background
Now the security compliance control of APP in the market is becoming more and more strict, which requires compliance testing and reinforcement before APP is put on the shelves. For APP, reinforcement can improve the security of APP, increase the threshold for APP to be cracked by reverse analysis, and improve the detection of security compliance through reinforcement protection. As the APP reinforcement technology is constantly breached, so the reinforcement technology is also in the process of rapid iteration. Now the reinforcement products on the market is still more, and each reinforcement technology products have their respective advantages and disadvantages, but the technology used by the reinforcement product to have a lot of common places. The following is a summary of the reinforcement and peeling countermeasures.
Strengthening preparation
APP reinforcement mainly protects DEX files, SO files and resource files in the APP. Therefore, the key file structure in the APP is briefly summarized here.
Structure of App file
Dex File structure
SO file structure
Simple APP reinforcement principle process
The hardened code is run first for initialization.
Hardened code begins to decrypt protected core code;
Hardened code begins to load decrypted core code;
Hardened code transfers control to core code.
First generation reinforced and shelled
The first generation of reinforcement technology is mainly to protect the DEX file of the APP and do some simple anti-debugging protection.
Dex protection:
Dex file encryption, string encryption, and custom DexClassLoader.
Dynamic protection:
Ptrace reverse debugging, TracePid value verification reverse debugging.
The first generation of reinforcement also appeared at the same time all kinds of reinforcement technology break. Thus, there are various methods of peeling against reinforcement.
The most prominent principle is to dump the complete structure of dex directly from memory:
In order to ensure the normal operation of the program during startup, the hardening shell will automatically decrypt the protected DEX file and complete loading. Based on the principle of sub-decryption, I can choose to dump it at the time when dex loading is complete. So as to realize the peeling of the first protective shell and encryption shell.
Here are a few peeling schemes
Cache peeling method:
In the first generation of some hardened products, the installation package is encrypted and compressed. After installation, the decrypted Odex file is generated in the data/ Dalvik-cache directory. At this time, only the Odex file needs to be obtained as a breakthrough point for analysis.
Memory dump stripping method
Using tools: IDA Pro + dumpDEX
/proc/%d/maps
2. Search for the keyword dex.035 or dex.036 in the memory
3. Manually dump the found data.
Dynamic debugging peeling method
1. Append the app through the android_server agent based on IDA.
2. Run the dvmDexFileOpenPartial breakpoint on IDA to confirm the start address and size of the dump.
3. Dump the original data with IDA script.
HOOK hulling method
Hook stripping method is generally based on frida and Xposed the two framework for Hook operation.
This hook unshell method: first, we need to analyze the app and find the function that can hook.
Then in the choice of handy, applicable frida or Xposed framework hook.
(Xposed is Java compiler for Java layer hook; Frida works with Java layer and Native layer hooks).
Unshell the key function dvmDexFileOpenPartial by hook.
Can also be implemented through the Xposed framework hook ClassLoader loadClass function decoupling.
Custom system peeling method
Mainly by modifying the system source code in the key function, and then modify the source code recompile and brush machine.
For example, modify the critical logic of the dvMdexFileOpenPartial function. Modify the function to write the function we want to implement.
Second generation reinforced and shelled
Because the first-generation hardening is integrated, you can obtain the entire dex content as long as the key points are dumped. Due to the shortcomings of the first generation shell, it is followed by the extraction technology of key classes in APP. Then the second generation of reinforcement mainly carries out the following function points.
DEX protection: DEX class extraction, DEX dynamic loading, SO dynamic loading
So protection: So encryption
Dynamic protection: reverse debugging, HOOK prevention
Resource file protection: local database and local file protection
Shell technical scheme
Peeling principle:
Call every method in the class actively, and realize the restoration of function instructions
There are two kinds of common implementation methods of instruction extraction of reinforcement manufacturers. One is to restore the instruction code at the original cheap location of DEX file, and the other is random allocation. By revising offset, the program can find the function instruction through the modified cheap in the execution process. Android program in the execution process, when using the class, need to load, and in the loading process, the function instruction will be restored or revised function instruction point to the position, we can take advantage of this opportunity to copy the code to the original code position, and then realize the class extraction shell shell.
Below are the peeling methods for the second generation reinforcement
Memory recombination peeling method
According to the format of dex file in memory, find the complete DEX file and combine them together.
