Android Shared Library Protection Method using Software Break-point Feature

Title
Android Shared Library Protection Method using Software Break-point Feature
Other Titles
Android Shared Library Protection Method using Software Break-point Feature
Author
문태선
Alternative Author(s)
Moon, Tae Seon
Advisor(s)
오희국
Issue Date
2017-02
Publisher
Hanyang University
Degree
Master
Abstract
Bytecode-based Android applications are easily decompiled and repackaged, potentially leaking some or all of the source. For this reason, important core modules are written in C/C++-based binary code and shipped as a shared library. However, raising the complexity of analysis by using binary code does not make a module fully safe from analysis; core modules can still be analyzed through sustained static and dynamic analysis. Additional static and dynamic protection techniques must therefore be applied together to further enhance safety. Traditional anti-debugging techniques that use software breakpoints to disrupt dynamic analysis focus on detection. Their post-detection handling simply stops the program or changes the execution flow; disabling the breakpoint itself is not used. Software breakpoints work by injecting an interrupt instruction (0xCC) directly over the original instruction, which passes control of execution to the debugger. In this paper, we use a packer's execution compression technique as the overall framework, protect code against static analysis with obfuscation, and block dynamic analysis with anti-debugging. The core technique is to block breakpoints and thereby hinder dynamic analysis. Breakpoints are disabled by storing the instructions at frequently used, expected debugging points in a map table together with their hash values, and by overwriting the location with the stored original instructions when a breakpoint is detected. When applied against IDA Pro, one of the most widely used analysis tools, the technique worked well. As a result, the analyst cannot move directly to a location even if its analysis has already been completed, and the analysis time is delayed.
URI
https://repository.hanyang.ac.kr/handle/20.500.11754/124249
http://hanyang.dcollection.net/common/orgView/200000430212
Appears in Collections:
GRADUATE SCHOOL[S] > COMPUTER SCIENCE & ENGINEERING > Theses (Master)