CN114020278B

CN114020278B - Data processing method, device, equipment and storage medium

Info

Publication number: CN114020278B
Application number: CN202010696529.7A
Authority: CN
Inventors: 夏胜飞
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2020-07-19
Filing date: 2020-07-19
Publication date: 2024-06-18
Anticipated expiration: 2040-07-19
Also published as: CN114020278A

Abstract

The embodiment of the invention discloses a data processing method, a device, equipment and a storage medium, wherein the data processing method comprises the following steps: and acquiring an installation data packet of the application program, and analyzing the installation data packet to obtain method signature information of the application program. And acquiring method operation log data generated by operating the installation data packet, and decompiling the application program by adopting the method signature information of the application program and the method operation log data to obtain a code file of the application program. According to the method signature information and the method operation log data of the application program, the method signature information and the method operation log data of the application program can be decompiled, information loss in a code file is avoided, and the readability of the code file of the application program can be improved.

Description

Data processing method, device, equipment and storage medium

Technical Field

The present invention relates to the field of internet technologies, and in particular, to the field of data processing technologies, and in particular, to a data processing method, apparatus, device, and storage medium.

Background

Decompilation technology was first developed in the 60 s, mainly to realize cross-platform migration of code, and has been widely used in various aspects of program understanding, source code recovery, program debugging, security analysis, etc. Decompilation, i.e., reverse compilation, computer software reverse engineering (REVERSE ENGINEERING), also known as computer software restoration engineering, refers to the process of "reverse analysis, research" of a target program (herein referred to as an application installation package) of other software to derive design elements such as ideas, principles, structures, algorithms, processes, running methods used by a software product, and in some specific cases, source code. Decompilation is the inverse of compilation, and executable files are decompiled to generate code files. In the prior art, static decompilation is performed on an executable file of an application program directly according to decompilation software, so that partial information in the executable file is lost, and the readability of the decompiled code file is poor.

Disclosure of Invention

The embodiment of the invention provides a data processing method, a device, equipment and a storage medium, which can avoid information loss in a code file and improve the readability of the code file of an application program.

In one aspect, an embodiment of the present invention provides a data processing method, where the data processing method includes:

Acquiring an installation data packet of an application program;

Analyzing the installation data packet to obtain method signature information of the application program;

acquiring method operation log data generated by operating the installation data packet;

And decompiling the application program by adopting the method signature information of the application program and the method operation log data to obtain a code file of the application program.

The method signature information of the application program comprises function identification of an objective function and function parameters of the objective function; the method operation log data comprises operation log data of at least one function, and the target function is any function in the at least one function;

The decompiling the application program by adopting the method signature information of the application program and the method running log data to obtain a code file of the application program, which comprises the following steps:

Identifying the operation log data matched with the objective function from the method operation log data according to the function identification of the objective function;

analyzing the operation log data matched with the objective function to obtain the type information of the function parameters of the objective function and the operation result of the objective function;

And adding the type information of the function parameters of the objective function and the running result of the objective function into the method signature information of the application program to obtain a code file of the application program.

The step of adding the type information of the function parameters of the objective function and the running result of the objective function to the method signature information of the application program to obtain a code file of the application program includes:

determining, in method signature information of the application, object code instructions regarding the object function;

And adding type information of function parameters of the objective function and a running result of the objective function into the object code instruction of the method signature information of the application program to obtain a code file of the application program.

The installation data packet comprises an operation result acquisition pointer; the method operation log data comprises operation log data matched with the objective function;

the method for obtaining and operating the installation data packet generation method operation log data comprises the following steps:

Constructing a log data acquisition function, wherein the log data acquisition function comprises an object type acquisition interface and a function acquisition pointer;

Operating the installation data packet;

calling the function acquisition pointer to acquire the function identification of the target function from the installation data packet;

invoking the object type acquisition interface to acquire the type information of the function parameters of the objective function from the installation data packet;

Calling the operation result obtaining pointer to obtain the operation result of the objective function;

and generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function.

The analyzing the installation data packet to obtain the method signature information of the application program includes:

acquiring a class list in the installation data packet from a data field in the installation data packet, wherein the class list comprises a function address of at least one function;

Acquiring method signature information of each function from the installation data packet according to the function address of each function in the at least one function;

and generating the method signature information of the application program according to the method signature information of each function.

Wherein the obtaining the method signature information of each function from the installation data packet according to the function address of each function in the at least one function includes:

acquiring the structural content of each function from the installation package according to the function address of each function;

Acquiring a function identifier of each function and a function parameter of each function from the structural content of each function;

And generating the method signature information of each function according to the function identification of each function and the function parameters of each function.

