Android DEX shelling

1. What is shelling? Shell is to implant a piece of code in a binary program. It gives priority to program control during running and does some additional work. Most viruses are based on this principle. The process of shelling a pc exe file is as follows: 2. A program with shelling can effectively block disassembly analysis of the program to achieve its ulterior motives. This technology is also commonly used to protect software copyrights and prevent software cracking. Iii. Principle of shelling Android Dex files PC platforms now have a large number of standard shelling and shelling tools, but Android, as a new platform, has not yet seen Dex shelling tools. The extensive use of Android Dex files makes it difficult to add shells. However, in theory, it is also feasible to add Android Dex shells. In this process, there are three roles involved: 1. Shelling program: encrypting the source program as the shell data, assembling the shell program and shell data DEX file 2. Shelling program: decrypts shell data and dynamically loads the data through DexClassLoader during runtime. 3. source program: protected code that requires shell processing. different distribution of shell data in DEX files is achieved based on the shelling program, this article introduces the implementation principles of two Android Dex shelling methods. (1) shelling data is located at the end of the shelling program file. This method is simple and practical. The combined DEX file structure is as follows. Working Process of the shell program: 1. encrypt the DEX file of the source program as the shell data 2. Write the shell data to the end of the Dex file of the shell program, and add the shell data size at the end of the file. 3. Modify the checksum, signature, and file_size headers in the DEX header of the shelling program. 4. Modify the AndroidMainfest. xml file of the source program, and modify the program entry Activity as the program entry Activity. Working Process of the DEX program: 1. Read the data at the end of the DEX file to obtain the length of the backdoor data. 2. Read the shell data from the DEX file and decrypt the shell data. Save and decrypt data in file form to a. dex 3. dynamically load a. dex through DexClassLoader, and start the source program entry Activity. (2) It is relatively complicated to deshell the data in the file header of the program. after merging, The DEX file structure is as follows: Working Process of the shelling program: 1. encrypt the DEX file of the source program as the shell data. 2. Calculate the shell Data Length, add the length to the end of the DEX file header, and continue the shell data to the end of the file header. (The data is inserted at 0x70) 3. Modify the checksum, signature, file_size, header_size, string_ids_off, type_ids_off, proto_ids_off, field_ids_off, method_ids_off, class_defs_off, and data_off items in the DEX header. Analyze the map_off data and modify the data offset. 4. Modify the AndroidMainfest. xml file of the source program, and modify the program entry Activity as the program entry Activity. Working Process of the DEX program: 1. Read the data length from 0x70. 2. Read the shell data from the DEX file and decrypt the shell data. Save and decrypt data in file form to a. dex 3. dynamically load a. dex through DexClassLoader, and start the source program entry Activity.