Android混淆技巧与反混淆小波

dac519c3b5927f2762a2fa6a94b630f44ad9d11f
Android

#
Image from: http://www.usmile.at/sites/default/files/publications/201306_obf_report_0.pdf
Bob Pan
dex2jar
pxb1988@gmail.com
About Me

#
, !
VS
//

#
Ref: http://www.saikoa.com/comparison-proguard-and-dexguard
ProGuard DexGuard

#
oooooooooooooo... Oo0o0OO00oooOOo0oo ijijijjiiiJiIIjii __$$_$$$$__$$_ java int int = 5;
Unicode ava \u0237 CJK
2800-28FF
:

#
-dontshrink -dontoptimize -dontusemixedcaseclassnames -keepattributes *Annotation* # -keep public class * extends Activity/Application/... ... #keep, -dontwarn ** -printmapping mapping0.txt -injars obad-dex2jar.jar -outjars aaa.jar -libraryjars android.jar
: ? 'abc'
Proguard !

# :abc ? ,
JEB Proguard

#
1. mapping -dontshrink -dontoptimize -injars aaa.jar -libraryjars android.jar -keep class * -printmapping mapping1.txt
com.android.system.admin.x -> com.android.system.admin.x: java.lang.String a -> a java.lang.String d -> d int e -> e ...
Proguard
Mapping
: Proguard

#
2. mapping, Proguard
-dontshrink -dontoptimize -injars aaa.jar -outjars bbb.jar -libraryjars android.jar -applymapping mapping1.txt
com.android.system.admin.x -> ...ObadSQLiteOpenHelper: android.database.sqlite.SQLiteDatabase f -> database byte[] g -> encoded_data_array java.lang.String a(int,int,int) -> decrypt
Proguard
Mapping
: Proguard

# Proguard

#
a Clz_a b fld_b c mtd_c d Clz_d_List
Source Enum ACC_BRIDGE Getter/setter
SDK
+
toString
()

#
DexGuard
String a(int, int, int) Other
String a(String)
:
:
Class.forName(a(130, 1, -10)) .getMethod(a(53, 19, -21), Class.forName(a(79, 1, -11))) .invoke(j, instance);

#
getstatic System.out LDC hello world! invokevirtual println(String)
getstatic System.out sipush 130 sipush 1 sipush -10 invokestatic a(int,int,int) invokevirtual println(String)
System.out.println(hello world!);
: Java bytecode LDC LDC

#
'=='
void fa(){ fb(1.0); } void fb(String version) { if(version == 1.0){ print(yes!); } }
void fa(){ fb(new String(...)); } void fb(String version) { if(version == new String(...)){ print(yes!); } }
, yes ,
: 'equals'
:

#
private static String decrypt(int n, int n2, int n3) { } String a = decrypt(-20, 842, -576);
: , , .
: ? String

#
:t.q(...)

# API
String c = "abc".substring(2,3);
String c = (String)Class.forName("java.lang.String") .getMethod("substring", int.class, int.class) .invoke("abc", 2, 3)
:
:

#
Local Stack Opcode
ldc "abc"
abc sipush 2
abc, 2 sipush 3
abc, 2, 3 invokevirtual substring(II)
String c = "abc".substring(2,3);
1.StackLocal 2.Class 3.Method 4.LocalStack 5.invoke
:
:

#
Local Stack Opcode abc, 2, 3 astore 1, istore 2, istore 3
abc, 2, 3 ldc java.lang.String invokestatic Class.forName
abc, 2, 3 String.class ldc substring, ... # invokevirtual Class.getMethod
abc, 2, 3 substring aload 1, iload 2, iload 3,
abc, 2, 3 substring, abc, [2, 3] invokevirtual Method.invoke()
String a=abc; int b=2; int c=3; String c = (String)Class.forName("java.lang.String") .getMethod("substring", int.class, int.class) .invoke(a, b, c)
:

#
1. Class.forNameclass
String c = (String)Class.forName("java.lang.String") .getMethod("substring", int.class, int.class) .invoke("abc", 2, 3)
String c = (String)String.class .getMethod("substring", int.class, int.class) .invoke("abc", 2, 3)
:?

# :? 2. getMethod
String c = (String)String.class .getMethod("substring", int.class, int.class) .invoke("abc", 2, 3)
String c = (String) [String.substring(II)] .invoke("abc", 2, 3)
Method

#
3. invoke
String c = (String) [String.substring(II)] .invoke("abc", 2, 3)
String c = (String) abc.substring(2,3)
:?

# android
Ref: http://stackoverflow.com/questions/5553146/disable-logcat-output-completely-in-release-android-app/5553290#5553290
-assumenosideeffects class android.util.Log { public static *** d(...); public static *** w(...); public static *** v(...); public static *** i(...); }

#
Ref: http://stackoverflow.com/questions/22713166/removing-log-calls-with-proguard-leaves-behind-stringbuilders
new StringBuilder("version is: ").append(n);
Log.d(tag, version is + version );
: version is + version new StringBuilder(version is ).append(version).toString(). ProguardLog.d, StringBuilder
:
:
: Proguard

#
Ref: http://www.android-decompiler.com/blog/2013/04/07/dexguards-assets-encryption/
:
: AssetManager.open()
apkasset,
Asset

#
InputStream is = this.getAssets().open(); Cipher cipher = Cipher.getInstance("AES/CFB/NoPadding"); cipher.init(DECRYPT_MODE, /* key */); return new CipherInputStream(is, cipher).available();
Asset: open

#
: AndroidManifestResourceIdnamespace/name. AndroidResourceIdxml. namespace/name, .
AndroidManifest namespacename

# AndroidManifest ResourceIdnamesapce/name Apktool axml

#
X 999999999 X X X
+
5
4 Assert 2 XML 1

# -keep
SDK JNI /
SourceFile
jaq.taobao.com

pxb1988@gmail.com
Q & A

Android混淆技巧与反混淆小波

Technology

Transcript of Android混淆技巧与反混淆小波

2.2.2 搜索技巧

卤化反应

‥ 鄭　文　函　搭　混　混　小　學　趣　事　 ‥ ★

J query使用技巧

高分子材料与工程专业实验：实验 3 反应挤出实验 —— 尼龙 / 聚乙烯反应性共混

巧夺改错题高分的答题技巧

Rational Rose 使用技巧

混凝土及钢筋混凝土工程量计算

フロー反応システム・周辺機器 - ymc.co.jp .237 異相系反応システムマイクロミキサによる高効率な気-液混合

Google 使用技巧

資訊小技巧 980318

反客爲主

§13.7 全反射

机反应中的加成和消有除反应

" 與心理助人專業技巧對話 "---- 助人技巧的學習與反思 1

反服貿反資本家的權力遊戲 1206

MINITAB 分析多個反應值的反應曲面

不是巧合，勝似巧合。攝影： Taesang. Vancouve

巧克力不見了

烃化反应

Android混淆技巧与反混淆 小波

Transcript of Android混淆技巧与反混淆 小波

Android混淆技巧与反混淆小波

Transcript of Android混淆技巧与反混淆小波