CN112052460A - DEX file virtualization encryption method, computer equipment and storage medium - Google Patents
DEX file virtualization encryption method, computer equipment and storage medium Download PDFInfo
- Publication number
- CN112052460A CN112052460A CN202010776466.6A CN202010776466A CN112052460A CN 112052460 A CN112052460 A CN 112052460A CN 202010776466 A CN202010776466 A CN 202010776466A CN 112052460 A CN112052460 A CN 112052460A
- Authority
- CN
- China
- Prior art keywords
- instruction
- virtual
- dalvik
- original
- dex file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 70
- 238000004590 computer program Methods 0.000 claims description 21
- 238000006467 substitution reaction Methods 0.000 claims description 14
- 238000010586 diagram Methods 0.000 description 3
- 239000011800 void material Substances 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The invention provides a DEX file virtualization encryption method, computer equipment and a storage medium, wherein the method comprises the following steps: acquiring an original dalvik instruction and encrypting according to an instruction replacement table to generate a virtual dalvik instruction; storing the virtual dalvik instruction into a pre-established virtual machine and modifying a data call path; and generating an entry instruction for calling the virtual machine resolver, and replacing the original dalvik instruction in the DEX file with the entry instruction for calling the virtual machine resolver. The method saves the dalvik instruction and the instruction data required by the execution of the dalvik instruction into the pre-established virtual machine, and removes the dependence of the dalvik instruction on the DEX file, so that the execution of the dalvik instruction cannot be influenced no matter whether the DEX file is subjected to secondary compilation or not, the decoding of the instruction in a memory is avoided, the plaintext data of the instruction cannot be acquired in a memory DUMP mode, and the safety of the DEX file is improved.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a DEX file virtualization encryption method, computer equipment and a storage medium.
Background
The DEX file is an executable file of an Android system and comprises all operation instructions and operation data of an application program. The dalvik instruction in the DEX file is divided into an opcode and an operand, where the operand indicates the source of the data required for instruction execution. For example, a string assignment instruction, the operand records the index of the string in the DEX string table.
In daily use, many application scenes have the requirement of secondary compilation of the DEX file, such as embedding the secondary compilation DEX file into a payment module, a statistical module and the like by a game distributor. However, the traditional virtualized encryption method for the DEX file only performs equivalent replacement on the instruction, and data required by instruction execution indicated by the operand points to the original DEX file, so that if the original DEX file is compiled twice, the instruction number points to wrong data, and further the instruction execution is wrong.
Therefore, the prior art is subject to further improvement.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a DEX file virtualization encryption method, computer equipment and a storage medium, which overcome the defect that the traditional DEX file virtualization encryption technology is not suitable for DEX files with secondary compilation requirements.
The invention provides a DEX file virtualization encryption method, which comprises the following steps:
acquiring an original dalvik instruction in the DEX file; wherein the original dalvik instruction includes an original opcode and an original operand;
encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction;
storing the virtual dalvik instruction into a pre-established instruction table of a virtual machine, and modifying a data call path of the virtual dalvik instruction according to a data table of the virtual machine; the data table stores virtual instruction data required by the execution of the virtual dalvik instruction;
and generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction, and replacing the original dalvik instruction in the DEX file with the entry instruction for calling the virtual machine parser so as to realize the virtualized encryption of the DEX file.
The DEX file virtualization encryption method comprises the following steps of:
analyzing the DEX file, and traversing to obtain code _ item data structures of all methods in the DEX file;
and resolving an insns field from the code _ item data structure, and acquiring an original dalvik instruction according to the insns field.
The method for virtualizing and encrypting the DEX file, wherein the step of encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction comprises the following steps:
acquiring a virtual operation code corresponding to an original operation code of the original dalvik instruction in the instruction substitution table;
and replacing the original operation code of the original dalvik instruction with the virtual operation code to generate a virtual dalvik instruction.
The DEX file virtualization encryption method, wherein the step of modifying the data call path of the virtual dalvik instruction according to the data table of the virtual machine comprises:
acquiring a virtual operand corresponding to the virtual instruction data in a data table of the virtual machine;
replacing original operands of the virtual dalvik instruction with the virtual operands.
