为Android的apk应用程序文件加壳以防止反编译的教程

一、什么是加壳?

加壳是在二进制的程序中植入一段代码,在运行的时候优先取得程序的控制权,做一些额外的工作。

大多数病毒就是基于此原理。

二、加壳作用

加壳的程序可以有效阻止对程序的反汇编分析,以达到它不可告人的目的。

这种技术也常用来保护软件版权,防止被软件破解。

三、Android Dex文件加壳原理

PC平台现在已存在大量的标准的加壳和解壳工具,但是Android作为新兴平台还未出现APK加壳工具。

Android Dex文件大量使用引用给加壳带来了一定的难度,但是从理论上讲,Android APK加壳也是可行的。


在这个过程中,牵扯到三个角色:

1、加壳程序:加密源程序为解壳数据、组装解壳程序和解壳数据

2、解壳程序:解密解壳数据,并运行时通过DexClassLoader动态加载

3、源程序:需要加壳处理的被保护代码

根据解壳数据在解壳程序DEX文件中的不同分布,本文将提出两种Android Dex加壳的实现方案。

解壳数据位于解壳程序文件尾部:该种方式简单实用,合并后的DEX文件结构如下。


2016428142304174.png (242×541)

四、加壳程序工作流程:

1、加密源程序APK文件为解壳数据

2、把解壳数据写入解壳程序Dex文件末尾,并在文件尾部添加解壳数据的大小。


3、修改解壳程序DEX头中checksum、signature 和file_size头信息。


4、修改源程序AndroidMainfest.xml文件并覆盖解壳程序AndroidMainfest.xml文件。

五、解壳DEX程序工作流程:

1、读取DEX文件末尾数据获取借壳数据长度。


2、从DEX文件读取解壳数据,解密解壳数据。

以文件形式保存解密数据到a.APK文件

3、通过DexClassLoader动态加载a.apk。

解壳数据位于解壳程序文件头

该种方式相对比较复杂, 合并后DEX文件结构如下:

2016428142331268.png (241×526)

六、加壳程序工作流程:

1、加密源程序APK文件为解壳数据

2、计算解壳数据长度,并添加该长度到解壳DEX文件头末尾,并继续解壳数据到文件头末尾。


(插入数据的位置为0x70处)

3、修改解壳程序DEX头中checksum、signature、file_size、header_size、string_ids_off、type_ids_off、proto_ids_off、field_ids_off、

method_ids_off、class_defs_off和data_off相关项。

  分析map_off 数据,修改相关的数据偏移量。

 

4、修改源程序AndroidMainfest.xml文件并覆盖解壳程序AndroidMainfest.xml文件。

七、加壳程序流程及代码实现

1、加密源程序APK为解壳数据

2、把解壳数据写入解壳程序DEX文件末尾,并在文件尾部添加解壳数据的大小。


3、修改解壳程序DEX头中checksum、signature 和file_size头信息。

代码实现如下:


package com.android.dexshell; 
import java.io.ByteArrayOutputStream; 
import java.io.File; 
import java.io.FileInputStream; 
import java.io.FileOutputStream; 
import java.io.IOException; 
import java.security.MessageDigest; 
import java.security.NoSuchAlgorithmException; 
import java.util.zip.Adler32; 
 
public class DexShellTool { 
 /** 
  * @param args 
  */ 
 public static void main(String[] args) { 
  // TODO Auto-generated method stub 
  try { 
   File payloadSrcFile = new File("g:/payload.apk"); 
   File unShellDexFile = new File("g:/unshell.dex"); 
   byte[] payloadArray = encrpt(readFileBytes(payloadSrcFile)); 
   byte[] unShellDexArray = readFileBytes(unShellDexFile); 
   int payloadLen = payloadArray.length; 
   int unShellDexLen = unShellDexArray.length; 
   int totalLen = payloadLen + unShellDexLen +4; 
   byte[] newdex = new byte[totalLen]; 
   //添加解壳代码 
   System.arraycopy(unShellDexArray, 0, newdex, 0, unShellDexLen); 
   //添加加密后的解壳数据 
   System.arraycopy(payloadArray, 0, newdex, unShellDexLen, 
     payloadLen); 
   //添加解壳数据长度 
   System.arraycopy(intToByte(payloadLen), 0, newdex, totalLen-4, 4); 
      //修改DEX file size文件头 
   fixFileSizeHeader(newdex); 
   //修改DEX SHA1 文件头 
   fixSHA1Header(newdex); 
   //修改DEX CheckSum文件头 
   fixCheckSumHeader(newdex); 
 
