Android application program protection method based on dual ARM instruction virtualization

Abstract

The invention discloses an Android application program protection method based on dual ARM instruction virtualization. The method comprises the steps that key code segments needing to be protected ina so file are searched for, wherein the key code segments include a key code segment needing VOP protection and a key code segment needing VMP protection; Hex extraction and mapping virtualization areperformed on the key code segment needing VOP protection, and a VOP virtual machine so file is formed; the key code segment needing VOP protection is encrypted, Hook replacement is performed on the encrypted VOP key code segment, and a virtual instruction code in the VOP virtual machine so file is made to replace an encrypted code, corresponding to the encrypted VOP key code segment, in the so file; instruction virtualization is performed on the key code segment needing VMP protection, and a protected VMP virtual machine so file with virtual sections is formed; and driving data in the VMP virtual machine so file is made to replace the code, corresponding to the key code segment, in the so file. Through the method, two different virtual machine protection thoughts are combined, attack costof a reverser is increased, and the complexity of a protected program is enhanced.

Description

technical field [0001] The invention belongs to the technical field of SO (abbreviation for shared object) file reinforcement in Android application programs, and in particular relates to a virtual Android application program protection method based on dual ARM instructions. Background technique [0002] In recent years, with the popularization of Android smart devices and the increasing number of applications on the corresponding devices, more and more attackers and hackers focus on the applications on the mobile platform, so the following What is more serious is that the phenomenon of reverse analysis and secondary packaging has become more and more serious, which has brought huge economic loss to the developers and users of the program. [0003] Therefore, in order to reduce the unnecessary economic loss of the developer and protect the legitimate rights and interests of the users, it is urgent to effectively protect and strengthen the APP (short for application). At pre...

AI Technical Summary

Problems solved by technology

However, the current protection of SO files is mainly in the packing and obfuscation stage. Packing mainly uses UPX packing (the Ultimate Packer for eXecutables) or by rewriting the loader for packing protection. The packing program can prevent certain Static analysis, but it cannot effectively prevent dynamic debugging analysis. If an attacker understands the entire ELF linker loading process, he can accurately find the timing of unpacking and unpacking. That is to say, packing cannot essentially deal with dynamic analysis. and an experienced reverse engineer

Another common protection method for so files is obfuscation. At present, obfuscation mainly uses OLLVM obfuscation based on source code. Although OLLVM obfuscation seems to increase the complexity of control flow on the surface, too much control flow will affect The performance of the program itself, and based on the source code, has great limitations. In many cases, it is protected on the basis of binary, and the operability is relatively weak.

Although there is currently a virtualization protection technology for SO files, this method can indeed increase the cost of dynamic analysis in terms of the effect of virtualization protection, but on the premise of a device such as a mobile phone and a tablet, this method will introduce High performance overhead, lack of versatility and scalability, resulting in this method has not been applied to the market so far

Images