
Research On Automatic Reverse Auxiliary Analysis Framework Based On Android Unpacking And Deobfuscation

Posted on: 2022-10-28
Degree: Master
Type: Thesis
Country: China
Candidate: C J Jin
Full Text: PDF
GTID: 2518306491466274
Subject: Computer technology
Abstract/Summary:
In response to China's "Internet +" initiative, mobile applications have been empowered by the best technologies of the Internet and have gained unprecedented development prospects, bringing enormous change to people's lives and work. At the same time, amid legitimate commercial competition, malicious software, telecommunications fraud and other harmful applications keep surging along with the general trend, and network security has become ever more important and indispensable. Likewise, in mobile endpoint protection, basic research on analyzing and preventing applications implanted with malicious code is a hot topic in today's security field. Among the relevant techniques, reverse analysis is the "sacred sword" for detecting and eliminating malicious code. Viewed broadly, unpacking, the counterpart of app hardening, is the first step in reverse-assisted analysis of mobile application security, and it is developing rapidly. In recent years hardening vendors have used different methods, but the common goal is to protect Android applications by extracting important file content. This also brings serious problems: Android malware uses the same hardening methods to hide its high-risk code and evade detection by anti-virus engines, which makes filtering out malware more difficult. Existing Android unpacking frameworks cannot adapt to new hardening methods, so unpacking technology always lags behind the emergence of new hardening techniques. This thesis proposes a general automation framework called DeepAutoD for extracting DEX files. It applies an unpacking solution that integrates a deep deception call chain to examine mainstream apps from popular application markets, and the algorithm provided can be customized to any version of the Android system. The experimental results show that the DeepAutoD proposed in this thesis can efficiently extract and restore complete DEX files.

After years of development and confrontation, Android app hardening has matured considerably. Its protection granularity has evolved from extracting DEX code to compiling core function code into shared libraries, and then adding O-LLVM obfuscation and other techniques to the Native-layer files. The protection surface has moved down from the Java layer to the Native layer, and generic dynamic DEX modification has evolved into highly customized Native-layer obfuscation mechanisms, continually raising the difficulty and workload of reverse analysis in order to better protect client code. Correspondingly, in response to the recent rise of O-LLVM obfuscation as a hardening technique, this thesis also proposes an automated deobfuscation solution called CiANa. CiANa uses the Capstone framework to analyze basic blocks and their instruction structure in order to find the real blocks scattered through the program's disassembled control-flow graph, then uses flow-sensitive mixed execution to determine the execution-order relationship between the real blocks, and finally performs instruction repair on the real blocks' assembly instructions to obtain a deobfuscated executable binary. The experimental results show that the CiANa proposed in this thesis can restore Android Native files after O-LLVM obfuscation under the ARM/ARM64 architecture. To the best of this author's knowledge, CiANa is the first framework so far that can effectively deobfuscate the full version (Debug/Release version) of O-LLVM under the ARM/ARM64 architecture, providing necessary auxiliary functions for reverse analysis.
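The recovery idea described above (pick the real blocks out of the dispatcher machinery, work out their execution order from the state values they write, then repair the branches) can be illustrated on a toy flattened program. The Python below is an added example, not CiANa's code or anything from the thesis; it models O-LLVM-style control-flow flattening with a small hypothetical instruction set instead of real ARM disassembly, so it needs no Capstone, and it derives successor edges by concretely evaluating each real block's writes to the state variable rather than by mixed execution. All block names, state constants and instruction forms are constructed for the example.

```python
"""Toy control-flow-flattening recovery (added example, not CiANa's code).

O-LLVM flattening replaces direct branches with a dispatcher that switches
on a state variable; every real block stores the next state constant and
jumps back to the dispatcher.  Recovery: locate the dispatcher, take its
case targets as the real blocks, evaluate each real block's writes to the
state variable to get its successors, then rewrite the blocks with direct
branches and drop the dispatcher machinery.
"""

# Hypothetical instruction set standing in for ARM disassembly:
#   ("mov", dst, imm)           dst = imm
#   ("movc", dst, flag, t, f)   dst = t if flag set else f   (cmov/select)
#   ("cmp", reg, imm)           sets flags "eq" / "lt"
#   ("je", target) ("jmp", target) ("jcc", flag, target) ("add", dst, imm) ("ret",)
# Constructed flattened form of:  if x < 10: x += 1  else: x -= 1;  return
FLATTENED = {
    "entry": [("mov", "state", 0x11), ("jmp", "dispatch")],
    "dispatch": [("cmp", "state", 0x11), ("je", "B1"),
                 ("cmp", "state", 0x22), ("je", "B2"),
                 ("cmp", "state", 0x33), ("je", "B3"),
                 ("cmp", "state", 0x44), ("je", "B4"),
                 ("jmp", "dispatch")],
    "B1": [("cmp", "x", 10), ("movc", "state", "lt", 0x22, 0x33), ("jmp", "pre")],
    "B2": [("add", "x", 1), ("mov", "state", 0x44), ("jmp", "pre")],
    "B3": [("add", "x", -1), ("mov", "state", 0x44), ("jmp", "pre")],
    "B4": [("ret",)],
    "pre": [("jmp", "dispatch")],
}


def find_dispatcher(prog):
    """Return (block, state_reg, {constant: target}) for the block with the
    most cmp/je pairs on a single register; that compare chain is the dispatcher."""
    best = None
    for name, instrs in prog.items():
        reg, cases = None, {}
        for a, b in zip(instrs, instrs[1:]):
            if a[0] == "cmp" and b[0] == "je" and reg in (None, a[1]):
                reg = a[1]
                cases[a[2]] = b[1]
        if len(cases) >= 2 and (best is None or len(cases) > len(best[2])):
            best = (name, reg, cases)
    if best is None:
        raise ValueError("no dispatcher found")
    return best


def state_writes(instrs, state_reg):
    """Last value(s) a block leaves in the state register, as
    [(flag_or_None, constant)]: a mov gives one entry, a movc gives two."""
    writes = []
    for ins in instrs:
        if ins[0] == "mov" and ins[1] == state_reg:
            writes = [(None, ins[2])]
        elif ins[0] == "movc" and ins[1] == state_reg:
            writes = [(ins[2], ins[3]), ("!" + ins[2], ins[4])]
    return writes


def deflatten(prog):
    """Recover (entry, {block: [(flag_or_None, successor)]}) for the real blocks."""
    _, state_reg, cases = find_dispatcher(prog)
    jumped_to = {ins[-1] for body in prog.values() for ins in body
                 if ins[0] in ("je", "jmp")}
    entry = next(n for n in prog if n not in jumped_to)   # nobody jumps to entry
    cfg = {}
    for name in [entry] + sorted(set(cases.values())):
        succ = []
        for flag, const in state_writes(prog[name], state_reg):
            if const not in cases:
                raise ValueError(f"{name} sets unknown state {const:#x}")
            succ.append((flag, cases[const]))
        cfg[name] = succ
    return entry, cfg


def rebuild(prog):
    """Instruction repair: strip state writes and the jump back to the
    dispatcher, append direct branches; dispatcher and pre-dispatcher vanish."""
    _, state_reg, _ = find_dispatcher(prog)
    entry, cfg = deflatten(prog)
    repaired = {}
    for name, succ in cfg.items():
        body = [ins for ins in prog[name]
                if not (ins[0] in ("mov", "movc") and ins[1] == state_reg)
                and ins[0] != "jmp"]          # real blocks here only jmp to "pre"
        if len(succ) == 1:
            body.append(("jmp", succ[0][1]))
        elif len(succ) == 2:
            (flag, taken), (_, fallthrough) = succ
            body += [("jcc", flag, taken), ("jmp", fallthrough)]
        repaired[name] = body
    return entry, repaired


if __name__ == "__main__":
    entry, repaired = rebuild(FLATTENED)
    for name in [entry] + sorted(n for n in repaired if n != entry):
        print(name, repaired[name])
```

Running it prints the four recovered blocks with direct `jcc`/`jmp` edges and no `dispatch` or `pre` block. The same structure applies to real binaries, where the dispatcher is recognised from disassembled compare-and-branch chains and the conditional state write is typically a predicated move whose two outcomes have to be followed separately, which is where a flow-sensitive execution engine earns its keep.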
Keywords/Search Tags: Mobile application security, Reverse assistance, Unpacking, Code extraction, O-LLVM obfuscation