CN106203006A

CN106203006A - Android application reinforcement means based on dex Yu so file Dynamic Execution

Info

Publication number: CN106203006A
Application number: CN201610787151.5A
Authority: CN
Inventors: 文伟平
Original assignee: Beijing Devsource Technology Co Ltd
Current assignee: Beijing Devsource Technology Co Ltd
Priority date: 2016-08-31
Filing date: 2016-08-31
Publication date: 2016-12-07

Abstract

The invention discloses a kind of Android application reinforcement means, described reinforcement means Dynamic Execution based on dex Yu so file, by encryption method, the key code in Android application program is reinforced so that Android application code is protected；Described reinforcement means includes ciphering process and decrypting process, including: by ciphering process, the key code in Android application program is reinforced；It is decrypted when Dynamic Execution Android application program；The decryption function C Plus Plus of core dex is write by the inventive method, increase the difficulty of its decompiling, presented in dynamic link library and be encrypted, be equivalent to core dex double-encryption, the key code of dynamic link library has been also carried out encryption, decrypting process has broken away from JNI call-by mechanism so that decrypting process all will not be carried out at the plaintext so file after hard disk leaves deciphering in internal memory.The inventive method has higher safety.

Description

Android application reinforcement means based on dex Yu so file Dynamic Execution

Technical field

The present invention relates to field of information security technology, particularly relate to a kind of based on dex Yu so file Dynamic Execution Android application reinforcement means.

Background technology

The mobile phone operating system of increasing income that Android is google company to be released in 2007, due to its powerful function and Customization capability flexibly so that it is the most just leap to the first place of the operation system of smart phone market share, according to famous city The latest data of field research institution IDC shows, the third season in 2015, and the market share of android system smart mobile phone is up to 84.7%, far surpass other system.

Although android system has just fully taken into account safety problem at the beginning of design, but along with it is extensively applied, many Potential safety problem the most little by little comes out, and the research to its safety starts to get more and more people's extensive concerning.Due to The programming language that Android platform software uses is Java, and the binary code after Java source code compiling is easily compiled by counter Translate, cause it to crack the program that difficulty uses compiled language to write much smaller than other.Although Android 2.3 adds later Code obfuscation mechanism, but by reverse-engineering, the code that its api class is not gone up is still and is difficult to hide, for assailant, cracks Probability is still the biggest.

More existing Android application program reinforcement means, the method mostly using static treatment, i.e. to dex file Carry out some amendments and increase the difficulty of attack.This reinforcement means only increases code reading difficulty.Or adjust based on JNI By mechanism, by encrypting former so file, use shell side sequence to load and decrypted original so file, indirectly call the function of former so file. But, due to based on the JNI call-by mechanism program, inevitably hard disk of short duration leave deciphering after plaintext so literary composition Part, assailant uses Hook system API, automatized script can crack this scheme easily.Therefore assailant still can obtain Code to program, it is impossible to ensure the safety of application program.

Summary of the invention

In order to overcome above-mentioned the deficiencies in the prior art, the labor of the present invention system architecture of Android, program knot The reverse threat that structure, program execution mechanism and Android platform software face, based on classes.dex file dynamic load, Utilize so storehouse to decipher dex file Scheme of Strengthening, propose and achieve one to make so storehouse depart from the dependence of JNI call-by mechanism, thus The encryption and decryption of so file is completed, it is ensured that do not have the generation of interim so file, ensureing can not be by mapping table in internal memory in internal memory The Scheme of Strengthening with greater security of so core code that method for cutting obtains.

Present invention provide the technical scheme that

A kind of Android application reinforcement means based on dex Yu so file Dynamic Execution, by binary stream encryption method Key code in Android application program is reinforced so that Android application code is protected；Described add Solid method includes ciphering process and decrypting process, specifically includes following steps:

A. ciphering process is realized by Software hardening design module:

Software hardening design module is the reinforcing module for Android application program, by binary stream encryption method pair Android

Key code in application program is reinforced；

A1. decoder software main part apk file, extracts its classes.dex file；

One Android application program (software) can be packaged into an APK file, carries out decompressing permissible for APK file Obtain dex file, assets file, arsc file etc.；Wherein classes.dex comprises is to perform literary composition in Android platform The type of part；

A2. Core Feature partial code is compiled into independent apk file and it is encrypted；

Code is analyzed obtaining by Core Feature partial code according to after extracting classes.dex file, usually, Core code is the program oneself write rather than the system quoted or the code of external libraries；

A3. the apk file after encryption is written to the end of the classes.dex file of software agent part, and at literary composition Part afterbody adds the size of encryption data, finds the original position of Core Feature partial code during in order to decipher；

Compiling of application can obtain the numerical value of the size of this file after becoming independent apk file, is encryption number According to size；