Wherein the generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameter of the objective function and the operation result of the objective function includes:

creating a candidate function structure body corresponding to the objective function;

after the object type acquisition interface and the function acquisition pointer are called, storing the function identifier of the target function and the type information of the function parameters of the target function into the candidate function structure body to obtain a first function structure body;

After the operation result is called to obtain a pointer, storing the operation result of the objective function into the first function structure body to obtain a second function structure body;

Storing function identification of the objective function, type information of function parameters of the objective function and operation results of the objective function in the second function structure body into a database;

The function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function in the database are used as running log data matched with the objective function;

the identifying the operation log data matched with the objective function from the method operation log data according to the function identification of the objective function comprises the following steps:

And identifying the operation log data matched with the objective function from the database according to the function identification of the objective function.

In one aspect, an embodiment of the present application provides a data processing apparatus, including:

the first acquisition module is used for acquiring an installation data packet of the application program;

The analysis module is used for analyzing the installation data packet to obtain the method signature information of the application program;

the second acquisition module is used for acquiring method operation log data generated by operating the installation data packet;

And the decompilation module is used for decompiling the application program by adopting the method signature information of the application program and the method operation log data to obtain a code file of the application program.

The decompilation module includes:

The identification unit is used for identifying the operation log data matched with the objective function from the method operation log data according to the function identification of the objective function;

the analysis unit is used for analyzing the operation log data matched with the objective function to obtain the type information of the function parameters of the objective function and the operation result of the objective function;

and the adding unit is used for adding the type information of the function parameters of the objective function and the running result of the objective function into the method signature information of the application program to obtain the code file of the application program.

Wherein, the adding unit is specifically used for:

The second acquisition module includes:

the construction unit is used for constructing a log data acquisition function, wherein the log data acquisition function comprises an object type acquisition interface and a function acquisition pointer;

the operation unit is used for operating the installation data packet;

The first calling unit is used for calling the function acquisition pointer to acquire the function identification of the target function from the installation data packet;

the second calling unit is used for calling the object type obtaining interface to obtain the type information of the function parameters of the target function from the installation data packet;

The third calling unit is used for calling the running result obtaining pointer to obtain the running result of the target function;

the first generation unit is used for generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function.

Wherein, the above-mentioned analysis module includes:

A first obtaining unit, configured to obtain a class list in the installation data packet from a data field in the installation data packet, where the class list includes a function address of at least one function;

The second acquisition unit is used for acquiring the method signature information of each function from the installation data packet according to the function address of each function in the at least one function;

and the second generating unit is used for generating the method signature information of the application program according to the method signature information of each function.

The second obtaining unit is specifically configured to:

Wherein the first generating unit is specifically configured to:

An embodiment of the present application provides a computer apparatus including: a processor, a memory, a network interface;

The processor is connected to a memory and a network interface, wherein the network interface is used for providing a data communication function, the memory is used for storing a computer program, and the processor is used for calling the computer program to execute the method in the embodiment of the application.

The present application provides a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, perform a method as in the present application.

In the embodiment of the invention, the installation data packet of the application program is operated to obtain the method operation log data generated by operating the installation data packet, and the installation data packet is analyzed to obtain the method signature information of the application program. Decompiling the application program according to the method running log data and the method signature information of the application program to obtain a code file of the application program. The method signature information comprises static data of the application program, and the method running log data comprises dynamic data of the application program. Therefore, according to the method signature information and the method running log data of the application program, the installation data packet of the application program is decompiled, so that the information loss in the code file can be avoided, the readability of the code file of the application program is improved, and the application program can be understood and applied conveniently.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic flow chart of a data processing method according to an embodiment of the present invention;

FIG. 2 is a schematic structural diagram of Macho files according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of obtaining method signature information of an application according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of a code file for obtaining an application program according to an embodiment of the present application;

FIG. 5 is a flow chart of a data processing method according to another embodiment of the present invention;

FIG. 6 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention;

fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention.

Detailed Description

The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

Please refer to fig. 1, which is a flowchart of a data processing method according to an embodiment of the present application, wherein the data processing method includes the following steps S101 to S104.

S101, acquiring an installation data packet of an application program.

S102, analyzing the installation data packet to obtain method signature information of the application program.

