1.1 What is code virtualization? We know that the execution of a program relies on the CPU's parsing and processing of instruction sets that comply with specifications. If the original instruction set is transformed through a custom specification to generate a new instruction set (called a virtual instruction set), the CPU will not be able to recognize the virtual instructions. At this time, if you cooperate with an interpreter that can parse the virtual instruction set (called a virtual machine), you can execute virtual instructions not directly through the CPU but through the virtual machine. This process is called code virtualization.
Virtualization of ARM platform code protection 1.2 Why virtualize code? In order to avoid App resources being stolen, network protocols being cracked, and games being destroyed by plug-ins, more and more developers have to invest more time and energy in considering code security issues. But on mobile platforms, attack and defense are not equal. Attackers often have higher-level permissions than defenders. With the popularization of technical materials, reverse analysis of mobile platforms has become easier, and many security experts have launched many packer products. Although packers have a good effect against static analysis, after running, the original content will be exposed in the memory. code, allowing the attacker to seize the window dump memory, make necessary repairs, and then read and analyze it in IDA. After virtualizing the code, the above situation can be prevented. Even if it is dumped, IDA cannot read the virtualized code because the virtual instruction set will not be restored to the native instruction set when the program is running. Therefore, attackers can only turn to analyze virtual machines with extremely high logical complexity. This greatly increases the difficulty and time required for code analysis. If combined with obfuscation and other means, I believe most attackers will be deterred. Of course, for relative safety, you will also have to pay relative losses. The execution efficiency of the virtual instruction set will be slightly lower than that of the native instruction set, so the code protected by virtualization is often the most critical and core part.
1.3 How to virtualize code? Based on the above theory, we found that the two most critical parts are necessary, one is the new instruction set, and the other is the virtual machine. For the new instruction set, we can temporarily transform some instructions with opcode, and the generated data can be directly backfilled into the original file. After dragging the file into IDA, you will find that the instructions have been confused, achieving the purpose of resisting static analysis. If you run the program at this time, a crash will occur because the virtual machine is still missing. Why is it called a virtual machine? Because it is necessary to simulate the environment required for the current code to run, including registers, stacks, etc. After initializing the required virtual environment, parse and execute virtual instructions while paying attention to protecting and restoring the scene.
1.4 How to use related reinforcement technology? Existing reinforcement products on the market, such as Tencent Royal Security, have implemented the code virtualization protection function of the ARM platform, and integrated mainstream functions such as Android encryption compression shell and Android apk code obfuscation, and have strong dynamic and static analysis capabilities. Defense capabilities. At the same time, the application security hardening service is completely based on binary file operations and does not require mobile application developers to provide source code. Third-party security service providers with relatively reliable technology can recommend developers to use it.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
No source code is required, there are related tools to help you do it. Just search it.
1.1 What is code virtualization?
We know that the execution of a program relies on the CPU's parsing and processing of instruction sets that comply with specifications. If the original instruction set is transformed through a custom specification to generate a new instruction set (called a virtual instruction set), the CPU will not be able to recognize the virtual instructions. At this time, if you cooperate with an interpreter that can parse the virtual instruction set (called a virtual machine), you can execute virtual instructions not directly through the CPU but through the virtual machine. This process is called code virtualization.
Virtualization of ARM platform code protection
1.2 Why virtualize code?
In order to avoid App resources being stolen, network protocols being cracked, and games being destroyed by plug-ins, more and more developers have to invest more time and energy in considering code security issues. But on mobile platforms, attack and defense are not equal. Attackers often have higher-level permissions than defenders. With the popularization of technical materials, reverse analysis of mobile platforms has become easier, and many security experts have launched many packer products. Although packers have a good effect against static analysis, after running, the original content will be exposed in the memory. code, allowing the attacker to seize the window dump memory, make necessary repairs, and then read and analyze it in IDA. After virtualizing the code, the above situation can be prevented. Even if it is dumped, IDA cannot read the virtualized code because the virtual instruction set will not be restored to the native instruction set when the program is running. Therefore, attackers can only turn to analyze virtual machines with extremely high logical complexity. This greatly increases the difficulty and time required for code analysis. If combined with obfuscation and other means, I believe most attackers will be deterred.
Of course, for relative safety, you will also have to pay relative losses. The execution efficiency of the virtual instruction set will be slightly lower than that of the native instruction set, so the code protected by virtualization is often the most critical and core part.
1.3 How to virtualize code?
Based on the above theory, we found that the two most critical parts are necessary, one is the new instruction set, and the other is the virtual machine. For the new instruction set, we can temporarily transform some instructions with opcode, and the generated data can be directly backfilled into the original file. After dragging the file into IDA, you will find that the instructions have been confused, achieving the purpose of resisting static analysis. If you run the program at this time, a crash will occur because the virtual machine is still missing. Why is it called a virtual machine? Because it is necessary to simulate the environment required for the current code to run, including registers, stacks, etc. After initializing the required virtual environment, parse and execute virtual instructions while paying attention to protecting and restoring the scene.
1.4 How to use related reinforcement technology?
Existing reinforcement products on the market, such as Tencent Royal Security, have implemented the code virtualization protection function of the ARM platform, and integrated mainstream functions such as Android encryption compression shell and Android apk code obfuscation, and have strong dynamic and static analysis capabilities. Defense capabilities. At the same time, the application security hardening service is completely based on binary file operations and does not require mobile application developers to provide source code. Third-party security service providers with relatively reliable technology can recommend developers to use it.