Visible to the public CrackDex: Universal and automatic DEX extraction method

TitleCrackDex: Universal and automatic DEX extraction method
Publication TypeConference Paper
Year of Publication2017
AuthorsJiang, Z., Zhou, A., Liu, L., Jia, P., Liu, L., Zuo, Z.
Conference Name2017 7th IEEE International Conference on Electronics Information and Emergency Communication (ICEIEC)
Date PublishedJuly 2017
ISBN Number978-1-5090-3025-5
KeywordsAndroid (operating system), Android application packing, android encryption, Androids, antivirus software, app, automatic DEX extraction, CrackDex, DEX packing, DEX reassembling, DEX restoration, Encryption, Human Behavior, human factors, Humanoid robots, invasive software, Libraries, Manuals, Metrics, mobile computing, pubcrawl, resilience, Resiliency, Scalability, security of data, simulation execution, smart phones, universal DEX extraction, universal unpacking system, virtual machines

With Android application packing technology evolving, there are more and more ways to harden APPs. Manually unpacking APPs becomes more difficult as the time needed for analyzing increase exponentially. At the beginning, the packing technology is designed to prevent APPs from being easily decompiled, tampered and re-packed. But unfortunately, many malicious APPs start to use packing service to protect themselves. At present, most of the antivirus software focus on APPs that are unpacked, which means if malicious APPs apply the packing service, they can easily escape from a lot of antivirus software. Therefore, we should not only emphasize the importance of packing, but also concentrate on the unpacking technology. Only by doing this can we protect the normal APPs, and not miss any harmful APPs at the same time. In this paper, we first systematically study a lot of DEX packing and unpacking technologies, then propose and develop a universal unpacking system, named CrackDex, which is capable of extracting the original DEX file from the packed APP. We propose three core technologies: simulation execution, DEX reassembling, and DEX restoration, to get the unpacked DEX file. CrackDex is a part of the Dalvik virtual machine, and it monitors the execution of functions to locate the unpacking point in the portable interpreter, then launches the simulation execution, collects the data of original DEX file through corresponding structure pointer, finally fulfills the unpacking process by reassembling the data collected. The results of our experiments show that CrackDex can be used to effectively unpack APPs that are packed by packing service in a universal approach without any other knowledge of packing service.

Citation Keyjiang_crackdex:_2017