In an embodiment of the present application, the application program may include, but is not limited to: game applications, shopping applications, social applications, audiovisual playback applications, taxi taking applications, payment applications, and the like. The installation package of the application may be Macho files, macho is an abbreviation for Mach Object, a file format executable on Mac OS and iOS, including but not limited to: executable file (.out.o), dynamic library, static library, dyld, object file, etc. The installation data package of the application program comprises at least one function, wherein the function is an ordered combination of codes used by the application program to solve a certain problem, and is a functional module. The function actually corresponds to a pointer address, i.e., a memory address, within the application. And decompiling is carried out according to the installation data packet of the application program, so that method signature information corresponding to the function in the application program is obtained. The method signature information corresponding to the function in the application program comprises parameter information such as function identification of the function, function parameters of the function and the like. Decompilation refers to the work of "reverse analysis and research" on a target program (such as an executable program) of other software to deduce design elements such as ideas, principles, structures, algorithms, processing procedures, running methods and the like used by other software products, and in some specific cases, source codes may be deduced. Decompilation is the inverse of compilation, and executable files are decompiled to generate code files. The method is widely applied to various aspects of program understanding, source code recovery, program debugging, security analysis and the like.

Optionally, a class list in the installation data packet is obtained from a data field in the installation data packet, the class list includes a function address of at least one function, and the method signature information of each function is obtained from the installation data packet according to the function address of each function in the at least one function. And generating the method signature information of the application program according to the method signature information of each function.

The __ objc _ classlist, __ objc _ classlist can be found in the DATA segment (__ DATA segment) of the installation DATA packet of the application program, which is a objc class list in the installation DATA packet, and class information is saved, and the address of __ objc _data is mapped. The installation data packet comprises a plurality of class lists Objc which is abbreviated as Objective-C, is a programming language corresponding to the installation data packet of the application program, is formed by adding object-oriented characteristics on the basis of the C language for expansion, and is a general, high-level and object-oriented programming language. A list of all classes (classes) corresponding to the application is obtained from __ objc _ classlist of the data segment. And traversing class (class) addresses in all class lists, obtaining structural content information of the classes according to specific address information in the class addresses, and extracting data (data) parts in the structural content of the classes. A list of functions (methods) in the class list can be obtained in the data part of the class structure content. Traversing all functions in the function list, and acquiring signature strings and type codes of the functions according to the function address of each function (TypeEncodings). And obtaining method signature information corresponding to the party according to the signature character string and the type code of the function, and obtaining the method signature information corresponding to at least one function in the installation data packet by using the function.

Alternatively, the structural content of each function may be obtained from the installation data packet according to the function address of each function. And acquiring the function identification of each function and the function parameter of each function from the structural content of each function, and generating the method signature information of each function according to the function identification of each function and the function parameter of each function.

The function address of each function can be used for knowing a certain section of a certain area of the function in the installation data packet, so that the corresponding structure content of each function is obtained, and the corresponding structure content of the function comprises code information for realizing the function. And obtaining signature character strings of each function in the structural content corresponding to each function, thereby obtaining the function identification of each function. And obtaining the type code of each function in the corresponding structural content of each function, thereby obtaining the function parameters of each function. And generating the method signature information of each function according to the function identification of each function and the function parameters of each function.

For example, decompilation may be performed on the header file in the Macho file to obtain the code file of the header file in the Macho file. The Macho file consists of three parts, namely a Header part, a load command (loadCommends) part, and a Data (Data) part. As shown in FIG. 2, a schematic structure of Macho files provided in the embodiment of the present invention is shown in FIG. 2, where the header file portion includes carrier files for function and data interface declarations, and is mainly used for saving declarations of programs, and some basic information of the files, such as a platform, a file type, the number of loading commands, etc. are saved; the loading command part describes how the operating system should load the data in Macho files, and plays a role in guiding the system kernel loader and the dynamic linker; the data portion is used to store specific codes and data.

Fig. 3 is a schematic diagram of a method for obtaining signature information of an application program according to an embodiment of the present invention, where, as shown in fig. 3, a_data segment in a header file of a Macho file may be obtained, where the_data segment is a readable/writable DATA segment in a Macho file, and the content in the segment may be read or written. The_data field contains programming DATA for the application, such as a class list. And acquiring __ objc-classlist in the_DATA field, storing a class (class) list of objc in __ objc-classlist in the_DATA field, storing related information such as a class address, and mapping the address of DATA in objc. The class list is obtained according to __ objc _ classlist in the_DATA section, specific class addresses in the class list are traversed one by one, the structural content of the class is obtained according to the specific class addresses, the DATA (DATA) part of the structural content of the class, namely __ objc _data, is extracted and used for storing DATA needed by the class, and __ objc _const addresses are mapped and used for finding relevant DATA of the class. And obtaining a function (method) list from the data part of the structural content of the class, traversing each function in the function list, obtaining the structural content of each function according to the address in each function in the function list, obtaining a signature character string and a parameter list (TypeEncodings) of the function according to the structural content of each function, and combining the signature character string and the parameter list in the function to restore the method signature information of the function in the header file of Macho.