A4. the value of checksum, signature and file_size field of classes.dex file is recalculated.Point Do not calculate the value after the change of these fields, replace checksum, signature and file_size field of original position Value, replaces the content of original position；

A5. amended classes.dex file is put back in software agent part apk bag, use in Android SDK Program is signed by the signature instrument provided；

A6. read so library file (being assumed to be a.so) to be reinforced, resolution file information, obtain the skew of function to be encrypted Address and size, and at function end to be encrypted, write decryDEX () decryption function, the dex literary composition after deciphering encryption Part, recalculates the size of function to be encrypted and fills in；Specifically, the numerical value in amendment decryption function, namely will originally treat Numerical value in encryption function is revised as the numerical value after changing, and this numerical value is the size of function to be encrypted；

A7. treat encryption function and carry out XOR encryption；

A8. resolve the file header of so library file, revise top of file partial words segment value, including so file size, so file The offset address of middle function；

A9. calculate the MD5 value of so library file, and be written into end of file；

A10. the .init_array in so file joint code segment in add running environment detection, antagonism dynamic debugging, MD5 completeness check, and the code that so file is decrypted.

B. start Dynamic Execution Android application program when being decrypted, perform following operation:

B1. software agent part reads classes.dex file from the apk file of self, at classes.dex file Afterbody obtains the length of encryption data, calculates the original position of encryption data according to encrypted data length, thus reads and obtain Encryption data；

B2. calling loadLibrary system function and load a.so, this stage, loadLibrary can load shared library (i.e. So file a.so in embodiment), control pass to dynamic linker Linker, Linker can check that top of file is legal Property, read in the various data structures of correspondence respectively according to the data of head, and the section of all PT_LOAD attributes is loaded onto properly Address space, then in shared library chained list, distribute a soinfo node for this storehouse and fill its data structure, performing mark The code of the joint being designated as .init .init_array carries out code initial work, if there is JNI_OnLoad function, performing should Code；(.init_array process can decipher encryption function)；

B3. call decryDEX () deciphering and obtain the apk of Core Feature part；

B4. the DexClassLoader class provided by Android API, to Core Feature part code (Core Feature portion Point apk) carry out reflection and call, thus realize the dynamic load of Core Feature partial code；

B5., after having called, delete Core Feature part apk file, thus avoid Core Feature partial code to be exposed to Among internal system storage, the person of being hacked obtains.

Compared with prior art, the invention has the beneficial effects as follows:

More existing Android application program reinforcement means, the method mostly using static treatment, i.e. to dex file Carry out some amendments and increase the difficulty of attack, or based on JNI call-by mechanism, by encrypting former so file, use shell side sequence Load and decrypted original so file, indirectly call the function of former so file.But, due to based on the JNI call-by mechanism program, can not Avoid can hard disk of short duration leave deciphering after plaintext so file, assailant uses Hook system API, the automatized script can To crack this scheme easily.The reinforcement means that the present invention provides is encrypted protection to core dex, the deciphering to core dex Function C Plus Plus is write, and adds the difficulty of its decompiling, presented in dynamic link library and be also carried out adding Close.Be equivalent to, to core dex double-encryption, the key code of dynamic link library has been also carried out encryption.And decrypting process is put Take off JNI call-by mechanism so that decrypting process all will not enter at the plaintext so file after hard disk leaves deciphering in internal memory OK, it is to avoid the person of being hacked obtains.The inventive method ensure that does not has the generation of interim so file, ensureing can not be by internal memory So core code that mapping table method for cutting obtains, is the Scheme of Strengthening with greater security.

Accompanying drawing explanation

Fig. 1 is the FB(flow block) that the present invention provides method；

Wherein, A is to extract dex file Core Feature part and be compiled into an independent apk file, and by its write literary composition Part classes.dex tail of file；B is write by the apk file decryption function that this is independent in so file to be reinforced to be added Compact part divides and encrypts this partial code；C is the relevant code loading so file of software agent write at dex, and calculates The value of checksum, signature and file_size field of classes.dex file also replaces the content of original position；D is Reading classes.dex tail of file, perform so file in dex main body, deciphering classes core is properly functioning.

Detailed description of the invention

Below in conjunction with the accompanying drawings, further describe the present invention by embodiment, but limit the model of the present invention never in any form Enclose.