The DEX file virtualization encryption method comprises the following steps of modifying a data call path of the virtual dalvik instruction according to a data table of the virtual machine:
acquiring original instruction data required by the execution of the original dalvik instruction;
and storing the original instruction data into a data table of the virtual machine to form virtual instruction data required by the virtual dalvik instruction execution.
The DEX file virtualization encryption method comprises the following steps of:
determining an offset according to an original operand of the original dalvik instruction;
and acquiring original instruction data required by the execution of the original dalvik instruction according to the offset.
The DEX file virtualization encryption method comprises the following steps of generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction:
acquiring a method ID corresponding to the virtual dalvik instruction in the instruction table;
and generating an entrance instruction for calling the virtual machine resolver according to the method ID.
The DEX file virtualization encryption method comprises the following steps of replacing original dalvik instructions in the DEX file with the calling virtual machine resolver entrance instructions:
executing the calling virtual machine resolver inlet instruction;
and calling the virtual machine to execute the virtual dalvik instruction according to the calling virtual machine resolver inlet instruction.
A computer device comprising a memory storing a computer program and a processor, wherein the processor implements the steps of the DEX file virtualization encryption method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the DEX file virtualization encryption method.
The DEX file virtualization encryption method, the computer equipment and the storage medium have the advantages that when the DEX file is subjected to virtualization encryption, the dalvik instruction in the DEX file and instruction data required by execution of the dalvik instruction are stored in the pre-established virtual machine, dependence of the dalvik instruction on the DEX file is removed, execution of the dalvik instruction cannot be influenced no matter whether the DEX file is subjected to secondary compiling or not, the virtual machine is called to execute the dalvik instruction by calling the virtual machine resolver inlet instruction, decoding of the instruction in a memory is avoided, plaintext data of the instruction cannot be obtained through a memory DUMP mode, and safety of the DEX file is improved.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of a DEX file virtualization encryption method provided in the embodiments of the present invention;
fig. 2 is a flowchart of an embodiment of a specific application of a method for virtualizing and encrypting a DEX file according to an embodiment of the present invention;
fig. 3 is a functional schematic of the computer device of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer and clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The DEX file virtualization encryption method provided by the invention can be applied to computer equipment. The computer device may be, but is not limited to, various personal computers, notebook computers, mobile phones, tablet computers, vehicle-mounted computers, and portable wearable devices. The computer device of the invention adopts a multi-core processor. The processor of the computer device may be at least one of a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Video Processing Unit (VPU), and the like.
The invention provides a DEX file virtualization encryption method, aiming at solving the problems that the traditional DEX file virtualization encryption technology only performs equivalent replacement on an instruction, data required by instruction execution indicated by an operand points to an original DEX file, and if the original DEX file is secondarily compiled, the instruction number points to wrong data, so that the instruction execution is wrong.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for virtualizing and encrypting a DEX file according to a preferred embodiment of the present invention. In the embodiment of the invention, the DEX file virtualization encryption method comprises four steps:
s1, acquiring an original dalvik instruction in the DEX file; wherein the original dalvik instruction includes an original opcode and an original operand;
s2, encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction;
s3, storing the virtual dalvik instruction into a pre-established instruction list of the virtual machine, and modifying a data call path of the virtual dalvik instruction according to the data list of the virtual machine; the data table stores virtual instruction data required by the execution of the virtual dalvik instruction;
s4, generating a virtual machine parser calling entry instruction according to the virtual dalvik instruction, and replacing the original dalvik instruction in the DEX file with the virtual machine parser calling entry instruction to achieve virtualization encryption of the DEX file.