S103, acquiring method operation log data generated by the operation installation data packet.

And S104, decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program.

And (3) using an Xcode development tool and a script to package an installation data packet corresponding to the application program into an executable file, installing the executable file into a mobile phone for running, and performing any operation to obtain method running log data. For example, for a common short video application, various operations such as video playing, recording, video switching, comment and the like can be performed, and then method operation log data corresponding to operation functions such as video playing, recording, video switching, comment and the like can be obtained. The installation data packet includes at least one function corresponding to the application program for implementing some functions, for example, the installation data packet corresponding to the short video includes at least one function such as a video playing function, a recording function, a video switching function, etc. The method operation log data comprises identification information of functions called in an installation data packet, type information of function parameters of the functions and operation results of the functions. And decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program. The method signature information comprises static data of the application program, the method running log data comprises dynamic data of the application program, decompilation is carried out on the application program according to the method signature information of the application program and the target running data, some unclear information in a code file of the application program can be optimized, and the readability of the code file of the application program can be improved.

Optionally, after the method running log data of the function in the installation data of the application program is obtained, static decompilation is performed on the installation data packet of the application program by using decompilation software to obtain method signature information of the objective function in the installation data packet of the application program, the running log data matched with the objective function is identified in the method running log data, type information of the function parameter in the running log data matched with the objective function is taken as type information of the function parameter of the objective function, and the type information is added into the method signature information of the objective function, and decompilation is performed on the installation data packet continuously to obtain a code file of the application program. The method can also perform static decompilation on the installation data packet of the application program to obtain method signature information of the objective function, then obtain operation log data of the objective function after operating the installation data packet, obtain type information of function parameters of the objective function according to the operation log data of the objective function, and add the type information of the objective function to the method signature information of the objective function. And (3) signing information according to the method after adding the type information of the function parameters, decompiling the installation data packet of the application program, and obtaining the code file of the application program. It should be noted that, the present application does not limit the order of acquiring the method signature information of the application program and the method signature information of the application program.

As shown in fig. 4, a schematic diagram of a method for obtaining a code file of an application according to an embodiment of the present application, as shown in fig. 4, the method for obtaining a code file of an application may include steps S21 to S23.

S21, identifying the operation log data matched with the objective function from the method operation log data according to the function identification of the objective function.

The method signature information of the application program comprises function identification of an objective function and function parameters of the objective function, the method operation log data comprise operation log data of at least one function, and the objective function is any function of the at least one function in the method operation log data. The function of the method running log data is a function called in an installation data packet when the installation data packet of the application program is run, namely, the function in the method running log data is a function called in the installation data packet. The operation log data of a function comprises the function identification of the function, the function parameters of the function and the operation result of the function. And identifying the function matched with the function identifier of the objective function in the method operation log data according to the function identifier of the objective function, and acquiring the operation log data of the function matched with the function identifier of the objective function.

S22, analyzing the operation log data matched with the objective function to obtain the type information of the function parameters of the objective function and the operation result of the objective function.

S23, adding the type information of the function parameters of the objective function and the running result of the objective function into the method signature information of the application program to obtain a code file of the application program.

Analyzing the operation log data matched with the objective function to obtain the type information of the function parameters in the operation log data of the function matched with the objective function and the operation result of the function. And taking the type information of the function parameters of the function in the operation log data of the function matched with the objective function and the operation result of the function as the type information of the function parameters of the objective function and the operation result of the objective function. And adding the type information of the function parameters of the objective function and the running result of the objective function into the method signature information of the application program to obtain the code file of the application program, so that the obtained code file has more readability, and the reader can understand the code file conveniently.

Alternatively, the object code instructions for the object function may be determined in the method signature information of the application. And adding the type information of the function parameters of the objective function and the running result of the objective function into the objective code instruction of the method signature information of the application program to obtain the code file of the application program.

The signature character string and parameter list of the function are included in the signature information of the method of the application program, and the function is an ordered combination of codes used by the application program to solve a certain problem and is a functional module. The function actually corresponds to a pointer address, i.e., a memory address, within the application program, essentially a string of numbers. The object code instructions for the object function may be determined in the method signature information of the application. And adding the type information of the function parameters of the objective function and the running result of the objective function into the objective code instruction of the method signature information of the application program to obtain the code file of the application program.

