Android Dex shell technology (1), Android dex

Source: Internet
Author: User

Recently I have been studying shelling (packing) techniques on the Android platform. I used to think that only native-layer code could be shelled, but after reading material online I found that the Java layer can be shelled as well. Although it differs in some respects from a traditional shell, the end result is the same: the code resists static analysis.

Currently, most APK protection schemes on the market obfuscate the Java-layer code, move the key logic and data into the native layer, and then shell the resulting .so file with a traditional packer. The weakness of this approach is that the security of the Java-layer code rests entirely on obfuscation. In practice, once you are familiar with smali syntax, obfuscation is far less effective than it looks; for an experienced C/C++ reverse engineer, reading smali is much easier than picking through a pile of assembly.

How traditional PE files are shelled

Shelling of PE files is documented in great detail elsewhere, so only the general principle is given here. The source PE file is encrypted or compressed and embedded in a shell program. When the shell program runs, it decrypts and loads the source PE file in memory and then jumps to the source file's original entry point (OEP). Static analysis of the shelled program reveals only the shell and the encrypted source PE. To recover the source PE (unshelling), an analyst has to run the shell so that it decrypts the source, locate the OEP, dump the decrypted image from memory, rebuild the import table and write out the unshelled PE file. Software protection engineers add anti-debugging and convoluted control flow to the shell to make it harder for crackers to find the OEP.

It follows that a traditional "shell" has the following features:

1. The source program is compressed or encrypted and embedded in the shell program;

2. The shell program runs before the source program and decrypts it;

3. The decrypted data exists only in memory;

4. The source program runs normally once it has been loaded.

The most important point is the third. Be clear about one thing: given enough time, every shell is eventually cracked. The value of a shell lies in raising the cost of cracking. To make that cost as high as possible, the contest with the attacker must be focused on the difficulty of analysing the shell's decryption logic; if the attacker can skip analysing the shell and obtain the decrypted source program directly, the shell is worthless. If the decrypted data is written to the file system, the attacker simply picks the source program up from there. Why single this point out? Because a traditionally shelled source program can be jumped to at its OEP straight after decryption in memory, whereas Android has to load executable files through the class loader DexClassLoader, whose constructor is:

public DexClassLoader(String dexPath, String optimizedDirectory, String libraryPath, ClassLoader parent)

The first parameter, dexPath, is a path: DexClassLoader can only load executable files that are stored in the file system. That is the problem. We have just established that the decrypted source program must not be placed on the file system, yet to load an Android executable (dex) with DexClassLoader it must first be written there. This is the central difficulty in shelling Dex files.

To get around this I came up with two methods. The first is to shorten the time the source program is exposed on the file system: as soon as DexClassLoader has loaded it, delete it from disk, so that an attacker must resort to dynamic debugging and intercept the source program before it is deleted. This is not truly safe; what we need is a method that leaves no trace on the file system at all. Look at DexClassLoader again: although it only accepts a path, its loading process must include a step that opens the file as an input stream and reads it into memory. In other words, DexClassLoader ultimately loads the source program from memory. I looked into this further on the Internet. This article covers how to implement the first method.

Embed the source APK into the shell Dex

We know that an APK is the Android installation package, essentially a zip file, which can only be run after installation. The classes.dex inside the APK is the real executable file. Why embed the APK rather than classes.dex? Because classes.dex contains no resource files; if only classes.dex were loaded, the program would have no resources at run time.

For the details of embedding the APK, see this blog: http://blog.csdn.net/androidsecurity/article/details/8678399. The recommended approach is to encrypt the APK, append it to the end of the shell's classes.dex, append the length of the APK, and finally patch the dex file header of classes.dex. This part is straightforward and the blogger provides source code, so I will not repeat it here.
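As an added example (not the post's or the CSDN blogger's code), the build-time step in Java: append the encrypted APK and a 4-byte length to the shell's classes.dex, then patch the header fields the longer file has invalidated. The XOR cipher is a stand-in for whatever real cipher is used, the little-endian trailing length is this example's own convention, and the inputs are constructed stubs; the header offsets (Adler-32 checksum at 8, SHA-1 signature at 12, file_size at 32) are those of the dex format.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.zip.Adler32;

/** Build-time half: append encrypted APK + u32 length to the shell classes.dex and repair its header. */
public class DexPacker {
    // dex header: magic[8] | checksum u32 @8 (Adler-32 over [12,end)) |
    // signature[20] @12 (SHA-1 over [32,end)) | file_size u32 @32; all little-endian
    static final int OFF_CHECKSUM = 8, OFF_SIGNATURE = 12, OFF_FILE_SIZE = 32, HEADER_SIZE = 0x70;
    static byte[] xor(byte[] d, byte[] k) {  // stand-in cipher; a real build would use e.g. AES
        byte[] o = new byte[d.length];
        for (int i = 0; i < d.length; i++) o[i] = (byte) (d[i] ^ k[i % k.length]);
        return o;
    }
    static byte[] sha1(byte[] p) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(Arrays.copyOfRange(p, OFF_FILE_SIZE, p.length));
    }
    static int adler(byte[] p) {
        Adler32 a = new Adler32();
        a.update(p, OFF_SIGNATURE, p.length - OFF_SIGNATURE);
        return (int) a.getValue();
    }
    static byte[] pack(byte[] shellDex, byte[] apk, byte[] key) throws Exception {
        byte[] enc = xor(apk, key);
        ByteBuffer out = ByteBuffer.allocate(shellDex.length + enc.length + 4).order(ByteOrder.LITTLE_ENDIAN);
        out.put(shellDex).put(enc).putInt(enc.length);        // layout: [dex][payload][u32 len]
        byte[] p = out.array();
        ByteBuffer hdr = ByteBuffer.wrap(p).order(ByteOrder.LITTLE_ENDIAN);
        hdr.putInt(OFF_FILE_SIZE, p.length);                  // 1. file_size now covers the payload
        System.arraycopy(sha1(p), 0, p, OFF_SIGNATURE, 20);   // 2. signature over [32,end)
        hdr.putInt(OFF_CHECKSUM, adler(p));                   // 3. checksum last, it covers the signature
        return p;
    }

    /** Self-check: recompute the three fields from the output and compare. */
    static boolean headerConsistent(byte[] p) throws Exception {
        ByteBuffer hdr = ByteBuffer.wrap(p).order(ByteOrder.LITTLE_ENDIAN);
        return hdr.getInt(OFF_FILE_SIZE) == p.length && hdr.getInt(OFF_CHECKSUM) == adler(p)
                && Arrays.equals(sha1(p), Arrays.copyOfRange(p, OFF_SIGNATURE, OFF_FILE_SIZE));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a zero-filled 0x70-byte header carrying the dex magic stands in for
        // the shell classes.dex and a short byte string for the source APK; neither is loadable.
        byte[] shell = new byte[HEADER_SIZE];
        System.arraycopy("dex\n035\0".getBytes(), 0, shell, 0, 8);
        byte[] packed = pack(shell, "fake source apk".getBytes(), "example-key".getBytes());
        System.out.println("packed " + packed.length + " bytes, header consistent: " + headerConsistent(packed));
    }
}
```

With a real shell classes.dex and an encrypted APK in place of the stubs, the output file is what goes into the shell APK before re-signing.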

Note that if you put the classes.dex with the embedded source APK straight into the shell APK, installing it on the phone fails because of the APK signature. You need to delete the META-INF folder from the shell APK and re-sign it with signapk.jar; the signapk.jar I use is here: http://www.uzzf.com/soft/60860.html

Strip the source APK from the shell

Once the shell program is running, getApplicationInfo().sourceDir gives the path of the shell APK itself. Open it as a file, wrap it in a ZipInputStream, and walk the zip entries until you reach classes.dex. Read that entry into a byte array; the last 4 bytes of the array (starting at index length-4) hold the length of the embedded source APK. Finally, use System.arraycopy to copy the source APK out of the array, decrypt it and write it to the file system. The code for reading the shell APK begins as follows:

// Buffer that will receive the bytes of the classes.dex entry
ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream();
// Open the shell APK (this app's own package file) as a zip stream
ZipInputStream localZipInputStream = new ZipInputStream(
        new BufferedInputStream(new FileInputStream(
                this.getApplicationInfo().sourceDir)));
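An added example (not from the post) that carries the runtime side described above through to the end on a plain JVM: walk the shell APK with ZipInputStream, read classes.dex, take the length from its last 4 bytes, System.arraycopy the payload out and decrypt it. It assumes the layout [dex][encrypted APK][little-endian u32 length] and an XOR stand-in cipher, builds its sample shell APK in memory, and only sketches the Android-only DexClassLoader step in a comment.

```java
import java.io.*;
import java.util.Arrays;
import java.util.zip.*;

/** Runtime half: open the shell APK as a zip, take classes.dex, read the u32 length in its last 4 bytes, copy the source APK out. */
public class PayloadExtractor {
    static byte[] xor(byte[] d, byte[] k) {  // same stand-in cipher as the packing side
        byte[] o = new byte[d.length];
        for (int i = 0; i < d.length; i++) o[i] = (byte) (d[i] ^ k[i % k.length]);
        return o;
    }
    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] tmp = new byte[8192];
        for (int r; (r = in.read(tmp)) != -1; ) buf.write(tmp, 0, r);
        return buf.toByteArray();
    }
    static byte[] extract(InputStream shellApk, byte[] key) throws IOException {
        byte[] dex = null;
        try (ZipInputStream zip = new ZipInputStream(new BufferedInputStream(shellApk))) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; zip.closeEntry())
                if (e.getName().equals("classes.dex")) { dex = readAll(zip); break; }
        }
        if (dex == null || dex.length < 4) throw new IOException("shell apk has no classes.dex");
        int n = dex.length;  // the packer wrote the payload length little-endian at dex[n-4..n)
        int len = (dex[n - 4] & 0xff) | (dex[n - 3] & 0xff) << 8 | (dex[n - 2] & 0xff) << 16 | (dex[n - 1] & 0xff) << 24;
        if (len < 0 || len > n - 4) throw new IOException("corrupt payload length: " + len);
        byte[] enc = new byte[len];
        System.arraycopy(dex, n - 4 - len, enc, 0, len);
        // On Android the result goes to a file under getDir(..., MODE_PRIVATE), is handed to DexClassLoader
        // and deleted at once (the post's first method); that window on disk is the scheme's weak point.
        return xor(enc, key);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: an in-memory zip stands in for the shell APK; its classes.dex is a
        // 0x70-byte stub header followed by the "encrypted" payload and its little-endian length.
        byte[] key = "example-key".getBytes(), apk = "fake source apk".getBytes(), enc = xor(apk, key);
        byte[] dex = new byte[0x70 + enc.length + 4];
        System.arraycopy("dex\n035\0".getBytes(), 0, dex, 0, 8);
        System.arraycopy(enc, 0, dex, 0x70, enc.length);
        for (int i = 0; i < 4; i++) dex[dex.length - 4 + i] = (byte) (enc.length >>> (8 * i));
        ByteArrayOutputStream zipBytes = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(zipBytes)) {
            z.putNextEntry(new ZipEntry("AndroidManifest.xml")); z.write(new byte[]{0}); z.closeEntry();
            z.putNextEntry(new ZipEntry("classes.dex")); z.write(dex); z.closeEntry();
        }
        byte[] recovered = extract(new ByteArrayInputStream(zipBytes.toByteArray()), key);
        System.out.println("source apk recovered intact: " + Arrays.equals(recovered, apk));
    }
}
```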

 

 

Use DexClassLoader to dynamically load the source APK

Android allows code from an APK to be executed without installing that APK, by means of DexClassLoader, a class loader specific to Android. It takes the APK path as a parameter, locates the classes.dex inside the APK and loads the classes it contains, so we can call the code in the source APK. Note, however, that an Android component class loaded directly through DexClassLoader is inert: it has no lifecycle and is no different from an ordinary class, so we cannot invoke components loaded this way as we would normal Android components. After some searching online, I found that using the Proxy/Delegate pattern to shell the Dex file amounts to replacing the application's running environment, so that the running shell is swapped wholesale for the source program. At that point you only need to call the source program's Application.onCreate() and it starts up. In addition, the source program's Application.onCreate() must contain code that starts MainActivity; otherwise MainActivity will not launch automatically.

To be continued ......


How does Android dex file protection work? How can I hide a dex shell? How is it implemented?

The source-code hiding and encryption technology proposed by love encryption hides the dex and then generates a shell file, similar to a virtual image. If a hacker wants to steal the source code, there is no substantive source code to find. This protection is very effective.

How does Android anti-cracking work? Is it about hardening the Android app so that no one else can see my dex file?

Code obfuscation and protection against secondary packaging cannot achieve this ~~~
However, you can try the APK security protection from love encryption, which protects key files such as DEX, RES and SO !!!