The present invention provides a kind of Android application reinforcement means based on dex Yu so file Dynamic Execution, and Fig. 1 is this The FB(flow block) of bright offer method, comprises the steps:

A. Software hardening design module:

A1. decoder software main part apk file, extracts its classes.dex file；

A4. the value of checksum, signature and file_size field of classes.dex file is recalculated.Point Do not calculate the value after the change of these fields, replace the content of original position i.e.；

A5. amended classes.dex file is put back in software agent part apk bag, use in AndroidSDK Program is signed by the signature instrument provided；

A6. read so library file (being assumed to be a.so) to be reinforced, resolution file information, obtain the skew of function to be encrypted Address and size also write decryDEX () decryption function dex file after deciphering encryption at close function end of waiting for the right price, Recalculate the size of function to be encrypted and fill in；

A7. treat encryption function and carry out XOR encryption；

A8. resolution file head, revises top of file partial words segment value；

A9. the MD5 value of calculation document, and it is written into end of file；

A10. in the code segment of .init_array joint, add running environment detection, antagonism dynamic debugging, MD5 integrity Verification, the decrypted code to the deciphering of so file respective encrypted function.

When B. starting Dynamic Execution Android application program, perform to operate as follows:

B2. calling loadLibrary and load a.so, shared library, control that this stage loadLibrary can load pass Passing dynamic linker Linker, Linker can check that top of file legitimacy, data according to head read in correspondence respectively Various data structures, and the section of all PT_LOAD attributes is loaded onto suitable address space, then it is that this storehouse is at shared library chain Distributing a soinfo node in table and fill its data structure, execution flag is the code of the joint of .init .init_array Carrying out code initial work, if there is JNI_OnLoad function, performing this code.(.init_array process can decipher encryption Function)

B3. call decryDEX () deciphering and obtain Core Feature part apk；

B4. the DexClassLoader class provided by Android API, is carried out reflection and adjusts Core Feature part code With, thus realize the dynamic load of Core Feature partial code；

Embodiment

The present embodiment is to carry out reinforcing operation, including the anti-debugging step of part for an Android application.This Android application can be for b.apk for reinforcing, through above reinforcing step, permissible with named b.apk B.apk is reinforced, prevents that APK is debugged here and crack, check the source code of software.Embodiment step for this APK As follows, wherein A, step B add as conventional anti-debugging step, and C, D, E step is as the core procedure of above invention Carry out.Shown in comprising the following steps that:

A. simulator is detected:

A1. detection "/dev/socket/qemud ", "/dev/qemu_pipe " the two passage.// judge two passages Whether exist, exist then for simulator access ("/dev/socket/qemud ", 0) access ("/dev/qemu_pipe ", 0)

A2. props is detected.Including: ro.product.model: this value is sdk in simulator, generally at normal handset In be the model of mobile phone；Ro.build.tags: this value is test-keys in simulator, in normal handset is generally release-keys；Ro.kernel.qemu: this value is 1 in simulator, generally not this attribute in normal handset.

The most anti-dynamic debugging:

B1. multi-process uses ptrace, // stop the additional ptrace of debugged device (PTRACE_TRACEME, 0,0,0)；

B2. proc/xxx/task and proc/xxx/status is detected；Under default situations in status TracerPid value is 0, if not 0, then program is in debugged state.

The most self-defined so library file ELF header fileinfo

Each field in ELF header portion is as follows: typedef struct{unsigned char e_ident [16]；Elf32_ Half e_type；Elf32_Half e_machine；Elf32_Word e_version；Elf32_Addr e_entry； Elf32_Off e_phoff；Elf32_Off e_shoff；Elf32_Word e_flags；Elf32_Half e_ehsize； Elf32_Half e_phentsize；Elf32_Half e_phnum；Elf32_Half e_shentsize；Elf32_Half e_shnum；Elf32_Half e_shstrndx；}Elf32_Ehdr；

By to the analysis of the loading procedure of dynamic base under Android platform, find that many fields do not use.Amendment These field values do not interfere with the normal use of dynamic base yet.But, use the static analysis tools such as readelf, IDA time Wait, if these field value mistakes, static analysis failure can be caused.Technical solution of the present invention utilizes this characteristic, revises partial words Section, reaches prevention program by the purpose of static analysis.Specifically include: 1) revise 9 bytes after e_ident field.2) amendment e_ Type, e_machine, e_version, e_flag field.3) amendment e_shoff, e_shentsize, e_shnum, e_ Shstrndx field.

D.so specific function is encrypted

D1. read file header, obtain e_phoff, e_phentsize and e_phnum information.

D2. by the p_type field in Elf32_Phdr, DYNAMIC is found.DYNAMIC is exactly .dynamic in fact Section, this is a section in so file.The original position file and length is obtained from p_offset and p_filesz field Degree.

D3. travel through .dynamic, find the skew in .dynsym .dynstr .hash section file and .dynstr size.Under my test environment, in Fedora 14 and Windows 7Cygwin x64, elf.h defines .hash D_tag indicate be: DT_GNU_HASH；And in Android source code: DT_HASH.

D4. according to function name, calculate hash value, obtain offset address and the size of function to be encrypted further.