Optionally, in the method signature information of the application program, according to the identification information of the objective function, the type information of the function parameter of the objective function in the method signature information and the running result of the objective function may be added to the back of the objective code instruction of the objective function in the method signature information of the application program. Wherein, the type information of the function parameters of the objective function and the running result of the objective function can be added to the back of the objective code instruction of the objective function. The corresponding relation between the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function can also be obtained. According to the corresponding relation between the identification function of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function are added into all the method signature information in the application program. It should be noted that, in the embodiment of the present application, the manner of adding the type information of the function parameter of the objective function and the execution result of the objective function to the method signature information of the application program is not limited, and only the reader needs to obtain the type information of the function parameter of the objective function and the operation result of the objective function when reading the code file of the application program.

When decompiling a function in an installation data packet of an application program in the prior art, the content of the obtained method signature information of the function is- (void) setMediaItemCollection (id) arg0, the parameter arg0 is a parameter of a certain object type, and the specific type information of the parameter arg0 is unknown, so that the decompiled header file has poor readability, and is inconvenient for readers to understand and use the code file. In the embodiment of the application, the installation data packet of the application program can be operated to obtain the operation log data of the function in the installation data packet, namely, the type information of the function parameters of the function and the execution result of the function are obtained. The method can optimize the method signature information of the application program according to the operation log data obtained when the installation data packet is operated, perfects the type information of the function parameters of the function in the method signature information and the execution result of the function, and obtains a code file with more readability. According to the technical scheme provided by the embodiment of the application, a function in an installation data packet is decompiled, and the method signature information of the function is obtained by the following steps: - (UIView) PREFERREDPARENTVIEW (TTAdFeedLearnMoreView) arg1, PREFERREDPARENTVIEW. Name of the function called when the installation packet is run, UIView is the result of running the function, TTAdFeedLearnMoreView is the type information of parameter arg 1. The type information of the arg0 and the arg1 can be obtained when the installation data packet runs, and can be various custom classes in the whole application, such as Person class, student class, bird class and the like, and when the installation data packet runs, the type information of the arg0 and the arg1 can be obtained by calling a system api according to a specific pointer. According to the code file of the application program obtained by the embodiment of the application, readers can more intuitively know the obtained result of each function in the code file and the type information of the function parameters in the function, so that the decompiled code file has more readability.

Fig. 5 is a schematic diagram of a data processing method according to another embodiment of the present application, and as shown in fig. 5, steps of the data processing method include S201 to S208.

S201, acquiring an installation data packet of an application program.

S202, analyzing the installation data packet to obtain method signature information of the application program.

The contents of steps S201, S202, and S208 may be described with reference to fig. 1, and will not be described here.

S203, constructing a log data acquisition function, wherein the log data acquisition function comprises an object type acquisition interface and a function acquisition pointer.

The installation data packet of the application program comprises an operation result acquisition pointer, wherein the operation result acquisition pointer is used for acquiring an operation result of a function in the installation data packet, and the operation result obtained after the function in the installation data packet is operated can be acquired according to the operation result pointer. The method operation log data comprises operation log data matched with the objective function. The log data acquisition function can be constructed and used for acquiring the running log data of the function in the installation data packet when the installation data packet is run, and the log data acquisition function comprises an object type acquisition interface and a function acquisition pointer.

S204, running the installation data packet.

S205, calling the function acquisition pointer to acquire the function identification of the target function from the installation data packet, and acquiring the type information of the function parameters of the target function from the installation data packet by the function parameter type acquisition interface.

When an application program is started and an installation data packet of the application program is operated, a log data acquisition function is called, a pointer is acquired according to the function in the log data acquisition function, and a function identifier of an objective function is acquired from the installation data packet. And acquiring the type information of the function parameters of the objective function in the installation data packet according to the object type acquisition interface in the log data acquisition function. And calling an operation result acquisition pointer in the installation data packet, acquiring an operation result of the objective function from the installation data packet, and generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function.

When the function identification of the target function and the type information of the function parameters of the function are acquired from the installation data packet, the function identification of the target function and the type information of the function parameters can be acquired in the memory according to the address information corresponding to the pointer. Because the information in the installation data packet is loaded into the memory of the terminal during the operation of the installation data packet, when the function identifier of the target function is acquired according to the function acquisition pointer, the address information corresponding to the pointer can be acquired according to the function, and the function identifier of the target function can be acquired in the memory of the terminal.

S206, calling an operation result acquisition pointer to acquire an operation result of the objective function.

S207, generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function.

And S208, decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program.

Similarly, the pointer can be obtained according to the operation result, the address information corresponding to the operation result obtaining pointer can be obtained, and the execution result of the objective function can be obtained in the terminal according to the address information corresponding to the operation result obtaining pointer. And generating operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameters of the objective function and the operation result of the objective function. And decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program.