The existing virtualization encryption technology of the DEX file only performs equivalent replacement on the instruction, data required by instruction execution indicated by an operand points to the original DEX file, and if the original DEX file is secondarily compiled, the instruction number points to wrong data, so that the instruction execution is wrong. In order to solve the above problem, in this embodiment, an original dalvik instruction in the DEX file is first obtained, then the original dalvik instruction is encrypted according to a pre-generated instruction substitution table to generate a virtual dalvik instruction, then the virtual dalvik instruction is stored in a pre-created instruction table of the virtual machine, a data call path of the virtual dalvik instruction is modified according to the data table of the virtual machine, finally a virtual machine parser entry instruction is generated and called according to the virtual dalvik instruction, and the original dalvik instruction in the DEX file is replaced with a virtual machine parser entry instruction to implement virtualized encryption of the DEX file. In the embodiment, when the DEX file is subjected to virtualization encryption, the dalvik instruction and instruction data required by execution of the dalvik instruction in the DEX file are stored in a pre-created virtual machine, the dependency of the dalvik instruction on the DEX file is removed, so that the execution of the dalvik instruction cannot be influenced no matter whether the DEX file is subjected to secondary compilation or not, the dalvik instruction is executed by calling the virtual machine parser entry instruction to call the virtual machine, the instruction is prevented from being decoded in a memory, plaintext data of the instruction cannot be acquired in a memory DUMP mode, and the security of the DEX file is improved.
In one embodiment, step S1 specifically includes:
s11, analyzing the DEX file, and traversing to obtain code _ item data structures of all methods in the DEX file;
s12, resolving an insns field from the code _ item data structure, and acquiring an original dalvik instruction according to the insns field.
In specific implementation, the DEX file is analyzed according to the file format of the DEX file, code _ item data structures of all methods in the DEX file are obtained in a traversing mode, then an insns field is analyzed from the code _ item data structures, and an original dalvik instruction is obtained according to the insns field. The code _ item data structure is one of a plurality of data structures of the DEX file, and the code _ item data structure stores specific information of instructions of all methods of the DEX file, such as an ins-size field for indicating the number of parameters of the method, an ins-size field for indicating the number of instructions of the method and an ins field for indicating the content of the instructions. In this embodiment, after the code _ item data structure is obtained, the original dalvik instruction in the DEX file can be obtained further according to the insns field in the code _ item data structure.
In one embodiment, step S2 specifically includes:
s21, acquiring a virtual operation code corresponding to the original operation code of the original dalvik instruction in the instruction substitution table;
s22, replacing the original operation code of the original dalvik instruction with the virtual operation code to generate a virtual dalvik instruction.
In specific implementation, in order to improve the security of the dalvik instruction, in this embodiment, a random instruction replacement table is generated in advance, and the instruction replacement table stores virtual opcodes corresponding to the original opcodes of the original dalvik instruction. After the original dalvik instruction in the DEX file is obtained, the virtual operation code corresponding to the original operation code of the original dalvik instruction in the instruction replacement table is further obtained, and the original operation code of the original dalvik instruction is replaced by the virtual operation code which can be identified only by the virtual machine parser, so that the safety of the DEX file is improved. For example, if 256 original dalvik instructions are stored in the DEX file, a random instruction replacement table is generated in which 256 virtual opcodes corresponding to the original opcodes in the original dalvik instructions are stored. Assuming that the original operation code 00 represents a nop, 01 represents a move, the virtual operation code 00 represents a move, and 01 represents a nop, when the original dalvik instruction is encrypted by using an instruction substitution code, the original operation code 00 is replaced by the virtual operation code 01 to generate a virtual dalvik instruction, if the virtual dalvik instruction is identified by using a systematic dalvik virtual machine, the virtual dalvik instruction can be mistakenly identified as a move instruction, correct instruction operation can be identified only through a pre-established virtual machine parser, and the security of the DEX file is improved.
In a specific embodiment, the step of modifying the data call path of the virtual dalvik instruction according to the data table of the virtual machine in step S3 specifically includes:
s31, acquiring a virtual operand corresponding to the virtual instruction data in a data table of the virtual machine;
s32, replacing the original operand of the virtual dalvik instruction with the virtual operand.
