatus for decompiling data, comprising:

a creation module for creating a three-dimensional array model, the three-dimensional array model comprising: the first dimension array, the second dimension array and the third dimension array;

the method comprises a first obtaining module, a second obtaining module, a third obtaining module and a fourth obtaining module, wherein the first obtaining module is used for traversing a plurality of methods contained in a decompiler after the decompiler decompilates an application program into the decompiler, and obtaining identification information of each method, and the identification information of each method comprises: method class name and method signature information;

a second obtaining module, configured to obtain the multidimensional vector object corresponding to each method and a call relationship between the multidimensional vector objects;

a recording module, configured to record the identification information of each method, the corresponding multidimensional vector object, and a call relationship between each multidimensional vector object in the first dimensional array, the second dimensional array, and the third dimensional array, respectively;

the second obtaining module is further configured to generate an execution branch sequence for each method slice, and establish a multidimensional vector object corresponding to the execution branch sequence of each method;

the second obtaining module is further configured to obtain a calling relationship between each multidimensional vector object, including: and determining a second multi-dimensional vector object having a function call chain relation with the first multi-dimensional vector object to obtain a call relation between each multi-dimensional vector object.

14. The apparatus of claim 13, wherein the second obtaining module comprises:

a first processing module, configured to, after obtaining a plurality of methods included in the decompilated program in a traversal manner, perform slicing and branch stripping processing on each method to obtain a plurality of execution branches included in each method, where each execution branch is formed by a program basic block obtained by decompilation;

and the establishing module is used for mapping the execution branch contained in each method to the multidimensional vector and establishing the multidimensional vector object corresponding to the execution branch sequence of each method, wherein the execution branch contained in the method has a branch vector in the corresponding multidimensional vector object.

15. The apparatus of claim 14, wherein the second obtaining module further comprises:

and the second processing module is used for circularly traversing the multi-dimensional vector objects in the second dimensional array, determining a second multi-dimensional vector object having a function call chain relation with the first multi-dimensional vector object by using a backtracking processing method after determining the first multi-dimensional vector object of any method in the second dimensional array, and obtaining a call relation between the multi-dimensional vector objects corresponding to each method.

16. The apparatus of claim 15, wherein the second processing module comprises:

the first acquisition submodule is used for acquiring a first multi-dimensional vector object recorded at a first recording position in the second-dimensional array;

the processing submodule is used for traversing a plurality of branch vectors contained in the first multidimensional vector object to obtain a program basic block contained in an execution branch corresponding to each branch vector, wherein the program basic block is formed by program instructions obtained by decompilation;

a second obtaining sub-module, configured to obtain, if one or more program instructions included in the branch vector are a call function instruction, identification information of a called function called by the call function instruction;

a third obtaining sub-module, configured to query, according to the identification information of the called function, whether a method that is the same as the identification information of the called function exists in the first dimensional array, and obtain a first type of method that is the same as the identification information;

a fourth obtaining sub-module, configured to obtain a first recording position of the first type of method in the first dimension array;

a fifth obtaining sub-module, configured to query a second recording position in the second dimensional array, where the second recording position is the same as the coordinate value of the first recording position, and obtain a second multidimensional vector object recorded at the second recording position, where the second multidimensional vector object is a vector object called by the first multidimensional vector object;

and the recording submodule is used for recording the function call relation between the first multi-dimensional vector object and the second multi-dimensional vector object at the corresponding position in the third-dimensional array.

17. The apparatus of claim 13, further comprising:

the starting module is used for starting a tracking processing flow if a plurality of methods contained in the decompiler are completely traversed;

the system comprises a first determining module, a second determining module and a tracking module, wherein the first determining module is used for receiving identification information of a method to be tracked and determining a multi-dimensional vector object to be tracked according to the identification information of the method to be tracked;

a tracking module for forward tracking or backward tracking the decompiler based on the multi-dimensional vector object to be tracked.

18. The apparatus of claim 17, wherein the tracking module comprises:

a third obtaining module, configured to obtain a third recording position of the multidimensional vector object to be tracked in the second dimensional array and branch vectors included in the multidimensional vector object to be tracked, where an execution branch corresponding to each branch vector includes a plurality of basic program blocks;

a fourth obtaining module, configured to perform the back tracing based on the tail program basic block of the execution branch, and obtain, when the head program basic block of the execution branch is traced, a multidimensional vector object having a call relationship with the multidimensional vector object to be traced from the third dimensional array;

and the execution module is used for executing subsequent depth-first traversal to finish the backward tracing after the multi-dimensional vector object which has a calling relationship with the multi-dimensional vector object to be traced is taken as an execution entry.

19. The apparatus of claim 18, further comprising:

and the third processing module is used for taking the multi-dimensional vector object recorded at the first recording position in the third dimensional array as the multi-dimensional vector object having a calling relationship with the multi-dimensional vector object to be tracked, wherein the first recording position of the third dimensional array and the third recording position of the second dimensional array have the same position coordinate.

20. The apparatus of claim 17, wherein the tracking module further comprises:

a fifth obtaining module, configured to obtain all branch vectors included in the multidimensional vector object to be tracked, where an execution branch corresponding to each branch vector includes a plurality of program basic blocks;

a sixth obtaining module, configured to perform depth-first traversal on all branch vectors included in the multidimensional vector object to be tracked, and obtain identification information of a call function instruction when one or more program instructions included in the first branch vector are traversed to be the call function instruction;

the second determining module is used for determining the coordinate position of the calling function instruction in the first dimension array according to the identification information of the calling function instruction;

the query module is used for querying the second dimensional array to obtain a corresponding new multi-dimensional vector object according to the coordinate position of the calling function instruction in the first dimensional array;

a fourth processing module for performing a depth recursive traversal starting with the new multi-dimensional vector object to complete the forward trace.