How the Android program prevents anti-compilation

1. Packers

APK Shell: Outside the program to wrap a layer of code, to protect the inside of the code is not illegally modified or decompile.

The protected program is encrypted with an encryption algorithm, and the decryption logic is written in the Shell's apk, which is actually a protected program.

Mostly through Dexclassloader or hidden functions opendexfile the source Dex (that is, the protected app) is loaded, and then dynamically replaces the application to start the source program. There are some differences between shell and traditional PE file on Windows.

To crack the traditional shell, need to track control flow to find Oep, and then the source program from memory dump down, rebuild the input table, the most difficult is to follow the shell control flow away, security engineers in order to increase the difficulty of cracking, using a lot of technology to let the cracker go more difficult. The key to the confrontation between the security engineer and the cracker is the difficulty of finding Oep.
On the Android platform, because of the new Dex shell technology is immature, resulting in some alternative shelling method can bypass the analysis algorithm, directly dump the source program. To give an example, After the 4.0 version of Android to provide opendexfile this function to load Dex from memory, the required parameter is the source Dex in memory address, so as long as the function down, and then find the memory address from the register, can be decrypted source dex from memory dump down, directly to its anti-compilation can get the source code The Further, about the Opendexfile function, In fact, it has a close relationship with the Libdvm.so library, which provides a large number of functions to manipulate the Dex file, if the relevant function in the library is broken down, and then from the memory of the violent dump of a large chunk of memory area, often directly to the memory of the source of Dex to grasp.

http://taoyuanxiaoqi.com/2015/01/12/apkshell1/

2. Encrypt apk

The apk is actually a zip-format compressed package that will be encrypted when compressed at a location of 1. and the Android Package installation Service (Packagemanagerservice) does not care about this encryption bit (which we call it for the time being) during APK installation, and does not affect the operation of the APK. But Android 4.2.x version and later system will reject the installation of this encryption apk.

3. Modify bytecode at runtime

http://my.oschina.net/u/2323218/blog/396203

Dalvik virtual machine Run Dex File execution bytecode exists in the Method_ids area, need to find in the optimized Odex file, Dex offset, as well as the interesting bytecode, to replace.

Because the Dalvik instruction is modified at run time, this is the memory map of the process is read-only, so calls to the Mprotect function will be called to read-only for the instruction to be changed.

Question: Can you succeed if you adopt a protection against the Write command area (measures to prevent ROP or stack overflow attacks)?

How the Android program prevents anti-compilation