D5. according to hash value, the bucket of subscript hash%nbuckets is found；According to the value in bucket, read The Elf32_Sym symbol of the manipulative indexing in .dynsym；From the st_name of symbol so finding word corresponding among .dynstr Symbol string function name compares.If then looking for next Elf32_Sym symbol according to chain [hash%nbuckets], Until finding or chain is terminated, code is as follows:

For (i=bucket [funHash%nbucket]；i！=0；I=chain [i]) { if (strcmp (dynstr+ (funSym+i)-> st_name, funcName)==0) { flag=0；break；}}

D6., after finding the Elf32_Sym symbol that function is corresponding, letter can be found according to st_value and st_size field The position of number and size.

D7. will need encryption region be encrypted, use XOR encryption method, i.e. inversion operation: * content=～ (*content)。

E. deciphering flow process is encryption inverse process, is substantially the same, only some trickle differences, specific as follows:

E1. so file initial address in internal memory is found.

E2. Phdr is found by so file header；After Phdr finds PT_DYNAMIC, p_vaddr and p_filesz need to be taken Field.

Subsequent step is identical with the encryption (inversion operation) in D7 step.Thus complete the reinforcing to application.

It should be noted that publicizing and implementing the purpose of example is that help is further appreciated by the present invention, but the skill of this area Art personnel are understood that various substitutions and modifications are all without departing from the present invention and spirit and scope of the appended claims Possible.Therefore, the present invention should not be limited to embodiment disclosure of that, and the scope of protection of present invention is with claim Book defines in the range of standard.

Claims

1. an Android application reinforcement means, described reinforcement means Dynamic Execution based on dex Yu so file, by encryption Key code in Android application program is reinforced by method so that Android application code is protected；Institute State reinforcement means and include ciphering process and decrypting process, specifically include following steps:

A) by ciphering process, the key code in Android application program is reinforced, execution following steps:

A1. decompression Android application program main part apk file, extracts classes.dex file therein；

A2. Android application program Core Feature partial code is compiled into independent apk file and this apk file is carried out Encryption；

A3. the apk file after encryption is written to the classes.dex file of Android application program main part in A1 End, and the size of encryption data is added at described classes.dex tail of file, find Core Feature part when being used for deciphering The original position of code；

A4. recalculate the value of checksum, signature and file_size field of classes.dex file, replace former The value of the respective field of position, obtains amended classes.dex file；

A5. amended classes.dex file is put back in described application software main part apk bag, then to described Application program is signed；

A6. read so library file to be reinforced, obtained offset address and the size of function to be encrypted by resolution file information, and DecryDEX () decryption function, the dex file after deciphering encryption is write at function end to be encrypted；Recalculate and obtain The value of the size of the function to be encrypted after change, and after the size modification in original function to be encrypted is described change The value of the size of function to be encrypted；

A7. described function to be encrypted is carried out XOR encryption；

A8. resolve the file header of so library file, revise top of file partial words segment value, including letter in so file size, so file The offset address of number；

A9. calculate the MD5 value of so library file, described MD5 value is write the end of described so library file；

A10. add running environment detection in the code segment of the joint of the .init_array in described so library file, antagonism is dynamically adjusted Examination, MD5 completeness check and the code that so library file is decrypted；

B., when Dynamic Execution Android application program is decrypted, perform to operate as follows:

The most described Android application program main part reads classes.dex file from the apk file of self, from Classes.dex tail of file obtains the length of encryption data, is calculated the original position of encryption data, thus reads and obtain Encryption data；

B2. described so library file is loaded；

B3. call decryDEX () decryption function to be decrypted, obtain the apk of Core Feature part；

B4. the DexClassLoader class provided by Android API, is carried out instead the apk of Core Feature part described in B3 Penetrate and call, thus realize the dynamic load of Core Feature partial code；

B5., after having called, delete Core Feature part apk file, thus avoid Core Feature partial code to be exposed to system Among storage inside, the person of being hacked obtains.

2. Android application reinforcement means as claimed in claim 1, is characterized in that, ciphering process described in step A uses binary system Stream encryption method.

3. as claimed in claim 1 Android application reinforcement means, is characterized in that, step A8) described part field includes e_ Ident field, e_type field, e_machine field, e_version field, e_flag field, e_shoff field, e_ Shentsize field, e_shnum field and e_shstrndx field.

4. Android application reinforcement means as claimed in claim 1, is characterized in that, step B2 is by calling loadLibrary system System function loads described so library file, specifically includes following steps:

LoadLibrary loads shared library so library file, and control passes to dynamic linker Linker；

Dynamic linker Linker checks so library file head legitimacy, reads in the data knot of correspondence respectively according to header data Structure, and the section of all PT_LOAD attributes is loaded onto suitable address space；

Distributing a soinfo node in shared library chained list for this so library file and fill its data structure, execution flag is .init；

The code of joint .init_array carries out code initial work；

When there is JNI_OnLoad function, performing this code, deciphering encryption function.