Alternatively, a candidate function structure corresponding to the objective function may be created, and after the function parameter type obtaining interface and the function obtaining pointer, the function identifier of the objective function and the type information of the function parameter of the objective function are stored in the candidate function structure to obtain the first function structure. After the operation result acquiring pointer is called, the operation result of the objective function is stored in the first function structure body, and a second function structure body is obtained. And storing the function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function in the second function structure body into a database. And using the function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function in the database as running log data matched with the objective function. And identifying the operation log data matched with the objective function from the database according to the function identification of the objective function.

The candidate function structure body corresponding to the objective function can be created according to the log data acquisition function, the function identification of the objective function is acquired according to the function acquisition pointer, the type information of the function parameters of the objective function is acquired according to the object type acquisition interface, and then the function identification of the objective function and the type information of the function parameters of the objective function are stored in the candidate function structure body to obtain the first function structure body. And calling an operation result acquisition pointer in the installation data packet to acquire an operation result of the objective function, and then storing the operation structure of the objective function into the first function structure body to acquire a second function structure body. After the operation of the installation data packet is finished, the function identification of the objective function in the second function structure body, the type information of the function parameters of the objective function and the operation result of the objective function are stored into a database. The first function structure body is used for temporarily storing function identification of the objective function and type information of function parameters of the objective function, acquiring a pointer according to the operation result to acquire the operation result of the objective function, storing the operation result of the objective function into the first function structure body to obtain a second function structure body, and storing the second function structure body into the database. And using the function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function in the database as running log data matched with the objective function. Upon obtaining the log data matching the objective function, the log data matching the objective function may be identified from the database.

For example, when an application is started and an installation data packet corresponding to the application is run, a database is initialized, a database file is created, and a necessary data table is created. The log data acquisition function is constructed, namely, a HOOK objc _msgsend function is started, the programming language (OjbC) corresponding to the application program is a dynamic language, all function calls in ObjC are finally converted into calls to the functions objc _ msgSend (arg 0, arg1, …), wherein the parameter arg0 is an object for receiving the Objc function, and arg1 is a function name to be called. oSend functions are the core engines of all function calls, which are responsible for finding the implementation methods of the functions in the application and executing these functions. The objc _ msgSend function is essentially that the function parameters send a message, so that the function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function are obtained. Hook objc _ msgSend is to replace the original function objc _ msgSend, namely, the function A, with a function hook_ objc _ msgSend which can be run on own equipment, namely, a function B, wherein the function B is a log data acquisition function, and the function B obtained after Hook processing can be run on own equipment. The purpose of the HOOK process is to enable the application's installation package to run on its own device and save the original function a as orig_ objc _ msgSend. All calls to function a become calls to function B, i.e., all Objc function calls become calls to function B. Initiating a call to the target function in the application triggers a call to function B.

When a call is initiated to an objective function in an application program and the call to the function B is triggered, registers q 0-q 6 and x 0-x 9 are stacked, and the original environment of the objective function is saved. The original environment of the objective function comprises the input parameters, the return address after the execution of the function and the like, and the input parameters of the objective function, the return address after the execution of the function and the like are stored in a register. And calling the function B, creating a candidate function structure body associated with the thread, and acquiring type information of function parameters of the target function and function identification of the target function according to two parameters in the function B, namely an object type acquisition interface and a function acquisition pointer in the log data acquisition function. The method comprises the steps of sequentially analyzing the type information of the input parameters when the target function is called according to the function call transfer parameter convention of ARM, taking the type information of the parameters as the type information of the function parameters if the input parameters are objects, and storing the type information of the function parameters obtained through analysis and the function identification of the target function into candidate function structures to obtain a first function structure. The first function structure is stored in a stack associated with the thread. The thread is the minimum unit of operation scheduling of the operating system, and is the actual operation unit in the process, namely, the call of the target function in the application program.

And then the registers q 0-q 6 and x 0-x 9 are popped off the stack to obtain the original function of the function A stored in the register, and the environment for restoring the function A is the environment for restoring the original objc _ msgSend function call. And then, stacking registers q 0-q 6 and x 0-x 9, and storing the environment after the function B returns. And calling the function A, and popping the first function structure body at the stack top related to the thread, namely the first function structure body which stores the type information of the function parameters of the objective function and the function identification of the objective function. The purpose of the function a is to obtain the running result of the objective function. And receiving a return value of the objective function according to the original function A, namely acquiring a pointer according to the operation result to obtain the operation result of the objective function. Analyzing the type information of the operation result of the objective function, and storing the type information of the operation result of the objective function into the first function structure body to obtain the second function structure body. And calling a storage interface of the database, and constructing a corresponding relation between the fields of the second function structure body and the fields of the data table in the database. And according to the corresponding relation between the fields of the second function structure body and the fields of the data table in the database, storing the function identification of the objective function, the type information of the function parameters of the objective function and the running result of the objective function stored in the second function structure body into the database. And calling at least one function in the installation data packet of the application program according to the operation function for acquiring the function identification of the target function, the type information of the function parameter of the target function and the operation result of the target function, so as to acquire the operation log data of at least one function in the installation data packet of the application program, and acquiring the method operation log data according to the operation log data of the at least one function.

Optionally, after the function identifier of the objective function in the second function structure body, the type information of the function parameter of the objective function, and the running result of the objective function are stored in the database, the function structure body associated with the objective function thread may be deleted, so that the storage space is saved.

The sqlite3 database may be used to store the running log data of at least one function in the installation package of the application. In order to ensure the correctness of data, the operation of the database needs to consider thread synchronization, and in the embodiment of the application, the thread synchronization can be ensured by using a spin lock. The spin lock is used for keeping that when one thread operates the memory, other threads cannot operate the memory address until the thread finishes operating, and the other threads cannot operate the memory address. sqlite3 is a database used to organize, store, and manage data. In the implementation of the present application, the database for storing the function call structure corresponding to the call function may be a database other than the sqlite3 database. Other thread synchronization schemes may be selected to ensure thread synchronization, such as a mutex lock scheme, and the like, which is not limited in embodiments of the present application.

In the embodiment of the application, the installation data packet of the application program is acquired, and the installation data packet is analyzed to obtain the method signature information of the application program; acquiring method operation log data generated by operating the installation data packet; and decompiling the application program by adopting the method signature information of the application program and the method operation log data to obtain a code file of the application program. In the embodiment of the application, the operation is carried out on the installation data packet of the application program to obtain the method operation log data generated by operating the installation data packet. The method operation log data can comprise type information of function parameters of at least one function in the installation data packet and operation results of the at least one function. The log data acquisition function can be constructed, and the type information of the function parameters of the function is obtained in the process of installing the data packet to run. And analyzing the installation data packet to obtain the method signature information of the application program. And adding the type information of the function parameters of the function in the method operation log data and the operation result of the function into the method signature information of the application program according to the method operation log data to obtain a code file of the application program. The method signature information comprises static data of the application program, and the method running log data comprises dynamic data of the application program. Therefore, according to the method signature information and the method running log data of the application program, decompilation is carried out on the installation data packet of the application program, so that information loss in a code file can be avoided, the result obtained by each function in the code file and the type information of the called function parameters can be more intuitively known, the decompiled code file has more readability, and the application program can be conveniently understood and applied.

Fig. 6 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application, where the data processing apparatus according to the embodiment of the present application may be in an electronic device. In this embodiment, the data processing apparatus includes:

The first obtaining module 11 is configured to obtain an installation data packet of an application program.

And the analysis module 12 is used for analyzing the installation data packet to obtain the method signature information of the application program.

Wherein, the above-mentioned analysis module includes: the device comprises a first acquisition unit, a second acquisition unit and a second generation unit.

The second obtaining unit is specifically configured to:

And a second obtaining module 13, configured to obtain method running log data generated by running the installation data packet.

The second acquisition module includes: the device comprises a construction unit, an operation unit, a first calling unit, a second calling unit, a third calling unit and a first generation unit.

the operation unit is used for operating the installation data packet;

Wherein the first generating unit is specifically configured to:

Decompilation module 14, configured to decompilate the application program using the method signature information of the application program and the method running log data, to obtain a code file of the application program.

The decompilation module includes: the device comprises an identification unit, an analysis unit and an addition unit.

Wherein, the adding unit is specifically used for:

In the embodiment of the application, the installation data packet of the application program is acquired, and the installation data packet is analyzed to obtain the method signature information of the application program; acquiring method operation log data generated by operating the installation data packet; and decompiling the application program by adopting the method signature information of the application program and the method operation log data to obtain a code file of the application program. In the embodiment of the application, the operation is carried out on the installation data packet of the application program to obtain the method operation log data generated by operating the installation data packet. The method operation log data can comprise type information of function parameters of at least one function in the installation data packet and operation results of the at least one function. The log data acquisition function can be constructed, and the type information of the function parameters of the function is obtained in the process of installing the data packet to run. And analyzing the installation data packet to obtain the method signature information of the application program. And adding the type information of the function parameters of the function in the method operation log data and the operation result of the function into the method signature information of the application program according to the method operation log data to obtain a code file of the application program. The method signature information comprises static data of the application program, and the method running log data comprises dynamic data of the application program. Therefore, according to the method signature information and the method running log data of the application program, decompilation is carried out on the installation data packet of the application program, so that information loss in a code file can be avoided, readers can more intuitively know the result obtained by each function in the code file and the type information of the called function parameters, the decompiled code file has more readability, and the application program can be conveniently understood and applied.

Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 7, the above-mentioned computer device 1000 may include: processor 1001, network interface 1004, and memory 1005, and in addition, the above-described computer device 1000 may further include: a user interface 1003, and at least one communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display (Display), a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface, among others. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one magnetic disk memory. The memory 1005 may also optionally be at least one storage device located remotely from the processor 1001. As shown in fig. 7, an operating system, a network communication module, a user interface module, and a device control application may be included in a memory 1005, which is a type of computer-readable storage medium.

In the computer device 1000 shown in FIG. 7, the network interface 1004 may provide network communication functions; while user interface 1003 is primarily used as an interface for providing input to a user; and the processor 1001 may be used to invoke a device control application stored in the memory 1005 to implement:

Acquiring an installation data packet of an application program;

Operating the installation data packet;

Furthermore, it should be noted here that: the embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores a computer program executed by the aforementioned data processing apparatus, where the computer program includes program instructions, when executed by the processor, can execute the description of the data processing method in the corresponding embodiment of fig. 1 or fig. 5, and therefore, a detailed description will not be given here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application. As an example, the program instructions may be executed on one computer device or on multiple computer devices located at one site, or on multiple computer devices distributed across multiple sites and interconnected by a communication network, which may constitute a blockchain network.

Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of computer programs, which may be stored on a computer-readable storage medium, and which, when executed, may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.

The foregoing disclosure is illustrative of the present invention and is not to be construed as limiting the scope of the invention, which is defined by the appended claims.

Claims

1. A method of data processing, comprising:

Acquiring an installation data packet of an application program; the installation data packet comprises an operation result acquisition pointer and at least one function;

Constructing a log data acquisition function, operating the installation data packet, calling a function acquisition pointer in the log data acquisition function, acquiring a function identifier of a target function from the installation data packet, calling an object type acquisition interface in the log data acquisition function, acquiring type information of a function parameter of the target function from the installation data packet, calling an operation result acquisition pointer, acquiring an operation result of the target function, and generating operation log data matched with the target function according to the function identifier of the target function, the type information of the function parameter of the target function and the operation result of the target function; the objective function is any one of the at least one function;

decompiling the application program by adopting method signature information and method running log data of the application program to obtain a code file of the application program; the method operation log data comprises operation log data corresponding to the at least one function respectively.

2. The method of claim 1, wherein the method signature information of the application program includes a function identification of the objective function and a function parameter of the objective function;

The decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program, which comprises the following steps:

3. The method according to claim 2, wherein adding the type information of the function parameters of the objective function and the running result of the objective function to the method signature information of the application program to obtain the code file of the application program includes:

4. The method of claim 1, wherein parsing the installation data packet to obtain method signature information of the application program comprises:

5. The method of claim 4, wherein the obtaining the method signature information of each function from the installation data packet according to the function address of each function in the at least one function includes:

Acquiring the structural content of each function from the installation data packet according to the function address of each function;

6. The method according to claim 1, wherein the generating the operation log data matched with the objective function according to the function identification of the objective function, the type information of the function parameter of the objective function, and the operation result of the objective function includes:

7.A data processing apparatus, comprising:

The first acquisition module is used for acquiring an installation data packet of the application program; the installation data packet comprises an operation result acquisition pointer and at least one function;

The second acquisition module is used for constructing a log data acquisition function, operating the installation data packet, calling a function acquisition pointer in the log data acquisition function, acquiring a function identifier of a target function from the installation data packet, calling an object type acquisition interface in the log data acquisition function, acquiring type information of a function parameter of the target function from the installation data packet, calling the operation result acquisition pointer, acquiring an operation result of the target function, and generating operation log data matched with the target function according to the function identifier of the target function, the type information of the function parameter of the target function and the operation result of the target function; the objective function is any one of the at least one function;

The decompilation module is used for decompiling the application program by adopting the method signature information and the method running log data of the application program to obtain a code file of the application program; the method operation log data comprises operation log data corresponding to the at least one function respectively.

8. A computer device, comprising: a processor, a memory, and a network interface;

the processor is connected to a memory for providing data communication functions, a network interface for storing program code, and for invoking the program code to perform the method according to any of claims 1 to 6.

9. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, perform the steps of the method according to any of claims 1 to 6.