CN107273723B - So file shell adding-based Android platform application software protection method - Google Patents


Info

Publication number
CN107273723B
CN107273723B
Authority
CN
China
Prior art keywords
file
protected
shell
key
linker
Prior art date
Legal status
Active
Application number
CN201710324703.3A
Other languages
Chinese (zh)
Other versions
CN107273723A (en)
Inventor
凌捷
林擎宇
谢锐
周喨
罗玉
龚怡
Current Assignee
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date
Filing date
Publication date
Application filed by Guangdong University of Technology
Priority to CN201710324703.3A
Publication of CN107273723A
Application granted
Publication of CN107273723B
Legal status: Active

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an Android platform application software protection method based on shell adding of a so file. Fields related to the sections in the so shell file are set to random numbers, so that static decompilation becomes more difficult, and the check fields examined while the protected so file is loaded are set to 0, so that memory dump attacks become more difficult. Finally, the so shell file is loaded as a custom Linker for the protected so file, and after loading is finished all Program headers of the so shell file and of the protected so file are set to 0, which prevents memory dump attacks and attacks that modify the system Linker.

Description

So file shell adding-based Android platform application software protection method
Technical Field
The invention relates to the field of software information security research, in particular to a method for protecting Android platform application software based on so file shell adding.
Background
The Android system is a Linux-based, open-source smartphone operating system launched by Google in November 2007. Since its introduction, the system has swept the global mobile intelligent terminal market thanks to its open-source nature, is supported by a large number of developers and many manufacturers, and has become the most popular mobile terminal operating system. Although the Android platform adopts a multi-level security protection mechanism, because of its defects and its use of the Java language, which is easy to decompile, Android software is still threatened from various directions, the most important threat being reverse attacks. The key parts of the software are cracked through reverse engineering so as to obtain software information or carry out a series of malicious attacks. Reversing Android software generally comprises the following steps: decompiling the software, reading the decompiled code, dynamically debugging it if necessary, injecting or directly modifying the decompiled code once a breakthrough is found, and recompiling the software for testing.
The Java layer of an apk application is easily reversed to obtain the Java source code, whereas a Native-layer program has higher safety: it interacts directly with the CPU (central processing unit), so it is harder to reverse and the program's performance is improved. Because the so file of the Native layer is difficult to decompile statically, most attacks against so files are dynamic debugging and memory dump analysis; the system Linker can even be modified to attack the so file automatically and obtain the decrypted data.
Disclosure of Invention
In order to solve the existing problems, the invention provides an Android platform application software protection method based on so file shell adding. The method modifies a so shell file, encrypts a key function of the protected so file, and uses the so shell file as a custom Linker to load the protected so file, so that static decompilation of the so shell file is resisted and the difficulty of dynamically analyzing the protected so file is increased; in addition, verification against a remote server ensures that the source code is not tampered with, so that the purpose of protecting an Android application program is achieved.
The method for protecting the Android platform application software based on the shell adding of the so file mainly comprises two processes of shell adding and shell removing, and specifically comprises the following steps:
(1) finding out a function in the protected so file, and performing asymmetric encryption by using a key, wherein the key is placed in a server;
(2) after the protected so file is modified, the protected so file is asymmetrically encrypted by using a key, and the key is stored in a server;
(3) embedding the encrypted protected so file into the tail part of the so shell file;
(4) modifying the so shell file;
(5) when the program runs, after the system Linker loads the so shell file, the control right is handed over to the so shell file;
(6) the server returns the key, and the so shell file decrypts the protected so file;
(7) the so shell file imitates a system Linker to load the protected so file, a key is returned from the server to decrypt the function of the protected so file, and the so shell file and the protected so file are modified after the loading is finished;
(8) the protected so file executes the functions of decryption and dynamic loading of the dex file, and hands over control to the source program.
In step (1), the logic of dynamically loading and decrypting the dex file is implemented in the protected so file, and the algorithm for encrypting the function of the protected so file is AES;
in step (2), the check fields examined while the protected so file is loaded are set to 0 and the file is then encrypted, the encryption algorithm being AES;
in step (3), the so shell file implements the Linker operations and the logic for decrypting the so file;
in step (4), the main operation is to set the section-related fields in the so shell file to random numbers;
in step (5), the program ensures that the so shell file is loaded first by the system Linker at run time;
in step (6), the encrypted protected so file is stripped from the so shell file, then decrypted, and its function is decrypted;
in step (7), when the so shell file is used as a custom Linker to load the decrypted protected so file, the file verification operation is skipped, and after loading is finished the Program headers of the so shell file and of the protected so file are all set to 0;
in step (8), after the protected so file is decrypted, the function pointers of openDexFile, getClassNameList and defineClassNative in libdvm.so are obtained.
Compared with the prior art, the invention has the following advantages and beneficial effects:
Existing Android application protection techniques have problems such as so files being easy to analyze dynamically or the encryption algorithm being too simple; the method has the following advantages:
1. In the traditional encryption method, a protected so file is embedded in a shell file and the system Linker is used for loading and linking, so an attacker can even achieve automatic shell removal through a modified system Linker. Here the so shell file simulates the system Linker to load the protected so file, so the attack of modifying the system Linker is effectively prevented.
2. Since so files are hard to decompile statically, the main attack mode against so files is dynamic analysis, and the most common means is to export the so file from memory through a dump. In the method designed by the invention, the file structure of the so shell file is modified to prevent static decompilation, and the so shell file and the so file are modified before and after the so shell file loads the protected so file, so that an attacker can neither find the address of the so file in memory through keywords nor analyze it with a dynamic debugging tool.
3. The key function of the protected so file and the whole protected so file are both AES-encrypted, and the two keys are placed on the server; an attacker finds it difficult to obtain the keys from the server, and the source code safety of the so file is guaranteed.
Drawings
Fig. 1 is a flowchart of shelling a so file in an Android application.
Fig. 2 is a flowchart of obtaining the libdvm.so function pointers.
FIG. 3 is a flowchart of shell unpacking of a so file when an Android application runs.
Fig. 4 is a schematic diagram of a process of loading the so file.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited thereto.
The invention provides an Android platform application software protection method based on so file shell adding, wherein the shell adding process is mainly carried out at a computer end, and FIG. 1 is a flow chart of shell adding, and the specific steps are as follows:
(1) First, the functions in the protected so file are implemented. These mainly comprise three custom functions for dynamic loading and a function for decrypting the dex file; the three custom functions for dynamic loading mainly obtain the function pointers corresponding to openDexFile, getClassNameList and defineClassNative in libdvm.so. After the four function names are found through the hash symbol table, the region of the functions is encrypted with the AES algorithm and the AES key is placed on the server.
(2) When the system Linker loads a so file it verifies the file; when the so shell file replaces the system Linker, the so file is not verified and loading proceeds directly. If an attacker loads the reinforced so file with the system Linker, the ELF file fails verification and cannot be loaded. Meanwhile, when an attacker dynamically analyzes a so file, the relevant fields of the so file are searched for in memory to determine its position, so that the so file can be dumped completely. After the function encryption of (1), the check-related fields e_ident[16] (file identification), e_type (file type), e_machine (architecture type), e_version (file version) and e_flags (file attributes) are all set to 0, the binary stream of the protected so file is then encrypted with the AES algorithm, and the AES key is uploaded to the server.
(3) In terms of the link view and the execution view of a so file, only the execution view is used when the so file is loaded and the link view is not involved, so the section-related fields e_shoff, e_shentsize, e_shnum and e_shstrndx can be modified; and since the jump address set when the so file is loaded is the address of the dynamic linker, e_entry can also be modified. In order to resist static decompilation of the so shell file, the fields e_entry, e_shoff, e_shentsize, e_shnum and e_shstrndx in the so shell file are set to random numbers.
(4) The protected so file encrypted in step (2) is embedded at the tail of the so shell file, and the dex file is encrypted at the same time. In this example the dex file is encrypted with DES, and the ciphertext and the key are embedded in a picture among the resource files.
(5) The so shell file is put into the source program apk, which is signed and packaged to obtain the reinforced program.
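The header changes of steps (2) and (3) above (steps (2) and (4) of the summary), together with a defender-side check that flags a header treated this way, as an added Python example; this is not the patent's code, and the sample header values are constructed.

```python
import os
import struct

# ELF32 header (52 bytes), little-endian, as for a 32-bit ARM shared object.
ELF32_HDR = "<16sHHIIIIIHHHHHH"
FIELDS = ["e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
          "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
          "e_shentsize", "e_shnum", "e_shstrndx"]
ELF_MAGIC = b"\x7fELF"
ET_DYN, EM_ARM, EV_CURRENT, SHENTSIZE32 = 3, 40, 1, 40


def build_sample_header():
    """Constructed header of a small ARM .so: 6 program headers, 20 sections."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9   # ELFCLASS32, LE, EV_CURRENT
    values = [ident, ET_DYN, EM_ARM, EV_CURRENT, 0x400, 52, 0x1800, 0x5000000,
              52, 32, 6, SHENTSIZE32, 20, 19]
    return dict(zip(FIELDS, values))


def pack_header(h):
    return struct.pack(ELF32_HDR, *[h[f] for f in FIELDS])


def parse_header(blob):
    return dict(zip(FIELDS, struct.unpack(ELF32_HDR, blob[:52])))


def zero_check_fields(h):
    """Step (2): clear the fields the system Linker verifies (protected so file)."""
    h = dict(h)
    h["e_ident"] = b"\x00" * 16
    for f in ("e_type", "e_machine", "e_version", "e_flags"):
        h[f] = 0
    return h


def randomize_section_fields(h, rand=os.urandom):
    """Step (3): randomize e_entry and the section-related fields (so shell file)."""
    h = dict(h)
    h["e_entry"] = int.from_bytes(rand(4), "little")
    h["e_shoff"] = int.from_bytes(rand(4), "little")
    for f in ("e_shentsize", "e_shnum", "e_shstrndx"):
        h[f] = int.from_bytes(rand(2), "little")
    return h


def audit_header(blob, file_size):
    """Defender-side check: findings that indicate a shelled or tampered header."""
    findings = []
    if len(blob) < 52:
        return ["file shorter than an ELF32 header"]
    h = parse_header(blob)
    if h["e_ident"][:4] != ELF_MAGIC:
        findings.append("e_ident magic missing: check fields may have been cleared")
    if h["e_type"] != ET_DYN:
        findings.append("e_type is not ET_DYN")
    if h["e_machine"] == 0 or h["e_version"] == 0:
        findings.append("e_machine or e_version is zero")
    # A genuine section header table lies inside the file with 40-byte entries.
    sh_end = h["e_shoff"] + h["e_shentsize"] * h["e_shnum"]
    if h["e_shnum"] and (h["e_shentsize"] != SHENTSIZE32 or sh_end > file_size):
        findings.append("section header table out of bounds: fields may be randomized")
    if h["e_shnum"] and h["e_shstrndx"] >= h["e_shnum"]:
        findings.append("e_shstrndx out of range")
    return findings


def audit_file(path):
    """Run the same check on a file on disk."""
    with open(path, "rb") as f:
        blob = f.read(52)
    return audit_header(blob, os.path.getsize(path))
```

The zeroed header is exactly what makes the system Linker reject the protected file, so the same conditions serve as a triage signal for a packed library.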
The shell removal process is mainly performed on the Android phone; Fig. 3 is a flowchart of the operation after the Android program is reinforced, and the specific steps are as follows:
(1) As shown in steps 1, 2, 3 and 4 of Fig. 4, the system Linker loads and links the so file. In order for the system Linker to load the so shell file first, it needs to be placed in the initialization stage of the system Linker, that is, in JNI_OnLoad or in the so file. After the so shell file is loaded by the system Linker, control is handed to the so shell file.
(2) After the so shell file obtains control from the system Linker, the key for the encrypted protected so file is first returned from the server and AES decryption is performed; the so shell file then continues to run as an interpreter and uses the key returned by the server to AES-decrypt the encrypted function in the protected so file, as shown in steps 5 and 6 of Fig. 4. The loading and linking of the protected so file by the so shell file can be implemented entirely after the system Linker, so the source code resembles that of the system Linker. The differences are: (1) in the loading and linking stage the decrypted so file is in memory, so file operations must be changed into memory operations; (2) in order to prevent an attacker from analyzing the protected so file through the various mapping information of soinfo in memory, the export table of the protected so file is merged with that of the so shell file, the soinfo of the protected so file is then deleted, and the merged soinfo is not added to the global linked list; when soinfo is needed, the system Linker allocates it directly; (3) the application performs symbol lookups on the so file, but the protected so file is attached to the so shell file, so the application cannot access the dynamic symbol table of the protected so file. To solve this, the dynamic symbol table of the protected so file must be exported into the dynamic symbol table of the so shell file. Symbol lookup in a so file's dynamic symbol table involves three structures: the symbol hash table, the symbol table and the string table. As shown in step 7 of Fig. 4, the string table and symbol table of the protected so file are appended to the string table and symbol table of the so shell file, the hash table is rebuilt from the new symbol table, and finally the rebuilt hash table is put into the so shell file.
(3) The Program Header describes the structural information of a so file related to program execution; from it the size and offset of each segment, its virtual address and so on can be determined. When a so file is loaded, functions such as ReadProgramHeader, ReserveAddressSpace and LoadSegments in the load_library function read the segments whose Program Header type is PT_LOAD, and the loading result of the Program Header is then stored in the soinfo, namely through the si->phdr assignment from elf_reader. In order to avoid attacks on this, after the protected so file is loaded the so shell file finds its own Program Header address and that of the protected so file through its own information, and all Program headers are set to 0.
(4) Dynamically loading with DexClassLoader in the Java layer has some safety problems: not only is an odex file generated as a file in the phone's storage space, but the decrypted dex file is also stored as a plaintext file in the storage space, so this method uses functions of libdvm.so. The decrypted protected so file finds the encrypted dex file and the key among the resource files, performs DES decryption of the dex file with the key, and dynamically loads the dex file with the custom functions corresponding to openDexFile, getClassNameList and defineClassNative in libdvm.so.
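The symbol table merge and hash table rebuild of step 7 of Fig. 4 (point (3) of step (2) above), worked through in Python as an added example that is not the patent's code. The symbol names and addresses are constructed for illustration, and the addresses are assumed to be already relocated into the so shell file's address space.

```python
import struct

# Constructed sample: the so shell file exports JNI_OnLoad and a decrypt routine;
# the protected so file exports the custom loading functions (names assumed).
SHELL_SYMS = [(b"JNI_OnLoad", 0x1000), (b"shell_decrypt", 0x1100)]
PROTECTED_SYMS = [(b"my_openDexFile", 0x2000),
                  (b"my_getClassNameList", 0x2100),
                  (b"my_defineClassNative", 0x2200)]


def elf_hash(name):
    """SysV ELF hash function, the one used for DT_HASH symbol lookups."""
    h = 0
    for c in name:
        h = ((h << 4) + c) & 0xFFFFFFFF
        g = h & 0xF0000000
        if g:
            h ^= g >> 24
        h &= ~g & 0xFFFFFFFF
    return h


class DynSymTab:
    """Minimal dynamic symbol table: NUL-separated string table plus (st_name, st_value)."""

    def __init__(self):
        self.strtab = b"\x00"      # offset 0 is the empty string
        self.syms = [(0, 0)]       # index 0 is STN_UNDEF

    def add(self, name, value):
        self.syms.append((len(self.strtab), value))
        self.strtab += name + b"\x00"

    def name_of(self, idx):
        off = self.syms[idx][0]
        return self.strtab[off:self.strtab.index(b"\x00", off)]


def make_tab(entries):
    tab = DynSymTab()
    for name, value in entries:
        tab.add(name, value)
    return tab


def merge_symtabs(shell, protected):
    """Append the protected file's strings and symbols to the shell file's tables."""
    merged = DynSymTab()
    for tab in (shell, protected):
        for idx in range(1, len(tab.syms)):
            merged.add(tab.name_of(idx), tab.syms[idx][1])
    return merged


def build_hash(tab, nbucket):
    """Rebuild the DT_HASH bucket and chain arrays for the merged table."""
    bucket = [0] * nbucket
    chain = [0] * len(tab.syms)
    for idx in range(1, len(tab.syms)):
        b = elf_hash(tab.name_of(idx)) % nbucket
        chain[idx] = bucket[b]   # new symbol goes to the head of its chain
        bucket[b] = idx
    return bucket, chain


def lookup(tab, bucket, chain, name):
    """Linker-style walk of a hash chain; returns st_value or None if absent."""
    idx = bucket[elf_hash(name) % len(bucket)]
    while idx != 0:
        if tab.name_of(idx) == name:
            return tab.syms[idx][1]
        idx = chain[idx]
    return None


def serialize_hash(bucket, chain):
    """On-disk DT_HASH layout: nbucket, nchain, bucket[], chain[] as 32-bit words."""
    words = [len(bucket), len(chain)] + bucket + chain
    return struct.pack("<%dI" % len(words), *words)


def demo():
    merged = merge_symtabs(make_tab(SHELL_SYMS), make_tab(PROTECTED_SYMS))
    bucket, chain = build_hash(merged, nbucket=4)
    return merged, bucket, chain
```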

Claims (6)

1. A method for protecting Android platform application software based on so file shelling is characterized by comprising the following steps:
A. encryption process
(1) Dynamically loading a dex file for the protected so file;
(2) carrying out asymmetric encryption on a function in the protected so file, and uploading a secret key to a server;
(3) modifying the protected so file and the so shell file, simultaneously carrying out asymmetric encryption on the modified protected so file, and uploading the key to the server;
(4) after the protected so file is encrypted, a ciphertext of the protected so file is embedded into the tail of the so shell file, the dex file is encrypted at the same time, and the encrypted ciphertext and the key are embedded into the resource file;
B. decryption process
(5) When the program runs, the so shell file decrypts the protected so file using the server key, then loads it as a custom Linker in place of the system Linker, runs as the Linker and decrypts the function in the protected so file using the server key, and modifies the so shell file and the protected so file after loading is finished; during program operation the system Linker loads the so shell file first;
(6) the decrypted protected so file finds the encrypted dex file and the resource file key from the resource file, and decrypts the dex file by using the resource file key;
(7) the protected so file decrypts the dex file and dynamically loads it in the Native layer; when the so shell file is used as a custom Linker to load the decrypted protected so file, the file verification operation is skipped;
after the so shell file is loaded by a system Linker, the control right is handed over to the so shell file.
2. The method of claim 1, wherein in step (2), the relevant check field during the loading of the protected so file is set to 0 before encryption, and the encryption algorithm is AES algorithm.
3. The method as claimed in claim 2, wherein the step (3) further comprises the step of setting a part of fields in the so shell file as random numbers.
4. The method according to claim 3, characterized in that in step (5) the encrypted protected so file is stripped from the so shell file, decrypted, and its function is decrypted.
5. The method according to claim 4, wherein in step (5), the modified contents of the so shell file and the protected so file after the loading is completed are all set to 0.
6. The method as claimed in claim 1, wherein in step (3) the modification of the protected so file is that the check-related fields e_ident[16], e_type, e_machine, e_version and e_flags in the file are all set to 0, and the modification of the so shell file is that the fields e_entry, e_shoff, e_shentsize, e_shnum and e_shstrndx in the so shell file are set to random numbers.
CN201710324703.3A 2017-07-07 2017-07-07 So file shell adding-based Android platform application software protection method Active CN107273723B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710324703.3A CN107273723B (en) 2017-07-07 2017-07-07 So file shell adding-based Android platform application software protection method


Publications (2)

Publication Number Publication Date
CN107273723A CN107273723A (en) 2017-10-20
CN107273723B true CN107273723B (en) 2022-01-28

Family

ID=60074120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710324703.3A Active CN107273723B (en) 2017-07-07 2017-07-07 So file shell adding-based Android platform application software protection method

Country Status (1)

Country Link
CN (1) CN107273723B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109657480A (en) * 2017-10-11 2019-04-19 中国移动通信有限公司研究院 A kind of document handling method, equipment and computer readable storage medium
CN109255245A (en) * 2018-08-13 2019-01-22 海南新软软件有限公司 A kind of local cryptographic key protection method, apparatus and system
CN109271759B (en) * 2018-09-26 2022-04-05 杭州凯米科技有限公司 So file security reinforcement technical method based on android platform
CN109858203A (en) * 2018-12-21 2019-06-07 厦门市美亚柏科信息股份有限公司 A kind of safety protecting method, device and the storage medium of Android platform application
CN110046504B (en) * 2019-04-22 2021-04-06 北京智游网安科技有限公司 SO file hiding method, storage medium and device based on Linker
CN111191195A (en) * 2019-12-10 2020-05-22 航天信息股份有限公司 Method and device for protecting APK
CN115039096A (en) * 2020-05-20 2022-09-09 深圳市欢太科技有限公司 File processing method, file processing device, storage medium and electronic equipment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN104392181A (en) * 2014-11-18 2015-03-04 北京奇虎科技有限公司 SO file protection method and device and android installation package reinforcement method and system
CN106203006A (en) * 2016-08-31 2016-12-07 北京鼎源科技有限公司 Android application reinforcement means based on dex Yu so file Dynamic Execution

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US9958924B2 (en) * 2013-08-28 2018-05-01 Cisco Technology, Inc. Configuration of energy savings


Non-Patent Citations (1)

Title
Research on SO reinforcement technology based on the Android platform; 韩子诺 et al.; 《现代计算机(专业版)》 (Modern Computer, Professional Edition); 2015-12-25; pp. 49-53 *

Also Published As

Publication number Publication date
CN107273723A (en) 2017-10-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant