In a previous article we discussed packing (shell) technology as one way of protecting an APK against decompilation; if anything there is unclear, see my earlier post http://my.oschina.net/u/2323218/blog/393372. Next we introduce another technique for protecting an APK against decompilation: modifying its bytecode at run time. I came across this method while working on an app-wrapping implementation; it is described in a foreign article on Android security, which is the original source. Let's take a look at the approach.
We know that all the class files compiled from an APK's Java code are combined into a single classes.dex file by the dx command; when the APK runs, the Dalvik VM loads classes.dex and dexopt further optimizes it into an odex file. Our approach is to modify the Dalvik instructions during this process to achieve our goal.
1. DEX file format
A dex file typically consists of seven main sections plus a data region, laid out as follows:
The header records the main information; the other sections are just indexes, and the contents they point to live in the data area.
The header section is structured as follows:
One advantage of dex over class files is that all constant strings are managed in a single shared pool, which reduces redundancy and makes the final dex file smaller. I won't go into the dex format in detail; if you are interested, the file dex-format.html in the dalvik/docs directory of the Android source describes it fully. As I recall, though, that file was no longer present after Android 4.0.
Given the dex format above, when the Dalvik VM runs a dex file it executes the bytecode of the methods indexed through the method_ids area. Looking at the Dalvik VM source code, we find the following structure:
struct DexCode {
    u2  registersSize;
    u2  insSize;
    u2  outsSize;
    u2  triesSize;
    u4  debugInfoOff;       /* file offset to debug info stream */
    u4  insnsSize;          /* size of the insns array, in u2 units */
    u2  insns[1];
    /* followed by optional u2 padding */
    /* followed by try_item[triesSize] */
    /* followed by uleb128 handlersSize */
    /* followed by catch_handler_item[handlersSize] */
};
Here the insns array holds the Dalvik bytecode. Once we locate the DexCode item of the class method we care about, we can modify its insns array to achieve our goal.
2. ODEX file format
When the APK is installed or first started, dexopt processes its dex and produces an optimized odex file. The classes.dex is extracted from the APK, processed by dexopt, and saved as /data/dalvik-cache/data@app@<package-name>-1.apk@classes.dex.
The Odex file structure is as follows:
As the structure shows, the dex file is embedded as part of the optimized odex, so we only need to find the dex portion inside the odex.
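As an added example (not code from the original article or from Dalvik itself), the following C program shows the two pieces of sections 1 and 2 working together: it builds a constructed, header-only odex in memory, locates the embedded dex either through the odex header's dexOffset or by scanning for the dex magic, and then validates the dex header (magic, header size, endian tag, bounds and the adler32 checksum) before any of its offsets are trusted. The struct layouts follow dex-format.html and libdex's DexFile.h; the buffer contents and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* dex header, 0x70 bytes, as laid out in dex-format.html / libdex DexFile.h. */
typedef struct {
    uint8_t  magic[8];       /* "dex\n035\0" */
    uint32_t checksum;       /* adler32 over everything after this field */
    uint8_t  signature[20];  /* SHA-1 over everything after this field (not checked here) */
    uint32_t fileSize, headerSize, endianTag, linkSize, linkOff, mapOff;
    uint32_t stringIdsSize, stringIdsOff, typeIdsSize, typeIdsOff;
    uint32_t protoIdsSize, protoIdsOff, fieldIdsSize, fieldIdsOff;
    uint32_t methodIdsSize, methodIdsOff, classDefsSize, classDefsOff;
    uint32_t dataSize, dataOff;
} DexHeader;

/* odex header that dexopt prepends, 0x28 bytes; dexOffset points at the embedded dex. */
typedef struct {
    uint8_t  magic[8];       /* "dey\n036\0" */
    uint32_t dexOffset, dexLength, depsOffset, depsLength;
    uint32_t optOffset, optLength, flags, checksum;
} DexOptHeader;

static const char DEX_MAGIC[8] = "dex\n035";   /* 7 chars, padded with NUL */
static const char DEY_MAGIC[8] = "dey\n036";

static uint32_t adler32_buf(const uint8_t *p, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + p[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}

/* Locate the dex header inside an odex mapping: trust the odex header's dexOffset
 * if it points at a dex magic, otherwise scan on 4-byte boundaries. -1 = not found. */
long find_dex_start(const uint8_t *buf, size_t len) {
    if (len >= sizeof(DexOptHeader) && memcmp(buf, DEY_MAGIC, 8) == 0) {
        DexOptHeader oh;
        memcpy(&oh, buf, sizeof oh);
        if ((size_t)oh.dexOffset + sizeof(DexHeader) <= len &&
            memcmp(buf + oh.dexOffset, DEX_MAGIC, 8) == 0)
            return (long)oh.dexOffset;
    }
    for (size_t off = 0; off + sizeof(DexHeader) <= len; off += 4)
        if (memcmp(buf + off, DEX_MAGIC, 8) == 0) return (long)off;
    return -1;
}

/* Sanity-check a dex header before trusting any of its offsets: magic, header size,
 * endian tag, in-bounds sizes and the adler32 checksum. 0 = ok, negative = which check failed. */
int check_dex_header(const uint8_t *dex, size_t avail, DexHeader *out) {
    DexHeader h;
    if (avail < sizeof h) return -1;
    memcpy(&h, dex, sizeof h);
    if (memcmp(h.magic, DEX_MAGIC, 8) != 0) return -2;
    if (h.headerSize != sizeof h || h.endianTag != 0x12345678u) return -3;
    if (h.fileSize < sizeof h || h.fileSize > avail) return -4;
    if (h.dataOff > h.fileSize || h.dataSize > h.fileSize - h.dataOff) return -5;
    if (adler32_buf(dex + 12, h.fileSize - 12) != h.checksum) return -6;  /* skips magic + checksum */
    if (out) *out = h;
    return 0;
}

/* Constructed sample (not from any real app): an odex header followed by a header-only
 * dex with a valid checksum. Returns the number of bytes written, 0 if cap is too small. */
size_t build_sample_odex(uint8_t *buf, size_t cap) {
    size_t total = sizeof(DexOptHeader) + sizeof(DexHeader);
    DexOptHeader oh; DexHeader h;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memset(&oh, 0, sizeof oh); memset(&h, 0, sizeof h);
    memcpy(oh.magic, DEY_MAGIC, 8);
    oh.dexOffset = sizeof oh; oh.dexLength = sizeof h;
    memcpy(h.magic, DEX_MAGIC, 8);
    h.fileSize = h.headerSize = sizeof h;
    h.endianTag = 0x12345678u;
    h.dataOff = sizeof h;                   /* empty data section */
    memcpy(buf + oh.dexOffset, &h, sizeof h);
    h.checksum = adler32_buf(buf + oh.dexOffset + 12, h.fileSize - 12);
    memcpy(buf + oh.dexOffset, &h, sizeof h);
    memcpy(buf, &oh, sizeof oh);
    return total;
}

/* Walk the sample the way steps (2) and (3) of the article do: find the dex, validate
 * its header, then confirm that a tampered byte is caught. 0 = all good. */
int demo_dex_check(void) {
    uint8_t buf[256];
    DexHeader h;
    size_t n = build_sample_odex(buf, sizeof buf);
    long start = find_dex_start(buf, n);
    if (n != 0x98 || start != 0x28) return 1;
    if (check_dex_header(buf + start, n - start, &h) != 0) return 2;
    if (h.fileSize != 0x70 || h.dataOff != 0x70) return 3;
    buf[start + 12] ^= 0x01;                /* flip a signature byte: checksum must now fail */
    if (check_dex_header(buf + start, n - start, NULL) != -6) return 4;
    return 0;
}

int main(void) {
    printf("demo_dex_check: %d\n", demo_dex_check());
    return 0;
}
```

The checksum covers everything after the first 12 bytes, so any patch applied to the dex on disk invalidates it; the SHA-1 signature field is left unchecked here because the point is the header walk, not hashing. On a real odex the scan fallback matters because the dexopt header is the first thing an unpacking tool strips.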
3. Implementation of the method
To modify bytecode we first need to locate the code we want to change, which means parsing the dex file. The Dalvik source provides a concrete implementation of dex parsing in dexdump (DexDump.cpp), and we can find the classes and methods we need by following it. The specific steps are as follows:
(1) Locate the odex file generated for our APK and get the address and size of its mapping in the process's memory. The code is as follows:
void *base = NULL;
int module_size = 0;
char filename[512];

// simple test code here!
for (int i = 0; i < 2; i++) {
    sprintf(filename, "/data/dalvik-cache/data@app@%s-%d.apk@classes.dex", "com.android.dex", i + 1);
    base = get_module_base(-1, filename);    // get the odex file's mapping address in memory
    if (base != NULL) {
        break;
    }
}
module_size = get_module_size(-1, filename); // get the odex file's mapped size
(2) Find the offset of the dex file inside the odex so that the dex can be parsed. The code is as follows:
// search for the dex header inside the odex mapping
void *dexbase = SearchDexStart(base);
if (checkDexMagic(dexbase) == false) {
    ALOGE("error! invalid DEX format at: %p", dexbase);
    return;
}
(3) After finding the dex offset we can parse the dex file, find the class whose method we want to replace, find the method in that class, and return the DexCode struct that corresponds to it. The function is implemented as follows:
static const DexCode *dexFindClassMethod(DexFile *dexFile, const char *clazz, const char *method)
{
    DexClassData *classData = dexFindClassData(dexFile, clazz);
    if (classData == NULL)
        return NULL;

    const DexCode *code = dexFindMethodInsns(dexFile, classData, method);
    if (code != NULL) {
        dumpDexCode(code);
    }
    return code;
}
(4) Having found the DexCode, we can replace the instructions. The implementation is as follows:
const DexCode *code  = dexFindClassMethod(&gDexFile, "Lcom/android/dex/MyClass;", "setFlagHidden");
const DexCode *code2 = dexFindClassMethod(&gDexFile, "Lcom/android/dex/MyClass;", "setFlag");

// REMAP!!!!
if (mprotect(base, module_size, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
    DexCode *pcode = (DexCode *)code2;
    // modify!
    pcode->registersSize = code->registersSize;
    for (u4 k = 0; k < code->insnsSize; k++) {
        pcode->insns[k] = code->insns[k];
    }
    mprotect(base, module_size, PROT_READ | PROT_EXEC);
}
Note: because the Dalvik instructions are modified at run time and the odex mapping in the process is read-only, mprotect must be called to make the region writable before the instructions are modified, and it is called again afterwards to make the region read-only once more.
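The in-place copy of steps (3) and (4), as an added example that is not the article's own code: a page of anonymous memory stands in for the odex mapping, three constructed code_item structures stand in for the methods found by the dex walk, and the page is made read-only before patching, as the real mapping is. The patch routine adds the two checks the article's loop leaves out: the destination item must have room for the source's instructions (otherwise the copy overruns into the next item), and both methods must use the same number of argument registers. PROT_READ is used for the restored protection instead of PROT_READ|PROT_EXEC only so the sample runs where executable anonymous memory is refused; the function names, the page layout and the two-instruction method bodies are constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef uint16_t u2;
typedef uint32_t u4;

/* code_item as libdex declares it; insns[] continues past the end of the struct. */
typedef struct {
    u2 registersSize, insSize, outsSize, triesSize;
    u4 debugInfoOff;
    u4 insnsSize;            /* length of insns[] in u2 units */
    u2 insns[1];
} DexCode;

/* Copy src's instructions over dst in place, as step (4) does, with the checks the
 * article's loop omits. The mapping [base, base+len) is writable only for the duration
 * of the copy and is then restored to prot_after.
 * Returns 0 on success, -1 no room, -2 different ins count, -3 source has try blocks,
 * -4 mprotect failed. */
int patch_method_insns(void *base, size_t len, DexCode *dst, const DexCode *src, int prot_after) {
    if (dst->insnsSize < src->insnsSize) return -1;      /* would overrun into the next item */
    if (dst->insSize != src->insSize) return -2;         /* argument registers would not line up */
    if (src->triesSize != 0) return -3;                  /* try/catch tables are not copied */
    if (mprotect(base, len, PROT_READ | PROT_WRITE) != 0) return -4;
    dst->registersSize = src->registersSize;             /* new code may need more registers */
    dst->outsSize = src->outsSize;                       /* and more outgoing-argument space */
    for (u4 k = 0; k < src->insnsSize; k++) dst->insns[k] = src->insns[k];
    for (u4 k = src->insnsSize; k < dst->insnsSize; k++) dst->insns[k] = 0x0000; /* nop fill */
    if (mprotect(base, len, prot_after) != 0) return -4;
    return 0;
}

/* Write a constructed code_item at 'at' (4-byte aligned) and return it. */
static DexCode *place_code_item(uint8_t *at, u2 regs, u2 ins, u2 outs, const u2 *insns, u4 n) {
    DexCode *c = (DexCode *)at;
    c->registersSize = regs; c->insSize = ins; c->outsSize = outs; c->triesSize = 0;
    c->debugInfoOff = 0; c->insnsSize = n;
    memcpy(c->insns, insns, n * sizeof(u2));
    return c;
}

/* Stand-in for the article's flow: one anonymous page holds three constructed code items
 * and is made read-only like the odex mapping. Returns 0 if the patch behaves as expected,
 * otherwise the number of the step that went wrong. */
int demo_patch(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 10;
    static const u2 hidden[] = {0x1210, 0x000f};   /* const/4 v0,#1 ; return v0 */
    static const u2 stub[]   = {0x1200, 0x000f};   /* const/4 v0,#0 ; return v0 */
    static const u2 tiny[]   = {0x000e};           /* return-void: too small to hold 'hidden' */
    DexCode *src   = place_code_item(page,      2, 1, 0, hidden, 2);  /* the real implementation */
    DexCode *dst   = place_code_item(page + 32, 2, 1, 0, stub, 2);    /* the visible stub */
    DexCode *small = place_code_item(page + 64, 1, 1, 0, tiny, 1);
    int rc = 0;
    if (mprotect(page, len, PROT_READ) != 0) rc = 11;
    else if (patch_method_insns(page, len, small, src, PROT_READ) != -1) rc = 1;  /* refused: no room */
    else if (patch_method_insns(page, len, dst, src, PROT_READ) != 0) rc = 2;
    else if (dst->insns[0] != 0x1210 || dst->insns[1] != 0x000f) rc = 3;       /* stub now returns 1 */
    else if (dst->registersSize != 2 || src->insns[0] != 0x1210) rc = 4;        /* source untouched */
    munmap(page, len);
    return rc;
}

int main(void) {
    printf("demo_patch: %d\n", demo_patch());
    return 0;
}
```

The size check is the one that matters most in practice: code_item structures are packed back to back in the data section, so copying a longer body over a shorter one silently corrupts whatever follows, and the fault surfaces later in an unrelated method.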
From the above I believe we now have some understanding of how the bytecode-modifying technique works. In the next article we will explain yet another technique for protecting an Android APK against decompilation; I look forward to everyone's support. If you have questions about this technique, want the project source code for what this article describes, want to be the first to get notified of blog updates, or want more technical information, you are welcome to follow my public account: Programmer Interaction Alliance (coder_online). Scan the QR code below or search for coder_online to follow, and we can chat online.