Android application packing is a common code-protection technique for Android applications. It hides the original bytecode of the packed application, but attackers can also use it to hide malicious API calls and evade detection. Current mainstream Android unpacking techniques target non-virtualization protection: they insert unpacking code at a fixed unpacking point, collect the Dex file data there, extract it, and then reassemble and repair it. This approach is easily bypassed by anti-debugging and hijacking techniques. For the strongest form of protection, virtualization (Dex VMP) shells, only unpackers customized for specific security vendors exist, and there is no general, efficient, automatic unpacking solution.

To address these problems, this paper proposes an Android application unpacking scheme that works on the latest Android runtime environment (Android Runtime, ART). Packing techniques are first classified by heuristics into ordinary shells, extraction shells and Dex VMP shells, and a general and effective unpacking scheme is then designed for each type of packing. The main work of this paper consists of the following two points:

(1) Existing mainstream unpacking frameworks are built around a single shell type and therefore have a low success rate on Android applications protected with different packing technologies. This paper designs a heuristic method to classify shell types and designs a different unpacking scheme for each. The scheme was used to unpack and test 30,000 real apps in a real environment. The experimental results show that the unpacking accuracy of the proposed method reaches 94.6%, which is 9.9% and 6.9% higher than the current mainstream open-source general unpacking tools Fart and Youpk, respectively. At the same time, the average unpacking efficiency of the proposed method is 1.73 M/s higher than that of other mainstream unpacking systems. In addition, compared with Fart, which has the best extraction results in the industry, the proposed method improves the integrity of Dex files extracted from ordinary shells by 2.5%; compared with other mainstream unpacking systems, the integrity of the extracted Dex files is improved by 13.7% on average.

(2) This paper combines dynamic search for unpacking points with parameter tracking based on the abstract syntax tree to alleviate the frequent failure of fixed unpacking points, and uses a daemon thread to prevent the unpacking operation from being inline-hooked. Existing extraction-shell unpacking schemes cannot repair all method bodies, which leaves the extracted Dex file incomplete; to address this, a method of overriding class loading and calling all classes is proposed. Most Dex VMP unpacking methods customized for specific vendors require reverse engineering, generalize poorly and cannot unpack automatically; a fuzzing method based on dominator-point instrumentation is proposed for them. Experimental results in a real environment show that the proposed method reaches Dex VMP unpacking rates of 89.3%, 84.3% and 87.7% against the virtualization protection technologies of the three major vendors 360 Security, Ai Encryption and Bang Bang Security, respectively.
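The abstract reports "integrity of the extracted Dex file" as the measure of how many method bodies an unpacker actually recovered from an extraction shell. The following is an added example, not code from the thesis or from Fart/Youpk, of how a practitioner can compute that figure for a dumped DEX: it walks the DEX header, the class_def_items and their class_data_items, and counts methods whose code_off is zero while they are neither native nor abstract, i.e. method bodies the shell had not restored at dump time. The sample DEX is constructed inline and contains only the structures the walker touches (no string/type/method id tables, no checksum), so it is not loadable by ART; the layout offsets and the ACC_NATIVE/ACC_ABSTRACT flag values are the ones from the DEX format specification.

```python
"""Measure how many method bodies a dumped DEX actually carries.

Added example (not the thesis's code). Walks header -> class_defs ->
class_data and classifies each encoded_method by its code_off.
"""
import struct

ACC_NATIVE = 0x0100      # bodyless by design
ACC_ABSTRACT = 0x0400    # bodyless by design
HEADER_SIZE = 0x70       # dex header_item is 112 bytes
CLASS_DEF_SIZE = 0x20    # class_def_item is 32 bytes


def read_uleb128(buf, off):
    """Decode a ULEB128 value at buf[off]; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if b & 0x80 == 0:
            return result, off
        shift += 7


def write_uleb128(value):
    """Encode an int as ULEB128 (used only to build the constructed sample)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def dex_method_integrity(dex):
    """Return counts of methods with/without code and an integrity ratio.

    integrity = methods with a code_item / methods that should have one
    (native and abstract methods are excluded from the denominator).
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # class_defs_size @0x60, class_defs_off @0x64 in header_item
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 96)
    stats = {"classes": class_defs_size, "methods": 0, "with_code": 0,
             "native_or_abstract": 0, "missing_body": 0}
    for i in range(class_defs_size):
        cd = class_defs_off + i * CLASS_DEF_SIZE
        (class_data_off,) = struct.unpack_from("<I", dex, cd + 24)
        if class_data_off == 0:
            continue  # class without fields or methods
        off = class_data_off
        sizes = []
        for _ in range(4):  # static_fields, instance_fields, direct, virtual
            n, off = read_uleb128(dex, off)
            sizes.append(n)
        static_fields, instance_fields, direct_methods, virtual_methods = sizes
        for _ in range(static_fields + instance_fields):
            _, off = read_uleb128(dex, off)  # field_idx_diff
            _, off = read_uleb128(dex, off)  # access_flags
        for _ in range(direct_methods + virtual_methods):
            _, off = read_uleb128(dex, off)      # method_idx_diff
            flags, off = read_uleb128(dex, off)  # access_flags
            code_off, off = read_uleb128(dex, off)
            stats["methods"] += 1
            if code_off:
                stats["with_code"] += 1
            elif flags & (ACC_NATIVE | ACC_ABSTRACT):
                stats["native_or_abstract"] += 1
            else:
                stats["missing_body"] += 1  # body stripped / not yet restored
    concrete = stats["methods"] - stats["native_or_abstract"]
    stats["integrity"] = stats["with_code"] / concrete if concrete else 1.0
    return stats


def build_sample_dex():
    """Constructed sample: header + one class_def + class_data with 3 methods."""
    class_data = b"".join(write_uleb128(v) for v in (0, 0, 2, 1))      # sizes
    class_data += b"".join(write_uleb128(v) for v in (0, 0x1, 0x100))  # direct, public, has code
    class_data += b"".join(write_uleb128(v) for v in (1, 0x101, 0))    # direct, public native, no code (ok)
    class_data += b"".join(write_uleb128(v) for v in (2, 0x1, 0))      # virtual, public, body stripped
    class_defs_off = HEADER_SIZE
    class_data_off = class_defs_off + CLASS_DEF_SIZE
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 96, 1, class_defs_off)
    class_def = bytearray(CLASS_DEF_SIZE)
    struct.pack_into("<I", class_def, 24, class_data_off)
    return bytes(header) + bytes(class_def) + class_data


if __name__ == "__main__":
    print(dex_method_integrity(build_sample_dex()))
```

On a real dump, point `dex_method_integrity` at the bytes of the extracted classes.dex; a `missing_body` count above zero tells you which fraction of the shell's stubbed-out methods the unpacker never triggered, which is exactly what the "overriding class loading and calling all classes" step in point (2) is meant to drive to zero.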