Evolution of APK reinforcement technology, APK reinforcement technology and shortcomings
2022-07-05 22:29:00 【Poor Stephen】
Mainstream reinforcement vendors
- Tencent Legu
- 360 reinforcement
- Ali gather security
- Baidu reinforcement
- Reinforcement of top image
- NetEase Cloud reinforcement
- Bang Bang reinforcement
- Love encryption
- Naga
- Tongfu shield reinforcement
- ...
First-generation shell: dynamic loading
Development process
The program is split into two parts, a loader and the key logic (payload), which are packaged separately.
Core logic
At startup the loader runs first, releases the key-logic payload, loads it with Java dynamic loading, and then transfers control to it.
Deficiencies
1. The payload has to be decompressed and released into the file system, where it can be obtained directly.
2. By hooking key virtual machine functions, the dex can be dumped from memory while the payload is being loaded.
Second-generation shell: in-memory loading (nothing written to disk)
Development process
Load the loader, initialize StubApplication, decrypt and load the payload, transfer control to the original Application's onCreate method, and then load the other components normally.
Core logic
1. Intercept system I/O functions such as read/write and provide transparent encryption inside them.
2. Directly call the functions provided by the virtual machine to load the payload without writing it to disk, i.e. in-memory loading.
Deficiencies
1. A large number of decryption operations run at startup, so the app can easily stall or appear to hang.
2. Once loaded, the payload is contiguous in memory, so it can still be obtained directly by intercepting key functions and dumping memory.
Third-generation shell: instruction extraction
Development process
The protection granularity is first reduced to the function level. The function contents (Code Item) in the original dex are then cleared and moved into a separate encrypted file, and at runtime the contents are restored into the corresponding function bodies.
Core logic
1. After loading, restore the function contents into the dex memory region.
2. After the virtual machine reads the dex file, it keeps a structure in memory for each function. One pointer in that structure points to the function's contents (the CodeItem), so the function's contents can be changed by modifying this pointer.
3. Intercept the virtual machine functions that look up and execute code, and return the function contents from them.
Deficiencies
1. The instruction extraction scheme conflicts with the virtual machine's JIT optimization, so performance is not optimal.
2. Function contents are still executed by the Java virtual machine, so the scheme cannot resist custom virtual machines such as DexHunter.
3. It relies on many internal virtual machine structures, which causes compatibility issues.
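A static triage check for the instruction-extraction pattern described above, added here as an illustration and not taken from the original post. It walks every class_data_item in a dex and reports non-native, non-abstract methods that have no code_item or whose instructions are all zero (nop); those two markers, the function names and the sample dex are assumptions constructed for the example.

```python
import struct

def ulebs(buf, pos, count):
    """Decode `count` unsigned LEB128 values; return (values, next_pos)."""
    out = []
    for _ in range(count):
        value = shift = 0
        while True:
            byte, pos = buf[pos], pos + 1
            value |= (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                break
        out.append(value)
    return out, pos

def hollowed_methods(dex):
    """Yield (method_idx, reason) for methods whose bytecode looks extracted."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    n_classes, defs_off = struct.unpack_from("<II", dex, 0x60)
    for i in range(n_classes):
        (pos,) = struct.unpack_from("<I", dex, defs_off + 32 * i + 24)  # class_data_off
        if pos == 0:
            continue                          # class has no class_data_item
        (n_static, n_inst, n_direct, n_virtual), pos = ulebs(dex, pos, 4)
        _, pos = ulebs(dex, pos, 2 * (n_static + n_inst))   # skip encoded_field pairs
        for count in (n_direct, n_virtual):
            idx = 0                           # method_idx is delta-encoded per list
            for _ in range(count):
                (diff, flags, code_off), pos = ulebs(dex, pos, 3)
                idx += diff
                if flags & 0x500:             # ACC_NATIVE | ACC_ABSTRACT: no code expected
                    continue
                if code_off == 0:
                    yield idx, "no code_item"
                    continue
                (n_units,) = struct.unpack_from("<I", dex, code_off + 12)  # insns_size
                if n_units and not any(dex[code_off + 16:code_off + 16 + 2 * n_units]):
                    yield idx, "nop-filled"

def sample_dex():  # constructed one-class dex with three direct methods, not a real app
    dex = b"dex\n035\0".ljust(0x60, b"\0") + struct.pack("<4I", 1, 0x70, 0, 0)
    dex += struct.pack("<8I", 0, 1, 0, 0, 0, 0, 0x90, 0)    # class_def, class_data at 0x90
    dex += bytes([0, 0, 3, 0, 0, 1, 0xA0, 1, 1, 1, 0xC0, 1, 1, 1, 0])  # class_data_item
    dex = dex.ljust(0xA0, b"\0") + struct.pack("<4HII", 1, 0, 0, 0, 0, 1) + b"\x0e\x00"  # return-void
    return dex.ljust(0xC0, b"\0") + struct.pack("<4HII", 1, 0, 0, 0, 0, 4) + bytes(8)    # zeroed body

print(list(hollowed_methods(sample_dex())))
```

A body made only of nops has no return instruction and could not pass bytecode verification, so a hit is a strong hint that the real instructions are restored at runtime; a shell that leaves other placeholder bytes will not be flagged.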
Fourth-generation shell: instruction conversion
Core logic
1. Functions in the dex file are marked native. Their contents are extracted and converted into a standard JNI dynamic library (.so file), which interacts with the Android system through JNI.
2. The function body is extracted and converted into a custom instruction format. This format is executed by a custom interpreter, which then interacts with the system through JNI.
Deficiencies
1. An attacker can treat the instruction-conversion/VMP reinforcement scheme as a black box, probe the inside of the black box through a custom JNI interface object, and record and analyze it.
2. Fourth-generation VMP is generally used together with third-generation reinforcement, so the third generation's problems still exist in the scheme.
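A small model of the instruction-conversion idea described above, added here as an illustration and not taken from the original post or from any vendor's product. A function body is re-encoded with a per-build opcode numbering and operand mask, then executed by a matching interpreter; the five-operation instruction set, the names `convert` and `interpret`, and the sample body are all assumptions made for the example.

```python
import random

OPS = ("PUSH", "ADD", "MUL", "LOAD_ARG", "RET")    # hypothetical source instruction set

def convert(body, seed):
    """Hardening-time step: re-encode `body` with a per-build opcode numbering."""
    rng = random.Random(seed)
    codes = rng.sample(range(256), len(OPS))        # one secret opcode byte per operation
    key = rng.randrange(1, 256)                     # mask applied to one-byte operands
    table = dict(zip(OPS, codes))
    blob = bytearray()
    for op, *arg in body:
        blob.append(table[op])
        if arg:
            blob.append((arg[0] ^ key) & 0xFF)
    vm = {"decode": {code: op for op, code in table.items()}, "key": key}
    return bytes(blob), vm

def interpret(blob, vm, args):
    """Run-time step: the custom interpreter that ships with the converted code."""
    stack, pc = [], 0
    while pc < len(blob):
        op = vm["decode"].get(blob[pc])
        pc += 1
        if op is None:
            raise ValueError(f"unknown opcode at offset {pc - 1}")
        if op in ("PUSH", "LOAD_ARG"):
            operand = blob[pc] ^ vm["key"]
            pc += 1
            stack.append(operand if op == "PUSH" else args[operand])
        elif op == "ADD":
            stack.append(stack.pop() + stack.pop())
        elif op == "MUL":
            stack.append(stack.pop() * stack.pop())
        else:                                       # RET
            return stack.pop()
    raise ValueError("fell off the end without RET")

# Constructed function body: f(x, y) = x * y + 3
BODY = [("LOAD_ARG", 0), ("LOAD_ARG", 1), ("MUL",), ("PUSH", 3), ("ADD",), ("RET",)]

for build_seed in (1, 2):                           # two builds of the same function
    blob, vm = convert(BODY, build_seed)
    print(build_seed, blob.hex(), interpret(blob, vm, (6, 7)))
```

The two builds give different byte strings for the same function, so the dex no longer holds bytecode a standard disassembler understands, while the values crossing the call boundary stay identical; that unchanged boundary is what the black-box deficiency above refers to.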
Fifth-generation shell: VMP virtual machine source code protection
Core logic
1. Builds on the fourth-generation solution: Java or Kotlin => C++, i.e. a java2cpp scheme.
2. VMP for .so files implemented on the LLVM toolchain.
3. Instruction conversion is performed on the IR to generate a custom instruction set (IR => VM). An independent execution environment is isolated inside the app, and the core code runs in that environment.
Deficiencies
1. It cannot get rid of the JNI dependency.
2. java2cpp leads to a linear increase in size and reduced performance.