Code protection for developers: virtualization-based protection of ARM platform code

Background: Cases of sensitive user data being leaked because of weak mobile app security keep increasing, especially in finance, e-commerce payment and mobile gaming, and the cause may be a vulnerability, a virus or something else. Today I will share one technology for app security protection: code virtualization.

1.1 What is code virtualization?
  We know that program execution depends on the CPU parsing and processing an instruction set that conforms to its specification. If the original instruction set is transformed according to a custom specification into a new instruction set (called a virtual instruction set), the CPU will no longer recognize the virtual instructions. If an interpreter that can parse the virtual instruction set (called a virtual machine) is supplied alongside them, the virtual instructions can be executed not directly by the CPU but by the virtual machine. This process is called code virtualization.

1.2 Why virtualize code?
  To avoid situations such as app resources being stolen, network protocols being cracked and games being ruined by cheat plug-ins, more and more developers have to invest extra time and effort in code security. On mobile platforms, however, offense and defense are not equal: the attacker often holds a higher level of privilege on the device than the defender. As technical material has spread, reverse engineering on mobile platforms has become easier, and many security vendors have released packer products in response. Packers work well against static analysis, but the protected code is exposed in memory once it runs, so an attacker can pick the right moment to dump memory, make the necessary repairs, and then load and analyze the result in IDA. Code virtualization prevents this. Even if the code is dumped, IDA cannot read it, because the virtual instruction set is never restored to native instructions while the program runs. The attacker is therefore left to analyze the virtual machine itself, whose logic is extremely complex, which greatly increases the difficulty and the time required for analysis. Combined with methods such as obfuscation, I believe this will discourage most attackers.
  Of course, the extra safety has a corresponding cost. The virtual instruction set executes somewhat more slowly than the native instruction set, so virtualization protection is usually applied only to the most critical, core parts of the code.

1.3 How to virtualize code?
  From the theory above, two parts are essential: the new instruction set and the virtual machine. For the new instruction set, we can start by deforming some instructions at the opcode level; the resulting bytes can be written straight back into the original file in place. If you then drag the file into IDA, you will find that the instructions are scrambled, which already defeats static analysis. If you run the program at this point it will crash, because the virtual machine is still missing. Why is it called a virtual machine? Because it has to simulate the environment the code needs in order to run, including registers, the stack and so on. After initializing this virtual environment it parses and executes the virtual instructions, taking care to save and restore the surrounding context (the "scene") around each run.
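As an added illustration (not code from the original article or from any product it mentions), here is a toy version of the two parts just described: a deformation step that remaps opcodes and masks operands so the bytes can be backfilled in place, and a small interpreter with its own virtual registers and stack that decodes them. The instruction set, the opcode map, the operand mask and the sample program are all constructed for the example; running the deformed bytes without the VM models the crash the text describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy "native" ISA: 3 bytes per instruction = opcode, operand A, operand B or immediate. */
enum { OP_MOVI = 1, OP_ADD, OP_SUB, OP_PUSH, OP_POP, OP_RET };
#define N_OPS 7
#define VM_FAULT 0xFFFFFFFFu   /* stands in for the crash an undecodable instruction would cause */
#define OPERAND_KEY 0x5A       /* constructed per-build operand mask */

/* Constructed per-build opcode remap: index = native opcode, value = virtual opcode. */
static const uint8_t opcode_map[N_OPS] = { 0, 0xA7, 0x3C, 0xD1, 0x58, 0x9E, 0x22 };

/* Deform native instructions into the virtual instruction set; same size, so it can be backfilled in place. */
void virtualize(const uint8_t *native, size_t n, uint8_t *out) {
    for (size_t i = 0; i + 2 < n; i += 3) {
        out[i]     = native[i] < N_OPS ? opcode_map[native[i]] : 0;
        out[i + 1] = native[i + 1] ^ OPERAND_KEY;
        out[i + 2] = native[i + 2] ^ OPERAND_KEY;
    }
}

/* virtualized=0 models the CPU reading the bytes as-is; virtualized=1 models the VM, which owns its own
 * register file and stack (the virtual environment) and reverses the remap before executing. */
uint32_t run(const uint8_t *code, size_t n, int virtualized) {
    uint32_t r[4] = { 0 }, stack[8]; int sp = 0;
    for (size_t pc = 0; pc + 2 < n; pc += 3) {
        uint8_t op = code[pc], a = code[pc + 1], b = code[pc + 2];
        if (virtualized) {   /* unknown virtual opcodes decode to 0 and fault below */
            uint8_t native_op = 0;
            for (uint8_t k = 1; k < N_OPS; k++) if (opcode_map[k] == op) native_op = k;
            op = native_op; a ^= OPERAND_KEY; b ^= OPERAND_KEY;
        }
        switch (op) {
        case OP_MOVI: r[a & 3] = b; break;
        case OP_ADD:  r[a & 3] += r[b & 3]; break;
        case OP_SUB:  r[a & 3] -= r[b & 3]; break;
        case OP_PUSH: if (sp >= 8) return VM_FAULT; stack[sp++] = r[a & 3]; break;
        case OP_POP:  if (sp <= 0) return VM_FAULT; r[a & 3] = stack[--sp]; break;
        case OP_RET:  return r[a & 3];
        default:      return VM_FAULT;   /* CPU or VM met an instruction it cannot decode */
        }
    }
    return VM_FAULT;                     /* ran off the end without RET */
}

/* Constructed program: r0 = 7; r1 = 5; push r0; r0 += r1; pop r2; r0 -= r2; return r0  (expects 5) */
static const uint8_t program[21] = { OP_MOVI,0,7, OP_MOVI,1,5, OP_PUSH,0,0, OP_ADD,0,1,
                                     OP_POP,2,0, OP_SUB,0,2, OP_RET,0,0 };

uint32_t native_result(void)      { return run(program, sizeof program, 0); }
uint32_t virtual_result(void)     { uint8_t v[21]; virtualize(program, 21, v); return run(v, 21, 1); }
uint32_t virtual_without_vm(void) { uint8_t v[21]; virtualize(program, 21, v); return run(v, 21, 0); }
```

The native program and its virtualized form compute the same value, while the virtualized bytes fed to the plain decoder fault on the first instruction, which is the behaviour the section describes when the VM is absent.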

1.4 How to use related hardening technology?
  Existing hardening products on the market, such as Yuan, have implemented code virtualization protection for the ARM platform and integrate mainstream features such as Android encrypted compression shells and Android APK code obfuscation, giving strong defense against both dynamic and static analysis. At the same time, the application hardening service works entirely on the binary file and does not require mobile application developers to hand over source code. Developers can be recommended to use the products of third-party security service providers whose technology is relatively reliable.