In the implementation, as can be seen from the above steps, the operation code in the virtual dalvik instruction encrypted by the instruction substitution table is the virtual operation code, and the operand is still the original operand, i.e. the data required for executing the virtual dalvik instruction still points to the DEX file. In order to change the data call path of the virtual dalvik instruction, in this embodiment, first, a virtual operand corresponding to virtual instruction data required by the execution of the virtual dalvik instruction is obtained in a data table of the virtual machine, and an original operand of the virtual dalvik instruction is replaced with the virtual operand, so that the call path of the instruction data required by the execution of the virtual dalvik instruction is changed from the DEX file to a pre-created virtual machine, thereby implementing the decoupling of the dalvik instruction and the DEX file. For example, the virtual dalvik instruction is 01080000, where the instruction data corresponding to the original operand "0000" is "Hello" and the virtual operand corresponding to the same instruction data "Hello" in the data table of the virtual machine is "0003", the original operand "0000" is modified to "0003" after the virtual dalvik instruction 01080000 is stored in the data table of the virtual machine, thereby changing the call path of the instruction data required for the virtual dalvik instruction to execute.
In a specific embodiment, the step of modifying the data call path of the virtual dalvik instruction according to the data table of the virtual machine in step S3 includes:
r1, acquiring original instruction data required by the execution of the original dalvik instruction;
r2, storing the original instruction data into a data table of the virtual machine, and forming virtual instruction data required by the virtual dalvik instruction execution.
Specifically, as mentioned in the previous step, the dalvik instruction includes an opcode and an operand, the operand indicating the source of data required for instruction execution, for example, in the binary instruction 1A 010300, 1A is the opcode and means the const-string assignment, 010300 is the operand, where operand 01 is register V1,0300 is the string ID and points to string table 3. To achieve the decoupling of the dalvik instruction from the DEX file, in the present embodiment, the original instruction data required for the execution of the original dalvik instruction is first obtained, for example, the 3 rd string in the string table mentioned in the previous step. And then storing the original instruction data into a pre-established data table of the virtual machine to form virtual instruction data required by the execution of the virtual dalvik instruction, so that the data call path of the virtual dalvik instruction is modified in the subsequent step, and the dalvik instruction is decoupled from the DEX file.
In one embodiment, step R1 includes:
r11, determining an offset from an original operand of the original dalvik instruction;
and R12, acquiring original instruction data required by the original dalvik instruction to execute according to the offset.
Specifically, the original operand points to original instruction data required by execution of the original dalvik instruction, and the original instruction data is stored in a character string table, a method table, or a field table in the DEX file and in a table index related to a character string resource, and each piece of original instruction data has a corresponding offset. For example, taking a String table as an example, the String table records the offset from the beginning of the DEX file to each String data, and fixes 4 bytes of one record, the original operand 0300 of the original dalvik instruction 1a 080300 points to the 3 rd String, and to obtain the 3 rd String, the offset of the record at the 3 × 4 position is first obtained, and then the corresponding String stored in the String table is located according to the offset.
In a specific embodiment, the step of generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction in step S4 specifically includes:
s41, acquiring a method ID corresponding to the virtual dalvik instruction in the instruction table;
and S42, generating an entrance instruction for calling the virtual machine resolver according to the method ID.
Specifically, after the virtual dalvik instructions are stored in a pre-created instruction list of the virtual machine, each virtual dalvik instruction has a corresponding method ID, the method ID corresponding to the virtual dalvik instruction needing to be subjected to virtualization encryption is obtained, an entry instruction of a resolver of the virtual machine is generated according to the method ID, then the corresponding original dalvik instruction in the DEX file is cleared, and the entry instruction of the resolver of the virtual machine is injected into the storage position of the original dalvik instruction in the DEX file, so that the virtual machine can be called to execute the dalvik instruction by calling the entry instruction of the resolver of the virtual machine when the application runs. By calling the virtual machine to execute the dalvik instruction, a translator can decompile the DEX file to obtain the original code, and the safety of the DEX file is improved. For example, the original method in the DEX file is: void test () { a ═ a + 1; and the method after deleting the dalvik instruction is as follows: the method for injecting the virtual machine resolver entry instruction after void test () { } is as follows: void test () { ncall.iv (); v/when running method, start virtual machine engine }.
In a specific embodiment, step S4 is followed by:
s51, executing the virtual machine parser entry calling instruction;
and S52, calling the virtual machine to execute the virtual dalvik instruction according to the calling virtual machine resolver entrance instruction.