Memory dump stripping method
Using tools: IDA Pro + dumpDEX
/proc/%d/maps
2. Search for the keyword dex.035 or dex.036 in the memory
3. Manually dump the found data.
You can also use the dump script in Frida directly to unshell memory dump.
Dynamic debugging peeling method
1. Append the app through the android_server agent based on IDA.
2. Run the dvmDexFileOpenPartial breakpoint on IDA to confirm the start address and size of the dump.
3. Dump the original data with IDA script.
HOOK hulling method
Hook stripping method is generally based on frida and Xposed the two framework for Hook operation.
This hook unshell method: first, we need to analyze the app and find the function that can hook.
Then in the choice of handy, applicable Frida or Xposed framework for the key function hook.
(Xposed is Java compiler for Java layer hook; Frida works with Java layer and Native layer hooks).
The key functions memcMP and dexFileParse are hook to realize unshell.
Decoupling can also be implemented through the loadClass function of the Hook ClassLoader.
Custom system peeling method
Mainly by modifying the system source code in the key function, and then modify the source code recompile and brush machine.
For example, modify the key logic of memcMP and dexFileParse functions. Modify the function to write the function we want to implement.
Third generation reinforced and shelled
The third generation reinforcement scheme mainly extracts functions and performs dynamic encryption and decryption. The key reinforcement technology points are listed below
DEX protection: DEX Method code extraction and DEX Method dynamic decryption
SO protection :SO shell
Dynamic defense: prevents memory dump and system core library HOOK
Resource file protection: H5 file protection
APP function extraction instruction flow:
1. Parse the original DEX file format and save the code structure information of all methods.
2. Retrieve the code structure information by passing in the method and class name of the instruction to be nulled.
3. Obtain the number of instructions and offset address through the code structure information of the method, construct an empty instruction set, and then overwrite the original instruction.
4. Recalculate the checksum and signature information of the dex file and write it back to the header information.
Peeling method:
HOOK hulling method
Through the use of FRIda framework hook key function DexFile, OpenFile, dexFindClass and other key functions to achieve decoupling.
Custom system peeling method
By modifying the key functions in the system source code such as DexFile, OpenFile, dexFindClass function of the key logic, and then reprogramming the system.
Dehulling was carried out in ART by modifying custom dex2OAT method.
Fourth generation reinforced and shelled
The strongest reinforcement on the market right now is code virtualization protection. Virtual machine code (a custom code set) is interpreted and executed by the VIRTUAL machine CPU by compiling the code of a program into virtual machine instructions.
The key reinforcement techniques are listed below
DEX protection: code VMP virtualization protection
SO Protection: LLVM-based SO file protection (ELF VMP)
Shell scheme
HOOK hulling method
You can hook different virtual machine (Dalvik and ART) implementations based on the Frida framework.
Custom system peeling method
conclusion
Using the Frida peeling method:
1. Find the DexFile object (the Art VM is a DexFile object, and the Dalvik VM is a DexFile structure), obtain the start address and size of the DEX file, and dump the DEX file.
Common functions that can find DexFile objects include LoadMethod and ResolveMethod. Common functions that can directly obtain the start address and size of DEX include openMemory, dexparse, dexFileParse, dvmDexFileOpenPartial and so on. Frida_unpack is a good example of this.
2. Use FRIda’s search memory to match features of DEX files, such as the magic value in the header of DEX files -dex.035 or dex.036. Frida-dexdump is a good example of this method.
Custom system and custom Android device methods:
1, the use of customized Android ROM, can effectively fight against all the encryption shell in the market, class extraction type shell; Compared with open source unshell tools, are generally based on hook framework, such as Frida, Xposed; At present, most reinforcement manufacturers have carried out security tests on the features of hook framework and unhulling framework, which will lead to app startup failure and thus unhulling failure. However, through the customized ROM, there is no dependence on hook framework and no relevant framework feature code marks, so the success rate of unhulling will be relatively high.
2. The advantages of using customized Android hardware devices. Based on the open source nature of Android, Every time Google releases a new version of ROM, it will be the first to apply it on the devices of Pixel and Nexus series, which also leads most security practitioners to adopt customized ROM implementation methods at intervals in order to improve work efficiency. In the market, open source unshell ROM is mostly needed to brush Nexus and Pixel series models, which also makes most reinforcement manufacturers do special and deeper security protection detection on Nexus and Pixel series models, so as to ensure the safety of the program in the process of running. By customizing Android hardware devices, there are no features related to Nexus and Pixel devices, which can improve the success rate of peeling.