Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Existing software protection relies mainly on an encryption lock. An encryption lock is a combined software-and-hardware security product that plugs into a computer's parallel port or USB port and generally has a few dozen to a few hundred bytes of non-volatile memory available for reading and writing. Part of the software's code is kept in that memory, and the software developer exchanges data with the encryption lock through interface functions, that is, writes and reads the code in the lock. With this approach, however, the user must carry the encryption lock in order to use the software, which is inconvenient, and the lock is easily lost. In addition, a hardware encryption lock is costly, and its limited storage space limits the amount of code that can actually be transplanted into it, which to some extent lowers the difficulty of cracking the lock.
To solve the prior-art problems that protecting software with an encryption lock is inconvenient to use and gives weak protection, an embodiment of the present invention provides a software protection method. As shown in Fig. 1, the method comprises:
101. Obtain P-code (the code to be transplanted) from the code of the application to be protected, and encrypt it to obtain encrypted P-code.
When the application of a piece of software is protected, part of the application's code has to be transplanted into an encryption lock so that unauthorized users cannot use the application; only an authorized user (one who holds the encryption lock) can use the software normally through the P-code in the lock. Once the encryption lock is lost, however, other, unauthorized users can use the protected software. To overcome this defect, the embodiment performs step 101: it obtains P-code from the code of the application to be protected and encrypts the P-code to obtain encrypted P-code.
102. Create a driver that interacts with the application to be protected; the driver is used to decrypt the encrypted P-code and execute the P-code.
An encryption lock that carries part of the application's code is costly and easily lost, and its storage space and operating efficiency are limited, so the amount of code that can actually be transplanted from the application is very small, which to some extent also lowers the difficulty of cracking the code. The embodiment therefore does not use an encryption lock. Instead it performs step 102 and creates a driver that interacts with the application to be protected and that decrypts the encrypted P-code and executes the P-code. An interactive interface is created between the driver and the application to be protected, and the driver interprets the encrypted P-code and executes the P-code in kernel mode, that is, system mode. Because the embodiment transplants part of the application's code into the driver for execution, because at present almost no debuggers exist for cracking drivers, and because the code is additionally given virtual-machine protection (for example, by packing it with VMProtect), analyzing the P-code is extremely difficult.
103. The driver receives the execute-P-code request sent by the application to be protected; the request carries the encrypted P-code.
In step 101 the embodiment has already obtained P-code from the code of the application to be protected and encrypted it to obtain encrypted P-code, and in step 102 it has created the driver that interacts with the application and that decrypts the encrypted P-code and executes the P-code. When the application to be protected is to be used, it must therefore send an execute-P-code request to the driver over the interactive interface between the two, asking the driver to execute the P-code. Accordingly, after step 102 the embodiment performs step 103: the driver receives the execute-P-code request sent by the application to be protected, and the request carries the encrypted P-code.
104. The driver decrypts the encrypted P-code and determines from the decryption result whether to execute the P-code.
After the driver receives the execute-P-code request sent by the application to be protected, it takes the encrypted P-code carried in the request, decrypts it, and determines from the decryption result whether to execute the P-code. If the decryption result is correct, the driver executes the P-code; if the decryption result is incorrect, the P-code cannot be executed and the application to be protected therefore cannot be used. The driver decrypts the encrypted P-code according to the encryption rule of the encrypted P-code. The software developer can define this encryption rule in advance and set it in the driver when the driver is created.
The software protection method provided by the embodiment creates a driver that interacts with the application to be protected. After receiving the execute-P-code request sent by the application, the driver decrypts the application's encrypted P-code and executes the P-code, and it is the driver that determines from the decryption result whether to execute the P-code, so the application (software) no longer needs to be protected by a prior-art encryption lock that stores the P-code. Moreover, the driver runs complex algorithms far more efficiently than the hardware of an encryption lock does, and it is not limited by the lock's storage space. The invention can therefore use code with complex logic, and more code than an encryption lock can carry, as the P-code that protects the application (software), which greatly increases the difficulty of cracking the application (software) to be protected.
For a better understanding of the method shown in Fig. 1, each step in Fig. 1 is described in detail below.
In the prior art, to protect the application of a piece of software, part of the code of the application to be protected is transplanted into an encryption lock, and a user who is authorized to use the software uses it normally through the lock. Because the storage space of an encryption lock is limited and it runs complex algorithms inefficiently, the code transplanted into the lock mostly has fairly simple logic and the amount of code actually transplanted is fairly small, which to some extent lowers the difficulty of cracking the code. To overcome this defect, the embodiment does not protect the P-code of the application with an encryption lock; instead it creates a driver that interacts with the application to be protected and executes the P-code in the driver. Because the driver is not limited by storage space and runs complex algorithms more efficiently, the embodiment can obtain P-code with complex logic from the application to be protected and can obtain a larger amount of P-code. When actually obtaining P-code from the code of the application to be protected, the embodiment can use multi-point acquisition, that is, it obtains several pieces of P-code from different locations in the application's code. Multi-point acquisition yields not only a larger amount of P-code but also code that implements different logic at different locations in the source code of the application to be protected. Increasing both the amount and the complexity of the P-code raises the difficulty of cracking it.
Because the prior art merely stores the P-code obtained from the application's code in the encryption lock without encrypting it, anyone who gets hold of a lost encryption lock can use the application to be protected normally. The embodiment therefore also encrypts the P-code after obtaining it from the code of the application to be protected. Since the embodiment obtains P-code by multi-point acquisition, and so that the obtained P-code does not get mixed up, the P-code of each piece of code logic is built into a code block; the code blocks keep the P-code of different code logic apart. After the P-code has been built into code blocks, the code blocks are encrypted to obtain the encrypted P-code.
As one optional implementation, the code block is encrypted asymmetrically to obtain the encrypted P-code. Asymmetric encryption uses two keys, a public key and a private key, which form a pair: if the code block is encrypted with the public key, only the corresponding private key can decrypt it; if the code block is encrypted with the private key, only the corresponding public key can decrypt it. For example, the embodiment can encrypt the code block with the public key of a key pair to obtain the encrypted P-code and set the encryption rule in the driver when the driver is created. When the application to be protected is to be run, an execute-P-code request carrying the encrypted P-code is sent to the driver, and on receiving the request the driver decrypts the encrypted P-code with the private key according to the configured encryption rule. Because there is an interactive interface between the application to be protected and the driver, if the driver needs to reply to the application with encrypted information, the driver encrypts the reply with the public key of a key pair set by the application to be protected, and the application decrypts the reply with the private key.
Asymmetric encryption of the code block is only one optional implementation; other encryption modes can of course be used, for example symmetric encryption, in which the same key both encrypts and decrypts the code block. Symmetric encryption achieves faster encryption and decryption, but because both operations use the same key, the security of the encrypted information can no longer be guaranteed once either party's key is leaked. Symmetric encryption therefore also serves to encrypt the code block, but its security is not as good as that of asymmetric encryption.
Because the embodiment does not use an encryption lock to hold the encrypted P-code, after the code block has been encrypted in one of the ways above the embodiment saves the encrypted P-code locally. In practice the encrypted P-code can be saved in the directory of the application to be protected, so that when the application is used the encrypted P-code can be fetched quickly from that directory and carried to the driver in the execute-P-code request. Alternatively, the encrypted P-code can be saved in other storage space of the client on which the application to be protected resides.
To raise the level of protection of the application to be protected, besides encrypting the P-code and implementing a code interpreter in the driver so that the driver can execute the P-code, the embodiment also implements authorization management logic in the driver. That is, it sets the usage right of the application to be protected so that only a machine that holds the usage right can run the application. The embodiment can set the usage right by means of a digital signature. The process is as follows. The hardware information of the machine that holds the usage right is turned into a machine code: for example, the machine's hard disk serial number, motherboard information and so on are put through a series of encryption and hash operations to form a serial number, and that serial number is the machine code that uniquely identifies the machine. After the machine code of the authorized machine has been obtained, a hash operation is performed on it to obtain a hash value, which is a unique, fixed-size value representing the machine code. In practice the SHA256 algorithm can be used to hash the machine code into a 256-bit hash value; other hash algorithms can of course be used as well. After the unique hash value has been obtained, the embodiment encrypts the hash value with a preset private key to obtain the digital signature of the hardware information of the machine that holds the usage right. In other words, the private key of the application to be protected encrypts the digest of the authorized machine's hardware information (the result of hashing the hardware information), and the encrypted hash value (the digital signature) is sent to the driver; the driver can decrypt the encrypted hash value (the digital signature) only with the public key of the application to be protected. Because the embodiment sets the usage right of the application to be protected in this way, and digitally signs the hash value of the authorized machine's hardware information when doing so, the execute-P-code request that the driver receives from the application to be protected also includes the digital signature of the hash value of the hardware information of the machine that holds the usage right.
After the P-code has been encrypted and the usage right of the application to be protected has been set in the way described above, the driver must not only decrypt the P-code according to the encryption rule of the P-code but also verify the machine's authorization (that is, verify the digital signature) and judge whether the machine holds the usage right of the application to be protected (that is, judge whether the digital signature is valid). Specifically, the driver verifies the digital signature of the machine code of the current machine and determines from the verification result whether to execute the P-code. For example, when the application to be protected is used, it sends an execute-P-code request to the driver over the interactive interface between them; the request carries the encrypted P-code and the digital signature of the hash value of the hardware information of the machine that holds the usage right. After receiving the request, the driver first verifies the digital signature carried in the request with the public key that matches the private key used for signing. If the digital signature is valid, the sender of the hash value of the machine hardware information is legitimate. Because the hash value of the machine hardware information produced by the hash algorithm is irreversible, however, once the digital signature has been found valid the embodiment also computes the hash value of the current machine's machine code with the same hash algorithm. If the computed hash value is identical to the hash value whose digital signature was just verified, the driver decrypts the encrypted P-code according to the encryption rule of the P-code and executes the P-code, so that the application to be protected can be used normally. If the computed hash value differs from the hash value whose digital signature was verified, the machine does not hold the usage right of the application to be protected and cannot use it normally.
By setting the usage right of the application to be protected, the embodiment hashes the hardware information of the authorized machine and digitally signs the result. The driver verifies the signed hash of the current machine's machine code with the encryption and verification methods preset by the software developer, and only when the signature is valid does the driver decrypt the encrypted P-code with the developer's preset encryption method and execute the P-code, so that the application to be protected can be used normally. Encrypting the P-code and signing the authorization together give the application to be protected strong protection.
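The request handling of steps 103 and 104 combined with the authorization check, as an added Go example that is not part of the original document: the developer side signs the SHA-256 hash of a machine code and encrypts one code block with the driver's public key, and a user-mode stand-in for the driver verifies the signature, compares the hashes and only then decrypts. The key pairs, machine-code strings, type and function names, the choice of PKCS#1 v1.5 signatures and RSA-OAEP, and carrying the signed hash inside the request are assumptions of this sketch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Request models the execute-P-code request; carrying SignedHash is an assumption.
type Request struct {
	EncryptedBlock []byte   // code block encrypted with the driver's public key
	SignedHash     [32]byte // SHA-256 of the authorized machine code
	Signature      []byte   // developer's signature over SignedHash
}

// Driver is a user-mode stand-in holding the keys set at driver creation.
type Driver struct {
	blockKey  *rsa.PrivateKey // decrypts code blocks
	vendorPub *rsa.PublicKey  // verifies authorization signatures
}

var (
	ErrBadSignature = errors.New("authorization signature is not valid")
	ErrWrongMachine = errors.New("current machine is not the authorized machine")
	ErrBadBlock     = errors.New("encrypted code block did not decrypt")
)

// Setup generates the two key pairs (constructed for this demo).
func Setup() (*rsa.PrivateKey, *Driver, error) {
	vendor, err1 := rsa.GenerateKey(rand.Reader, 2048)
	blockKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	return vendor, &Driver{blockKey: blockKey, vendorPub: &vendor.PublicKey}, nil
}

// BuildRequest is the developer-side step: hash and sign the authorized machine
// code, then encrypt one code block with the driver's public key (RSA-OAEP).
func BuildRequest(vendor *rsa.PrivateKey, d *Driver, machineCode string, block []byte) (Request, error) {
	h := sha256.Sum256([]byte(machineCode))
	sig, err := rsa.SignPKCS1v15(rand.Reader, vendor, crypto.SHA256, h[:])
	if err != nil {
		return Request{}, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &d.blockKey.PublicKey, block, nil)
	return Request{EncryptedBlock: enc, SignedHash: h, Signature: sig}, err
}

// Handle is the driver-side gate: signature, then machine match, then decrypt.
func (d *Driver) Handle(req Request, currentMachineCode string) ([]byte, error) {
	if rsa.VerifyPKCS1v15(d.vendorPub, crypto.SHA256, req.SignedHash[:], req.Signature) != nil {
		return nil, ErrBadSignature
	}
	cur := sha256.Sum256([]byte(currentMachineCode))
	if subtle.ConstantTimeCompare(cur[:], req.SignedHash[:]) != 1 {
		return nil, ErrWrongMachine
	}
	block, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.blockKey, req.EncryptedBlock, nil)
	if err != nil {
		return nil, ErrBadBlock
	}
	return block, nil // a real driver would interpret and execute this block
}

func main() {
	vendor, drv, err := Setup()
	if err != nil {
		panic(err)
	}
	req, _ := BuildRequest(vendor, drv, "DISK:EXAMPLE-0001", []byte("constructed code block")) // constructed values
	out, err := drv.Handle(req, "DISK:EXAMPLE-0001") // authorized machine
	_, err2 := drv.Handle(req, "DISK:EXAMPLE-9999")  // any other machine
	fmt.Printf("%q %v | %v\n", out, err, err2)
}
```

RSA-OAEP under a 2048-bit key with SHA-256 accepts at most 190 bytes of plaintext, which is why the constructed code block is short.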
As an application of the method shown in Fig. 1, an embodiment of the present invention provides a software protection device. As shown in Fig. 2, the device comprises an acquiring unit 21, a creating unit 22, a receiving unit 23 and a decryption unit 24, wherein:
The acquiring unit 21 is configured to obtain P-code from the code of the application to be protected and encrypt the P-code to obtain encrypted P-code;
The creating unit 22 is configured to create a driver that interacts with the application to be protected, the driver being used to decrypt the encrypted P-code and execute the P-code;
The receiving unit 23 is configured to receive the execute-P-code request sent by the application to be protected, the request carrying the encrypted P-code;
The decryption unit 24 is configured to decrypt the encrypted P-code and determine from the decryption result whether to execute the P-code.
Further, the acquiring unit 21 is configured to obtain P-code from the code of the application to be protected by multi-point acquisition, where multi-point acquisition comprises obtaining P-code of different code logic from different locations in the code of the application to be protected.
Further, as shown in Fig. 3, the acquiring unit 21 comprises:
A constructing module 211, configured to build the P-code into a code block;
An encrypting module 212, configured to encrypt the code block asymmetrically to obtain the encrypted P-code;
A saving module 213, configured to save the encrypted P-code locally.
Further, as shown in Fig. 4, the device also comprises:
A setting unit 25, configured to set the usage right of the application to be protected.
Further, the setting unit 25 comprises:
A generating module 251, configured to generate a machine code from the hardware information of the machine that holds the usage right;
A computing module 252, configured to perform a hash operation on the machine code to obtain a hash value;
A signing module 253, configured to encrypt the hash value with a preset private key to obtain the digital signature of the hardware information of the machine that holds the usage right.
Further, the decryption unit 24 is also configured to verify the digital signature with the public key corresponding to the preset private key and to determine from the verification result whether to execute the P-code.
The software protection device provided by the embodiment creates a driver that interacts with the application to be protected. After receiving the execute-P-code request sent by the application, the driver decrypts the application's encrypted P-code and executes the P-code, and it is the driver that determines from the decryption result whether to execute the P-code, so the application (software) no longer needs to be protected by a prior-art encryption lock that stores the P-code. Moreover, the driver runs complex algorithms far more efficiently than the hardware of an encryption lock does, and it is not limited by the lock's storage space. The invention can therefore use code with complex logic, and more code than an encryption lock can carry, as the P-code that protects the application (software), which greatly increases the difficulty of cracking the application (software) to be protected.
In addition, by setting the usage right of the application to be protected, the software protection device provided by the embodiment hashes the hardware information of the authorized machine and digitally signs the result. The driver verifies the signed hash of the current machine's machine code with the encryption and verification methods preset by the software developer, and only when the signature is valid does the driver decrypt the encrypted P-code with the developer's preset encryption method and execute the P-code, so that the application to be protected can be used normally. Encrypting the P-code and signing the authorization together give the application to be protected strong protection.
Regarding the software protection device described above, it should be noted that the functions of every unit and module used in all embodiments of the present invention can be implemented by a hardware processor.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the technical solution above in essence, or the part of it that contributes to the prior art, can be embodied as a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the embodiments above merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.