Background technology
In some computer software there is a section of code dedicated to protecting the software from illegal modification or decompilation. Such code generally takes control before the program runs and then carries out its task of protecting the software. Just as the shells of plants and animals naturally grow on the outside of the body (although so-called "seeds within the shell" appeared later), this code sits on the outside of the program. Because this section of code has much in common, functionally, with a natural shell, it came to be called a "shell" by naming convention, in the same way that a computer virus is named after a natural virus. In terms of abstract function, a software shell and a shell in nature are nearly the same: each does nothing more than protect and hide what is inside.
From a technical point of view, a shell is a section of code that executes before the original program. During packing (adding the shell), the code of the original program may be compressed or encrypted. When the packed file is executed, the shell code runs before the original program, restores the compressed or encrypted code to the original program code, and then hands control back to the original code. Software shells are divided into classes such as encryption shells, compression shells, camouflage shells and multi-layer shells; the purpose of all of them is to conceal the program's real OEP (original entry point) and prevent the program from being cracked.
After a programmer finishes a piece of software, it is compiled into an executable file. Shells are then used for the following reasons:
1. Some copyright information, such as the author's name, needs protection against arbitrary modification; to protect software from being cracked, a shell is usually added.
2. The program needs to be made somewhat smaller for convenient use, so software that can compress executable files is needed.
3. In hacker circles, software such as Trojan horses is packed to hide it from antivirus software.
Software that implements the functions above is called packing (shell-adding) software.
A packed program can effectively hinder disassembly analysis of the program, protecting the software copyright and preventing the software from being cracked.
The PC platform already has a large number of standardized packing and unpacking tools. Packing generally belongs to software encryption. Unpacking is generally divided into manual and automatic. Manual unpacking uses debugging tools such as TRW2000, TR and SOFTICE; it places certain skill demands on the person unpacking and involves a good deal of knowledge of assembly language and software debugging. Automatic unpacking uses dedicated unpacking tools. Most commonly, a given compression tool has a corresponding decompression tool written by someone else. Some compression tools can decompress their own output, such as UPX; others do not provide this function, such as ASPACK, which needs UNASPACK to deal with it. The advantage is simplicity; the disadvantage is that the tool becomes useless once the version is updated. Unpacking can also be done with dedicated unpacking tools, the most popular being PROCDUMP v1.62, which can handle files compressed by the various current compression tools. Generally, once the encryption method of a file is known, different tools and different methods can be used to unpack it. The following are packing methods commonly encountered in the industry and simple unpacking measures, for reference only. The cardinal rule of unpacking is single-step tracing, moving only forward, never backward. The general unpacking flow is: identify the shell → find the OEP → dump → repair. The general approach to finding the OEP is to first determine whether the shell is an encryption shell or a compression shell; compression shells are comparatively easy, and the entry point is generally reached after finding the corresponding popad. Once it is known that a file has been packed by some compression or packing software, the next step is to determine the name and version of that software, because different software, and even different versions of the same software, add different shells, and the handling method is not identical.
Android, however, as an emerging mobile platform, does not yet have APK packing tools. The widespread use of Android's dex files has brought certain difficulties to packing, but from a technical standpoint packing and unpacking Android APKs is feasible, and its necessity becomes ever more apparent as applications continue to spread.
Summary of the invention
In view of the current deficiencies in application protection on the Android platform, the object of the present invention is to propose a packing and unpacking method for protecting Android platform applications, so as to advance the development of applications on this platform securely.
The above object is achieved by the following technical solution: a packing and unpacking method for protecting Android platform applications, characterized in that the method comprises two parts, a packing step and an unpacking step, directed at the original executable file of an Android platform application. The packing step uses an external packing tool to analyze the file format structure of the original executable file and encrypt the source program into shelled data. The unpacking step loads and runs the unpacking program in the memory of the mobile terminal before the application runs; after the shelled data has been decrypted back into the source program, the original executable file is loaded into memory and runs normally.
Further, the unpacking program is separated from the shelled data and stored on a cloud server; before the mobile terminal runs the application, the unpacking program is dynamically loaded directly into memory and run, and it decrypts the shelled data into the source program.
Further, the unpacking program and the shelled data are assembled by the external packing tool into an unpacking-program dex file; before the mobile terminal runs the application, the unpacking program part runs first in memory and decrypts the shelled data into the source program.
Further, one way of assembling the unpacking program and the shelled data is: write the shelled data to the end of the unpacking-program dex file, then append the length of the shelled data at the end of the file; modify the checksum, signature and file_size fields in the unpacking-program dex file header according to the assembled shelled data; finally, modify the AndroidManifest.xml file of the source program and use it to overwrite the file of the same name in the unpacking program.
Further, another way of assembling the unpacking program and the shelled data is: first calculate the length of the shelled data, add that length at the corresponding position 0x70 of the unpacking-program dex file, and then append the shelled data to the end of the file; modify the checksum, signature, file_size, header_size, string_ids_off, type_ids_off, proto_ids_off, field_ids_off, method_ids_off, class_ids_off and data_off fields in the unpacking-program dex file header according to the assembled shelled data; analyze the map_off data and modify the data offsets; finally, modify the AndroidManifest.xml file of the source program and use it to overwrite the file of the same name in the unpacking program.
Applying the packing and unpacking scheme of the present invention provides an innovative approach and a feasible technical route for packing and unpacking applications on the Android platform. It can be used to protect executable files on mobile platforms, prevent programs from being attacked by hacker techniques such as decompilation, protect the confidentiality of commercial software, and protect the security of user applications.
Embodiment
The present invention addresses the security problem of mobile platform applications and proposes a method for dynamically packing and unpacking applications, improving the set of packing and unpacking schemes available for mobile platform applications.
In general terms, the method comprises two parts, a packing step and an unpacking step, directed at the original executable file of an Android platform application. The packing step uses an external packing tool to analyze the file format structure of the original executable file and encrypt the source program into shelled data. The unpacking step loads and runs the unpacking program in the memory of the mobile terminal before the application runs; after the shelled data has been decrypted back into the source program, the original executable file is loaded into memory and runs normally. Although in form this looks similar to the conventional packing and unpacking techniques described above, the method of the present invention in fact targets applications on the Android platform, that is, it packs and unpacks .apk files. Its processing method and code implementation are a new exploration and breakthrough, and the added shell is an encryption shell that uses a custom encryption algorithm.
Moreover, the packing and unpacking method of the present invention provides comprehensive technical solutions for the concrete forms of the packer and the unpacker used in the process. To understand the above scheme, one first needs to analyze the file structure of the Android executable file, dex. The dex file header (File Header) mainly contains the checksum and the offset addresses and length information of the other structures, as shown in the table. The structure of the dex file header and the specific meaning of each field are analyzed below.
The magic number field, magic, is the identifier of a dex file. It occupies 4 bytes and, in the current source code, is "dex\n". Its purpose is to identify a dex file: a file that merely has the dex suffix is not thereby considered a file that the Dalvik virtual machine can run; these 4 bytes must also be checked. The Dalvik virtual machine also has optimized dex files, which are distinguished by this same field: for an optimized dex file the value becomes "dey\n". These 4 bytes are therefore enough to identify the different types of dex file.
Following "dex\n" is the version field, which identifies the version of the dex file. The version number currently supported is "035\0", and it is used whether or not the file is optimized.
The checksum field, checksum, is used to check whether the data from this field to the end of the file is intact, that is, whether it has been modified by someone or corrupted in transfer. Algorithms commonly used to check data integrity include CRC32 and SHA128, but neither of these is used here. Instead a more specialized algorithm called adler32 is used, which is commonly used in the open-source zlib to check file integrity. The algorithm was invented by Mark Adler. Its reliability is similar to that of CRC32, though slightly weaker, but it has one good advantage: when the check value is computed in software it is much faster than CRC32. Evidently the Android system has been optimized for mobile devices even at the level of algorithm choice. In Java, the java.util.zip.Adler32 class can be used to perform the check.
The SHA-1 signature field, signature. Since the dex file header already has a 4-byte checksum field, why is there also a SHA-1 signature field? Is this not redundant? On reflection, the design is reasonable. Dex files are generally not very small; even a simple application runs to tens of kilobytes, so with a check value of only 4 bytes the probability of a collision is real, which means that data in the file may be modified without the check detecting it. The checksum then loses its effect and a stronger check value is needed, which is where SHA-1 comes in. The SHA-1 check value has 20 bytes, 16 bytes more than the checksum above, and it is almost impossible for different files to produce the same value. The purpose of having two check values is to use the first for a quick check, so that dex files with simple errors can be discarded first, and then to use the second, more complex one for a thorough computation that verifies whether the file is complete, thereby ensuring the integrity and safety of the file that is executed.
SHA (Secure Hash Algorithm) is a family of cryptographic hash functions designed by the US National Security Agency and published by the National Institute of Standards and Technology. SHA-1 looks very much like the MD5 algorithm, perhaps because Ron Rivest played some part in the design of SHA-1. Internally SHA-1 is stronger than MD5, and its digest is 4 bytes longer than MD5's 16 bytes. The algorithm has successfully withstood attacks by cryptanalysis experts and is therefore highly regarded in the cryptography community. Its signatures are widely used on today's networks, for example in BT software, where a file's signature is used to decide whether two seeds are the same. An 8G film can be downloaded from several thousand BT users without erroneous data making the film unplayable.
The map_off field stores the starting position of the map, that is, the distance from the file header to the map data; with this index the map data can be found. The data structure of the map is as follows
The fields defined in the DexMapItem structure are: the type, the number of items of that type, and the starting position of that type. It covers all the types that may appear in a dex file. The types here are much the same as those defined in the file header; in fact they are the types defined in the file header. The map data is really a repetition of the preceding types and exists entirely for verification. When the Android system loads a dex file, if the type counts in the file header are inconsistent with the types in the map, it stops using the dex file.
The string_ids_size and string_ids_off fields identify the string resources. After the source program is compiled, the strings used in the program are all stored in this data segment for use when the dex file is interpreted and executed. These include the class names of called library functions, descriptions, strings for output display, and so on.
string_ids_size gives the number of strings, and string_ids_off gives the starting position of the string data area.
This data area stores only the address index of the string table. To find the actual string data, one must use this address index to find the corresponding starting position in the file and then read the string data there. The index entry of each string occupies 4 bytes, so the size of this data area is 4*string_ids_size. The strings in the actual data area are stored in UTF8 format.
For example, if the dex file content shown in hexadecimal is 063c 696e 6974 3e00, its actual data is "<init>\0".
This data contains not only the string content and the terminator; the length of the string is also indicated at the very start. In the example above, the first byte 06 means that the string has 6 characters. According to how the shelled data is distributed within the unpacking-program dex file, two implementations of Android dex packing are proposed.
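The string lookup described above (string_ids index entry, then length-prefixed data ending in a terminator), as an added example that is not code from the patent. The function names and the sample buffer are constructed for illustration; the length prefix is read as ULEB128, and plain UTF-8 decoding is assumed, which covers the page's `<init>` example but not every string a real dex file can hold.

```python
import struct

STRING_IDS_SIZE_OFF = 0x38   # string_ids_size, immediately followed by string_ids_off


def read_uleb128(buf: bytes, pos: int):
    """Decode an unsigned LEB128 value; return (value, position after it)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def read_strings(dex: bytes) -> list:
    """Follow each 4-byte index entry to its string data and decode it."""
    size, off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    if off + 4 * size > len(dex):
        raise ValueError("string index area runs past end of file")
    strings = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, off + 4 * i)
        length, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\0", pos)          # terminator after the content
        text = dex[pos:end].decode("utf-8")
        if len(text) != length:              # prefix must agree with content
            raise ValueError(f"string {i}: length prefix {length} != {len(text)}")
        strings.append(text)
    return strings


def make_sample() -> bytes:
    """Constructed buffer: zeroed 0x70-byte header, 2 index entries, 2 strings."""
    items = [bytes.fromhex("063c696e69743e00"), bytes.fromhex("015600")]
    header = bytearray(0x70)
    ids_off = 0x70
    data_off = ids_off + 4 * len(items)
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(items), ids_off)
    ids, data = b"", b""
    for item in items:
        ids += struct.pack("<I", data_off + len(data))
        data += item
    return bytes(header) + ids + data


if __name__ == "__main__":
    print(read_strings(make_sample()))
```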
Figure 2 is a flow block diagram of one way of implementing the method in which the unpacking program is included. The unpacking program and the shelled data are assembled by the external packing tool into an unpacking-program dex file; before the mobile terminal runs the application, the unpacking program part runs first in memory and decrypts the shelled data into the source program. In this embodiment the packing workflow is: write the shelled data to the end of the unpacking-program dex file, then append the length of the shelled data at the end of the file; modify the checksum, signature and file_size fields in the unpacking-program dex file header according to the assembled shelled data; finally, modify the AndroidManifest.xml file of the source program and use it to overwrite the file of the same name in the unpacking program. The corresponding unpacking workflow is: first read the data at the end of the dex file to obtain the length of the shelled data; then read the shelled data from the dex file and run the unpacking program to decrypt it; save the result as a file, a.apk; finally, dynamically load this a.apk file through the dex class loader.
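The file layout of this first embodiment, together with the checksum and signature fields described earlier, as an added example that is not code from the patent. The 4-byte little-endian length, the function names and the sample stub are assumptions; the shelled data is treated as opaque bytes because the page does not specify the encryption algorithm, and the sample stub's data section is assumed to end at the end of the file.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70    # fixed length of the dex header
CHECKSUM_OFF = 8      # adler32, computed over bytes [12, EOF)
SIGNATURE_OFF = 12    # SHA-1, computed over bytes [32, EOF)
FILE_SIZE_OFF = 32
DATA_SIZE_OFF = 104   # data_size, immediately followed by data_off

def fix_header(dex: bytearray) -> None:
    """Recompute file_size, then signature, then checksum (each covers the next)."""
    struct.pack_into("<I", dex, FILE_SIZE_OFF, len(dex))
    dex[SIGNATURE_OFF:FILE_SIZE_OFF] = hashlib.sha1(dex[FILE_SIZE_OFF:]).digest()
    struct.pack_into("<I", dex, CHECKSUM_OFF, zlib.adler32(dex[SIGNATURE_OFF:]))

def check_header(dex: bytes) -> list:
    """Return the header fields that disagree with the file contents."""
    bad = []
    (checksum,) = struct.unpack_from("<I", dex, CHECKSUM_OFF)
    if checksum != zlib.adler32(dex[SIGNATURE_OFF:]):      # quick check first
        bad.append("checksum")
    if dex[SIGNATURE_OFF:FILE_SIZE_OFF] != hashlib.sha1(dex[FILE_SIZE_OFF:]).digest():
        bad.append("signature")
    if struct.unpack_from("<I", dex, FILE_SIZE_OFF)[0] != len(dex):
        bad.append("file_size")
    return bad

def append_shelled_data(stub: bytes, shelled: bytes) -> bytes:
    """Layout of the first embodiment: stub dex | shelled data | length."""
    out = bytearray(stub) + shelled + struct.pack("<I", len(shelled))
    fix_header(out)
    return bytes(out)

def read_shelled_data(dex: bytes) -> bytes:
    """Read the trailing length, then the shelled data that precedes it."""
    end = len(dex) - 4
    (length,) = struct.unpack_from("<I", dex, end)
    if length > end - HEADER_SIZE:
        raise ValueError("trailing length does not fit inside the file")
    return dex[end - length:end]

def bytes_after_data_section(dex: bytes) -> int:
    """Bytes past data_off + data_size. Non-zero after packing here, because
    only checksum, signature and file_size are updated, not data_size."""
    data_size, data_off = struct.unpack_from("<II", dex, DATA_SIZE_OFF)
    return len(dex) - (data_off + data_size)

def make_sample_stub() -> bytes:
    """Constructed stand-in for an unpacker dex: header plus 16 data bytes."""
    dex = bytearray(HEADER_SIZE) + bytes(range(16))
    dex[:8] = b"dex\n035\0"
    struct.pack_into("<I", dex, 36, HEADER_SIZE)                  # header_size
    struct.pack_into("<II", dex, DATA_SIZE_OFF, 16, HEADER_SIZE)  # data_size, data_off
    fix_header(dex)
    return bytes(dex)

if __name__ == "__main__":
    shelled = b"constructed ciphertext standing in for the encrypted apk"
    packed = append_shelled_data(make_sample_stub(), shelled)
    print(check_header(packed), bytes_after_data_section(packed))
    print(read_shelled_data(packed) == shelled)
```

A file that passes all three header checks but still has bytes after its data section is consistent with this layout, which makes the last function usable as a triage heuristic.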
Figure 3 is a flow block diagram of another way of implementing the method in which the unpacking program is included. Here too the unpacking program and the shelled data are assembled by the external packing tool into an unpacking-program dex file; before the mobile terminal runs the application, the unpacking program part runs first in memory and decrypts the shelled data into the source program. In this embodiment the packing workflow is more complicated: first calculate the length of the shelled data, add that length at the corresponding position 0x70 of the unpacking-program dex file, and then append the shelled data to the end of the file; modify the checksum, signature, file_size, header_size, string_ids_off, type_ids_off, proto_ids_off, field_ids_off, method_ids_off, class_ids_off and data_off fields in the unpacking-program dex file header according to the assembled shelled data; analyze the map_off data and modify the data offsets; finally, modify the AndroidManifest.xml file of the source program and use it to overwrite the file of the same name in the unpacking program. The corresponding unpacking workflow is: first read the length of the shelled data from position 0x70; then read the shelled data from the dex file and run the unpacking program to decrypt it; save the result as a file, a.apk; finally, dynamically load this a.apk file through the dex class loader.
The two embodiments above are schemes that are currently implemented and verified as feasible, but note that the shelled data and the unpacking program must be integrated into the dex file strictly according to the dex file structure, without misplacement; otherwise unpacking will fail. In addition, to further improve the security of the unpacking program and prevent hackers from unpacking and reverse-engineering the application by stealing the unpacking program, the present invention also provides a dynamic loading technique for the unpacking program, in which the unpacking program (the unpacker executable file) is separated from the shelled data. Specifically, Figure 1 is a flow block diagram of an embodiment of the method in which the unpacking program is kept external. Its packing process is as described above, differing only in whether the dex file contains the unpacking program, and is therefore omitted. As the figure shows, the unpacking program is stored on a cloud server. When the application starts, the unpacker executable file is first loaded into local memory, and the unpacking program then unpacks the functional program to be executed from the shelled data in local memory; this unpacking process is invisible.
In summary, applying the packing and unpacking scheme of the present invention provides an innovative approach and a feasible technical route for packing and unpacking applications on the Android platform. It can be used to protect executable files on mobile platforms, prevent programs from being attacked by hacker techniques such as decompilation, protect the confidentiality of commercial software, and protect the security of user applications.