 
   String str = "g:/classes.dex"; 
   File file = new File(str); 
   if (!file.exists()) { 
    file.createNewFile(); 
   } 
    
   FileOutputStream localFileOutputStream = new FileOutputStream(str); 
   localFileOutputStream.write(newdex); 
   localFileOutputStream.flush(); 
   localFileOutputStream.close(); 
 
 
  } catch (Exception e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
 } 
  
 //直接返回数据,读者可以添加自己加密方法 
 private static byte[] encrpt(byte[] srcdata){ 
  return srcdata; 
 } 
 
 
 private static void fixCheckSumHeader(byte[] dexBytes) { 
  Adler32 adler = new Adler32(); 
  adler.update(dexBytes, 12, dexBytes.length - 12); 
  long value = adler.getValue(); 
  int va = (int) value; 
  byte[] newcs = intToByte(va); 
  byte[] recs = new byte[4]; 
  for (int i = 0; i < 4; i++) { 
   recs[i] = newcs[newcs.length - 1 - i]; 
   System.out.println(Integer.toHexString(newcs[i])); 
  } 
  System.arraycopy(recs, 0, dexBytes, 8, 4); 
  System.out.println(Long.toHexString(value)); 
  System.out.println(); 
 } 
 
 
 public static byte[] intToByte(int number) { 
  byte[] b = new byte[4]; 
  for (int i = 3; i >= 0; i--) { 
   b[i] = (byte) (number % 256); 
   number >>= 8; 
  } 
  return b; 
 } 
 
 
 private static void fixSHA1Header(byte[] dexBytes) 
   throws NoSuchAlgorithmException { 
  MessageDigest md = MessageDigest.getInstance("SHA-1"); 
  md.update(dexBytes, 32, dexBytes.length - 32); 
  byte[] newdt = md.digest(); 
  System.arraycopy(newdt, 0, dexBytes, 12, 20); 
  String hexstr = ""; 
  for (int i = 0; i < newdt.length; i++) { 
   hexstr += Integer.toString((newdt[i] & 0xff) + 0x100, 16) 
     .substring(1); 
  } 
  System.out.println(hexstr); 
 } 
 
 
 private static void fixFileSizeHeader(byte[] dexBytes) { 
 
 
  byte[] newfs = intToByte(dexBytes.length); 
  System.out.println(Integer.toHexString(dexBytes.length)); 
  byte[] refs = new byte[4]; 
  for (int i = 0; i < 4; i++) { 
   refs[i] = newfs[newfs.length - 1 - i]; 
   System.out.println(Integer.toHexString(newfs[i])); 
  } 
  System.arraycopy(refs, 0, dexBytes, 32, 4); 
 } 
 
 
 private static byte[] readFileBytes(File file) throws IOException { 
  byte[] arrayOfByte = new byte[1024]; 
  ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream(); 
  FileInputStream fis = new FileInputStream(file); 
  while (true) { 
   int i = fis.read(arrayOfByte); 
   if (i != -1) { 
    localByteArrayOutputStream.write(arrayOfByte, 0, i); 
   } else { 
    return localByteArrayOutputStream.toByteArray(); 
   } 
  } 
 } 
 
 
} 



八、解壳程序流程及代码实现

在解壳程序的开发过程中需要解决如下几个关键的技术问题:

1.解壳代码如何能够第一时间执行?

Android程序由不同的组件构成,系统在有需要的时候启动程序组件。

因此解壳程序必须在Android系统启动组件之前运行,完成对解壳数据的解壳及APK文件的动态加载,否则会使程序出现加载类失败的异常。


Android开发者都知道Applicaiton做为整个应用的上下文,会被系统第一时间调用,这也是应用开发者程序代码的第一执行点。

因此通过对AndroidMainfest.xml的application的配置可以实现解壳代码第一时间运行。






package com.android.dexunshell; 
 
import java.io.BufferedInputStream; 
import java.io.ByteArrayInputStream; 
import java.io.ByteArrayOutputStream; 
import java.io.DataInputStream; 
import java.io.File; 
import java.io.FileInputStream; 
import java.io.FileOutputStream; 
import java.io.IOException; 
import java.lang.ref.WeakReference; 
import java.util.ArrayList; 
import java.util.HashMap; 
import java.util.Iterator; 
import java.util.zip.ZipEntry; 
import java.util.zip.ZipInputStream; 
 
import dalvik.system.DexClassLoader; 
import android.app.Application; 
import android.content.pm.ApplicationInfo; 
import android.content.pm.PackageManager; 
import android.content.pm.PackageManager.NameNotFoundException; 
import android.os.Bundle; 
 
public class ProxyApplication extends Application { 
 
 private static final String appkey = "APPLICATION_CLASS_NAME"; 
 private String apkFileName; 
 private String odexPath; 
 private String libPath; 
 @Override 
 public void onCreate() { 
  // TODO Auto-generated method stub 
  super.onCreate(); 
  try { 
   File odex = this.getDir("payload_odex", MODE_PRIVATE); 
   File libs = this.getDir("payload_lib", MODE_PRIVATE); 
   odexPath = odex.getAbsolutePath(); 
   libPath = libs.getAbsolutePath(); 
   apkFileName = odex.getAbsolutePath()+"/payload.apk"; 
   File dexFile = new File(apkFileName); 
   if(!dexFile.exists()) 
    dexFile.createNewFile(); 
   //读取程序classes.dex文件 
   byte[] dexdata = this.readDexFileFromApk(); 
   //分离出解壳后的apk文件已用于动态加载 
   this.splitPayLoadFromDex(dexdata); 
   //配置动态加载环境 
   this.configApplicationEnv(); 
    
  } catch (Exception e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
 } 
  
 private void configApplicationEnv() throws NameNotFoundException, IllegalAccessException, InstantiationException, ClassNotFoundException, IOException{ 
 
  Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{}); 
  HashMap mPackages = (HashMap)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mPackages"); 
  //替换组件类加载器为DexClassLoader,已使动态加载代码具有组件生命周期 
  WeakReference wr = (WeakReference) mPackages.get(this.getPackageName()); 
  DexClassLoader dLoader = new DexClassLoader(apkFileName, 
    odexPath, libPath, (ClassLoader) RefInvoke.getFieldOjbect("android.app.LoadedApk", wr.get(), "mClassLoader")); 
  RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", wr.get(), dLoader); 
 
  //如果源应用配置有Appliction对象,则替换为源应用Applicaiton,以便不影响源程序逻辑。

ApplicationInfo appInfo = this.getPackageManager().getApplicationInfo(this.getPackageName(),PackageManager.GET_META_DATA); Bundle bundle = appInfo.metaData; if(bundle != null && bundle.containsKey(appkey)){ String appClassName = bundle.getString(appkey); Application app = (Application)dLoader.loadClass(appClassName).newInstance(); RefInvoke.setFieldOjbect("android.app.ContextImpl", "mOuterContext", this.getBaseContext(), app); RefInvoke.setFieldOjbect("android.content.ContextWrapper", "mBase", app, this.getBaseContext()); Object mBoundApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mBoundApplication"); Object info = RefInvoke.getFieldOjbect("android.app.ActivityThread$AppBindData", mBoundApplication, "info"); RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication", info, app); Object oldApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mInitialApplication"); RefInvoke.setFieldOjbect("android.app.ActivityThread", "mInitialApplication", currentActivityThread, app); ArrayList mAllApplications = (ArrayList)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mAllApplications"); mAllApplications.remove(oldApplication); mAllApplications.add(app); HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mProviderMap"); Iterator it = mProviderMap.values().iterator(); while(it.hasNext()){ Object providerClientRecord = it.next(); Object localProvider = RefInvoke.getFieldOjbect("android.app.ProviderClientRecord", providerClientRecord, "mLocalProvider"); RefInvoke.setFieldOjbect("android.content.ContentProvider", "mContext", localProvider, app); } RefInvoke.invokeMethod(appClassName, "onCreate", app, new Class[]{}, new Object[]{}); } } private void splitPayLoadFromDex(byte[] data) throws IOException{ byte[] apkdata = decrypt(data); int ablen = apkdata.length; byte[] dexlen = new byte[4]; System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4); ByteArrayInputStream bais = new ByteArrayInputStream(dexlen); DataInputStream in = new DataInputStream(bais); int readInt = in.readInt(); System.out.println(Integer.toHexString(readInt)); byte[] newdex = new byte[readInt]; System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt); File file = new File(apkFileName); try { FileOutputStream localFileOutputStream = new FileOutputStream(file); localFileOutputStream.write(newdex); localFileOutputStream.close(); } catch (IOException localIOException) { throw new RuntimeException(localIOException); } ZipInputStream localZipInputStream = new ZipInputStream( new BufferedInputStream(new FileInputStream(file))); while (true) { ZipEntry localZipEntry = localZipInputStream.getNextEntry(); if (localZipEntry == null) { localZipInputStream.close(); break; } String name = localZipEntry.getName(); if (name.startsWith("lib/") && name.endsWith(".so")) { File storeFile = new File(libPath+"/"+name.substring(name.lastIndexOf('/'))); storeFile.createNewFile(); FileOutputStream fos = new FileOutputStream(storeFile); byte[] arrayOfByte = new byte[1024]; while (true) { int i = localZipInputStream.read(arrayOfByte); if (i == -1) break; fos.write(arrayOfByte, 0, i); } fos.flush(); fos.close(); } localZipInputStream.closeEntry(); } localZipInputStream.close(); } private byte[] readDexFileFromApk() throws IOException { ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream(); ZipInputStream localZipInputStream = new ZipInputStream( new BufferedInputStream(new FileInputStream(this.getApplicationInfo().sourceDir))); while (true) { ZipEntry localZipEntry = localZipInputStream.getNextEntry(); if (localZipEntry == null) { localZipInputStream.close(); break; } if (localZipEntry.getName().equals("classes.dex")) { byte[] arrayOfByte = new byte[1024]; while (true) { int i = localZipInputStream.read(arrayOfByte); if (i == -1) break; dexByteArrayOutputStream.write(arrayOfByte, 0, i); } } localZipInputStream.closeEntry(); } localZipInputStream.close(); return dexByteArrayOutputStream.toByteArray(); } ////直接返回数据,读者可以添加自己解密方法 private byte[] decrypt(byte[] data){ return data; } }

RefInvoke为反射调用工具类:


package com.android.dexunshell; 
 
import java.lang.reflect.Field; 
import java.lang.reflect.InvocationTargetException; 
import java.lang.reflect.Method; 
 
public class RefInvoke { 
  
 public static Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){ 
   
  try { 
   Class obj_class = Class.forName(class_name); 
   Method method = obj_class.getMethod(method_name,pareTyple); 
   return method.invoke(null, pareVaules); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchMethodException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (InvocationTargetException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
  return null; 
   
 } 
  
 public static Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){ 
   
  try { 
   Class obj_class = Class.forName(class_name); 
   Method method = obj_class.getMethod(method_name,pareTyple); 
   return method.invoke(obj, pareVaules); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchMethodException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (InvocationTargetException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
  return null; 
   
 } 
  
 public static Object getFieldOjbect(String class_name,Object obj, String filedName){ 
  try { 
   Class obj_class = Class.forName(class_name); 
   Field field = obj_class.getDeclaredField(filedName); 
   field.setAccessible(true); 
   return field.get(obj); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchFieldException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
  return null; 
   
 } 
  
 public static Object getStaticFieldOjbect(String class_name, String filedName){ 
   
  try { 
   Class obj_class = Class.forName(class_name); 
   Field field = obj_class.getDeclaredField(filedName); 
   field.setAccessible(true); 
   return field.get(null); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchFieldException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } 
  return null; 
   
 } 
  
 public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){ 
  try { 
   Class obj_class = Class.forName(classname); 
   Field field = obj_class.getDeclaredField(filedName); 
   field.setAccessible(true); 
   field.set(obj, filedVaule); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchFieldException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  }  
 } 
  
 public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){ 
  try { 
   Class obj_class = Class.forName(class_name); 
   Field field = obj_class.getDeclaredField(filedName); 
   field.setAccessible(true); 
   field.set(null, filedVaule); 
  } catch (SecurityException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (NoSuchFieldException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalArgumentException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (IllegalAccessException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  } catch (ClassNotFoundException e) { 
   // TODO Auto-generated catch block 
   e.printStackTrace(); 
  }   
 } 
 
} 



九、总结

本文代码基本实现了APK文件的加壳及脱壳原理,该代码作为实验代码还有诸多地方需要改进。

比如:

1、加壳数据的加密算法的添加。


2、脱壳代码由java语言实现,可通过C代码的实现对脱壳逻辑进行保护,以达到更好的反逆向分析效果。

0.218064s