Mainstream reinforcement manufacturers

1. Tencent legu
2. 360 strengthening
3. Ali gather security
4. Baidu reinforcement
5. Reinforcement of top image
6. Netease cloud reinforcement
7. Bang Bang reinforcement
8. Love encryption
9. Naga
10. Tongfu shield reinforcement
11. ...

The first generation of shells ： Dynamic loading

The development process

The program is divided into loading （loader） And key logic （payload） Two parts , And packed separately

Core logic

Startup time loader Will run first , Release key logic payload, And then use java Dynamic loading technology for loading , And transfer control

deficiencies

1、payload Some need to be decompressed and released in the file system , You can get it directly
2、 Can pass hook Virtual machine keyword function , In the load payload When the dex In memory dump come out

Second generation shells ： The memory is not loaded

The development process

load loader, initialization StubApplication, Load after decryption payload, Transfer control to the original appcation Of Oncreate Method , It is best to load other components normally

Core logic

1、 Interception system IO Correlation function , Such as read/write, Provide transparent encryption in these functions
2、 Directly call the functions provided by the virtual machine to load without landing , That is, memory loading .

deficiencies

1、 Perform a large number of decryption operations at startup , It's easy to get stuck or fake death
2、payload After being loaded , It's continuous in memory , Intercept key functions in memory dump It can still be obtained directly .

Third generation shells ： Generation instruction extraction

The development process

First, the protection level is reduced to the function level , And then the original dex Function content in Code Item Clean up 、 Move to encrypted file separately 、 At runtime, the function content will be restored to the corresponding function body

Core logic

1、 After loading, restore the function memory to dex In the memory area
2、 The virtual machine reads dex After the document , Memory has a structure for each function , One of them only points to the content of the function Codeitem, You can modify the corresponding function content by modifying this pointer
3、 Intercept functions related to finding and executing code in the virtual machine , Return function content

deficiencies

1、 Instruction extraction scheme and virtual machine jit Optimization conflict 、 Not the best performance
2、 Still used java Virtual machine performs function content execution , It cannot resist custom virtual machines such as dexhunter
3、 Use a lot of virtual machine internal structure 、 There are compatibility issues

The fourth generation of shells ： Conversion instructions

Core logic

1、dex The function of the file is marked native, The content is extracted and transformed into JNI Standard dynamic library so file 、so File by JNI and Android System interaction
2、 The content of the function body is extracted and converted into a custom instruction format 、 This format is executed using a custom receiver , Then use JNI Interact with the system

deficiencies

1、 An attacker can convert instructions /VMP The reinforcement scheme is regarded as a black box 、 Through custom JNI The interface object detects the inside of the black box 、 Record and analyze ;
2、 The four generation VMP Generally, it is used together with the third generation reinforcement technology 、 The problems of the three generations 、 The scheme still exists

The fifth generation shell ：VMP Virtual machine source code protection

Core logic

1、 Based on the fourth generation solution ：Java or kotlin => C++ That is to use java2cpp programme
2、 be based on LLVM Tool chain implementation so Of VMP;
3、 Through to IR Do instruction conversion , Generate custom instruction set IR => VM , app An independent execution environment is isolated internally , The core code runs under this environment ;

deficiencies

1、 Can't get rid of JNI Dependence
2、 because java2cpp It will lead to a linear increase in volume , Performance is down ;