| In recent years, malicious applications on Android mobile devices have caused serious harm to the private information and property security of users. To protect Android applications, a series of packer services have appeared on the market. While packer services protect Android applications, malware also uses packer protection technology to evade scanning by detection systems. At the same time, it is difficult for researchers to determine whether packed applications have privacy leaks or other issues under the "Information Security Technology Personal Information Security Specification". Whether the goal is static analysis of malicious behavior in the code or a search for privacy leakage risks, the original dex file must first be extracted from the apk. To obtain the original dex file from an encrypted application, the common practice is to unpack the encrypted application as a whole. With the continuous development of packing technology, finer-grained protection methods for applications have emerged on top of the overall packing scheme. Therefore, although this general unpacking approach can handle the overall packing scheme to a certain extent, it has difficulty with deeper packing schemes that work at function and instruction granularity, and so it cannot effectively unpack existing packed applications. In response to the harm that malicious applications cause to developers and users, this paper studies automatic unpacking technology for Android applications in order to obtain the original dex file in the apk. This paper proposes an automatic unpacking scheme for Android applications that actively loads classes, actively calls functions with real parameters, and monitors the execution of smali instructions. The design idea is to load and initialize all component classes through the class loader in advance and, when execution passes through the established unpacking point, to obtain all the class names in the dex file to which each component class belongs. All classes are then actively loaded and initialized again to unpack the application as a whole. Then, by actively calling all methods in the classes and monitoring the execution of smali instructions in the interpreter, the original instruction set is obtained, which completes the unpacking of the original instruction set. The main problems solved are: (1) An overall unpacking scheme is proposed that actively loads and initializes classes; it loads and initializes the class functions in all dex files by traversing the class loader, and solves problems such as dex files being loaded dynamically through custom loaders and other class loaders. (2) A function-granularity unpacking scheme based on active reflection calls with real parameters is proposed; it uses real parameters in memory to make active reflection calls for all classes and actively restores the extracted instruction set, which solves the inability of the overall unpacking scheme to deal with packing schemes applied inside functions. Through these technical breakthroughs, unpacking of the target Android application is realized, and the unpacking scheme in this paper is deployed and applied in an app privacy detection system. The test results show that the unpacking scheme in this paper can deal with dynamic loading technology that uses customized class loaders, with bogus functions, and with packing technology that uses self-modifying methods, and that it performs well in the app privacy detection system. |