How to Prevent Android App Code Theft

Source: Internet
Author: User


In the previous article, we discussed packing (shell adding) as an apk anti-decompilation technique. If you have not read it, see my previous blog post: http://my.oschina.net/u/2323218/blog/393372. This article introduces another technique for hindering apk decompilation: modifying bytecode at runtime. We came across the method in a foreign article on Android security implementation while implementing app wrapping at work, and describe it below.

We know that all the class files generated from the Java source are merged into a single classes.dex file by the dx command when the apk is built. When the apk runs, the dalvik virtual machine loads classes.dex and uses the dexopt command to optimize it further into an odex file. Our method is to modify the dalvik instructions during this process to achieve our goal.



I. dex File Format

The dex file format consists of seven main parts and data areas. The format is as follows:


The header part records the main information. The other part is the index, and the index content exists in the data area.

The Header structure is as follows:

One advantage of dex over class files is that it manages all constant strings in one shared pool, which reduces redundancy and the final size of the dex file. For details about the dex format, refer to dex-format.html in the dalvik/docs directory of the Android source code. However, I remember that this file was unavailable after Android 4.0.

According to the dex file format structure above, the bytecode that the dalvik virtual machine executes when running the dex file exists in the method_ids area. The dalvik virtual machine source code defines the following structure:

struct DexCode {
    u2 registersSize;
    u2 insSize;
    u2 outsSize;
    u2 triesSize;
    u4 debugInfoOff;   /* file offset to debug info stream */
    u4 insnsSize;      /* size of the insns array, in u2 units */
    u2 insns[1];
    /* followed by optional u2 padding */
    /* followed by try_item[triesSize] */
    /* followed by uleb128 handlersSize */
    /* followed by catch_handler_item[handlersSize] */
};

In this structure, the insns array stores the dalvik bytecode. We only need to locate the DexCode data segment of the relevant class method, and then we can modify the insns array to achieve our goal.

 

II. odex File Format

 

When an apk is installed or started, dexopt generates the optimized odex file: classes.dex is extracted from the apk, processed by dexopt, and saved as /data/dalvik-cache/data@app@<package-name>-X.apk@classes.dex.

The odex file structure is as follows:

We found that the dex file is part of the optimized odex, and we only need to find the dex part from odex.

 

III. Method implementation

To modify the bytecode, you must first locate the code you want to change, which requires parsing the dex file. The dalvik source code parses dex files in dexDump.cpp, and our implementation is based on it to find the classes and methods we need. The specific steps are as follows:

(1) Find the odex file generated for our apk and obtain the address and size of its mapping in memory. The implementation code is as follows:

    void *base = NULL;
    int module_size = 0;
    char filename[512];

    // simple test code here!
    for (int i = 0; i < 2; i++) {
        // try <package>-1.apk, then <package>-2.apk
        snprintf(filename, sizeof(filename),
                 "/data/dalvik-cache/data@app@%s-%d.apk@classes.dex",
                 "com.android.dex", i + 1);
        base = get_module_base(-1, filename); // obtain the mapping address of the odex file in memory
        if (base != NULL) {
            break;
        }
    }
    module_size = get_module_size(-1, filename); // obtain the odex file size

(2) Determine the offset of the dex file within the odex so that the dex file can be parsed. The code is as follows:

    // search dex from odex
    void *dexBase = searchDexStart(base);
    if (checkDexMagic(dexBase) == false) {
        ALOGE("Error! invalid dex format at: %p", dexBase);
        return;
    }

(3) After finding the dex offset, parse the dex file to find the class containing the method we want to replace, find the method in that class, and return the DexCode struct corresponding to the method. Function implementation:

    static const DexCode *dexFindClassMethod(DexFile *dexFile, const char *clazz, const char *method)
    {
        DexClassData *classData = dexFindClassData(dexFile, clazz);
        if (classData == NULL) return NULL;
        const DexCode *code = dexFindMethodInsns(dexFile, classData, method);
        if (code != NULL) {
            dumpDexCode(code);
        }
        return code;
    }

(4) After finding DexCode, you can replace the instructions. The implementation is as follows:

    const DexCode *code =
        dexFindClassMethod(&gDexFile, "Lcom/android/dex/myclass;", "setflagHidden");
    const DexCode *code2 =
        dexFindClassMethod(&gDexFile, "Lcom/android/dex/myclass;", "setflag");

    // Both methods must exist, and the replacement must fit in the target's insns array.
    if (code != NULL && code2 != NULL && code->insnsSize <= code2->insnsSize) {
        // remap!!!!
        if (mprotect(base, module_size, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
            DexCode *pCode = (DexCode *)code2;
            // Modify!
            pCode->registersSize = code->registersSize;
            for (u4 k = 0; k < code->insnsSize; k++) {
                pCode->insns[k] = code->insns[k];
            }
            // restore the original protection
            mprotect(base, module_size, PROT_READ | PROT_EXEC);
        }
    }

Note: Because the dalvik instructions are modified at runtime and the process's memory mapping of the file is read-only, you need to call the mprotect function to change the mapping from read-only to read/write before modifying the instructions.
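Step (2) and the odex section rely on searchDexStart and checkDexMagic without showing them. The following is an added example, not code from the original article or from dalvik, of locating the dex inside a mapped odex with the bounds checks such a parser needs. The function names and the sample image are constructed for illustration; the header layout (8-byte "dey\n036\0" magic, then little-endian u4 dexOffset and dexLength) follows DexOptHeader in dalvik's libdex/DexFile.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ODEX_HEADER_SIZE 40u    /* magic[8] followed by eight u4 fields */
#define DEX_HEADER_SIZE  0x70u  /* fixed size of the dex header */

/* Little-endian u4 read that does not assume alignment. */
static uint32_t read_u4(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical counterpart of searchDexStart()/checkDexMagic(): returns the
 * embedded dex, or NULL when the header is malformed or points outside the mapping. */
static const uint8_t *search_dex_start(const uint8_t *base, size_t size, size_t *dex_len) {
    if (base == NULL || size < ODEX_HEADER_SIZE) return NULL;
    if (memcmp(base, "dey\n", 4) != 0 || base[7] != 0) return NULL;
    uint32_t off = read_u4(base + 8);    /* dexOffset */
    uint32_t len = read_u4(base + 12);   /* dexLength */
    if (off < ODEX_HEADER_SIZE || off > size) return NULL;
    if (len < DEX_HEADER_SIZE || len > size - off) return NULL;
    const uint8_t *dex = base + off;
    if (memcmp(dex, "dex\n", 4) != 0 || dex[7] != 0) return NULL;
    if (read_u4(dex + 0x24) != DEX_HEADER_SIZE) return NULL;  /* header_size field */
    *dex_len = len;
    return dex;
}

/* Constructed sample: a 40-byte odex header followed by a bare dex header. */
static size_t build_sample_odex(uint8_t *buf, size_t cap) {
    size_t total = ODEX_HEADER_SIZE + DEX_HEADER_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "dey\n036", 8);                     /* 7 chars + NUL */
    buf[8]  = ODEX_HEADER_SIZE;                     /* dexOffset, low byte */
    buf[12] = DEX_HEADER_SIZE;                      /* dexLength, low byte */
    memcpy(buf + ODEX_HEADER_SIZE, "dex\n035", 8);
    buf[ODEX_HEADER_SIZE + 0x24] = DEX_HEADER_SIZE; /* header_size, low byte */
    return total;
}

int main(void) {
    uint8_t img[256];
    size_t len = 0, n = build_sample_odex(img, sizeof img);
    const uint8_t *dex = search_dex_start(img, n, &len);
    printf("dex at offset %ld, length %zu\n", dex ? (long)(dex - img) : -1L, len);
    return 0;
}
```

Validating dexOffset and dexLength against the mapping size before dereferencing keeps a truncated or tampered odex from sending the later class and method lookups outside the mapped file.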

 

Based on the above description, I believe you have a certain understanding of the technology for modifying bytecode during runtime. Next we will explain another android apk anti-decompilation technology and look forward to your support. If you have any questions about the technology mentioned in this article and want to obtain the engineering source code of the technology mentioned in this Article



From: http://my.oschina.net/u/2323218/blog/396203



