CN104216946B - Method and apparatus for determining a repackaged application - Google Patents


Publication number
CN104216946B
Authority
CN
China
Legal status
Active
Application number
CN201410373867.1A
Other languages
Chinese (zh)
Other versions
CN104216946A (en)
Inventor
周荣誉
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10: File systems; File servers
    • G06F16/11: File system administration, e.g. details of archiving or snapshots
    • G06F16/122: File system administration, e.g. details of archiving or snapshots using management policies
    • G06F16/17: Details of further file system functions
    • G06F16/1734: Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Abstract

The present invention provides a method, in a computer device, for determining a repackaged application, wherein the method comprises the following steps: a. based solely on the executable file of an application, detecting whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule; b. when the arrangement of the items in the data portion conforms to the repackaging arrangement rule, determining that the application is a repackaged application. According to the solution of the present invention, there is no need to compare the application with the corresponding genuine application, nor to collect a large number of genuine applications; whether the application is a repackaged application can be determined from the executable file of the application alone. The solution is simple to implement, easy to operate, involves little work, and places no special requirements on the performance of the computer device.

Description

Method and apparatus for determining a repackaged application
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for determining a repackaged application in a computer device.
Background
As open systems see wider use in the market, more and more genuine applications are, for various purposes, cracked and then tampered with, producing repackaged applications that contain the tampered information, also known as copycat ("shanzhai") applications. Such repackaged applications have become one of the main sources of viruses on Android and have seriously affected the security of the Android system.
In the prior art, determining whether an application is a repackaged application generally requires information beyond the application itself. For example, in one scheme, a large number of genuine applications are collected to build a feature library, and information such as the digital signature of an application is compared with information such as the digital signatures of the genuine applications in the feature library to determine whether the application is a repackaged application. In another scheme, the application to be examined is compared with a genuine application or with an already identified repackaged application to determine whether it is a repackaged application.
However, the number of applications on the market keeps growing, so it is difficult to collect all genuine applications or repackaged applications, and the rate of collection can hardly keep up with the rate at which genuine applications are updated. The above schemes therefore lag behind to some extent and are usually applicable only to a small number of popular applications.
Summary of the invention
The object of the present invention is to provide a method and apparatus for determining a repackaged application in a computer device.
According to one aspect of the present invention, a method for determining a repackaged application in a computer device is provided, wherein the method comprises the following steps:
a. based solely on the executable file of an application, detecting whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule;
b. when the arrangement of the items in the data portion conforms to the repackaging arrangement rule, determining that the application is a repackaged application.
According to another aspect of the present invention, an apparatus for determining a repackaged application in a computer device is also provided, wherein the apparatus comprises the following means:
means for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule;
means for determining that the application is a repackaged application when the arrangement of the items in the data portion conforms to the repackaging arrangement rule.
Compared with the prior art, the present invention has the following advantages: 1) taking only the executable file of an application as the basis, it judges whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule that recompiled executable files usually exhibit, and thereby determines whether the application is a repackaged application; 2) there is no need to compare the application with the corresponding genuine application or with an already identified repackaged application, that is, no need to collect a large number of genuine applications or identified repackaged applications; whether the application is a repackaged application can be determined from its executable file alone. The solution is simple to implement, easy to operate, involves little work, and places no special requirements on the performance of the computer device.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings:
Fig. 1 is a flow diagram of a method for determining a repackaged application in a computer device according to a preferred embodiment of the present invention;
Fig. 2 is a schematic diagram of the structure of the APK file of an Android application;
Fig. 3 is a schematic diagram of the structure of a DEX file;
Fig. 4 is a schematic diagram of the structure of an apparatus for determining a repackaged application in a computer device according to a preferred embodiment of the present invention.
The same or similar reference numerals in the drawings denote the same or similar components.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 is a flow diagram of a method for determining a repackaged application in a computer device according to a preferred embodiment of the present invention.
The method of this embodiment is mainly implemented by a computer device. The computer device includes, but is not limited to, a network device and a user device. The network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud based on cloud computing (Cloud Computing) and composed of a large number of computers or network servers, where cloud computing is a form of distributed computing: a super virtual computer composed of a set of loosely coupled computers. The network in which the network device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a VPN network, and so on. The user device includes, but is not limited to, a PC, a tablet computer, a smartphone, a PDA, an IPTV, and so on.
It should be noted that the computer devices above are only examples; other existing or future computing devices, if applicable to the present invention, should also be included within the scope of protection of the present invention and are incorporated herein by reference.
The method according to this embodiment includes step S1 and step S2.
In step S1, the computer device detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule.
The application is preferably one that runs on an open system. More preferably, the application runs on the Android system.
The executable file is a file that can be loaded and executed by the operating system; preferably, the executable file is a DEX file. As an example, Fig. 2 shows one directory structure of the APK (Android Package) file of an Android application; the executable file can be the classes.dex file shown there. In Fig. 2, res is the directory that stores resource files; the layout files under the res directory are XML files compiled into screen layouts (or parts of a screen), and drawable under the res directory stores resource files. META-INF is the folder created when the jar file is generated; the MANIFEST.MF file in that directory describes information about the jar file, such as its attributes, and the CERT.SF and CERT.RSA files are the APK signature files. resources.arsc is the compiled binary resource file, AndroidManifest.xml is the global configuration file of the program, and classes.dex is the executable file of the Android application.
The executable file may include a file header, followed by data indexes and a data portion. The file header may include check information and the offset addresses and lengths of the other structures in the executable file; the data indexes may include data index information; and the data portion may include the data pointed to by the indexes. As an example, Fig. 3 shows one structure of a DEX file. The DEX file includes a file header (header); data indexes comprising the string list (String Table), type list (Type Table), function prototype list (Proto Table), variable list (Field Table), function list (Method Table) and class definition list (Class Definition Table); and a data portion (Data). The data portion includes a data segment (data Section) and a Map segment (Map Section). The data segment includes annotation items (annotation item), code items (code item), annotation directories (annotation directory), interfaces (interface), parameters (parameter), strings (string), debug items (debug item), annotation sets (annotation set), static values (static value), class data (class data), and so on. The Map segment includes the Map list (Map List).
The items in the data portion may include any item contained in the data portion of the executable file; preferably, they include the items (Item) contained in the data portion of a DEX file, such as Map_Item in the Map segment and Class_Def_Item in the data segment.
The repackaging arrangement rule may include any rule that indicates an arrangement of items characteristic of repackaged applications; preferably, the repackaging arrangement rule includes at least one of the following:
1) Rule one: a predetermined item exists in the data portion, and the predetermined item is located at a predetermined position.
The predetermined item is a designated item in the data portion. The predetermined position indicates a designated position in the data portion; preferably, the predetermined position corresponds to a run of consecutive bits or bytes in the data portion. More preferably, a data address in the executable file can be used to indicate the predetermined position; for example, 0x238 is used to indicate the predetermined position, that is, 0x238 is the base address of the predetermined position.
Preferably, the predetermined item is an item in the Map list of the data portion. More preferably, the predetermined item is TYPE_DEBUG_INFO_ITEM; when the predetermined item is TYPE_DEBUG_INFO_ITEM, the predetermined position can be the position of the second-to-last Map_Item in the Map list.
2) Rule two: the ordering of the class definition items in the data portion does not conform to a predetermined ordering rule. Preferably, rule two comprises: the offset values of the class definition items in the data portion are out of order.
The class definition items include the definition item of any class used in the executable file; preferably, a class definition item is a Class_Def_Item contained in the data portion of the DEX file.
The predetermined ordering rule includes any predetermined rule for ordering the class definition items. For example, the predetermined ordering rule is: the class definition items are arranged in order by the letters of their class names, and the offset values of the class definition items are sorted in ascending order.
It should be noted that the above repackaging arrangement rules are only examples and do not limit the present invention; those skilled in the art will understand that any rule indicating an arrangement characteristic of repackaged applications should be included in the repackaging arrangement rule of the present invention.
The following explains how, when the repackaging arrangement rule includes rule one above, the computer device detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule one.
Specifically, the ways in which the computer device can detect, based solely on the executable file of an application, whether the arrangement of the items in the data portion conforms to rule one include, but are not limited to:
1) The computer device searches for the predetermined item in the data portion of the executable file. When the predetermined item is found and its position is the predetermined position, the computer device determines that the arrangement of the items conforms to rule one. When the predetermined item is not found, or the predetermined item is found but its position is not the predetermined position, the computer device determines that the arrangement of the items does not conform to rule one.
For example, rule one is: the predetermined item TYPE_DEBUG_INFO_ITEM exists in the data portion of the executable file, and the predetermined item is located at the position of the second-to-last Map Item in the Map list. The computer device searches for the predetermined item in the data portion of the DEX file. When the predetermined item is found and its position is that of the second-to-last Map Item in the Map list, the computer device determines that the arrangement of the predetermined item conforms to rule one. When the predetermined item is not found, or its position is anywhere other than that of the second-to-last Map Item in the Map list, the computer device determines that the arrangement of the predetermined item does not conform to rule one.
The computer device can search for the predetermined item by searching the data portion for the type code (Type Code) that corresponds to it.
For example, if the predetermined item is TYPE_DEBUG_INFO_ITEM in the Map list, whose type code is 0x2003, the computer device can find TYPE_DEBUG_INFO_ITEM by searching the data portion of the DEX file for the item whose Type Code is 0x2003.
2) The computer device locates the predetermined position in the data portion. When the predetermined item is present at the predetermined position, the computer device determines that the arrangement of the items conforms to rule one; when the predetermined item is not present at the predetermined position, the computer device determines that the arrangement of the items does not conform to rule one.
For example, rule one is: the predetermined item TYPE_DEBUG_INFO_ITEM exists in the data portion of the executable file, and the predetermined item is located at the position of the second-to-last Map Item in the Map list. The computer device locates, in the data portion, the position of the second-to-last Map Item of the Map list. When the Type Code at that position is 0x2003 (the type code of TYPE_DEBUG_INFO_ITEM), the computer device determines that the arrangement of the predetermined item conforms to rule one; when the Type Code at that position is not 0x2003, the computer device determines that the arrangement of the predetermined item does not conform to rule one.
The computer device can obtain, from the file header of the executable file, the data base address of the list in which the predetermined item resides, and from it calculate the predetermined position.
For example, the computer device can first obtain the Map data base address (map_off) from the file header of the executable file, read the number of Map Items in the Map list at that Map data base address, and from these calculate the position of the second-to-last Map Item of the Map list.
It should be noted that the above examples only illustrate the technical solution of the present invention and do not limit it; those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule one should be included within the scope of the present invention.
It should be noted that when the repackaging arrangement rule includes only rule one, a determination by the computer device that the arrangement of the items in the data portion of the executable file conforms to rule one is equivalent to a determination that the arrangement conforms to the repackaging arrangement rule, and a determination that the arrangement does not conform to rule one is equivalent to a determination that the arrangement does not conform to the repackaging arrangement rule.
The following explains how, when the repackaging arrangement rule includes rule two above, the computer device detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule two.
Specifically, the ways in which the computer device can detect, based solely on the executable file of an application, whether the arrangement of the items in the data portion conforms to rule two include, but are not limited to:
1) The computer device detects the difference between the offset values of the current two adjacent class definition items. When the difference is less than zero, the computer device takes the next two adjacent class definition items as the current two adjacent class definition items and repeats the preceding operation to continue the detection. When the difference is greater than zero, the computer device determines that the arrangement of the items conforms to rule two.
For example, the computer device first obtains the offset values of the first and second class definition items and detects the difference between the offset values of these two adjacent class definition items. When the difference is less than zero, the computer device takes the second and third class definition items as the current two adjacent class definition items and, after obtaining the offset value of the third class definition item, detects the difference between the offset values of the second and third class definition items. This is repeated until a difference greater than zero is detected between the offset values of two adjacent class definition items, or until the differences between the offset values of all pairs of adjacent class definition items have been detected.
It should be noted that when the computer device has detected the differences between the offset values of all pairs of adjacent class definition items and all the detected differences are less than zero, the computer device determines that the arrangement of the items does not conform to rule two.
The class definition item indicates the definition, in the data portion, of a class used by the application; preferably, the class definition item is a Class_Def_Item in the class data of the data segment of the data portion of the DEX file.
The offset value indicates the offset of the start of the class definition item from the file header of the executable file. Preferably, in a DEX file, the class data offset (Class_Data_Off) of a class definition item can be taken directly as the offset value of that class definition item. More preferably, the computer device uses the class definition list base address read from the file header of the DEX file to obtain the class data offset of a class definition item as the offset value of that class definition item.
For example, based on the class definition list base address 0x0110, the computer device calculates the base address of the offset value of the first class definition item as 0x0110 + 0x0018 = 0x0128, and then reads, at the calculated base address, the class data offset of the first class definition item as the offset value of that class definition item, where 0x0018 is a fixed value that can be predetermined.
It should be noted that the ordering of the offset values of the class definition items in a repackaged application is often inconsistent with that in a genuine application: in a genuine application the offset values of the class definition items are sorted in ascending order, whereas in a repackaged application the difference between the offset values of two adjacent class definition items can be greater than zero.
2) The computer device reads the offset value of each class definition item. When the offset values of the class definition items are in order, the computer device determines that the arrangement of the items does not conform to rule two; when the offset values are out of order, the computer device determines that the arrangement of the items conforms to rule two.
For example, the data portion of the DEX file includes 4 class definition items, and the computer device reads their offset values as, in sequence: 0x0227, 0x0247, 0x0267, 0x0287. The computer device determines that these offset values are in order, and therefore determines that the arrangement of the items does not conform to rule two.
As another example, the data portion of the DEX file includes 4 class definition items, and the computer device reads their offset values as, in sequence: 0x0227, 0x0267, 0x0287, 0x0247. The computer device determines that these offset values are out of order, and therefore determines that the arrangement of the items conforms to rule two.
It should be noted that the above examples only illustrate the technical solution of the present invention and do not limit it; those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule two should be included within the scope of the present invention.
It should be noted that when the repackaging arrangement rule includes only rule two, a determination by the computer device that the arrangement of the items in the data portion of the executable file conforms to rule two is equivalent to a determination that the arrangement conforms to the repackaging arrangement rule, and a determination that the arrangement does not conform to rule two is equivalent to a determination that the arrangement does not conform to the repackaging arrangement rule.
It should be noted that when the repackaging arrangement rule includes both rule one and rule two above, the computer device can determine that the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule only if the arrangement conforms to rule one and rule two at the same time; alternatively, the computer device can determine that the arrangement conforms to the repackaging arrangement rule if it conforms to either rule one or rule two.
It should be noted that the above examples only illustrate the technical solution of the present invention and do not limit it; those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule should be included within the scope of the present invention.
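The rule one and rule two checks described above can be sketched as follows. This is an added example, not code from the patent: the function names are hypothetical, the header field offsets and the 12-byte Map item and 32-byte class definition item sizes are taken from the public DEX layout, the difference in rule two is read as earlier offset minus later offset, and skipping class definition items whose class data offset is 0 (no class data) is a choice of this example. The sample buffers are constructed and contain only the header fields, class definition list and Map list that the checks read.

```python
import struct

TYPE_DEBUG_INFO_ITEM = 0x2003  # type code of the predetermined item (from the page)
CLASS_DATA_OFF = 0x18          # class data offset inside a class definition item (0x0018 on the page)
CLASS_DEF_SIZE = 0x20          # bytes per class definition item (DEX layout, assumed)
MAP_ITEM_SIZE = 12             # ushort type, ushort unused, uint size, uint offset
HDR_MAP_OFF = 0x34             # header field map_off
HDR_CLASS_DEFS = 0x60          # header fields class_defs_size, class_defs_off


def unpack(fmt, dex, off):
    """Bounds-checked little-endian read; malformed input raises ValueError."""
    try:
        return struct.unpack_from(fmt, dex, off)
    except struct.error as exc:
        raise ValueError(f"truncated DEX at offset {off:#x}") from exc


def header(dex):
    """Return (map_off, class_defs_size, class_defs_off) from the file header."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    (map_off,) = unpack("<I", dex, HDR_MAP_OFF)
    size, off = unpack("<II", dex, HDR_CLASS_DEFS)
    return map_off, size, off


def rule_one(dex):
    """Rule one: TYPE_DEBUG_INFO_ITEM is the second-to-last Map item."""
    map_off, _, _ = header(dex)
    (count,) = unpack("<I", dex, map_off)      # number of Map items
    if count < 2:
        return False
    pos = map_off + 4 + MAP_ITEM_SIZE * (count - 2)  # the predetermined position
    return unpack("<H", dex, pos)[0] == TYPE_DEBUG_INFO_ITEM


def rule_two(dex):
    """Rule two: class data offsets of the class definition items are out of order."""
    _, size, off = header(dex)
    offs = [unpack("<I", dex, off + CLASS_DEF_SIZE * i + CLASS_DATA_OFF)[0]
            for i in range(size)]
    offs = [o for o in offs if o]              # 0 = no class data; skipped here
    # Earlier minus later: a difference > 0 means the order is broken.
    return any(a - b > 0 for a, b in zip(offs, offs[1:]))


def check(dex, require_both=True):
    """Combine the rules: both must hold, or either one, as the text allows."""
    r1, r2 = rule_one(dex), rule_two(dex)
    verdict = (r1 and r2) if require_both else (r1 or r2)
    return {"rule_one": r1, "rule_two": r2, "repackaged": verdict}


def build_sample(map_types, class_data_offs):
    """Constructed test buffer: header fields, class definitions, Map list only."""
    class_defs_off = 0x70
    map_off = class_defs_off + CLASS_DEF_SIZE * len(class_data_offs)
    buf = bytearray(map_off + 4 + MAP_ITEM_SIZE * len(map_types))
    buf[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", buf, HDR_MAP_OFF, map_off)
    struct.pack_into("<II", buf, HDR_CLASS_DEFS, len(class_data_offs), class_defs_off)
    for i, o in enumerate(class_data_offs):
        struct.pack_into("<I", buf, class_defs_off + CLASS_DEF_SIZE * i + CLASS_DATA_OFF, o)
    struct.pack_into("<I", buf, map_off, len(map_types))
    for i, t in enumerate(map_types):
        struct.pack_into("<H", buf, map_off + 4 + MAP_ITEM_SIZE * i, t)
    return bytes(buf)


if __name__ == "__main__":
    # Offsets are the two sequences used in the text; Map type lists are constructed.
    ordered = build_sample([0x0000, 0x0006, 0x2003, 0x2001, 0x2000, 0x1000],
                           [0x0227, 0x0247, 0x0267, 0x0287])
    shuffled = build_sample([0x0000, 0x0006, 0x2001, 0x2000, 0x2003, 0x1000],
                            [0x0227, 0x0267, 0x0287, 0x0247])
    print(check(ordered))
    print(check(shuffled))
```

To run it against a real file, read classes.dex out of the APK as bytes and pass it to `check`; a truncated or non-DEX input raises `ValueError` rather than returning a verdict.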
In step S2, when the arrangement of the items in the data portion conforms to the repackaging arrangement rule, the computer device determines that the application is a repackaged application.
Specifically, when the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule, the computer device can determine that the application is a repackaged application, that is, a program that has been cracked and recompiled.
In the prior art, an application is usually repackaged by recompiling its executable file. For example, for the APK file shown in Fig. 2, the Apktool tool is usually used to decompile the classes.dex file in the APK file into Smali files, certain modifications are made to the Smali files, and the modified Smali files are then recompiled into Dex.
However, recompiling the executable file in this way usually causes the arrangement of the items in the executable file to change.
According to the solution of the present invention, taking only the executable file of an application as the basis, it is judged whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule that recompiled executable files usually exhibit, thereby determining whether the application is a repackaged application. The solution of the present invention does not need to compare the application with the corresponding genuine application or with an already identified repackaged application, that is, it does not need to collect a large number of genuine applications or identified repackaged applications; whether the application is a repackaged application can be determined from its executable file alone. The solution is simple to implement, easy to operate, involves little work, and places no special requirements on the performance of the computer device.
Fig. 3 is for a preferred embodiment of the invention for determining the device for beating again packet application program in computer equipment Structural schematic diagram.The present embodiment is used to determine the device (hereinafter referred to as " beating again packet determining device ") for beating again packet application program Including detecting the arrangement of the item in the data portion of the executable file for the executable file according only to an application program Whether the device (hereinafter referred to as " detection device 1 ") of beating again packet arranging rule is met, and for when the item in data portion Arrangement meets when beating again packet arranging rule, determines to attach most importance to for program and is packaged the device of application program (hereinafter referred to as " first determines Device 2 ").
Detection device 1 detects in the data portion of the executable file according only to the executable file of an application program The arrangement of item whether meet and beat again packet arranging rule.
Wherein, the application program is preferably suitable for open system.It is highly preferred that the application program is suitable for Android system.
Wherein, the executable file is the file that can be loaded and be executed by operating system;Preferably, described executable File is DEX file.As an example, Fig. 2 shows the APK of Android application program (Android Package, Android peaces Dress packet) file a kind of bibliographic structure, the executable file can be classes.dex file shown in it.In Fig. 2, Res is the catalogue for storing resource file, and the layout file under res catalogue is to be compiled as screen layout (or one of screen Point) XML file, the drawable under res catalogue is for storing resource file;META-INF is to create when generating jar file File, the MANIFEST.MF file under the catalogue is for describing relevant information such as attribute information of jar file etc., CERT.SF It is APK signature file with CERT.RSA file;Resources.arsc is the Binary Resources file after compiling, AndroidManifest.xml is program global configuration file, and classes.dex is the executable file of Android application program.
An executable file may include a file header, followed by a data directory and a data portion. The file header may include check information and the offset addresses and lengths of the other structures in the executable file; the data directory may include data index information; and the data portion may include the data that the indexes in the data directory point to. As an example, Fig. 3 shows a structure of a DEX file. The DEX file includes a file header (header); a data directory made up of the string list (String Table), type list (Type Table), function prototype list (Proto Table), variable list (Field Table), function list (Method Table) and class definition list (Class Definition Table); and a data portion (Data). The data portion includes a data section (Data Section) and a Map section (Map Section). The data section includes annotation items (annotation item), code items (code item), annotation directories (annotation directory), interfaces (interface), parameters (parameter), strings (string), debug items (debug item), annotation sets (annotation set), static values (static value), class data (class data) and so on. The Map section includes the Map list (Map List).
The items in the data portion may include any item contained in the data portion of the executable file; preferably, they include the items (Item) contained in the data portion of a DEX file, such as a Map_Item in the Map section or a Class_Def_Item in the data section.
The repackaging arrangement rule may include any rule that indicates an arrangement of items peculiar to repackaged applications; preferably, the repackaging arrangement rule includes at least one of the following:
1) Rule one: a predetermined item exists in the data portion, and the predetermined item is at a predetermined position.
The predetermined item is a designated item in the data portion. The predetermined position indicates a designated position in the data portion; preferably, the predetermined position corresponds to multiple consecutive bits or bytes in the data portion; more preferably, a data address in the executable file can be used to indicate the predetermined position, for example 0x238 may denote the predetermined position, that is, 0x238 is the base address of the predetermined position.
Preferably, the predetermined item includes an item in the Map list of the data portion. More preferably, the predetermined item is TYPE_DEBUG_INFO_ITEM; and when the predetermined item is TYPE_DEBUG_INFO_ITEM, the predetermined position can be the position of the penultimate Map_Item in the Map list.
2) Rule two: the ordering of the class definition items in the data portion does not conform to a predetermined ordering rule. Preferably, rule two includes: the offset values of the class definition items in the data portion are out of order.
The class definition items include the definition item of any class used in the executable file; preferably, a class definition item is a Class_Def_Item contained in the data portion of a DEX file.
The predetermined ordering rule includes any predetermined rule for ordering the class definition items. For example, the predetermined ordering rule is: the class definition items are arranged in alphabetical order of the class names, and the offset values of the class definition items are sorted from smallest to largest.
It should be noted that the repackaging arrangement rules above are only examples and do not limit the invention. Those skilled in the art will understand that any rule indicating an arrangement peculiar to repackaged applications falls within the repackaging arrangement rule of the invention.
The following explains, for the case where the repackaging arrangement rule includes rule one above, how detection device 1 detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule one.
Specifically, the ways in which detection device 1 can detect, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule one include but are not limited to:
1) Detection device 1 includes a first lookup device (not shown), a second determining device (not shown) and a third determining device (not shown). The first lookup device searches for the predetermined item in the data portion of the executable file. The second determining device determines that the arrangement of the items conforms to rule one when the predetermined item is found and its position is the predetermined position. The third determining device determines that the arrangement of the items does not conform to rule one when the predetermined item cannot be found, or when the predetermined item is found but its position is not the predetermined position.
For example, rule one is: the predetermined item TYPE_DEBUG_INFO_ITEM exists in the data portion of the executable file, and the predetermined item is located at the position of the penultimate Map Item in the Map list. The first lookup device searches for the predetermined item in the data portion of the DEX file. When the predetermined item is found and its position is that of the penultimate Map Item in the Map list, the second determining device determines that the arrangement of the predetermined item conforms to rule one. When the predetermined item cannot be found, or when its position is anywhere other than that of the penultimate Map Item in the Map list, the third determining device determines that the arrangement of the predetermined item does not conform to rule one.
The first lookup device can find the predetermined item by searching the data portion for the type code (Type Code) that corresponds to the predetermined item.
For example, if the predetermined item is TYPE_DEBUG_INFO_ITEM in the Map list and its type code is 0x2003, the first lookup device can find TYPE_DEBUG_INFO_ITEM by searching the data portion of the DEX file for the item whose Type Code is 0x2003.
2) Detection device 1 includes a second lookup device (not shown), a fourth determining device (not shown) and a fifth determining device (not shown). The second lookup device locates the predetermined position in the data portion. The fourth determining device determines that the arrangement of the items conforms to rule one when the predetermined item is present at the predetermined position. The fifth determining device determines that the arrangement of the items does not conform to rule one when the predetermined item is not present at the predetermined position.
For example, rule one is: the predetermined item TYPE_DEBUG_INFO_ITEM exists in the data portion of the executable file, and the predetermined item is located at the position of the penultimate Map Item in the Map list. The second lookup device locates the position of the penultimate Map Item of the Map list in the data portion. When the Type Code at that position is 0x2003 (the type code of TYPE_DEBUG_INFO_ITEM), the fourth determining device determines that the arrangement of the predetermined item conforms to rule one. When the Type Code at that position is not 0x2003, the fifth determining device determines that the arrangement of the predetermined item does not conform to rule one.
The second lookup device can obtain, from the file header of the executable file, the data base address of the list that contains the predetermined item, and from it calculate the predetermined position.
For example, the second lookup device can first obtain the Map data base address (map_off) from the file header of the executable file, then read the number of Map Items in the Map list according to that base address, and thereby calculate the position of the penultimate Map Item of the Map list.
It should be noted that the examples above only illustrate the technical solution of the invention and do not limit it. Those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule one falls within the scope of the invention.
It should be noted that when the repackaging arrangement rule includes only rule one, a determination by detection device 1 that the arrangement of the items in the data portion of the executable file conforms to rule one is equivalent to a determination that the arrangement conforms to the repackaging arrangement rule, and a determination that the arrangement does not conform to rule one is equivalent to a determination that the arrangement does not conform to the repackaging arrangement rule.
The following explains, for the case where the repackaging arrangement rule includes rule two above, how detection device 1 detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule two.
Specifically, the ways in which detection device 1 can detect, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule two include but are not limited to:
1) Detection device 1 includes a sub-detection device (not shown), an iteration device (not shown) and a sixth determining device (not shown). The sub-detection device detects the difference between the offset values of the current two adjacent class definition items. The iteration device, when the difference is less than zero, takes the next two adjacent class definition items as the current two adjacent class definition items and triggers the sub-detection device to repeat its operation. The sixth determining device determines that the arrangement of the items conforms to rule two when the difference is greater than zero.
For example, the sub-detection device first obtains the offset values of the first and second class definition items and detects the difference between the offset values of these two adjacent class definition items. When the difference is less than zero, the iteration device takes the second and third class definition items as the current two adjacent class definition items and, after the offset value of the third class definition item has been obtained, triggers the sub-detection device to repeat its operation and detect the difference between the offset values of the second and third class definition items. This is repeated until a difference greater than zero is found between the offset values of two adjacent class definition items, or until the differences between the offset values of all pairs of adjacent class definition items have been checked.
It should be noted that when the differences between the offset values of all pairs of adjacent class definition items have been checked and all of the detected differences are less than zero, detection device 1 determines that the arrangement of the items does not conform to rule two.
A class definition item indicates the definition, in the data portion, of a class used by the application; preferably, the class definition item is a Class_Def_Item in the class data of the data section of the DEX file's data portion.
The offset value indicates the offset of the start of the class definition item from the file header of the executable file. Preferably, in a DEX file, the class data offset (Class_Data_Off) of a class definition item can be taken directly as the offset value of that class definition item. More preferably, the sub-detection device can use the base address of the class definition list, read from the file header of the DEX file, to obtain the class data offset of a class definition item as the offset value of that item.
For example, from the class definition list base address 0x0110, the sub-detection device calculates the base address of the offset value of the first class definition item as 0x0110 + 0x0018 = 0x0128, and reads the class data offset of the first class definition item from that calculated base address as the offset value of that item, where 0x0018 is a fixed value that can be determined in advance.
It should be noted that the ordering of the offset values of the class definition items in a repackaged application is often inconsistent with that in a legitimate application: in a legitimate application the offset values of the class definition items are sorted from smallest to largest, whereas in a repackaged application the difference between the offset values of two adjacent class definition items can be greater than zero.
2) Detection device 1 includes a reading device (not shown), a seventh determining device (not shown) and an eighth determining device (not shown). The reading device reads the offset value of each class definition item. The seventh determining device is used so that, when the offset values of the class definition items are arranged in order, the computer equipment determines that the arrangement of the items does not conform to rule two. The eighth determining device is used so that, when the offset values are out of order, the computer equipment determines that the arrangement of the items conforms to rule two.
For example, the data portion of a DEX file includes 4 class definition items, and the reading device reads their offset values as, in sequence: 0x0227, 0x0247, 0x0267, 0x0287. The seventh determining device determines that these offset values are arranged in order, and therefore determines that the arrangement of the items does not conform to rule two.
As another example, the data portion of a DEX file includes 4 class definition items, and the reading device reads their offset values as, in sequence: 0x0227, 0x0267, 0x0287, 0x0247. The eighth determining device determines that these offset values are out of order, and therefore determines that the arrangement of the items conforms to rule two.
It should be noted that the examples above only illustrate the technical solution of the invention and do not limit it. Those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to rule two falls within the scope of the invention.
It should be noted that when the repackaging arrangement rule includes only rule two, a determination by detection device 1 that the arrangement of the items in the data portion of the executable file conforms to rule two is equivalent to a determination that the arrangement conforms to the repackaging arrangement rule, and a determination that the arrangement does not conform to rule two is equivalent to a determination that the arrangement does not conform to the repackaging arrangement rule.
It should be noted that when the repackaging arrangement rule includes both rule one and rule two above, detection device 1 can determine that the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule only when the arrangement conforms to rule one and rule two at the same time; alternatively, detection device 1 can determine that the arrangement conforms to the repackaging arrangement rule when the arrangement conforms to either rule one or rule two.
It should be noted that the examples above only illustrate the technical solution of the invention and do not limit it. Those skilled in the art should understand that any implementation that detects, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule falls within the scope of the invention.
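The rule one check on the Map list and the rule two check on the class definition offsets, written out in Python. This is an added example, not code from the patent: it assumes a little-endian DEX image and takes the header field positions (map_off at 0x34, class_defs_size at 0x60, class_defs_off at 0x64) from the published DEX format. The function names and the two sample images are constructed for illustration, and skipping class definition items whose class data offset is 0 is an assumption added here.

```python
import struct

# Field positions from the published DEX format (little-endian assumed).
MAP_OFF_FIELD = 0x34           # header: map_off
CLASS_DEFS_SIZE_FIELD = 0x60   # header: class_defs_size
CLASS_DEFS_OFF_FIELD = 0x64    # header: class_defs_off
CLASS_DEF_ITEM_SIZE = 0x20     # bytes per Class_Def_Item
CLASS_DATA_OFF_FIELD = 0x18    # Class_Data_Off inside an item (0x0018 in the text)
MAP_ITEM_SIZE = 12             # u16 type, u16 unused, u32 size, u32 offset
TYPE_DEBUG_INFO_ITEM = 0x2003  # type code quoted in the text


class DexFormatError(ValueError):
    """Raised when the buffer cannot be parsed as a DEX image."""


def _read(dex, fmt, off):
    # Bounds-checked read so a truncated or hostile file fails cleanly.
    size = struct.calcsize(fmt)
    if off < 0 or off + size > len(dex):
        raise DexFormatError(f"read of {size} bytes at {off:#x} is out of bounds")
    return struct.unpack_from(fmt, dex, off)[0]


def map_item_types(dex):
    """Type codes of the Map list entries, in file order."""
    if dex[:4] != b"dex\n":
        raise DexFormatError("missing DEX magic")
    map_off = _read(dex, "<I", MAP_OFF_FIELD)
    count = _read(dex, "<I", map_off)
    first = map_off + 4  # entries follow the u32 entry count
    return [_read(dex, "<H", first + i * MAP_ITEM_SIZE) for i in range(count)]


def class_data_offsets(dex):
    """Class_Data_Off of every Class_Def_Item, in class definition list order."""
    count = _read(dex, "<I", CLASS_DEFS_SIZE_FIELD)
    base = _read(dex, "<I", CLASS_DEFS_OFF_FIELD)
    return [_read(dex, "<I", base + i * CLASS_DEF_ITEM_SIZE + CLASS_DATA_OFF_FIELD)
            for i in range(count)]


def meets_rule_one(dex):
    """Rule one: TYPE_DEBUG_INFO_ITEM is the penultimate Map list entry."""
    types = map_item_types(dex)
    return len(types) >= 2 and types[-2] == TYPE_DEBUG_INFO_ITEM


def meets_rule_two(dex):
    """Rule two: some adjacent pair of offset values is out of ascending order."""
    # Assumption added here: an offset of 0 means "no class data", so skip it.
    offs = [o for o in class_data_offsets(dex) if o != 0]
    # Difference taken as earlier minus later; greater than zero means disorder.
    return any(earlier - later > 0 for earlier, later in zip(offs, offs[1:]))


def looks_repackaged(dex, require_both=False):
    """Combine the rules either way the text allows (both, or either one)."""
    results = (meets_rule_one(dex), meets_rule_two(dex))
    return all(results) if require_both else any(results)


def build_sample(map_types, class_offsets, class_defs_off=0x0110):
    """Constructed image holding only a header, class definitions and a Map list."""
    map_off = class_defs_off + len(class_offsets) * CLASS_DEF_ITEM_SIZE
    dex = bytearray(map_off + 4 + len(map_types) * MAP_ITEM_SIZE)
    dex[:8] = b"dex\n035\x00"
    struct.pack_into("<I", dex, MAP_OFF_FIELD, map_off)
    struct.pack_into("<I", dex, CLASS_DEFS_SIZE_FIELD, len(class_offsets))
    struct.pack_into("<I", dex, CLASS_DEFS_OFF_FIELD, class_defs_off)
    for i, off in enumerate(class_offsets):
        field = class_defs_off + i * CLASS_DEF_ITEM_SIZE + CLASS_DATA_OFF_FIELD
        struct.pack_into("<I", dex, field, off)
    struct.pack_into("<I", dex, map_off, len(map_types))
    for i, code in enumerate(map_types):
        struct.pack_into("<H", dex, map_off + 4 + i * MAP_ITEM_SIZE, code)
    return bytes(dex)


# Offsets are the two examples from the text; the Map type lists are constructed.
ORDERED = build_sample([0x0000, 0x0006, 0x2003, 0x2001, 0x1000],
                       [0x0227, 0x0247, 0x0267, 0x0287])
SHUFFLED = build_sample([0x0000, 0x0006, 0x2001, 0x2003, 0x1000],
                        [0x0227, 0x0267, 0x0287, 0x0247])

if __name__ == "__main__":
    for name, image in (("ORDERED", ORDERED), ("SHUFFLED", SHUFFLED)):
        print(name, meets_rule_one(image), meets_rule_two(image),
              looks_repackaged(image, require_both=True))
```

On a real file, pass the bytes of classes.dex read from the APK; a `DexFormatError` means the file was truncated or is not a DEX image, which is worth reporting separately from a rule result.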
When the arrangement of the items in the data portion conforms to the repackaging arrangement rule, the first determining device 2 determines that the application is a repackaged application.
Specifically, when the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule, the first determining device 2 can determine that the application is a repackaged application, that is, a program that has been cracked and recompiled.
In the prior art, an application is usually repackaged by recompiling its executable file. For example, for the APK file shown in Fig. 2, the Apktool tool is typically used to decompile the classes.dex file in the APK into Smali files, certain modifications are made to the Smali files, and the modified Smali files are then recompiled into Dex.
However, recompiling the executable file in this way usually changes the arrangement of the items in the executable file.
According to the solution of the invention, the executable file of an application alone is used to judge whether the arrangement of the items in its data portion conforms to the repackaging arrangement rule that recompiled executable files usually exhibit, and thereby to determine whether the application is a repackaged application. The solution does not need to compare the application with the corresponding legitimate application or with already-identified repackaged applications, and therefore does not need to collect large numbers of legitimate applications or already-identified repackaged applications; whether the application is repackaged can be determined from its executable file alone. The solution is simple to implement and easy to operate, involves little work, and places no special demands on the performance of the computer equipment.
It should be noted that the invention can be implemented in software and/or in a combination of software and hardware; for example, each device of the invention can be implemented with an application-specific integrated circuit (ASIC) or any other similar hardware device. In one embodiment, the software program of the invention can be executed by a processor to carry out the steps or functions described above. Likewise, the software program of the invention (including related data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the invention may be implemented in hardware, for example as a circuit that cooperates with a processor to perform each step or function.
It is obvious to those skilled in the art that the invention is not limited to the details of the exemplary embodiments above, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. The embodiments are therefore to be regarded in every respect as illustrative and not restrictive; the scope of the invention is defined by the appended claims rather than by the description above, and all changes that fall within the meaning and range of equivalents of the claims are intended to be included in the invention. No reference sign in the claims should be construed as limiting the claim concerned. Furthermore, the word "comprising" clearly does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a system claim can also be implemented by a single unit or device through software or hardware. Words such as first and second are used to denote names and do not indicate any particular order.

Claims (18)

1. A method for determining a repackaged application in computer equipment, wherein the method includes the following steps:
a. detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule;
b. when the arrangement of the items in the data portion conforms to the repackaging arrangement rule, determining that the application is a repackaged application;
wherein the items in the data portion denote the Items contained in the data portion of the executable file, and wherein the application does not need to be compared with the corresponding legitimate application or with already-identified repackaged applications.
2. The method according to claim 1, wherein the repackaging arrangement rule includes at least one of the following:
Rule one: a predetermined item exists in the data portion, and the predetermined item is at a predetermined position;
Rule two: the ordering of the class definition items in the data portion does not conform to a predetermined ordering rule.
3. The method according to claim 2, wherein the repackaging arrangement rule includes rule one, and step a includes the following steps:
searching for the predetermined item in the data portion;
when the predetermined item is found and its position is the predetermined position, determining that the arrangement of the items conforms to rule one;
when the predetermined item cannot be found, or when the predetermined item is found but its position is not the predetermined position, determining that the arrangement of the items does not conform to rule one.
4. The method according to claim 2, wherein the repackaging arrangement rule includes rule one, and step a includes the following steps:
locating the predetermined position in the data portion;
when the predetermined item is present at the predetermined position, determining that the arrangement of the items conforms to rule one;
when the predetermined item is not present at the predetermined position, determining that the arrangement of the items does not conform to rule one.
5. The method according to any one of claims 2 to 4, wherein the predetermined item includes an item in the Map list of the data portion.
6. The method according to claim 2, wherein the repackaging arrangement rule includes rule two, and step a includes the following steps:
a1. detecting the difference between the offset values of the current two adjacent class definition items;
a2. when the difference is less than zero, taking the next two adjacent class definition items as the current two adjacent class definition items, and repeating step a1;
a3. when the difference is greater than zero, determining that the arrangement of the items conforms to rule two.
7. The method according to claim 2, wherein the repackaging arrangement rule includes rule two, and step a includes the following steps:
reading the offset value of each class definition item;
when the offset values are arranged in order, determining that the arrangement of the items does not conform to rule two;
when the offset values are out of order, determining that the arrangement of the items conforms to rule two.
8. The method according to any one of claims 1 to 4, wherein the application is suited to the Android system.
9. The method according to claim 8, wherein the executable file is a dex file.
10. A device for determining a repackaged application in computer equipment, wherein the device includes the following devices:
a device for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to a repackaging arrangement rule;
a device for determining that the application is a repackaged application when the arrangement of the items in the data portion conforms to the repackaging arrangement rule;
wherein the items in the data portion denote the Items contained in the data portion of the executable file, and wherein the application does not need to be compared with the corresponding legitimate application or with already-identified repackaged applications.
11. The device according to claim 10, wherein the repackaging arrangement rule includes at least one of the following:
Rule one: a predetermined item exists in the data portion, and the predetermined item is at a predetermined position;
Rule two: the ordering of the class definition items in the data portion does not conform to a predetermined ordering rule.
12. The device according to claim 11, wherein the repackaging arrangement rule includes rule one, and the device for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule includes the following devices:
a device for searching for the predetermined item in the data portion;
a device for determining that the arrangement of the items conforms to rule one when the predetermined item is found and its position is the predetermined position;
a device for determining that the arrangement of the items does not conform to rule one when the predetermined item cannot be found, or when the predetermined item is found but its position is not the predetermined position.
13. The device according to claim 11, wherein the repackaging arrangement rule includes rule one, and the device for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule includes the following devices:
a device for locating the predetermined position in the data portion;
a device for determining that the arrangement of the items conforms to rule one when the predetermined item is present at the predetermined position;
a device for determining that the arrangement of the items does not conform to rule one when the predetermined item is not present at the predetermined position.
14. The device according to any one of claims 11 to 13, wherein the predetermined item includes an item in the Map list of the data portion.
15. The device according to claim 11, wherein the repackaging arrangement rule includes rule two, and the device for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule includes the following devices:
a device for detecting the difference between the offset values of the current two adjacent class definition items;
a device for, when the difference is less than zero, taking the next two adjacent class definition items as the current two adjacent class definition items and triggering the device for detecting the difference to repeat its operation;
a device for determining that the arrangement of the items conforms to rule two when the difference is greater than zero.
16. The device according to claim 11, wherein the repackaging arrangement rule includes rule two, and the device for detecting, based solely on the executable file of an application, whether the arrangement of the items in the data portion of the executable file conforms to the repackaging arrangement rule includes the following devices:
a device for reading the offset value of each class definition item;
a device for determining that the arrangement of the items does not conform to rule two when the offset values are arranged in order;
a device for determining that the arrangement of the items conforms to rule two when the offset values are out of order.
17. The device according to any one of claims 10 to 13, wherein the application is suited to the Android system.
18. The device according to claim 17, wherein the executable file is a dex file.
Priority Applications (1)

Application Number: CN201410373867.1A
Priority Date: 2014-07-31
Filing Date: 2014-07-31
Title: Method and apparatus for determining a repackaged application

Publications (2)

Publication Number: CN104216946A, Publication Date: 2014-12-17
Publication Number: CN104216946B, Publication Date: 2019-03-26

Family

ID=52098436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410373867.1A Active CN104216946B (en) 2014-07-31 2014-07-31 A kind of method and apparatus for beating again packet application program for determination

Country Status (1)

Country Link
CN (1) CN104216946B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317599B (en) * 2014-10-30 2017-06-20 北京奇虎科技有限公司 Whether detection installation kit is by the method and apparatus of secondary packing
US10547626B1 (en) * 2016-02-08 2020-01-28 Palo Alto Networks, Inc. Detecting repackaged applications based on file format fingerprints
CN108255695A (en) * 2016-12-29 2018-07-06 武汉安天信息技术有限责任公司 APK beats again the detection method and system of packet
CN108173906A (en) * 2017-12-07 2018-06-15 东软集团股份有限公司 Installation kit method for down loading, device, storage medium and electronic equipment
CN110390185B (en) * 2018-04-20 2022-08-09 武汉安天信息技术有限责任公司 Repackaging application detection method, rule base construction method and related device
CN108829406B (en) * 2018-06-13 2022-10-14 珠海豹趣科技有限公司 Installation package packaging method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1862493A (en) * 2005-05-12 2006-11-15 施乐公司 Method for creating unique identification for copies of executable code and management thereof
CN101042657A (en) * 2006-03-22 2007-09-26 北京握奇数据系统有限公司 Building method and apparatus for application program with safety requirement
CN101119373A (en) * 2007-09-04 2008-02-06 北京大学 Gateway stream type virus scanning method and system
CN102663286A (en) * 2012-03-21 2012-09-12 奇智软件(北京)有限公司 Method and device for identifying virus APK (android package)
CN103473346A (en) * 2013-09-24 2013-12-25 北京大学 Android re-packed application detection method based on application programming interface

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9501644B2 (en) * 2010-03-15 2016-11-22 F-Secure Oyj Malware protection

Also Published As

Publication number Publication date
CN104216946A (en) 2014-12-17

Similar Documents

Publication Publication Date Title
CN104216946B (en) Method and apparatus for determining a repackaged application program
US9798648B2 (en) Transitive source code violation matching and attribution
Scanniello et al. Clustering support for static concept location in source code
KR101106595B1 (en) Method and apparatus for automated testing for software program
US20140279787A1 (en) Systems And Methods for an Adaptive Application Recommender
Pradel et al. EventBreak: Analyzing the responsiveness of user interfaces through performance-guided test generation
US20170132638A1 (en) Relevant information acquisition method and apparatus, and storage medium
US9201964B2 (en) Identifying related entities
CN103597469A (en) Live browser tooling in an integrated development environment
US9471362B2 (en) Correlating hypervisor data for a virtual machine with associated operating system data
CN104933171B (en) Interest point data association method and device
WO2014190427A1 (en) Identifying client states
CN103077254A (en) Webpage acquiring method and device
CN110069693A (en) Method and apparatus for determining target pages
CN109542295A (en) The linkage of page viewing area shows method, electronic equipment and storage medium
Buinevich et al. Method for partial recovering source code of telecommunication devices for vulnerability search
Peng et al. Graph-based ajax crawl: Mining data from rich internet applications
US10346450B2 (en) Automatic datacenter state summarization
CN103678510A (en) Method and device for providing visualized label for webpage
US9880925B1 (en) Collecting structured program code output
US11221881B2 (en) Computer resource leak detection
JP5875961B2 (en) Source code similarity evaluation program, source code similarity evaluation apparatus, and computer-readable storage medium
JP5462713B2 (en) Web page collection apparatus, method, and program
JP2018506783A (en) Generating element identifiers
CN110347577B (en) Page testing method, device and equipment thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant