CN112765608A - Target apk source code acquisition method, electronic device and medium - Google Patents

Info

Publication number: CN112765608A
Authority: CN (China)
Prior art keywords: dex file, memory, target apk, dex, apk
Legal status: Granted
Application number: CN202110074673.1A
Other languages: Chinese (zh)
Other versions: CN112765608B (en)
Inventors: 董霖, 方毅, 叶新江, 徐啟东, 周程
Current Assignee: Merit Interactive Co Ltd
Original Assignee: Merit Interactive Co Ltd
Application filed by Merit Interactive Co Ltd
Priority to CN202110074673.1A
Publication of CN112765608A
Application granted
Publication of CN112765608B
Status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a target apk source code acquisition method, an electronic device and a medium. The method comprises: step S1, using a pre-configured first hook function to detect whether a preset callback function of the target apk has been executed, and if so, executing step S2; step S2, traversing the memory space in which the target apk runs and acquiring all dex files in that memory that match a preset bytecode feature, to form a first dex file set; step S3, obtaining the hash value of each dex file in the first dex file set and judging whether it belongs to a preset Android system framework hash value set, and if so, deleting the corresponding dex file from the first dex file set, to obtain a second dex file set; and step S4, decompiling each dex file in the second dex file set to obtain the source code corresponding to the target apk. The invention can quickly and accurately acquire the source code from a reinforced APK to be detected.

Description

Target apk source code acquisition method, electronic device and medium
Technical Field
The invention relates to the technical field of computers, in particular to a target apk source code acquisition method, electronic equipment and a medium.
Background
With the rapid development of Android technology, a large number of Android installation packages (APKs for short) have been developed. To prevent an APK from being disassembled and analyzed, most APKs are reinforced (hardened) by a reinforcement program before they are published for users to download. As the number of APKs grows, however, a large number of risky APKs also appear, so APKs need to undergo risk detection, which requires security analysis of the source code of the APK to be detected. For a reinforced APK to be detected, the corresponding source code cannot be acquired directly. How to acquire the source code of a reinforced APK to be detected has therefore become an urgent technical problem.
Disclosure of Invention
The invention aims to provide a target APK source code obtaining method, electronic equipment and a medium, which can quickly and accurately obtain a source code from a reinforced APK to be detected.
According to a first aspect of the present invention, a target apk source code obtaining method is provided, including:
step S1, using a pre-configured first hook function to detect whether a preset callback function of a target APK has been executed, and if so, executing step S2, wherein the target APK is a reinforced APK to be detected, a reinforcement program runs while the target APK runs, and the reinforcement program releases the source code of the target APK into the memory space in which the target APK runs, where it is executed;
step S2, traversing the memory space in which the target apk runs and acquiring all dex files in that memory that match a preset bytecode feature, to form a first dex file set, wherein the preset bytecode feature is a code segment within a dex file that uniquely identifies it as a dex file, the memory space in which the target apk runs is an independent memory space, and both the process of the target apk and the Android system framework process run in it;
step S3, obtaining a hash value of each dex file in the first dex file set, and judging whether the hash value of each dex file in the first dex file set belongs to a preset android system framework hash value set, if so, deleting a corresponding dex file from the first dex file set to obtain a second dex file set;
and step S4, performing decompiling based on each dex file in the second dex file set to obtain a source code corresponding to the target apk.
According to a second aspect of the present invention, there is provided an electronic apparatus comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of the first aspect of the invention.
According to a third aspect of the invention, there is provided a computer-readable storage medium storing computer instructions for performing the method of the first aspect of the invention.
Compared with the prior art, the invention has obvious advantages and beneficial effects. By means of the technical scheme, the target apk source code obtaining method, the electronic equipment and the medium provided by the invention can achieve considerable technical progress and practicability, have wide industrial utilization value and at least have the following advantages:
the invention can quickly and accurately acquire the source code from the reinforced APK to be detected.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical means of the present invention more clearly understood, the present invention may be implemented in accordance with the content of the description, and in order to make the above and other objects, features, and advantages of the present invention more clearly understood, the following preferred embodiments are described in detail with reference to the accompanying drawings.
Drawings
Fig. 1 is a flowchart of a target apk source code acquisition method according to an embodiment of the present invention.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined objects, the following detailed description will be given to specific embodiments and effects of a target apk source code acquisition method, an electronic device and a medium according to the present invention, with reference to the accompanying drawings and preferred embodiments.
The embodiment of the invention provides a target apk source code acquisition method, which comprises the following steps as shown in figure 1:
step S1, detecting whether a preset callback function of the target apk is executed or not by adopting a first hook function which is configured in advance, and if yes, executing step S2;
The first hook function is used to detect whether the preset callback function of the target apk has been executed, which determines the point in time at which traversal of the memory space in which the target apk runs is triggered. Once the preset callback function has executed, the dex files of the target apk have all been loaded into the memory space in which the target apk runs, so step S2 can be triggered by execution of the preset callback function. As an example, the preset callback function may be the attachBaseContext function of the Application class, the onCreate function of the Application class, or the onCreate function of an Activity. Preferably, the first callback function, the attachBaseContext function of the Application class, is used as the preset callback function, which improves the efficiency of acquiring the dex files of the target apk.
The target apk is a reinforced apk to be detected. A reinforcement program runs while the target apk runs; it releases the source code of the target apk into the memory space in which the target apk runs, where it is executed. The source code of the target apk is released and loaded mainly in one of two ways. In the first, the original encrypted file is decrypted into a file directory, the storage path is obtained, and the Android code loader loads the file from that storage path into the memory space in which the target apk runs. In the second, the code is parsed and stored directly in system memory, and is then imported from system memory into the memory space in which the target apk runs through an internal method of the Android virtual machine.
Step S2, traversing the memory space of the target apk operation, and acquiring all dex files corresponding to preset byte code characteristics in the memory of the target apk operation to form a first dex file set;
A dex file is an executable file on the Android platform. Each apk installation package contains one or more dex files, which contain all of the apk's source code; the corresponding Java source code can be obtained from them with a decompilation tool. The preset bytecode feature is a code segment within a dex file that uniquely identifies it as a dex file, so all dex files in the memory space in which the target apk runs can be obtained through the preset bytecode feature. The memory space in which the target apk runs is an independent memory space, that is, it is isolated from other apks. While an application runs, the classes and methods of the Android system framework must be loaded in addition to the application's own classes and methods, so both the process of the target apk and the Android system framework process run in that memory space. The first dex file set therefore contains both the dex files of the target apk and the dex files of the Android system framework, and the latter can be filtered out in step S3.
Step S3, obtaining a hash value of each dex file in the first dex file set, and judging whether the hash value of each dex file in the first dex file set belongs to a preset android system framework hash value set, if so, deleting a corresponding dex file from the first dex file set to obtain a second dex file set;
The hash values of the dex files of the Android system framework can be obtained in advance and used to construct the Android system framework hash value set.
And step S4, performing decompiling based on each dex file in the second dex file set to obtain a source code corresponding to the target apk.
Specifically, each dex file in the second dex file set can be decompiled by using an existing decompilation tool, and a description thereof is omitted here.
The embodiment of the invention can quickly and accurately acquire the source code from the reinforced APK to be detected, and provides a foundation for APK security detection.
As an example, the step S2 includes:
step S21, traversing the memory space of the target apk operation, and acquiring the file header information of the dex file corresponding to each preset bytecode feature in the memory of the target apk operation;
step S22, parsing a corresponding header memory start address and a size of a dex file from header information corresponding to each of the predetermined bytecode features;
step S23, determining the memory start address of the file header as the start position corresponding to the dex file, and determining the memory end address of the dex file based on the start position of each dex file and the size of the dex file;
step S24, obtaining codes between the memory start address and the memory end address of the dex file corresponding to all the preset bytecode characteristics, storing the codes as corresponding dex files, and forming the dex files corresponding to all the preset bytecode characteristics into the first dex file set.
As an embodiment, the preset bytecode feature is a preset Magic number. The Magic number identifies the file type, and the Magic numbers of all dex files in the memory space in which the target apk runs are the same, so the dex files of the target apk and the dex files of the Android system framework can both be obtained through the preset Magic number, and the dex files of the Android system framework are then filtered out in step S3. Using the preset Magic number as the preset bytecode feature to obtain the dex files of the target APK is simple and fast, and searching for the Magic number also finds dex files of the target APK that reside in a data area and have not been loaded into a code area. However, with some reinforcement methods, when the source code of the target APK is released into the memory space in which the target APK runs, the Magic number of some or all of the dex files may be changed to another value; in that case the dex files of the target APK whose Magic number has been changed may not be obtained. Therefore, before step S4, the following steps may be provided:
step S101, detecting whether a memory code loading process of a target apk is executed or not by adopting a second hook function which is configured in advance, and if so, acquiring a corresponding memory address and a corresponding memory size in each target apk memory code loading process;
The second hook function is configured specifically according to the Android system version and the device firmware type.
Step S102, acquiring a corresponding dex file based on each target apk memory address and memory size.
It should be noted that the two sets of logic, steps S101 to S102 and steps S1 to S3, may be executed in parallel. Each obtains dex files of the target apk, and the results of the two are finally merged. During parallel execution it is not known whether the Magic number of a dex file obtained through steps S101 to S102 has been changed, so a step S103 may be added before step S4, in which the Magic number corresponding to each target apk memory code is updated to the preset Magic number. As an embodiment, step S103 may be incorporated directly into step S101, that is, the Magic number corresponding to each target apk memory code is updated to the preset Magic number while the memory address and memory size of each target apk memory code loading flow are being obtained. Step S103 may also be provided between step S101 and step S102.
The process of merging the dex files of the corresponding target apk respectively obtained by the two sets of logics of step S101 to step S102 and step S1 to step S3 is described in detail below by two specific embodiments.
Embodiment 1
Between step S3 and step S4, the method further includes:
step S301, storing all the dex files obtained in step S102 into the second dex file set and removing duplicate dex files.
The second dex file set is updated through the step S301, so that the dex files of the target apk in the second dex file set are more comprehensive and reliable.
Embodiment 2
In step S2, the dex file corresponding to each preset bytecode feature is named by its memory start address, and between step S3 and step S4 the method further includes:
step S112, acquiring the initial address of each target apk memory code;
step S113, judging whether the initial address of each target apk memory code exists in the corresponding name information set of the dex file in the second dex file set, if not, executing step S114;
step S114, obtaining a corresponding code segment based on the target apk memory address and the memory size, naming the code segment with the start address of the target apk memory, obtaining a dex file corresponding to the target apk, and storing the dex file into the second dex file set.
The judgment is made on the start address of the target apk memory code: when that start address already exists in the name information set of the dex files in the second dex file set, the second dex file set already stores the corresponding dex file, so the dex file is not acquired again. This reduces the amount of computation and improves the efficiency of acquiring the target apk source code.
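The carving of step S2 (S21 onward), the hash filter of step S3, and the merge of steps S101 to S103 with Embodiment 2, as an added Python example that is not code from the patent: it works on a memory image already captured as bytes and uses the standard dex header layout (file_size at 0x20, header_size at 0x24, endian_tag at 0x28). SHA-256 as the hash and version 035 as the preset Magic number are assumptions, and the memory image, base address and loader regions are constructed sample data.

```python
import hashlib
import re
import struct
import zlib

PRESET_MAGIC = b"dex\n035\x00"               # assumed "preset Magic number"
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")
HEADER_SIZE = 0x70                           # fixed dex header length
ENDIAN_CONSTANT = 0x12345678                 # endian_tag of a little-endian dex


def header_file_size(image, start):
    """S22: file_size from the header at `start`, or None if implausible."""
    if start + HEADER_SIZE > len(image):
        return None
    file_size, header_size, endian_tag = struct.unpack_from("<III", image, start + 0x20)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    if file_size < HEADER_SIZE or start + file_size > len(image):
        return None
    return file_size


def carve_by_magic(image, base=0):
    """S2: carve each validated dex image, keyed (named) by its start address."""
    found = {}
    for match in DEX_MAGIC_RE.finditer(image):
        size = header_file_size(image, match.start())
        if size is not None:
            found[base + match.start()] = image[match.start():match.start() + size]
    return found


def drop_framework(dex_set, framework_hashes):
    """S3: discard dex files whose hash is in the framework hash set."""
    return {addr: data for addr, data in dex_set.items()
            if hashlib.sha256(data).hexdigest() not in framework_hashes}


def merge_loader_regions(image, regions, dex_set, base=0):
    """S101-S103 with S112-S114: add regions the magic scan did not find."""
    merged = dict(dex_set)
    for addr, size in regions:
        off = addr - base
        if addr in merged:                   # S113: already stored under this name
            continue
        if off < 0 or size < HEADER_SIZE or off + size > len(image):
            continue                         # region not inside the captured image
        merged[addr] = PRESET_MAGIC + image[off + 8:off + size]  # S103: restore magic
    return merged


def checksum_ok(dex):
    """The header Adler-32 covers every byte after the checksum field."""
    (stored,) = struct.unpack_from("<I", dex, 8)
    return stored == zlib.adler32(dex[12:])


def make_dex(payload, magic=PRESET_MAGIC):
    """Constructed header-plus-payload blob standing in for a real dex."""
    size = HEADER_SIZE + len(payload)
    body = struct.pack("<III", size, HEADER_SIZE, ENDIAN_CONSTANT)
    body += bytes(HEADER_SIZE - 0x20 - len(body)) + payload
    tail = hashlib.sha1(body).digest() + body     # signature, then the rest
    return magic + struct.pack("<I", zlib.adler32(tail)) + tail


def demo():
    """Constructed image: framework dex, decoy, app dex, wiped-magic dex."""
    base = 0x70000000
    blobs = {
        "framework": make_dex(b"framework-classes"),
        "decoy": PRESET_MAGIC + b"\xff" * 200,    # magic bytes, nonsense header
        "app": make_dex(b"app-classes-1"),
        "hidden": make_dex(b"app-classes-2", magic=b"\x00" * 8),
    }
    image, layout = b"", {}
    for name, blob in blobs.items():
        image += b"\xcc" * 64
        layout[name] = base + len(image)
        image += blob
    framework_hashes = {hashlib.sha256(blobs["framework"]).hexdigest()}
    # Regions as a loader hook would have reported them (constructed values).
    regions = [(layout[n], len(blobs[n])) for n in ("app", "hidden")]
    first_set = carve_by_magic(image, base)
    second_set = drop_framework(first_set, framework_hashes)
    final = merge_loader_regions(image, regions, second_set, base)
    return layout, first_set, final


if __name__ == "__main__":
    layout, first_set, final = demo()
    for addr, data in sorted(final.items()):
        print(f"{addr:#x}.dex size={len(data)} checksum_ok={checksum_ok(data)}")
```

The header checksum does not cover the magic bytes, so writing the preset Magic number back in step S103 leaves the checksum of the carved file valid.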
It should be noted that some exemplary embodiments of the present invention are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. A process may be terminated when its operations are completed, but may have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc.
An embodiment of the present invention further provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions configured to perform a method according to an embodiment of the invention.
An embodiment of the invention also provides a computer-readable storage medium storing computer instructions for executing the method of the embodiment of the invention.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method for acquiring a target apk source code is characterized by comprising the following steps:
step S1, using a pre-configured first hook function to detect whether a preset callback function of a target APK has been executed, and if so, executing step S2, wherein the target APK is a reinforced APK to be detected, a reinforcement program runs while the target APK runs, and the reinforcement program releases the source code of the target APK into the memory space in which the target APK runs, where it is executed;
step S2, traversing the memory space in which the target apk runs and acquiring all dex files in that memory that match a preset bytecode feature, to form a first dex file set, wherein the preset bytecode feature is a code segment within a dex file that uniquely identifies it as a dex file, the memory space in which the target apk runs is an independent memory space, and both the process of the target apk and the Android system framework process run in it;
step S3, obtaining a hash value of each dex file in the first dex file set, and judging whether the hash value of each dex file in the first dex file set belongs to a preset android system framework hash value set, if so, deleting a corresponding dex file from the first dex file set to obtain a second dex file set;
and step S4, performing decompiling based on each dex file in the second dex file set to obtain a source code corresponding to the target apk.
2. The method of claim 1,
the preset callback function is the attachBaseContext function of the Application class.
3. The method of claim 1,
the step S2 includes:
step S21, traversing the memory space of the target apk operation, and acquiring the file header information of the dex file corresponding to each preset bytecode feature in the memory of the target apk operation;
step S22, parsing a corresponding header memory start address and a size of a dex file from header information corresponding to each of the predetermined bytecode features;
step S23, determining the memory start address of the file header as the start position corresponding to the dex file, and determining the memory end address of the dex file based on the start position of each dex file and the size of the dex file;
step S24, obtaining codes between the memory start address and the memory end address of the dex file corresponding to all the preset bytecode characteristics, storing the codes as corresponding dex files, and forming the dex files corresponding to all the preset bytecode characteristics into the first dex file set.
4. The method according to any one of claims 1 to 3,
the preset bytecode feature is a preset Magic number.
5. The method of claim 4,
before the step S4, the method further includes:
step S101, detecting whether a memory code loading process of a target apk is executed or not by adopting a pre-configured second hook function, if so, acquiring a corresponding memory address and a corresponding memory size in each target apk memory code loading process, wherein the second hook function is configured according to an android system version and a device firmware type;
step S102, acquiring a corresponding dex file based on each target apk memory address and memory size.
6. The method of claim 5,
before step S4, the method further includes step S103, updating the Magic number corresponding to each target apk memory code to the preset Magic number.
7. The method of claim 6,
between step S3 and step S4, the method further includes:
step S301, storing all the dex files obtained in step S102 into the second dex file set and removing duplicate dex files.
8. The method of claim 6,
in step S2, the dex file corresponding to each preset bytecode feature is named by its memory start address, and between step S3 and step S4 the method further includes:
step S112, acquiring the initial address of each target apk memory code;
step S113, judging whether the initial address of each target apk memory code exists in the corresponding name information set of the dex file in the second dex file set, if not, executing step S114;
step S114, obtaining a corresponding code segment based on the target apk memory address and the memory size, naming the code segment with the start address of the target apk memory, obtaining a dex file corresponding to the target apk, and storing the dex file into the second dex file set.
9. An electronic device, comprising:
at least one processor;
and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1-8.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method of any of the preceding claims 1-8.
CN202110074673.1A 2021-01-20 2021-01-20 Target apk source code acquisition method, electronic equipment and medium Active CN112765608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110074673.1A CN112765608B (en) 2021-01-20 2021-01-20 Target apk source code acquisition method, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110074673.1A CN112765608B (en) 2021-01-20 2021-01-20 Target apk source code acquisition method, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN112765608A true CN112765608A (en) 2021-05-07
CN112765608B CN112765608B (en) 2023-05-12

Family

ID=75703506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110074673.1A Active CN112765608B (en) 2021-01-20 2021-01-20 Target apk source code acquisition method, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN112765608B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317625A (en) * 2014-11-09 2015-01-28 刘鹏 Dynamic loading method for APK files
CN104317950A (en) * 2014-11-07 2015-01-28 中国农业银行股份有限公司 Conformance check method and device of codes
WO2016078130A1 (en) * 2014-11-18 2016-05-26 刘鹏 Dynamic loading method for preventing reverse of apk file
CN105740661A (en) * 2014-12-11 2016-07-06 中国移动通信集团公司 Method and device for protecting application program
CN106203120A (en) * 2016-07-15 2016-12-07 北京邮电大学 A kind of multiple spot Hook reverse method for Android reinforcement application
CN110232262A (en) * 2019-06-17 2019-09-13 中金金融认证中心有限公司 A kind of reinforcement means and system of Android application

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113805892A (en) * 2021-09-17 2021-12-17 杭州云深科技有限公司 Abnormal APK (android Package) identification method, electronic equipment and readable storage medium
CN113805892B (en) * 2021-09-17 2024-04-05 杭州云深科技有限公司 Abnormal APK identification method, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN112765608B (en) 2023-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant