-
-
[原创]dex vmp虚拟化
-
发表于: 2018-12-29 11:23
-
简介dex vmp是传说中的第四代加固技术,它的表现形式是 把本身是java代码变成native代码 原理很简单就是把java代码method结构体中的二进制指令抽出来 本地解析二进制指令集 这样破解者变的很难看smali 或是java 
(3)java关键字解析 synchronized
e.g
程序vmp虚拟化之后
1.先实现把method 二进制 存储成文件 用baksmali 复写
public static short[] getInstructions(DexBackedMethod dexBackedMethod) {
int codeOffset = getCodeOffset(dexBackedMethod);
DexBackedDexFile dexFile = dexBackedMethod.getImplementation().dexFile;
// 这个size指是u2数组的元素个数。
int instructionsSize = dexFile.readSmallUint(codeOffset + CodeItem.INSTRUCTION_COUNT_OFFSET);
int instructionsStartOffset = codeOffset + CodeItem.INSTRUCTION_START_OFFSET;
short[] insts = new short[instructionsSize];
for (int i = 0; i < instructionsSize; i++) {
insts[i] = (short) dexFile.readUshort(instructionsStartOffset);
instructionsStartOffset += 2;
}
return insts;
} 2.解析二进制指令集
smali指令有256个指令集 http://androidxref.com/4.4.4_r1/xref/dalvik/libdex/DexOpcodes.h
enum Opcode {
// BEGIN(libdex-opcode-enum); GENERATED AUTOMATICALLY BY opcode-gen
OP_NOP = 0x00,
OP_MOVE = 0x01,
OP_MOVE_FROM16 = 0x02,
OP_MOVE_16 = 0x03,
OP_MOVE_WIDE = 0x04,
OP_MOVE_WIDE_FROM16 = 0x05,
OP_MOVE_WIDE_16 = 0x06,
OP_MOVE_OBJECT = 0x07,
OP_MOVE_OBJECT_FROM16 = 0x08,
OP_MOVE_OBJECT_16 = 0x09,
OP_MOVE_RESULT = 0x0a,
OP_MOVE_RESULT_WIDE = 0x0b,
OP_MOVE_RESULT_OBJECT = 0x0c,
OP_MOVE_EXCEPTION = 0x0d,
OP_RETURN_VOID = 0x0e,
OP_RETURN = 0x0f,
OP_RETURN_WIDE = 0x10,
OP_RETURN_OBJECT = 0x11,
OP_CONST_4 = 0x12,
OP_CONST_16 = 0x13,
OP_CONST = 0x14,
OP_CONST_HIGH16 = 0x15,
OP_CONST_WIDE_16 = 0x16,
OP_CONST_WIDE_32 = 0x17,
OP_CONST_WIDE = 0x18,
OP_CONST_WIDE_HIGH16 = 0x19,
OP_CONST_STRING = 0x1a,
OP_CONST_STRING_JUMBO = 0x1b,
OP_CONST_CLASS = 0x1c,
OP_MONITOR_ENTER = 0x1d,
OP_MONITOR_EXIT = 0x1e,
OP_CHECK_CAST = 0x1f,
OP_INSTANCE_OF = 0x20,
OP_ARRAY_LENGTH = 0x21,
OP_NEW_INSTANCE = 0x22,
OP_NEW_ARRAY = 0x23,
OP_FILLED_NEW_ARRAY = 0x24,
OP_FILLED_NEW_ARRAY_RANGE = 0x25,
OP_FILL_ARRAY_DATA = 0x26,
OP_THROW = 0x27,
OP_GOTO = 0x28,
OP_GOTO_16 = 0x29,
OP_GOTO_32 = 0x2a,
OP_PACKED_SWITCH = 0x2b,
OP_SPARSE_SWITCH = 0x2c,
OP_CMPL_FLOAT = 0x2d,
OP_CMPG_FLOAT = 0x2e,
OP_CMPL_DOUBLE = 0x2f,
OP_CMPG_DOUBLE = 0x30,
OP_CMP_LONG = 0x31,
OP_IF_EQ = 0x32,
OP_IF_NE = 0x33,
OP_IF_LT = 0x34,
OP_IF_GE = 0x35,
OP_IF_GT = 0x36,
OP_IF_LE = 0x37,
OP_IF_EQZ = 0x38,
OP_IF_NEZ = 0x39,
OP_IF_LTZ = 0x3a,
OP_IF_GEZ = 0x3b,
OP_IF_GTZ = 0x3c,
OP_IF_LEZ = 0x3d,
OP_UNUSED_3E = 0x3e,
OP_UNUSED_3F = 0x3f,
OP_UNUSED_40 = 0x40,
OP_UNUSED_41 = 0x41,
OP_UNUSED_42 = 0x42,
OP_UNUSED_43 = 0x43,
OP_AGET = 0x44,
OP_AGET_WIDE = 0x45,
OP_AGET_OBJECT = 0x46,
OP_AGET_BOOLEAN = 0x47,
OP_AGET_BYTE = 0x48,
OP_AGET_CHAR = 0x49,
OP_AGET_SHORT = 0x4a,
OP_APUT = 0x4b,
OP_APUT_WIDE = 0x4c,
OP_APUT_OBJECT = 0x4d,
OP_APUT_BOOLEAN = 0x4e,
OP_APUT_BYTE = 0x4f,
OP_APUT_CHAR = 0x50,
OP_APUT_SHORT = 0x51,
OP_IGET = 0x52,
OP_IGET_WIDE = 0x53,
OP_IGET_OBJECT = 0x54,
OP_IGET_BOOLEAN = 0x55,
OP_IGET_BYTE = 0x56,
OP_IGET_CHAR = 0x57,
OP_IGET_SHORT = 0x58,
OP_IPUT = 0x59,
OP_IPUT_WIDE = 0x5a,
OP_IPUT_OBJECT = 0x5b,
OP_IPUT_BOOLEAN = 0x5c,
OP_IPUT_BYTE = 0x5d,
OP_IPUT_CHAR = 0x5e,
OP_IPUT_SHORT = 0x5f,
OP_SGET = 0x60,
OP_SGET_WIDE = 0x61,
OP_SGET_OBJECT = 0x62,
OP_SGET_BOOLEAN = 0x63,
OP_SGET_BYTE = 0x64,
OP_SGET_CHAR = 0x65,
OP_SGET_SHORT = 0x66,
OP_SPUT = 0x67,
OP_SPUT_WIDE = 0x68,
OP_SPUT_OBJECT = 0x69,
OP_SPUT_BOOLEAN = 0x6a,
OP_SPUT_BYTE = 0x6b,
OP_SPUT_CHAR = 0x6c,
OP_SPUT_SHORT = 0x6d,
OP_INVOKE_VIRTUAL = 0x6e,
OP_INVOKE_SUPER = 0x6f,
OP_INVOKE_DIRECT = 0x70,
OP_INVOKE_STATIC = 0x71,
OP_INVOKE_INTERFACE = 0x72,
OP_UNUSED_73 = 0x73,
OP_INVOKE_VIRTUAL_RANGE = 0x74,
OP_INVOKE_SUPER_RANGE = 0x75,
OP_INVOKE_DIRECT_RANGE = 0x76,
OP_INVOKE_STATIC_RANGE = 0x77,
OP_INVOKE_INTERFACE_RANGE = 0x78,
OP_UNUSED_79 = 0x79,
OP_UNUSED_7A = 0x7a,
OP_NEG_INT = 0x7b,
OP_NOT_INT = 0x7c,
OP_NEG_LONG = 0x7d,
OP_NOT_LONG = 0x7e,
OP_NEG_FLOAT = 0x7f,
OP_NEG_DOUBLE = 0x80,
OP_INT_TO_LONG = 0x81,
OP_INT_TO_FLOAT = 0x82,
OP_INT_TO_DOUBLE = 0x83,
OP_LONG_TO_INT = 0x84,
OP_LONG_TO_FLOAT = 0x85,
OP_LONG_TO_DOUBLE = 0x86,
OP_FLOAT_TO_INT = 0x87,
OP_FLOAT_TO_LONG = 0x88,
OP_FLOAT_TO_DOUBLE = 0x89,
OP_DOUBLE_TO_INT = 0x8a,
OP_DOUBLE_TO_LONG = 0x8b,
OP_DOUBLE_TO_FLOAT = 0x8c,
OP_INT_TO_BYTE = 0x8d,
OP_INT_TO_CHAR = 0x8e,
OP_INT_TO_SHORT = 0x8f,
OP_ADD_INT = 0x90,
OP_SUB_INT = 0x91,
OP_MUL_INT = 0x92,
OP_DIV_INT = 0x93,
OP_REM_INT = 0x94,
OP_AND_INT = 0x95,
OP_OR_INT = 0x96,
OP_XOR_INT = 0x97,
OP_SHL_INT = 0x98,
OP_SHR_INT = 0x99,
OP_USHR_INT = 0x9a,
OP_ADD_LONG = 0x9b,
OP_SUB_LONG = 0x9c,
OP_MUL_LONG = 0x9d,
OP_DIV_LONG = 0x9e,
OP_REM_LONG = 0x9f,
OP_AND_LONG = 0xa0,
OP_OR_LONG = 0xa1,
OP_XOR_LONG = 0xa2,
OP_SHL_LONG = 0xa3,
OP_SHR_LONG = 0xa4,
OP_USHR_LONG = 0xa5,
OP_ADD_FLOAT = 0xa6,
OP_SUB_FLOAT = 0xa7,
OP_MUL_FLOAT = 0xa8,
OP_DIV_FLOAT = 0xa9,
OP_REM_FLOAT = 0xaa,
OP_ADD_DOUBLE = 0xab,
OP_SUB_DOUBLE = 0xac,
OP_MUL_DOUBLE = 0xad,
OP_DIV_DOUBLE = 0xae,
OP_REM_DOUBLE = 0xaf,
OP_ADD_INT_2ADDR = 0xb0,
OP_SUB_INT_2ADDR = 0xb1,
OP_MUL_INT_2ADDR = 0xb2,
OP_DIV_INT_2ADDR = 0xb3,
OP_REM_INT_2ADDR = 0xb4,
OP_AND_INT_2ADDR = 0xb5,
OP_OR_INT_2ADDR = 0xb6,
OP_XOR_INT_2ADDR = 0xb7,
OP_SHL_INT_2ADDR = 0xb8,
OP_SHR_INT_2ADDR = 0xb9,
OP_USHR_INT_2ADDR = 0xba,
OP_ADD_LONG_2ADDR = 0xbb,
OP_SUB_LONG_2ADDR = 0xbc,
OP_MUL_LONG_2ADDR = 0xbd,
OP_DIV_LONG_2ADDR = 0xbe,
OP_REM_LONG_2ADDR = 0xbf,
OP_AND_LONG_2ADDR = 0xc0,
OP_OR_LONG_2ADDR = 0xc1,
OP_XOR_LONG_2ADDR = 0xc2,
OP_SHL_LONG_2ADDR = 0xc3,
OP_SHR_LONG_2ADDR = 0xc4,
OP_USHR_LONG_2ADDR = 0xc5,
OP_ADD_FLOAT_2ADDR = 0xc6,
OP_SUB_FLOAT_2ADDR = 0xc7,
OP_MUL_FLOAT_2ADDR = 0xc8,
OP_DIV_FLOAT_2ADDR = 0xc9,
OP_REM_FLOAT_2ADDR = 0xca,
OP_ADD_DOUBLE_2ADDR = 0xcb,
OP_SUB_DOUBLE_2ADDR = 0xcc,
OP_MUL_DOUBLE_2ADDR = 0xcd,
OP_DIV_DOUBLE_2ADDR = 0xce,
OP_REM_DOUBLE_2ADDR = 0xcf,
OP_ADD_INT_LIT16 = 0xd0,
OP_RSUB_INT = 0xd1,
OP_MUL_INT_LIT16 = 0xd2,
OP_DIV_INT_LIT16 = 0xd3,
OP_REM_INT_LIT16 = 0xd4,
OP_AND_INT_LIT16 = 0xd5,
OP_OR_INT_LIT16 = 0xd6,
OP_XOR_INT_LIT16 = 0xd7,
OP_ADD_INT_LIT8 = 0xd8,
OP_RSUB_INT_LIT8 = 0xd9,
OP_MUL_INT_LIT8 = 0xda,
OP_DIV_INT_LIT8 = 0xdb,
OP_REM_INT_LIT8 = 0xdc,
OP_AND_INT_LIT8 = 0xdd,
OP_OR_INT_LIT8 = 0xde,
OP_XOR_INT_LIT8 = 0xdf,
OP_SHL_INT_LIT8 = 0xe0,
OP_SHR_INT_LIT8 = 0xe1,
OP_USHR_INT_LIT8 = 0xe2,
OP_IGET_VOLATILE = 0xe3,
OP_IPUT_VOLATILE = 0xe4,
OP_SGET_VOLATILE = 0xe5,
OP_SPUT_VOLATILE = 0xe6,
OP_IGET_OBJECT_VOLATILE = 0xe7,
OP_IGET_WIDE_VOLATILE = 0xe8,
OP_IPUT_WIDE_VOLATILE = 0xe9,
OP_SGET_WIDE_VOLATILE = 0xea,
OP_SPUT_WIDE_VOLATILE = 0xeb,
OP_BREAKPOINT = 0xec,
OP_THROW_VERIFICATION_ERROR = 0xed,
OP_EXECUTE_INLINE = 0xee,
OP_EXECUTE_INLINE_RANGE = 0xef,
OP_INVOKE_OBJECT_INIT_RANGE = 0xf0,
OP_RETURN_VOID_BARRIER = 0xf1,
OP_IGET_QUICK = 0xf2,
OP_IGET_WIDE_QUICK = 0xf3,
OP_IGET_OBJECT_QUICK = 0xf4,
OP_IPUT_QUICK = 0xf5,
OP_IPUT_WIDE_QUICK = 0xf6,
OP_IPUT_OBJECT_QUICK = 0xf7,
OP_INVOKE_VIRTUAL_QUICK = 0xf8,
OP_INVOKE_VIRTUAL_QUICK_RANGE = 0xf9,
OP_INVOKE_SUPER_QUICK = 0xfa,
OP_INVOKE_SUPER_QUICK_RANGE = 0xfb,
OP_IPUT_OBJECT_VOLATILE = 0xfc,
OP_SGET_OBJECT_VOLATILE = 0xfd,
OP_SPUT_OBJECT_VOLATILE = 0xfe,
OP_UNUSED_FF = 0xff,
// END(libdex-opcode-enum)
};
3.解析对应的每个指令 e.g乘法指令集
HANDLE_OP_X_INT_LIT16(OP_MUL_INT_LIT16, "mul", *, 0)
OP_END
#define HANDLE_OP_X_INT_LIT16(_opcode, _opname, _op, _chkdiv) \3.难点
HANDLE_OPCODE(_opcode /*vA, vB, #+CCCC*/) \
vdst = INST_A(inst); \
vsrc1 = INST_B(inst); \
vsrc2 = FETCH(1); \
MY_LOG_VERBOSE("|%s-int/lit16 v%d,v%d,#+0x%04x", \
(_opname), vdst, vsrc1, vsrc2); \
if (_chkdiv != 0) { \
s4 firstVal, result; \
firstVal = GET_REGISTER(vsrc1); \
if ((s2) vsrc2 == 0) { \
EXPORT_PC(); \
GOTO_exceptionThrown(); \
} \
if ((u4)firstVal == 0x80000000 && ((s2) vsrc2) == -1) { \
/* won't generate /lit16 instr for this; check anyway */ \
if (_chkdiv == 1) \
result = firstVal; /* division */ \
else \
result = 0; /* remainder */ \
} else { \
result = firstVal _op (s2) vsrc2; \
} \
SET_REGISTER(vdst, result); \
} else { \
/* non-div/rem case */ \
SET_REGISTER(vdst, GET_REGISTER(vsrc1) _op (s2) vsrc2); \
} \
FINISH(2);
(1) 在执行指令时候 找一些资源问题 比如字符串 “dddd” "liumeng" 我的解决方式是自己解析dex 获取资源
char* unLebel(const DexFile *pDexFile,u4 ref){
char* unString= (char *) (pDexFile->baseAddr + pDexFile->pStringIds[ref].stringDataOff);
int count = 0;
int cur = 0;
cur = unString[0];
while (cur > 0x7f) {
count++;
cur = unString[count];
}
int size = ++count;
int unStrSize = unString[0] + 1 - size;
char *utfStr=(char*)malloc(unStrSize+1);
for (int i = 0; i < unStrSize; i++) {
utfStr[i] = unString[i + 1];
}
utfStr[unStrSize] = '\0';
return utfStr;
} (2)获取资源 直接使用jni方式 进行调用 这样可以兼容davlik 和artchar* returName= methodToCall->returnName;
char* paramName= methodToCall->protoName;
strcat(paramName,returName);
jmethodID methodID = env->GetStaticMethodID(appClass, methodToCall->methodName, paramName);
MY_LOG_INFO("[static] start");
free(paramName);
free(methodToCall->methodName);
if(returName[0]=='Z') {
jboolean resultBoolean=env->CallStaticBooleanMethod(appClass,methodID,outs[0],outs[1],outs[2],outs[3],outs[4]);
MY_LOG_INFO("------CallStaticBooleanMethod");
retval.i=resultBoolean;
}
(3)java关键字解析 synchronized
在smali上表现的是两条指令 OP_MONITOR_ENTER OP_MONITOR_EXIT
HANDLE_OPCODE(OP_MONITOR_ENTER)
{
jobject obj;
vsrc1 = INST_AA(inst);
MY_LOG_INFO("|monitor-enter v%d %s(0x%08x)",
vsrc1, kSpacing+6, GET_REGISTER(vsrc1));
obj = (jobject)GET_REGISTER(vsrc1);
MY_LOG_INFO("+ locking %p %s", obj);
EXPORT_PC(); /* need for precise GC */
if (dvmTryLockMutex(&mutex) != 0) {
dvmLockMutex(&mutex);
}
}
FINISH(1);
OP_ENDHANDLE_OPCODE(OP_MONITOR_EXIT)本人qq 614610476 欢迎探讨
{
jobject obj;
EXPORT_PC();
vsrc1 = INST_AA(inst);
MY_LOG_INFO("|monitor-exit v%d %s(0x%08x)",
vsrc1, kSpacing+5, GET_REGISTER(vsrc1));
obj = (jobject)GET_REGISTER(vsrc1);
if (obj==NULL) {
ADJUST_PC(1); /* monitor-exit width is 1 */
GOTO_exceptionThrown();
}
dvmUnlockMutex(&mutex);
}
FINISH(1);
OP_END
最后于 2018-12-29 15:15
被liumengde编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
jiangwei的这个 https://blog.csdn.net/jiangwei0910410003/article/details/78070610 是把smali抽出来修改。楼主这个是把smali代码native化。 |
|
|
|
|
|
|
|
|
好吧 又重新看了一遍 |
|
|
|
|
|
|
|
|
|
|
|
问题问的好,这一次虽然贴的代码格式不好,但可以起到指点的作用,作者写的很简洁,中心思想和明了,可以直接看vmp.txt,就是实现dex抽取指令和实现native去解析,一种直接反射调用(GetStaticMethodID),第二种就是相当于自己实现内部解析方法,另外还说了资源的查找问题,字符串 “dddd” "liumeng" 解决方式是自己解析dex,获取资源,可见作者课下做了苦功,并且实现,一语中的,只是代码贴的有些仓促 起到点化的作用也未尝不可, 另外第一次可以鼓励新人发帖,还望谅解,优秀是肯定的,现在适当放宽了优秀贴的限制,鼓励新人的加入和分享,但必须说优秀贴也有质量高低的,但唯一不变的是精华贴的审核也会更加严格,请放心即可。 另外贴一下优秀的标准即可参考: 1.发帖者本人原创,转载的一律不设; 2.文章没达到精华要求,但有一定的保存价值,或文章不错,但内容太过简短,设优秀。 3.程序源码可以设优秀; 4.优秀或有价值的工具,可以设优秀。 |
|
|
|
|
|
哎。。没想到版主这么心平气和的回了... 他贴的代码,没有任何一段是他原创的,都是android的dvm相关的系统代码,他这样做我都怀疑他自己有没有实现出来过,另外他这个是在讲android的系统源码,而不是讲加固。 毫不夸张的说,要是按照这些代码把解析opcode给编译出来,就相当于自己编译了一个libdvm.so出来,能不能用还是两回说... 我看到vmp的标题而且还加了优了,本来抱着某种期待,点进来看,但是看完了发现居然没有一段代码是他自己原创的,还打着原创的旗号...我真的有一种有被人喂了屎的气愤。。 希望浮华之人能少一点吧。 |
|
|
|
|
|
|
|
|
|
|
|
dexvmp 的基本原理很多人都知道,实现起来这里面坑不少呢,基于 JNI 实现的 vmp 还是有别与 dalvik/art 的原生实现。JNI 是 java 特性,不是 android 特有,如果能实现这样的 vmp 不仅可以保护 android 上的 dex,还可以保护 pc 上的 java程序,android 上 sdk 的加固就和 pc 上的 jar 差不多 |
|
|
<无>把我删了当没来过
最后于 2019-7-5 17:43
被YoHooo编辑
,原因:
|
|
|
|
|
|
|
YoHooo
