Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a flowchart illustrating a method for shelling an application file (that is, removing the protective shell added by reinforcement) according to a first embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S101, monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to the current method to be shelled.
The file to be shelled refers to an application file that has undergone reinforcement processing, for example an apk (Android package) file in an Android environment. One apk file includes at least one DEX file, and one apk file corresponds to one process.
This embodiment takes as its example the shelling of an apk file (the file to be shelled) that has been reinforced, in dalvik virtual machine mode. Put simply, the method of this embodiment extracts the methods that actually exist in the reinforced DEX file in the apk, so as to obtain a complete DEX file. When the file to be shelled includes a plurality of DEX files, the method described in this embodiment may still be used for shelling.
Monitoring the current method to be shelled may be implemented by inserting monitoring code at the entry of the interpreter of the virtual machine and using that code to monitor each method to be shelled that passes through the interpreter; the present invention is not limited in this respect. After the current method to be shelled is detected, the process information corresponding to it is read, where the process information may be a process name.
Step S102, judging, according to the process information corresponding to the current method to be shelled, whether the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
A process meeting the preset shelling condition is a process of a program written in advance for the APP and related to the functions of the APP, as opposed to a process that comes with the system or a process that calls a third-party plug-in. Whether the process meets the preset shelling condition may be determined according to the process information read in step S101.
Step S103, if it is determined that the process corresponding to the current method to be shelled meets the preset shelling condition, converting the memory data of the current method to be shelled into the first structure information.
If the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, the memory data of the current method to be shelled, which is binary memory data, is converted into the first structure information to facilitate subsequent searching and modification. If the process is judged not to meet the preset shelling condition, the current method to be shelled is not processed. That is, in the method of this embodiment, whether to shell the current method to be shelled is determined by its corresponding process, and only methods to be shelled whose process satisfies the preset condition are shelled.
Step S104, determining second structure information of the DEX file corresponding to the file to be shelled according to the first structure information.
In practical application, a system function can be called to process the first structure information and thereby determine the second structure information of the DEX file corresponding to the file to be shelled. Specifically, the memory area of the DEX file in the file to be shelled is first determined according to the first structure information, and the system function is then called to parse the data in that memory area, so that the second structure information corresponding to the DEX file is obtained. The second structure information corresponds one-to-one to the information contained in the DEX file.
Step S105, repairing the second structure information by using the first structure information, and generating the shelled DEX file of the file to be shelled according to the repaired second structure information.
The second structure information is obtained from the DEX file in memory. Because part of the code in the DEX file may have been modified and mapped to storage areas outside the file's contiguous memory, some positions in the second structure information may hold empty bytecode, and that part of the bytecode in the second structure information therefore needs to be repaired. The first structure information is obtained by monitoring the running method to be shelled, whose memory data is real and valid in memory; that is, the first structure information is real and valid in memory.
After the second structure information is repaired, the memory data in the memory area of the complete DEX file is obtained and written to a disk file, thereby obtaining the DEX file after the file to be shelled is shelled.
According to the method and the device for shelling the application file, first, the current method to be shelled that is run by the file to be shelled is monitored, and the process information corresponding to it is read; second, whether the process corresponding to the current method to be shelled meets the preset shelling condition is judged according to that process information; if so, the memory data of the current method to be shelled is converted into first structure information; then, second structure information of the DEX file corresponding to the file to be shelled is determined according to the first structure information; finally, the second structure information is repaired by using the first structure information, and the shelled DEX file of the file to be shelled is generated. In this way, a reinforced application file can be effectively shelled, the integrity of the data of the DEX file obtained after shelling can be guaranteed, and the shelling effect and the shelling success rate are improved.
Fig. 2 is a flowchart illustrating a method for shelling an application file according to a second embodiment of the present invention. As shown in Fig. 2, the method includes the following steps:
Step S201, monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to the current method to be shelled.
Specifically, monitoring code is inserted at the interpreter entry and used to monitor the current method to be shelled passing through the interpreter, where the interpreter entry is the initial position at which the file to be shelled enters the interpreter function. That is, the monitoring code is inserted at the entry of the interpreter of the dalvik virtual machine in the Android source code, and the current method to be shelled passing through the interpreter is monitored.
Optionally, before the method of this embodiment is executed, the method further includes: modifying the interpretation mode of the executable file of the virtual machine in the source code into a portable mode, where the portable mode is suitable for a corresponding programming and running environment, such as C++. In this way, first, it can be ensured that all running statements in the file to be shelled pass through the interpreter; second, it can be guaranteed that any APP running in the source code runs in the portable mode; third, it can be guaranteed that the DEX file in the file to be shelled can be compiled into the interpretation mode of the machine code. In practical applications, other interpretation modes may be adopted according to the actual programming and running environment, and the present invention is not limited in this respect.
Step S202, according to the process information corresponding to the current method to be shelled, judging whether the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
The specific step of judging whether the process corresponding to the current method to be shelled is a process meeting the preset shelling condition is as follows:
judging whether the process is related to a program related to the functions of the application, and if so, judging that the process meets the preset shelling condition. In this manner, whether the process corresponding to the current method to be shelled meets the preset shelling condition is judged directly, for example by judging whether the process is related to a program that a programmer wrote in advance for the APP and that is related to the functions of the APP.
In addition, in practical application, the process corresponding to the current method to be shelled can be judged as follows: first, judging whether the process is a system process or a plug-in calling process, and if it is neither, further judging whether it is a process related to a program related to the functions of the application. That is, a process meeting the preset shelling condition specifically refers to a process related to the pre-written program corresponding to the file to be shelled, excluding processes that come with the system and third-party plug-in calling processes.
In practical application, either of the two manners may be used alone to judge the process corresponding to the current method to be shelled, or the two manners may be combined, which is not limited in this invention.
Step S203, if it is determined that the process corresponding to the current method to be shelled meets the preset shelling condition, converting the memory data of the current method to be shelled into the first structure information, and storing the first structure information.
If the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, the memory data of the current method to be shelled is converted into first structure information, where there may be multiple pieces of first structure information depending on the actual situation; for a current method to be shelled whose process does not meet the preset shelling condition, the memory data is not processed.
Optionally, the first structure information may be stored in a hash table, which enables fast lookup. When a hash table is used and the first structure information about to be stored is found to be the same as first structure information stored previously, it is not stored again; that is, the hash table holds only distinct methods to be shelled. In practical applications, the first structure information may also be stored in other manners, for example in a linked list or in a binary tree, which is not limited in this invention.
Step S204, when the number of the stored first structure information is greater than or equal to the preset threshold, determining a memory area of the DEX file in the file to be shelled according to the attribute information included in any one of the first structure information.
Step S204 to step S205 correspond to a method for determining second structure information of the DEX file corresponding to the file to be shelled according to the first structure information, and in practical applications, when the number of the stored first structure information is greater than or equal to a preset threshold, the second structure information of the DEX file corresponding to the file to be shelled may be determined according to any one of the first structure information. Accordingly, the memory area of the DEX file in the file to be shelled can be determined according to any one of the first structure information.
The preset threshold is determined according to the size of the file to be shelled. If the preset threshold is too small, more repair passes are needed in the subsequent repair process; if it is too large, a single repair takes a long time. Repair efficiency is low in both cases, so the preset threshold can be determined according to the size of the file to be shelled. Optionally, the preset threshold is set to 1000.
The step of determining the memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information specifically includes: determining the length of the DEX file according to first attribute information contained in the first structure information; determining the start position of the DEX file according to second attribute information contained in the first structure information; and determining the memory area of the DEX file in the file to be shelled according to the length and the start position of the DEX file. For example, a DvmDex structure can be determined according to the clazz->pDvmDex attribute of the Method structure, the start position of the DEX file can be determined according to the pDexFile->baseAddr attribute in the DvmDex structure, and the length of the DEX file can be determined according to the pDexFile->pHeader->fileSize attribute in the DvmDex structure, which gives the position of the DEX file in memory, that is, the memory area of the DEX file in the file to be shelled.
Step S205, a system function is called to analyze the data in the memory area, and second structural body information corresponding to the method in the DEX file is obtained.
The memory area of the DEX file obtained in step S204 is a single block of memory containing one contiguous segment of data, from which the information of each method contained in the DEX file cannot be obtained directly, so the data in the memory area of the DEX file needs to be parsed. For example, the dexGetClassDef function is called to obtain a DexClassDef structure, all directMethod functions and virtualMethod functions in the DexClassDef structure are then traversed, system functions such as dexGetMethodId, dexStringById and dexGetCode are called to parse the DexClassDef structure, and a Method structure, that is, the second structure information corresponding to each method included in the DEX file, is determined according to the parsing result.
Step S206, determining the bytecode in the first structure information and the bytecode in the second structure information.
Step S206 to step S210 correspond to a method for repairing the second structure information by using the first structure information, and first, a bytecode included in the first structure information and a bytecode included in the second structure information are determined, respectively.
Step S207, comparing the bytecode in the first structure information with the bytecode in the second structure information to obtain a comparison result.
The second structure information is obtained from the DEX file in memory. Because part of the code in the DEX file may have been modified and mapped to storage areas outside the file's contiguous memory, some positions in the second structure information may hold empty bytecode, and that part of the bytecode in the second structure information therefore needs to be repaired. The first structure information is obtained by monitoring the running method to be shelled, whose memory data is real and valid in memory; that is, the first structure information is real and valid in memory.
Specifically, the stored first structure information is traversed, and the bytecode in the first structure information is compared with the bytecode in the second structure information to obtain a comparison result, from which the bytecode that the second structure information is missing relative to the first structure information can be determined.
Step S208, according to the comparison result, determining the first bytecode in the first structure information and the first bytecode position of the first bytecode in the first structure information.
The first bytecode is determined according to the comparison result of step S207. Specifically, the first bytecode may be the bytecode portion that the first structure information has in addition to the second structure information, that is, the bytecode missing from the second structure information relative to the first structure information. The first bytecode and its first bytecode position in the first structure information are determined according to the comparison result.
Step S209, determining a second bytecode position in the second structure information corresponding to the first bytecode position.
According to the first bytecode and the first bytecode position determined in the above step, a second bytecode position corresponding to the first bytecode position in the second structure information can be determined.
Step S210, writing the first bytecode to the second bytecode position to obtain the repaired second structure information, and generating the DEX file after the file to be shelled is shelled according to the repaired second structure information.
The bytecode that the second structure information is missing relative to the first structure information is written to the corresponding position in the second structure information, which completes the repair of the second structure information. The repaired second structure information is the memory data in the memory area of the complete DEX file; this memory data is written into a file, thereby obtaining the DEX file after the file to be shelled is shelled.
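The storage rule of step S203 and the repair of steps S206 to S210, as an added example that is not part of the original disclosure: a sketch in C that runs on a constructed 32-byte buffer standing in for the DEX memory area. The Captured record, its field names, the table size and all sample values are assumptions made for illustration; they are not Dalvik's Method structure, and the threshold of step S204 is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS  8    /* constructed cap on 16-bit code units kept per record */
#define TABLE_SIZE 16   /* open-addressing table size, must be a power of two */

/* "First structure information": one record per method seen at the
 * interpreter entry. Field names are hypothetical, not Dalvik's. */
typedef struct {
    int      used;
    uint32_t method_idx;        /* key used for deduplication */
    uint32_t code_off;          /* byte offset of the bytecode in the DEX image */
    uint32_t n_units;           /* bytecode length in 16-bit code units */
    uint16_t units[MAX_UNITS];  /* bytecode observed while the method ran */
} Captured;

typedef struct { Captured slot[TABLE_SIZE]; size_t count; } CaptureTable;

/* Step S203: store a record. Returns 1 if stored, 0 if the method is already
 * present (it is not stored again), -1 if the record is rejected. */
int capture_store(CaptureTable *t, uint32_t method_idx, uint32_t code_off,
                  const uint16_t *units, uint32_t n_units)
{
    if (n_units == 0 || n_units > MAX_UNITS) return -1;
    size_t i = (method_idx * 2654435761u) & (TABLE_SIZE - 1);
    for (size_t probes = 0; probes < TABLE_SIZE;
         probes++, i = (i + 1) & (TABLE_SIZE - 1)) {
        Captured *c = &t->slot[i];
        if (c->used && c->method_idx == method_idx) return 0;
        if (!c->used) {
            c->used = 1; c->method_idx = method_idx;
            c->code_off = code_off; c->n_units = n_units;
            memcpy(c->units, units, n_units * sizeof units[0]);
            t->count++;
            return 1;
        }
    }
    return -1;  /* table full */
}

/* Steps S206-S210: compare each stored record with the parsed image and write
 * the code units that differ. DEX stores code units little-endian.
 * Returns the number of code units replaced; *skipped counts records whose
 * byte range does not fit inside the image. */
int repair_image(uint8_t *image, size_t image_len,
                 const CaptureTable *t, int *skipped)
{
    int patched = 0;
    *skipped = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        const Captured *c = &t->slot[i];
        if (!c->used) continue;
        size_t nbytes = (size_t)c->n_units * 2;
        if (c->code_off > image_len || nbytes > image_len - c->code_off) {
            (*skipped)++;       /* never write outside the dumped region */
            continue;
        }
        for (uint32_t j = 0; j < c->n_units; j++) {
            /* second bytecode position that corresponds to position j */
            uint8_t *p = image + c->code_off + (size_t)j * 2;
            uint16_t in_image = (uint16_t)(p[0] | (p[1] << 8));
            if (in_image != c->units[j]) {   /* first bytecode: missing here */
                p[0] = (uint8_t)(c->units[j] & 0xff);
                p[1] = (uint8_t)(c->units[j] >> 8);
                patched++;
            }
        }
    }
    return patched;
}

typedef struct { int stored, duplicate, patched, skipped, image_ok; } DemoResult;

DemoResult demo(void)
{
    /* Constructed stand-in for a dumped DEX region: the method at offset 8
     * was zeroed out, the method at offset 20 is intact. */
    uint8_t image[32] = {0};
    const uint16_t m1[3] = {0x0012, 0x000f, 0x000e};  /* constructed values */
    const uint16_t m2[2] = {0x1234, 0x000e};
    image[20] = 0x34; image[21] = 0x12; image[22] = 0x0e; image[23] = 0x00;

    CaptureTable t;
    memset(&t, 0, sizeof t);
    DemoResult r = {0};
    r.stored    = capture_store(&t, 7, 8, m1, 3);
    r.duplicate = capture_store(&t, 7, 8, m1, 3);  /* same method seen again */
    capture_store(&t, 9, 20, m2, 2);    /* already correct in the image */
    capture_store(&t, 11, 30, m1, 3);   /* 6 bytes at offset 30 overrun it */
    r.patched  = repair_image(image, sizeof image, &t, &r.skipped);
    const uint8_t want[6] = {0x12, 0x00, 0x0f, 0x00, 0x0e, 0x00};
    r.image_ok = memcmp(image + 8, want, sizeof want) == 0;
    return r;
}

int main(void)
{
    DemoResult r = demo();
    printf("stored=%d duplicate=%d patched=%d skipped=%d image_ok=%d\n",
           r.stored, r.duplicate, r.patched, r.skipped, r.image_ok);
    return 0;
}
```

The bounds check before the write matters because the offsets in the stored records come from the reinforced application under analysis and cannot be trusted.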
In summary, considering that in the prior art part of the bytecode is missing from the DEX file obtained after a file to be shelled is shelled, the method innovatively inserts monitoring code at the interpreter entry of the virtual machine to monitor the methods to be shelled that pass through the interpreter, obtains the memory data of the process corresponding to each method to be shelled and converts it into first structure information, and then repairs the DEX file by using the first structure information. Because the monitoring code is inserted at the interpreter entry, every running method in the file to be shelled passes through it, so the obtained memory data (first structure information) is guaranteed to be real and valid; and repairing the DEX file with the first structure information ensures that the memory data of the DEX file obtained after shelling is complete, so that the shelling effect and the shelling success rate are improved.
Fig. 3 is a schematic structural diagram illustrating an apparatus for shelling an application file according to a third embodiment of the present invention. As shown in Fig. 3, the apparatus includes: a monitoring module 310, a reading module 320, a judging module 330, a converting module 340, a second structure information determining module 350, a repairing module 360, and a shelling module 370.
A monitoring module 310 adapted to monitor a current method to be shelled by which a file to be shelled runs;
a reading module 320, adapted to read process information corresponding to a current method to be shelled;
the determining module 330 is adapted to determine whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition according to the process information corresponding to the current method to be shelled;
the conversion module 340 is adapted to convert the memory data of the current method to be shelled into the first structure information if it is determined that the process corresponding to the current method to be shelled is a process satisfying a preset shelling condition;
a second structure information determining module 350, adapted to determine, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled;
the repairing module 360 is adapted to repair the second structure information by using the first structure information;
and the shelling module 370 is adapted to generate the shelled DEX file of the file to be shelled according to the repaired second structure information.
According to the shelling device for the application files provided by the embodiment, the application files after being reinforced can be effectively shelled, the integrity of the data of the obtained DEX files after shelling can be guaranteed, and the shelling effect and the shelling success rate are improved.
Fig. 4 is a schematic structural diagram of a shelling apparatus for application files according to a fourth embodiment of the present invention, and as shown in fig. 4, the shelling apparatus further includes, on the basis of the apparatus shown in fig. 3: a storage module 410 and a modification module 420.
A storage module 410 adapted to store the first structure information; the second structure information determining module 350 is further adapted to determine, when the number of the stored first structure information is greater than or equal to a preset threshold, the second structure information of the DEX file corresponding to the file to be shelled according to any one of the first structure information.
In a specific embodiment, the second structure information determining module 350 further includes:
the memory area determining unit 351 is adapted to determine a memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information;
the analyzing unit 352 is adapted to invoke a system function to analyze the data in the memory area, so as to obtain the second structure information corresponding to the method in the DEX file.
The memory region determination unit 351 is further adapted to:
determining the length of the DEX file according to first attribute information contained in the first structure information;
determining the starting position of the DEX file according to second attribute information contained in the first structure information;
and determining the memory area of the DEX file in the file to be shelled according to the length of the DEX file and the starting position of the DEX file.
The repair module 360 is further adapted to:
respectively determining byte codes in the first structural body information and byte codes in the second structural body information;
comparing the byte codes in the first structural body information with the byte codes in the second structural body information to obtain a comparison result;
according to the comparison result, determining a first bytecode in the first structure information and a first bytecode position of the first bytecode in the first structure information, wherein the first bytecode is a bytecode that the second structure information is missing relative to the first structure information;
determining a second bytecode position in the second structure information corresponding to the first bytecode position;
and writing the first bytecode to the second bytecode position to obtain the repaired second structure information.
The monitoring module 310 is further adapted to:
inserting monitoring code at the interpreter entry, and using the monitoring code to monitor the current method to be shelled passing through the interpreter;
wherein, the interpreter entry is the initial position of the file to be shelled entering the interpreter function.
In a specific embodiment, the above apparatus further comprises:
a modification module 420 adapted to modify an interpretation mode of the executable file of the virtual machine in the source code to a portable mode.
The determining module 330 is further adapted to:
and judging whether the process is related to the program related to the function of the application, if so, judging that the process is the process meeting the preset shelling condition.
The storage module 410 is further adapted to:
storing the first structure body information in a hash table; or storing the first structure body information in a linked list; or storing the first structure body information in a binary tree.
According to the device for shelling application files provided by this embodiment, a monitoring code is inserted into an interpreter entry of a virtual machine to monitor a method to be shelled that passes through the interpreter, so as to obtain memory data of a process corresponding to the method to be shelled and convert the memory data into first structure information, and then the first structure information is used to repair a DEX file. Firstly, inserting a monitoring code into an interpreter entrance, which can ensure that each running method in a file to be shelled passes through the interpreter entrance, thereby ensuring that the obtained memory data (first structure information) is real and effective; secondly, the first structure information is used for repairing the DEX file, so that the memory data of the DEX file obtained after the file to be shelled is shelled can be ensured to be complete, and the shelling effect and the shelling success rate are improved.
Embodiments of the present invention provide a non-volatile computer storage medium, where at least one executable instruction is stored in the computer storage medium, and the computer executable instruction may execute the method for shelling an application file in any of the above method embodiments.
Fig. 5 is a schematic structural diagram of a computing device according to a fifth embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in Fig. 5, the computing device may include: a processor 502, a communication interface 504, a memory 506, and a communication bus 508.
Wherein:
the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
The communication interface 504 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically execute the relevant steps in the foregoing embodiment of the method for shelling the application file.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used for storing the program 510. The memory 506 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The program 510 may be specifically configured to enable the processor 502 to execute a shelling method of an application file in any of the above-described method embodiments. For specific implementation of each step in the program 510, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing embodiment of the method for removing a shell of an application file, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.