
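A Mobile Application Obfuscation Method Based on Huffman and LZW Encoding
Cite this article: LI Cheng-Ze, YU Jian-Bo, ZHANG Miao, XU Guo-Ai, KONG Hao-Hao. A Mobile Application Obfuscation Method Based on Huffman and LZW Encoding[J]. Journal of Software, 2017, 28(9): 2264-2280.
Authors: LI Cheng-Ze, YU Jian-Bo, ZHANG Miao, XU Guo-Ai, KONG Hao-Hao
Affiliation: School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876
Funding: National High Technology Research and Development Program of China (863 Program) (2015AA017202)
Abstract: Binary obfuscation plays an important role in evading malware analysis and in preventing tampering through reverse engineering. Some widely used obfuscation techniques focus on syntax-based detection, and semantics-based analysis techniques were proposed many years ago to prevent detection evasion. In recent years, binary obfuscation techniques that take statistical features and semantics into account have begun to appear; these methods pay attention to the concealment of the obfuscation, but overall they are inefficient or cannot also meet security requirements. This paper proposes a binary obfuscation technique for Android mobile applications based on Huffman encoding and LZW encoding that takes strength, overhead and concealment into account and is able to evade detection based on statistical properties and semantic features. The technique constructs the instruction encoding tables needed for obfuscation. On the one hand, it uses the encoding tables to scramble the original instruction sequence, improving the concealment of the obfuscation; on the other hand, it separates the core encoding tables from the code execution data segment and, through white-box AES encryption, improves the security of the obfuscation technique itself while hiding the key and the key lookup algorithm. We developed ObfusDroid, a prototype tool for the technique, and finally evaluate and discuss the technique in terms of security strength, overhead, platform adaptability and concealment.

Keywords: binary; obfuscation; concealment; Huffman encoding; LZW encoding; white-box AES encryption
Received: 2016/7/10 0:00:00
Revised: 2016/9/4 0:00:00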

Obfuscation Tool for Mobile Apps Based on Huffman and LZW Encoding
LI Cheng-Ze, YU Jian-Bo, ZHANG Miao, XU Guo-Ai and KONG Hao-Hao. Obfuscation Tool for Mobile Apps Based on Huffman and LZW Encoding[J]. Journal of Software, 2017, 28(9): 2264-2280.
Authors: LI Cheng-Ze, YU Jian-Bo, ZHANG Miao, XU Guo-Ai and KONG Hao-Hao
Affiliation: School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876, China and School of Cyber Space Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract: Binary obfuscation plays an essential role in evading malware analysis and in preventing tampering through reverse engineering. Some widely used code obfuscation techniques focus on evading syntax-based detection; however, semantic analysis techniques have been developed to thwart their evasion attempts. Recently, some binary obfuscation techniques with the potential to evade both statistical and semantic detection have been proposed, taking concealment into account but lacking efficiency or security strength. We propose a binary obfuscation technique for mobile apps based on LZW and Huffman encoding, with the potential to evade both statistical and semantic detection, taking intensity and concealment into account. This technique constructs the required instruction encoding tables. On one hand, it scrambles the sequence of original instructions with the encoding tables to improve intensity and concealment. On the other hand, it reinforces intensity by separating the encoding tables, encrypted by white-box AES, from the code segment, concealing the key and the lookup algorithm in order to evade attacks on keys. We present a prototype tool for this technique called ObfusDroid, and evaluate ObfusDroid in terms of intensity, cost, resilience and concealment, demonstrating its capability of evading statistical analysis.
Keywords: binary; obfuscation; concealment; Huffman; LZW; White-box AES cryptography