Further, after replacing the dalvik instruction in the DEX file with a calling virtual machine parser entry instruction, the virtual machine can be called to execute the virtual dalvik instruction by executing the calling virtual machine parser entry instruction. When the virtual machine executes the virtual dalvik instruction, firstly, the virtual dalvik instruction needing to be executed is determined according to the method ID carried in the entry instruction of the calling virtual machine resolver, the virtual operation code and the virtual operand of the virtual dalvik instruction are analyzed, the operation of the virtual dalvik instruction and the instruction data needed by the execution operation are obtained, and the instruction execution result is returned.
In order to better understand the technology of the present invention, the present invention further provides a specific application example, as shown in fig. 2, which specifically includes the following steps:
Based on the above embodiments, the present invention further provides a computer device, whose functional block diagram may be as shown in fig. 3. The computer device comprises a processor, a memory, a network interface, a display screen and a temperature sensor which are connected through a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a DEX file virtualization encryption method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the temperature sensor of the computer equipment is arranged in the computer equipment in advance and used for detecting the current operating temperature of the internal equipment.
It will be appreciated by those skilled in the art that the schematic block diagram shown in fig. 3 is only a block diagram of a portion of the structure associated with the inventive arrangements and does not constitute a limitation of the computing devices to which the system of the inventive arrangements may be applied, and that a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor when executing the computer program implementing at least the following steps:
acquiring an original dalvik instruction in the DEX file; wherein the original dalvik instruction includes an original opcode and an original operand;
encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction;
storing the virtual dalvik instruction into a pre-established instruction table of a virtual machine, and modifying a data call path of the virtual dalvik instruction according to a data table of the virtual machine; the data table stores virtual instruction data required by the execution of the virtual dalvik instruction;
and generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction, and replacing the original dalvik instruction in the DEX file with the entry instruction for calling the virtual machine parser so as to realize the virtualized encryption of the DEX file.
In one embodiment, the processor, when executing the computer program, may further implement: analyzing the DEX file, and traversing to obtain code _ item data structures of all methods in the DEX file; and resolving an insns field from the code _ item data structure, and acquiring an original dalvik instruction according to the insns field.
In one embodiment, the processor, when executing the computer program, may further implement: acquiring a virtual operation code corresponding to an original operation code of the original dalvik instruction in the instruction substitution table; and replacing the original operation code of the original dalvik instruction with the virtual operation code to generate a virtual dalvik instruction.
In one embodiment, the processor, when executing the computer program, may further implement: acquiring a virtual operand corresponding to the virtual instruction data in a data table of the virtual machine; replacing original operands of the virtual dalvik instruction with the virtual operands.
In one embodiment, the processor, when executing the computer program, may further implement: acquiring original instruction data required by the execution of the original dalvik instruction; and storing the original instruction data into a data table of the virtual machine to form virtual instruction data required by the virtual dalvik instruction execution.
In one embodiment, the processor, when executing the computer program, may further implement: determining an offset according to an original operand of the original dalvik instruction; and acquiring original instruction data required by the execution of the original dalvik instruction according to the offset.
In one embodiment, the processor, when executing the computer program, may further implement: acquiring a method ID corresponding to the virtual dalvik instruction in the instruction table; and generating an entrance instruction for calling the virtual machine resolver according to the method ID.
In one embodiment, the processor, when executing the computer program, may further implement: executing the calling virtual machine resolver inlet instruction; and calling the virtual machine to execute the virtual dalvik instruction according to the calling virtual machine resolver inlet instruction.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, databases, or other media used in embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
In summary, the present invention provides a DEX file virtualization encryption method, a computer device, and a storage medium, where the method includes: acquiring an original dalvik instruction in the DEX file; encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction; storing the virtual dalvik instruction into a pre-established instruction table of a virtual machine, and modifying a data call path of the virtual dalvik instruction according to a data table of the virtual machine; and generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction, and replacing the original dalvik instruction in the DEX file with the entry instruction for calling the virtual machine parser. The method saves the dalvik instruction in the DEX file and the instruction data required by the execution of the dalvik instruction in the pre-created virtual machine, relieves the dependence of the dalvik instruction on the DEX file, ensures that the execution of the dalvik instruction cannot be influenced no matter whether the DEX file is subjected to secondary compilation or not, calls the virtual machine to execute the dalvik instruction by calling the virtual machine resolver inlet instruction, avoids decoding the instruction in a memory, cannot acquire the plaintext data of the instruction in a memory DUMP mode, and improves the safety of the DEX file.
It is to be understood that the system of the present invention is not limited to the above examples, and that modifications and variations may be made by one of ordinary skill in the art in light of the above teachings, and all such modifications and variations are intended to fall within the scope of the appended claims.
Claims (10)
1. A DEX file virtualization encryption method is characterized by comprising the following steps:
acquiring an original dalvik instruction in the DEX file; wherein the original dalvik instruction includes an original opcode and an original operand;
encrypting the original dalvik instruction according to a pre-generated instruction substitution table to generate a virtual dalvik instruction;
storing the virtual dalvik instruction into a pre-established instruction table of a virtual machine, and modifying a data call path of the virtual dalvik instruction according to a data table of the virtual machine; the data table stores virtual instruction data required by the execution of the virtual dalvik instruction;
and generating an entry instruction for calling a virtual machine parser according to the virtual dalvik instruction, and replacing the original dalvik instruction in the DEX file with the entry instruction for calling the virtual machine parser so as to realize the virtualized encryption of the DEX file.
2. The DEX file virtualization encryption method of claim 1, wherein the step of obtaining original dalvik instructions in the DEX file comprises:
analyzing the DEX file, and traversing to obtain code _ item data structures of all methods in the DEX file;
and resolving an insns field from the code _ item data structure, and acquiring an original dalvik instruction according to the insns field.
3. The method for DEX file virtualization encryption of claim 1, wherein the step of encrypting the original dalvik instructions according to a pre-generated instruction substitution table, generating virtual dalvik instructions comprises:
acquiring a virtual operation code corresponding to an original operation code of the original dalvik instruction in the instruction substitution table;
and replacing the original operation code of the original dalvik instruction with the virtual operation code to generate a virtual dalvik instruction.
4. The DEX file virtualization encryption method of claim 1, wherein the step of modifying the data call path of the virtual dalvik instruction according to the data table of the virtual machine comprises:
acquiring a virtual operand corresponding to the virtual instruction data in a data table of the virtual machine;
replacing original operands of the virtual dalvik instruction with the virtual operands.
5. The DEX file virtualization encryption method of claim 4, wherein the step of modifying the data call path of the virtual dalvik instruction according to the data table of the virtual machine is preceded by:
acquiring original instruction data required by the execution of the original dalvik instruction;
and storing the original instruction data into a data table of the virtual machine to form virtual instruction data required by the virtual dalvik instruction execution.
6. The DEX file virtualization encryption method of claim 5, wherein the step of obtaining original instruction data required for the execution of the original dalvik instructions comprises:
determining an offset according to an original operand of the original dalvik instruction;
and acquiring original instruction data required by the execution of the original dalvik instruction according to the offset.
7. The DEX file virtualization encryption method of claim 1, wherein the step of generating a call virtual machine parser entry instruction from the virtual dalvik instruction comprises:
acquiring a method ID corresponding to the virtual dalvik instruction in the instruction table;
and generating an entrance instruction for calling the virtual machine resolver according to the method ID.
8. The DEX file virtualization encryption method of claim 1, wherein the step of replacing the original dalvik instructions in the DEX file with the call virtual machine parser entry instructions is followed by:
executing the calling virtual machine resolver inlet instruction;
and calling the virtual machine to execute the virtual dalvik instruction according to the calling virtual machine resolver inlet instruction.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the DEX file virtualization encryption method according to any of claims 1 to 8.
10. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the DEX file virtualization encryption method according to any of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010776466.6A CN112052460A (en) | 2020-08-05 | 2020-08-05 | DEX file virtualization encryption method, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010776466.6A CN112052460A (en) | 2020-08-05 | 2020-08-05 | DEX file virtualization encryption method, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112052460A true CN112052460A (en) | 2020-12-08 |
Family
ID=73602222
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010776466.6A Pending CN112052460A (en) | 2020-08-05 | 2020-08-05 | DEX file virtualization encryption method, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112052460A (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106960141A (en) * | 2016-01-08 | 2017-07-18 | 阿里巴巴集团控股有限公司 | Coding, coding/decoding method and the device of virtual machine instructions, virtual machine protection system |
| CN107729725A (en) * | 2017-10-09 | 2018-02-23 | 南京南瑞集团公司 | A kind of Android applications hardened system and method based on virtual machine instructions modification |
| CN108681457A (en) * | 2018-05-11 | 2018-10-19 | 西北大学 | The Android application program guard methods explained with residual code based on code sinking |
| CN108733379A (en) * | 2018-05-28 | 2018-11-02 | 常熟理工学院 | The Android application reinforcement means that mapping is obscured is detached based on DEX bytecodes |
| CN109189470A (en) * | 2018-08-21 | 2019-01-11 | 北京奇虎科技有限公司 | Code reinforcement means and device |
| CN109697339A (en) * | 2017-10-20 | 2019-04-30 | 南京理工大学 | A kind of Android application method for security protection based on dynamic virtual instruction map |
-
2020
- 2020-08-05 CN CN202010776466.6A patent/CN112052460A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106960141A (en) * | 2016-01-08 | 2017-07-18 | 阿里巴巴集团控股有限公司 | Coding, coding/decoding method and the device of virtual machine instructions, virtual machine protection system |
| CN107729725A (en) * | 2017-10-09 | 2018-02-23 | 南京南瑞集团公司 | A kind of Android applications hardened system and method based on virtual machine instructions modification |
| CN109697339A (en) * | 2017-10-20 | 2019-04-30 | 南京理工大学 | A kind of Android application method for security protection based on dynamic virtual instruction map |
| CN108681457A (en) * | 2018-05-11 | 2018-10-19 | 西北大学 | The Android application program guard methods explained with residual code based on code sinking |
| CN108733379A (en) * | 2018-05-28 | 2018-11-02 | 常熟理工学院 | The Android application reinforcement means that mapping is obscured is detached based on DEX bytecodes |
| CN109189470A (en) * | 2018-08-21 | 2019-01-11 | 北京奇虎科技有限公司 | Code reinforcement means and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109643343B (en) | Kernel-based detection of target application functions using virtual address mapping | |
| US11507671B1 (en) | Detection and healing of vulnerabilities in computer code | |
| Zhang et al. | VTint: Protecting Virtual Function Tables' Integrity. | |
| CN108090346B (en) | Code multiplexing attack defense method and system based on data flow monitoring | |
| US10846101B2 (en) | Method and system for starting up application | |
| CN107480476B (en) | Android native layer instruction compiling virtualization shell adding method based on ELF infection | |
| CN114154190A (en) | Managing sensitive production data | |
| CN104798075A (en) | Application randomization | |
| CN109271789B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| Besson et al. | A concrete memory model for CompCert | |
| CN115017058B (en) | Test method and device of kernel module, electronic equipment and storage medium | |
| US9129137B2 (en) | Method, computer program and device for providing security for intermediate programming code for its execution by a virtual machine | |
| Yoon et al. | Pift: Predictive information-flow tracking | |
| CN115659333A (en) | Sandbox based on binary instrumentation, memory isolation method and storage medium | |
| CN112882694A (en) | Program compiling method and device, electronic equipment and readable storage medium | |
| Choi et al. | Reusable inline caching for JavaScript performance | |
| KR20210024161A (en) | Method for analysis of source texts | |
| CN110597496B (en) | Method and device for acquiring bytecode file of application program | |
| US8935781B1 (en) | Native code module security for arm 64-bit instruction set architectures | |
| CN111931191A (en) | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform | |
| CN112052460A (en) | DEX file virtualization encryption method, computer equipment and storage medium | |
| Stepan | Defeating polymorphism: beyond emulation | |
| US11256786B2 (en) | Method to secure a software code | |
| US20220308991A1 (en) | Test processing method and information processing apparatus | |
| Guo et al. | A survey of obfuscation and deobfuscation techniques in android code protection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |