CN114090964A - Code processing method and device, electronic equipment and readable medium - Google Patents
Code processing method and device, electronic equipment and readable medium Download PDFInfo
- Publication number
- CN114090964A CN114090964A CN202111370133.4A CN202111370133A CN114090964A CN 114090964 A CN114090964 A CN 114090964A CN 202111370133 A CN202111370133 A CN 202111370133A CN 114090964 A CN114090964 A CN 114090964A
- Authority
- CN
- China
- Prior art keywords
- plug
- target
- code
- obfuscation
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 13
- 238000012545 processing Methods 0.000 claims abstract description 68
- 238000000034 method Methods 0.000 claims abstract description 47
- 230000006870 function Effects 0.000 claims description 120
- 238000001514 detection method Methods 0.000 claims description 37
- 230000008569 process Effects 0.000 claims description 17
- 238000006243 chemical reaction Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 8
- 230000008859 change Effects 0.000 claims description 4
- 238000004364 calculation method Methods 0.000 claims 1
- 238000012360 testing method Methods 0.000 description 10
- 238000010586 diagram Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 7
- 230000003252 repetitive effect Effects 0.000 description 7
- 238000004458 analytical method Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 4
- 238000010168 coupling process Methods 0.000 description 4
- 238000005859 coupling reaction Methods 0.000 description 4
- 239000000284 extract Substances 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 238000003491 array Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention provides a code processing method and a device, wherein the method comprises the following steps: compiling the code to be obfuscated into an abstract syntax tree through a client; calling a preset confusion plug-in, and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree; compiling the target abstract syntax tree into a target obfuscating code, and sending the target obfuscating code to a server; and receiving a virtual instruction generated by the server aiming at the target obfuscation code and a corresponding interpreter, and operating the target obfuscation code according to the virtual instruction and the corresponding interpreter. The embodiment of the invention confuses the code through various obfuscating plug-ins, so that the code is difficult to read and analyze, and virtualizes the code, so that the code cannot be checked, thereby avoiding the potential safety hazard that an attacker reads, analyzes, copies, embezzles or even tampers the code, providing effective protection for the running code, and greatly improving the safety of code processing.
Description
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a code processing method, a code processing apparatus, an electronic device, and a computer-readable medium.
Background
Javascript is a dynamic, weak, prototype-based language that is widely used in client scripting languages, and was originally used on HTML (an application under standard universal markup language) web pages to add dynamic functionality to HTML web pages.
Many new characteristics and functions of Javascript allow developers to easily create powerful WEB applications, but also bring new potential safety hazards, for example, Javascript codes run on a client, that is, it must be loaded and run at a user browser, and Javascript codes are publicly transparent, that is, a browser can directly obtain the source code of running Javascript, so that anyone can read, analyze, copy, steal, and even tamper, therefore, the current Javascript codes have great potential safety hazards.
Disclosure of Invention
The embodiment of the invention provides a code processing method, a code processing device, electronic equipment and a readable medium, which are used for improving the safety of code processing to a certain extent.
The embodiment of the invention discloses a code processing method, which is applied to a client, wherein the client communicates with a server, and the method comprises the following steps:
compiling the code to be obfuscated into an abstract syntax tree;
calling a preset confusion plug-in, and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree;
compiling the target abstract syntax tree into a target obfuscated code, and sending the target obfuscated code to the server;
and receiving a virtual instruction and a corresponding interpreter which are generated by the server aiming at the target obfuscated code, and operating the target obfuscated code according to the virtual instruction and the corresponding interpreter.
Optionally, the invoking a preset obfuscation plug-in, and processing each node in the abstract syntax tree through the obfuscation plug-in includes:
calling a preset confusion plug-in, and when each node in the abstract syntax tree is traversed, if a target node comprises a preset object or is a preset type node, carrying out corresponding processing on the target node through the corresponding confusion plug-in.
Optionally, the method further comprises:
and calling a preset detection plug-in, and inserting the detection plug-in into the target abstract syntax tree so as to detect the running condition of the target obfuscated code through the detection plug-in.
Optionally, the obfuscation plug-in comprises a variable obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
and if the target node comprises the variable name, converting the variable name at the target node through the variable confusion plug-in.
Optionally, the obfuscation plug-in comprises a string obfuscation plug-in and/or an array obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node comprises a character string, encrypting the character string at the target node through the character string confusion plug-in, and inserting a decryption mark; the decryption mark is used for indicating the client to call a corresponding decryption function for decryption when the target obfuscation code is operated; and/or the presence of a gas in the gas,
if a target node comprises a character string, extracting the character string at the target node to a global variable array for storage through the array obfuscation plug-in, and obfuscating the storage position of the character string.
Optionally, the obfuscation plug-in comprises a function conversion plug-in and an array obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node comprises a global variable function, converting the global variable function at the target node into a first preset function through the function conversion plug-in; and the number of the first and second groups,
and extracting the first preset function to a global variable array for storage through the array obfuscation plug-in, and obfuscating a storage position of the first preset function.
Optionally, the obfuscation plug-in comprises a flow obfuscation plug-in; if a target node is a node of a preset type, performing corresponding processing on the target node through the corresponding confusion plugin, including:
if a target node is a node of a function statement type or a node of a function expression type, the position sequence of each sub-node connected below the target node is obfuscated through the process obfuscation plug-in.
Optionally, the obfuscation plug-in includes a variable obfuscation plug-in, a call mode changing plug-in, a character string obfuscation plug-in, and an operation obfuscation plug-in; if a target node is a node of a preset type, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node is a node of a function call type, replacing a function at the target node with a second preset function through the variable obfuscating plug-in, the call mode changing plug-in, the character string obfuscating plug-in and the operation obfuscating plug-in.
Optionally, the detection plug-in includes at least one of an anti-debugging plug-in, an anti-formatting plug-in, and a domain name locking plug-in; the detecting, by the detection plug-in, the running condition of the target obfuscated code includes:
detecting whether the client opens a debugging page or not through the anti-debugging plug-in, and indicating the client to stop running the target obfuscated code when detecting that the client opens the debugging page; and/or the presence of a gas in the gas,
detecting, by the anti-formatting plugin, whether the target obfuscated code is secondarily formatted, and instructing the client to stop running the target obfuscated code when it is detected that the target obfuscated code is secondarily formatted; and/or the presence of a gas in the gas,
and detecting whether the target domain name of the client running the target confusion code is in a preset domain name list or not through the domain name locking plug-in, and indicating the client to stop running the target confusion code when detecting that the target domain name is not in the preset domain name list.
The embodiment of the invention also discloses a code processing device, which is applied to a client, the client communicates with a server, and the device comprises:
the first compiling module is used for compiling the codes to be obfuscated into an abstract syntax tree;
the confusion plug-in calling module is used for calling a preset confusion plug-in and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree;
the second compiling module is used for compiling the target abstract syntax tree into a target obfuscated code and sending the target obfuscated code to the server;
and the target obfuscation code running module is used for receiving a virtual instruction and a corresponding interpreter which are generated by the server aiming at the target obfuscation code, and running the target obfuscation code according to the virtual instruction and the corresponding interpreter.
Optionally, the obfuscating plug-in calling module includes:
and the confusion plug-in calling submodule is used for calling a preset confusion plug-in and carrying out corresponding processing on a target node through the corresponding confusion plug-in if the target node comprises a preset object or is a preset type node when each node in the abstract syntax tree is traversed.
Optionally, the apparatus further comprises:
and the detection plug-in calling module is used for calling a preset detection plug-in and inserting the detection plug-in into the target abstract syntax tree so as to detect the running condition of the target obfuscated code through the detection plug-in.
Optionally, the obfuscation plug-in comprises a variable obfuscation plug-in; the confusion plug-in calling submodule comprises:
and the first obfuscating plug-in processing unit is used for converting the variable name at a target node through the variable obfuscating plug-in if the target node comprises the variable name.
Optionally, the obfuscation plug-in comprises a string obfuscation plug-in and/or an array obfuscation plug-in; the confusion plug-in calling submodule comprises:
the second obfuscation plug-in processing unit is used for encrypting the character string at a target node and inserting a decryption mark through the character string obfuscation plug-in if the target node comprises the character string; the decryption mark is used for indicating the client to call a corresponding decryption function for decryption when the target obfuscation code is operated; and/or the presence of a gas in the gas,
and the third obfuscation plug-in processing unit is used for extracting the character string at the target node to the global variable array for storage and obfuscating the storage position of the character string through the array obfuscation plug-in if the target node comprises the character string.
Optionally, the obfuscation plug-in comprises a function conversion plug-in and an array obfuscation plug-in; the confusion plug-in calling submodule comprises:
a fourth confusion plug-in processing unit, if a target node comprises a global variable function, converting the global variable function at the target node into a first preset function through the function conversion plug-in; and the number of the first and second groups,
and the fifth confusion plug-in processing unit extracts the first preset function to the global variable array for storage through the array confusion plug-in, and confuses the storage position of the first preset function.
Optionally, the obfuscation plug-in comprises a flow obfuscation plug-in; the confusion plug-in calling submodule comprises:
and a sixth obfuscating plug-in processing unit, configured to obfuscate, if a target node is a node of a function declaration type or a node of a function expression type, a position order of each child node connected to the target node through the flow obfuscating plug-in.
Optionally, the obfuscation plug-in includes a variable obfuscation plug-in, a call mode changing plug-in, a character string obfuscation plug-in, and an operation obfuscation plug-in; the confusion plug-in calling submodule comprises:
and the seventh obfuscating plug-in processing unit is used for replacing the function at the target node with a second preset function through the variable obfuscating plug-in, the calling mode changing plug-in, the character string obfuscating plug-in and the operation obfuscating plug-in if the target node is a node of a function calling type.
Optionally, the detection plug-in includes at least one of an anti-debugging plug-in, an anti-formatting plug-in, and a domain name locking plug-in; the detection plug-in calling module comprises:
the first detection plug-in processing submodule is used for detecting whether the client opens a debugging page through the anti-debugging plug-in and indicating the client to stop running the target obfuscated code when detecting that the client opens the debugging page; and/or the presence of a gas in the gas,
the second detection plug-in processing submodule is used for detecting whether the target obfuscated code is secondarily formatted through the anti-formatting plug-in and instructing the client to stop running the target obfuscated code when the target obfuscated code is secondarily formatted; and/or the presence of a gas in the gas,
and the third detection plug-in processing submodule is used for detecting whether the target domain name of the client running the target confusion code is in a preset domain name list or not through the domain name locking plug-in and indicating the client to stop running the target confusion code when detecting that the target domain name is not in the preset domain name list.
The embodiment of the invention also discloses electronic equipment which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory finish mutual communication through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method according to the embodiment of the present invention when executing the program stored in the memory.
Also disclosed are one or more computer-readable media having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform a method according to an embodiment of the invention.
Compared with the prior art, the embodiment of the invention has the following advantages:
in the embodiment of the invention, a client compiles a code to be obfuscated into an abstract syntax tree, then a preset obfuscating plug-in is called, each node in the abstract syntax tree is processed through the obfuscating plug-in to obtain a target abstract syntax tree, then the target abstract syntax tree is compiled into a target obfuscating code, the target obfuscating code is sent to a server, finally a virtual instruction and a corresponding interpreter which are generated by the server aiming at the target obfuscating code are received, and the target obfuscating code is operated according to the virtual instruction and the corresponding interpreter. The embodiment of the invention confuses the code through various obfuscating plug-ins, so that the code is difficult to read and analyze, and virtualizes the code, so that the code cannot be checked, thereby avoiding the potential safety hazard that an attacker reads, analyzes, copies, embezzles or even tampers the code, providing effective protection for the running code, and greatly improving the safety of code processing.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart illustrating steps of a method for processing code according to an embodiment of the present invention;
FIG. 2 is a flow diagram illustrating obfuscation of an array obfuscation plug-in according to an embodiment of the present invention;
FIG. 3 is an obfuscation flow diagram of a flow obfuscation plug-in provided by an embodiment of the invention;
FIG. 4 is a diagram of server and client interaction provided by an embodiment of the invention;
fig. 5 is a block diagram of a code processing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Due to the cross-platform advantage of the HTML5, various requirements of users can be met, and the user experience is greatly improved, so that various HTML5 application scenes are more and more, and HTML5 webpage logic is realized based on JavaScript codes, but some security problems exist: for an HTML5 website, the method can be debugged at will, analyze related Javascript scripts at will, and tamper, replace or even hijack related pages; for HTML5 video applications, related Javascript scripts can be exchanged at will, and counterfeit applications are generated through embezzlement; for HTML5 financial applications, the business logic and system interface are exposed, and an attacker can help assist in plug-ins or tamper with or attack embedded services. Therefore, the security issues associated with Javascript are as follows: the Javascript code is an open source code and can be easily read and understood by an attacker; the Javascript codes can be easily debugged and analyzed by a debugging tool; the character strings in the Javascript code are all plaintext, and no protective measures are provided; the service logic of the Javascript code can be easily debugged and analyzed by an attacker; the Javascript file can be easily reused and embezzled; the service interface address within the Javascript file can be easily identified.
In view of the above problems, embodiments of the present invention provide a code processing method, which obfuscates a code through various obfuscation plug-ins, so that the code is difficult to read and analyze, and virtualizes the code, so that the code cannot be viewed, thereby avoiding a potential safety hazard that an attacker reads, analyzes, copies, embezzles, and even tampers the code, providing effective protection for the running code, and greatly improving the security of code processing.
Referring to fig. 1, a flowchart illustrating steps of a code processing method provided in an embodiment of the present invention is shown, and is applied to a client, where the client communicates with a server, and the method specifically includes the following steps:
In the embodiment of the present invention, the present invention may be applied to a client, and the client may be a computer device used in mobile, for example, a mobile phone, an iPad (tablet computer), a notebook computer, and the like, which is not limited in this respect. These clients can support operating systems such as Android, iOS (apple operating System), and Windows.
It should be noted that the code to be obfuscated may be source code written by a developer, and may include Javascript code. An Abstract Syntax Tree (AST) is an Abstract representation of the Syntax structure of the source code, and can represent the Syntax structure of the programming language in the form of a Tree, and each node on the Tree can represent a structure in the source code, so the Syntax is said to be "Abstract" because the Abstract Syntax Tree does not represent every detail appearing in the real Syntax, for example, the nesting brackets are hidden in the structure of the Tree and are not represented in the form of nodes, for example, the if-condition-then conditional jump statement can be represented by using a node with two branches.
The embodiment of the invention can realize the compiling of the code to be confused into the abstract syntax tree by the compiler Babel of the JavaScript code. The compilation process may generally include two phases: a lexical analysis phase and a syntactic analysis phase. The lexical analysis stage can convert the code to be obfuscated in the form of a character string into a token (tokens) flow, the token is similar to a node in an abstract syntax tree, the syntax analysis stage can convert one token flow into the form of the abstract syntax tree, and meanwhile, information in the token can be converted into a representation structure of the abstract syntax tree, so that the abstract syntax tree can be obtained.
And 102, calling a preset confusion plug-in, and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree.
It should be noted that IOC (Inversion of Control) is a design principle in object-oriented programming, and can be used to reduce the coupling degree between computer codes. According to the embodiment of the invention, various preset confusion plug-ins can be called through the IOC to process each node in the abstract syntax tree, so that the target abstract syntax tree can be obtained. When each node is processed, the reference relationship between different obfuscation plug-ins can be realized through the IOC, for example, for a certain node, on the basis that the obfuscation plug-in a is used for processing the node, the obfuscation plug-in B can be referred to for further processing the node, and then the IOC realizes the reference relationship between the obfuscation plug-in a and the obfuscation plug-in B for the node.
In an alternative embodiment of the present invention, step 102 may comprise the following sub-steps:
calling a preset confusion plug-in, and when each node in the abstract syntax tree is traversed, if a target node comprises a preset object or is a preset type node, carrying out corresponding processing on the target node through the corresponding confusion plug-in.
As an example, each node in the abstract syntax tree may be traversed with depth first, specifically, after entering a node, traversal is performed from top to bottom, and after the traversal is completed, the current node is returned from bottom to top, and then another node at the same level is entered. For example, assume an abstract syntax tree as follows:
the traversal process is as follows: 1) entering function declaration; 2) entering an identifier (id); 3) walking to the end; 4) exiting the identifier (id); 5) entering into Identifier (params [0 ]); 6) walking to the end; 7) withdraw the Identifier (params [0 ]); 8) enter BlockStatement (body); 9) enter Return State (body); 10) entering binaryexpression (acquisition); 11) entering an identifier (left); 12) walking to the end; 13) exiting the identifier (left); 14) enter identifier (right); 15) walking to the end; 16) exiting identifier (right); 17) exit binary expression (identification); 18) exiting Return State (body); 19) exit the blockatcrement (body); 20) the function declaration is exited.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
The embodiment of the invention can set the mapping relation between the confusion plug-in and the preset object and the mapping relation between the confusion plug-in and the preset type node. When traversing each node in the abstract syntax tree according to the depth first, if a certain target node comprises a preset object, performing corresponding processing on the target node through a confusion plug-in corresponding to the preset object; or, if a certain target node is a node of a preset type, the target node may be processed correspondingly through a obfuscation plug-in corresponding to the node of the preset type.
In an alternative embodiment of the invention, the obfuscation plug-in comprises a variable obfuscation plug-in; step 102 may include the following sub-steps:
and if the target node comprises the variable name, converting the variable name at the target node through the variable confusion plug-in.
As an example, the obfuscation plug-in may include a variable obfuscation plug-in by which variable names at the target node may be converted if the target node includes variable names. The conversion manner may include converting the variable name at the target node into hexadecimal, for example, for a code to be obfuscated: after compiling the code to be obfuscated into an abstract syntax tree, the variable name "test" may be used as a node, and when traversing to the node, the node is read to include the variable name "test", and then the variable name "test" may be converted into "_ 0x7deb by the variable obfuscation plug-in. In addition, the conversion mode can also include converting the variable name at the target node into a short name, for example, the variable name "test" can be converted into a short name such as "t" or "e" or "st" through the variable obfuscation plug-in. The present invention does not limit the manner in which variable names are converted.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
In an optional embodiment of the invention, the obfuscation plug-in comprises a character string obfuscation plug-in and/or an array obfuscation plug-in; step 102 may include the following sub-steps:
if a target node comprises a character string, encrypting the character string at the target node through the character string confusion plug-in, and inserting a decryption mark; the decryption mark is used for indicating the client to call a corresponding decryption function for decryption when the target obfuscation code is operated; and/or the presence of a gas in the gas,
if a target node comprises a character string, extracting the character string at the target node to a global variable array for storage through the array obfuscation plug-in, and obfuscating the storage position of the character string.
As an example, the obfuscation plug-in may include a string obfuscation plug-in, and if the target node includes a string, for example, the code var test ═ the string "hello" in the 'hello', the string "hello" at the target node may be encrypted by the string obfuscation plug-in, and a decryption flag may be inserted in the string "hello", so that when the target obfuscation code corresponding to the string "hello" is run, the client may call a corresponding decryption function to decrypt.
As another example, the obfuscation plug-in may include an array obfuscation plug-in, which may obfuscate if the target node includes a string, such as the string "hello" in the code var test ═ hello'. Referring to fig. 2, which shows a confusion flow chart of an array confusion plugin according to an embodiment of the present invention, a process of traversing an abstract syntax tree is performed, if a target node is read to include a character string, for example, a character string "hello" in a code var test ═ hello', a global variable array may be declared first, and then it is determined whether a repetitive value is stored in the global variable array, that is, it is determined whether the character string "hello" is stored in the global variable array, and if the character string "hello" is originally stored in the global variable array, the character string "hello" may not be extracted from the target node, but a storage address of the repetitive value may be recorded; if the global variable array does not store the character string "hello", the character string "hello" can be extracted from the target node and stored in the global variable array, and the storage address of the character string "hello" in the global variable array can be recorded; the memory address of the string "hello" or the memory address of the repetitive value may then be put into the target node to replace the string "hello" at the target node; then, the storage positions of all character strings in the global variable array can be mixed, and restoring codes can be inserted; and finally, putting the global variable array into the global environment of the abstract syntax tree. Therefore, when the client runs the target confusion code corresponding to the character string 'hello', the character string corresponding to the storage address can be found from the global variable array according to the storage address at the target node, and since the storage positions of all the character strings in the global variable array are confused, the storage positions of all the character strings can be restored through the restoration code, so that the original character string 'hello' of the target node can be found.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
In an optional embodiment of the invention, the obfuscation plug-in comprises a function conversion plug-in and an array obfuscation plug-in; step 102 may include the following sub-steps:
if a target node comprises a global variable function, converting the global variable function at the target node into a first preset function through the function conversion plug-in; and the number of the first and second groups,
and extracting the first preset function to a global variable array for storage through the array obfuscation plug-in, and obfuscating a storage position of the first preset function.
As an example, obfuscation plug-ins may include flow obfuscation plug-ins and array obfuscation plug-ins, and if a target node includes a global variable function, such as eval, Object, Boolean, etc., the global variable function may be obfuscated via a function transformation plug-in and an array obfuscation plug-in turn.
Because the global variable function belongs to the built-in function of the Javascript, the array confusion plug-in extracts the global variable function into the global variable array, and finally the global variable array is put into the global environment of the abstract syntax tree, the problem of incompatibility between the global variable array and the global environment is easy to occur, namely, incompatibility with the operation environment of the client is caused.
In order to avoid the above problem, before the global variable function at the target node is extracted by the array obfuscation plug-in, the global variable function may be converted into a first preset function by the function conversion plug-in, where the expression of the first preset function may be window [ "global variable function" ]. For example, the eval function may be converted into window [ "eval" ], the Object function may be converted into window [ "Object" ], and the like, so that the problem of incompatibility may be solved.
After the first preset function is converted, the first preset function can be extracted to the global variable array through the array confusion plug-in, before extraction, one global variable array can be declared firstly, then whether repetitive values are stored in the global variable array or not is judged, if the repetitive values exist, the first preset function does not need to be extracted from the target node, and the storage addresses of the repetitive values can be recorded; if the repeated value does not exist, extracting a first preset function from the target node to the global variable array for storage, and recording the storage address of the first preset function in the global variable array; the memory address of the first preset function or the memory address of the repetitive value may then be put into the target node to replace the first preset function at the target node.
It should be noted that the array obfuscating plug-in may extract not only the character string to the global variable array, but also the first preset function to the global variable array, where the character string and the first preset function may be extracted to the same global variable array, and may also be extracted to different global variable arrays, which is not limited in this embodiment of the present invention.
If the character strings and the first preset functions are extracted into the same global variable array, the storage positions of the character strings and the first preset functions in the global variable array can be mixed, and a reduction code can be inserted; if the character string and the first preset function are extracted into different global variable arrays, the storage positions of the first preset functions can be mixed in the global variable array stored with the first preset function, the restoring code can be inserted, and finally the global variable array can be placed in the global environment of the abstract syntax tree.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
In an optional embodiment of the invention, the obfuscation plug-in comprises a flow obfuscation plug-in; step 102 may include the following sub-steps:
if a target node is a node of a function statement type or a node of a function expression type, the position sequence of each sub-node connected below the target node is obfuscated through the process obfuscation plug-in.
As an example, the obfuscation plug-in may include a flow obfuscation plug-in, and if the target node is a function declaration type node, i.e., a function declaration node, or if the target node is a function expression type node, i.e., a function expression node, the positional order of the respective child nodes connected below the target node may be obfuscated by the flow obfuscation plug-in. For example, in the above example of traversing the abstract syntax tree, if a target node is read to be a functional declaration node, and there are three sub-nodes connected below the functional declaration node, which are respectively an Identifier (id) sub-node, an Identifier (params [0]) sub-node, and a blockastate (body) sub-node, and the initial position sequences of the three sub-nodes are Identifier (id) -Identifier (params [0]) -blockastatement (body), through process obfuscation, the initial position sequences of the three sub-nodes may be obfuscated, so that an attacker cannot know the initial position sequences of the three sub-nodes, thereby increasing the difficulty of reading and analyzing.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
Before the obfuscating the position order of each child node connected to the target node by the flow obfuscation plug-in, the method may further include:
establishing corresponding indexes according to the position sequence of each child node connected under the target node, and establishing a distributor according to the indexes; and the distributor is used for indicating the client to run the sequence of the codes corresponding to the sub nodes based on the position sequence.
As an example, since the position order of each child node connected below the target node is obfuscated in the embodiment of the present invention, the client cannot know the initial position order of the child nodes when running the target obfuscating code. Therefore, before confusion, the embodiment of the present invention may establish corresponding indexes according to the position sequence of each child node connected under the target node, and then may establish a distributor according to the indexes, and the client may learn the sequence of running the codes corresponding to each child node according to the distributor. By taking the above example of traversing the abstract syntax tree as an illustration, referring to fig. 3, an obfuscated flow diagram of a flow obfuscation plug-in provided by an embodiment of the present invention is shown, where, container.log (a) is identified (id), container.log (B) is identified (params [0]), and container.log (C) is blocked state (body), and corresponding indexes are established according to the position order of the three child nodes, such as an index of container.log (a) -container.log (B) -container.log (C), and then a distributor may be established according to the indexes, and then the position order of the three child nodes may be obfuscated by the flow obfuscation plug-in, as shown in the left flow diagram in fig. 3, the position order of the obfuscated three child nodes may be container.log (B) -container.log (C) -container.log (a). When the client runs the target obfuscated codes corresponding to each child node, the client may learn the sequence of the running codes according to the distributor, as shown in the right flow chart in fig. 3, and may learn to execute the code of console.log (a) first according to index ═ 0; log (a) is executed, and after encountering continue, and returning to flow [ index + + ], and after adding 1 to index itself, the client can know the code to execute continole. Log (B) is executed, and when a continue is encountered, the flow is returned to [ index + + ], and when the index is added by 1, the index is 2, and the client can know the code for executing the continue.log (C) next; log (C) is executed, and when continue is encountered, flow is returned to [ index + + ], and when index is self-incremented by 1, index is 3, and since the code with index has been executed, the client flows to break, and the flow of instructions of the distributor is jumped out.
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
In an optional embodiment of the present invention, the obfuscation plug-in includes a variable obfuscation plug-in, a call mode changing plug-in, a character string obfuscation plug-in, and an operation obfuscation plug-in; step 102 may include the following sub-steps:
if a target node is a node of a function call type, replacing a function at the target node with a second preset function through the variable obfuscating plug-in, the call mode changing plug-in, the character string obfuscating plug-in and the operation obfuscating plug-in.
As an example, the obfuscation plug-in may include a variable obfuscation plug-in, a calling mode changing plug-in, a string obfuscation plug-in, and an operation obfuscation plug-in, if the target node is a node of a function call type, i.e., a CallExpression node, the function at the target node may be replaced by the variable obfuscation plug-in, the calling mode changing plug-in, the string obfuscation plug-in, and the operation obfuscation plug-in, and the function at the target node may be replaced by a second preset function, where a function call expression in the second preset function may be (0, function name) (a, b), and when the function needs to be called, the function may be uniformly replaced by the second preset function. For example, the following code is a node of the function call type:
int test=c(1,2);
int c(a,b){return a+b};
the code may include a variable name "test", a character string "1", "2", and an operator "+", and "int test ═ c (1, 2)" may call the function c, so that the function at the target node may be replaced by a second preset function through a variable obfuscation plug-in, a call change plug-in, a character string obfuscation plug-in, and an operation obfuscation plug-in, and become the following code:
int_0x7deb=(0,c)(1,2);
when the client runs the second preset function corresponding to the target node, the client may call the function int c (a, b) { return a + b }, according to the function name c, and then may call the decryption function to decrypt the character strings "1" and "2".
The above examples are only for the purpose of better understanding the embodiments of the present invention to those skilled in the art, and the present invention is not limited thereto.
And 103, compiling the target abstract syntax tree into a target obfuscated code, and sending the target obfuscated code to the server.
In the embodiment of the invention, each node in the abstract syntax tree is processed through various obfuscation plug-ins, so that a target abstract syntax tree can be obtained, then the target abstract syntax tree can be compiled into a target obfuscated code, and target code obfuscation can make an attacker difficult to read and analyze, so that the potential safety hazards of anyone reading, analyzing, copying, embezzlement and tampering the code can be avoided, effective protection is provided for the running code, and the safety of code processing is greatly improved.
In order to further increase the protection on the running target obfuscated code, the embodiment of the present invention may change the target obfuscated code into a virtual instruction, so that an attacker cannot view the running target obfuscated code on a client page, and therefore, the client may send the target obfuscated code to the server, and the server virtualizes the target obfuscated code.
And 104, receiving a virtual instruction and a corresponding interpreter generated by the server aiming at the target obfuscation code, and operating the target obfuscation code according to the virtual instruction and the corresponding interpreter.
As an example, referring to fig. 4, which illustrates an interaction diagram between a server and a client according to an embodiment of the present invention, after the server reads a target obfuscating code sent by the client, the target obfuscating code may be analyzed, then the target obfuscating code may be virtualized to obtain a virtual instruction, and the virtual instruction may be further encrypted, and then a corresponding interpreter may be generated for the encrypted virtual instruction, and the server may return the virtual instruction and the corresponding interpreter to the client.
In addition, the code to be obfuscated may originally have an error code, so that the target obfuscated code may also have an error code, and thus the server cannot virtualize the target obfuscated code to obtain a virtual instruction, so the server directly jumps to the ending step, and then the target obfuscated code may be returned to the client, so that the user modifies and perfects the error code.
After the client loads the virtual instruction and the corresponding interpreter, the interpreter can be adopted to decrypt the virtual instruction, then the interpreter can be adopted to restore the decrypted virtual instruction, the target obfuscated code can be obtained, and the client can load the virtual instruction and the corresponding interpreter and run the target obfuscated code at the same time, so that the condition that an attacker checks the running target obfuscated code on a client page can be avoided, the protection of the running target obfuscated code is further increased, and the safety of code processing is further improved.
In an optional embodiment of the invention, the method may further comprise:
and calling a preset detection plug-in, and inserting the detection plug-in into the target abstract syntax tree so as to detect the running condition of the target obfuscated code through the detection plug-in.
The embodiment of the invention can also set a preset detection plug-in, can call the preset detection plug-in through the IOC, and then can randomly or regularly insert the detection plug-in into the target abstract syntax tree, so that when the client runs the target obfuscated code, the running condition of the target obfuscated code can be detected through the detection plug-in, and the safety of code processing can be further improved.
In an optional embodiment of the present invention, the detection plug-in includes at least one of an anti-debugging plug-in, an anti-formatting plug-in, and a domain name locking plug-in; the step of detecting the operational condition of the target obfuscated code by the detection plug-in may include the sub-steps of:
detecting whether the client opens a debugging page or not through the anti-debugging plug-in, and indicating the client to stop running the target obfuscated code when detecting that the client opens the debugging page; and/or the presence of a gas in the gas,
detecting, by the anti-formatting plugin, whether the target obfuscated code is secondarily formatted, and instructing the client to stop running the target obfuscated code when it is detected that the target obfuscated code is secondarily formatted; and/or the presence of a gas in the gas,
and detecting whether the target domain name of the client running the target confusion code is in a preset domain name list or not through the domain name locking plug-in, and indicating the client to stop running the target confusion code when detecting that the target domain name is not in the preset domain name list.
In the embodiment of the invention, the detection plug-in can comprise at least one of an anti-debugging plug-in, an anti-formatting plug-in and a domain name locking plug-in, and the running condition of the target obfuscated code can be detected through the anti-debugging plug-in, the anti-formatting plug-in and the domain name locking plug-in, so that the safety of code processing can be further improved.
As an example, the anti-debugging plug-in may include a debug instruction, where the debug instruction is a debugging tool in JavaScript, and in the embodiment of the present invention, whether a debugging page is opened by a client may be detected by the debug instruction, and once a debugging behavior is found, that is, it is detected that the debugging page is opened, the anti-debugging plug-in may control a target obfuscating code to be always a debug breakpoint, so that the client stops running the target obfuscating code, thereby implementing effective protection on the running target obfuscating code, and improving security of code processing.
As an example, since the obfuscating is performed on the obfuscated target obfuscated code, and the obtained target obfuscated code is already formatted once, in the embodiment of the present invention, it may be detected by the anti-formatting plug-in whether the target obfuscated code is formatted twice, and if it is detected that the target obfuscated code is formatted twice, it indicates that an attacker attempts to format the target obfuscated code, the anti-formatting plug-in may instruct the client to stop running the target obfuscated code, so as to implement effective protection on the running target obfuscated code, and improve the security of code processing.
As an example, in the embodiment of the present invention, a preset domain name list is set, and a domain name in the preset domain name list allows a client to run a target obfuscating code; and the domain name which is not in the preset domain name list does not allow the client to run the target confusion code, so that the domain name binding of the target confusion code can be realized. The embodiment of the invention can detect whether the target domain name of the client running the target confusion code is in the preset domain name list or not through the domain name locking plug-in, and when the target domain name is detected not to be in the preset domain name list, the domain name locking plug-in can instruct the client to stop running the target confusion code, thereby realizing effective protection on the running target confusion code and improving the safety of code processing.
In the embodiment of the invention, a client compiles a code to be obfuscated into an abstract syntax tree, then a preset obfuscating plug-in is called, each node in the abstract syntax tree is processed through the obfuscating plug-in to obtain a target abstract syntax tree, then the target abstract syntax tree is compiled into a target obfuscating code, the target obfuscating code is sent to a server, finally a virtual instruction and a corresponding interpreter which are generated by the server aiming at the target obfuscating code are received, and the target obfuscating code is operated according to the virtual instruction and the corresponding interpreter. The embodiment of the invention confuses the code through various obfuscating plug-ins, so that the code is difficult to read and analyze, and virtualizes the code, so that the code cannot be checked, thereby avoiding the potential safety hazard that an attacker reads, analyzes, copies, embezzles or even tampers the code, providing effective protection for the running code, and greatly improving the safety of code processing.
It should be noted that for simplicity of description, the method embodiments are shown as a series of combinations of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those of skill in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the embodiments of the invention.
Referring to fig. 5, a block diagram of a code processing apparatus provided in an embodiment of the present invention is shown, and is applied to a client, where the client communicates with a server, and the code processing apparatus specifically includes the following modules:
a first compiling module 501, configured to compile a code to be obfuscated into an abstract syntax tree;
a obfuscation plug-in calling module 502, configured to call a preset obfuscation plug-in, and process each node in the abstract syntax tree through the obfuscation plug-in to obtain a target abstract syntax tree;
a second compiling module 503, configured to compile the target abstract syntax tree into a target obfuscated code, and send the target obfuscated code to the server;
the target obfuscated code execution module 504 is configured to receive a virtual instruction and a corresponding interpreter generated by the server for the target obfuscated code, and execute the target obfuscated code according to the virtual instruction and the corresponding interpreter.
In an optional embodiment of the present invention, the obfuscating plug-in invoking module 502 may include:
and the confusion plug-in calling submodule is used for calling a preset confusion plug-in and carrying out corresponding processing on a target node through the corresponding confusion plug-in if the target node comprises a preset object or is a preset type node when each node in the abstract syntax tree is traversed.
In an optional embodiment of the present invention, the apparatus may further comprise:
and the detection plug-in calling module is used for calling a preset detection plug-in and inserting the detection plug-in into the target abstract syntax tree so as to detect the running condition of the target obfuscated code through the detection plug-in.
In an alternative embodiment of the invention, the obfuscation plug-in comprises a variable obfuscation plug-in; the obfuscating plug-in invoking sub-module may include:
and the first obfuscating plug-in processing unit is used for converting the variable name at a target node through the variable obfuscating plug-in if the target node comprises the variable name.
In an optional embodiment of the invention, the obfuscation plug-in comprises a character string obfuscation plug-in and/or an array obfuscation plug-in; the obfuscation plug-in invocation sub-module may include:
the second confusion plug-in processing unit is used for encrypting the character string at a target node and inserting a decryption mark through the character string confusion plug-in if the target node comprises the character string; the decryption mark is used for indicating the client to call a corresponding decryption function for decryption when the target obfuscation code is operated; and/or the presence of a gas in the gas,
and the third obfuscation plug-in processing unit is used for extracting the character string at the target node to the global variable array for storage and obfuscating the storage position of the character string through the array obfuscation plug-in if the target node comprises the character string.
In an optional embodiment of the invention, the obfuscation plug-in comprises a function conversion plug-in and an array obfuscation plug-in; the obfuscation plug-in invocation sub-module may include:
a fourth obfuscation plug-in processing unit, configured to, if a target node includes a global variable function, convert the global variable function at the target node into a first preset function through the function conversion plug-in; and the number of the first and second groups,
and the fifth confusion plug-in processing unit extracts the first preset function to the global variable array for storage through the array confusion plug-in, and confuses the storage position of the first preset function.
In an optional embodiment of the invention, the obfuscation plug-in comprises a flow obfuscation plug-in; the obfuscation plug-in invocation sub-module may include:
a sixth obfuscating plug-in processing unit, configured to obfuscate, if a target node is a node of a function declaration type or a node of a function expression type, a position sequence of each child node connected to the target node through the process obfuscating plug-in;
before the obfuscating the position sequence of each child node connected to the target node by the flow obfuscation plug-in, the apparatus may further include:
the distributor establishing module is used for establishing corresponding indexes according to the position sequence of each child node connected under the target node and establishing a distributor according to the indexes; and the distributor is used for indicating the client to run the sequence of the codes corresponding to the sub nodes based on the position sequence.
In an optional embodiment of the present invention, the obfuscation plug-in includes a variable obfuscation plug-in, a call mode changing plug-in, a character string obfuscation plug-in, and an operation obfuscation plug-in; the obfuscating plug-in invoking sub-module may include:
and the seventh obfuscating plug-in processing unit is used for replacing the function at the target node with a second preset function through the variable obfuscating plug-in, the calling mode changing plug-in, the character string obfuscating plug-in and the operation obfuscating plug-in if the target node is a node of a function calling type.
In an optional embodiment of the present invention, the detection plug-in includes at least one of an anti-debugging plug-in, an anti-formatting plug-in, and a domain name locking plug-in; the detect plug-in invocation module may include:
the first detection plug-in processing submodule is used for detecting whether the client opens a debugging page through the anti-debugging plug-in and indicating the client to stop running the target obfuscated code when detecting that the client opens the debugging page; and/or the presence of a gas in the gas,
the second detection plug-in processing submodule is used for detecting whether the target obfuscated code is secondarily formatted through the anti-formatting plug-in and instructing the client to stop running the target obfuscated code when the target obfuscated code is secondarily formatted; and/or the presence of a gas in the gas,
and the third detection plug-in processing submodule is used for detecting whether the target domain name of the client running the target confusion code is in a preset domain name list or not through the domain name locking plug-in and indicating the client to stop running the target confusion code when detecting that the target domain name is not in the preset domain name list.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
Preferably, an embodiment of the present invention further provides an electronic device, including: the processor, the memory, and the computer program stored in the memory and capable of running on the processor, when being executed by the processor, implement each process of the code processing method embodiments, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program implements each process of the code processing method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (12)
1. A code processing method applied to a client, the client communicating with a server, the method comprising:
compiling the code to be obfuscated into an abstract syntax tree;
calling a preset confusion plug-in, and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree;
compiling the target abstract syntax tree into a target obfuscating code, and sending the target obfuscating code to the server;
and receiving a virtual instruction and a corresponding interpreter generated by the server aiming at the target obfuscation code, and operating the target obfuscation code according to the virtual instruction and the corresponding interpreter.
2. The method according to claim 1, wherein the calling a preset obfuscation plug-in and processing each node in the abstract syntax tree by the obfuscation plug-in comprises:
calling a preset confusion plug-in, and when each node in the abstract syntax tree is traversed, if a target node comprises a preset object or is a preset type node, carrying out corresponding processing on the target node through the corresponding confusion plug-in.
3. The method of claim 1, further comprising:
and calling a preset detection plug-in, and inserting the detection plug-in into the target abstract syntax tree so as to detect the running condition of the target obfuscated code through the detection plug-in.
4. The method of claim 2, wherein the obfuscation plug-in comprises a variable obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding confusion plug-in, wherein the processing comprises the following steps:
and if the target node comprises the variable name, converting the variable name at the target node through the variable confusion plug-in.
5. The method of claim 2, wherein the obfuscation plug-in comprises a string obfuscation plug-in and/or an array obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node comprises a character string, encrypting the character string at the target node through the character string confusion plug-in, and inserting a decryption mark; the decryption mark is used for indicating the client to call a corresponding decryption function for decryption when the target obfuscation code is operated; and/or the presence of a gas in the gas,
if a target node comprises a character string, extracting the character string at the target node to a global variable array for storage through the array obfuscation plug-in, and obfuscating the storage position of the character string.
6. The method of claim 2, wherein the obfuscation plug-ins include a function conversion plug-in and an array obfuscation plug-in; if a target node comprises a preset object, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node comprises a global variable function, converting the global variable function at the target node into a first preset function through the function conversion plug-in; and the number of the first and second groups,
and extracting the first preset function to a global variable array for storage through the array obfuscation plug-in, and obfuscating a storage position of the first preset function.
7. The method of claim 2, wherein the obfuscation plug-in comprises a flow obfuscation plug-in; if a target node is a node of a preset type, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node is a node of a function statement type or a node of a function expression type, the position sequence of each sub-node connected below the target node is obfuscated through the process obfuscation plug-in.
8. The method of claim 2, wherein the obfuscation plug-ins include a variable obfuscation plug-in, a call change plug-in, a string obfuscation plug-in, and a calculation obfuscation plug-in; if a target node is a node of a preset type, performing corresponding processing on the target node through the corresponding obfuscation plug-in, including:
if a target node is a node of a function call type, replacing a function at the target node with a second preset function through the variable confusion plug-in, the call mode change plug-in, the character string confusion plug-in and the operation confusion plug-in.
9. The method of claim 3, wherein the detection plug-in comprises at least one of an anti-debug plug-in, an anti-format plug-in, a domain name lock plug-in; the detecting, by the detection plug-in, the running condition of the target obfuscated code includes:
detecting whether the client opens a debugging page or not through the anti-debugging plug-in, and indicating the client to stop running the target obfuscated code when detecting that the client opens the debugging page; and/or the presence of a gas in the gas,
detecting, by the anti-formatting plugin, whether the target obfuscated code is secondarily formatted, and instructing the client to stop running the target obfuscated code when it is detected that the target obfuscated code is secondarily formatted; and/or the presence of a gas in the gas,
and detecting whether a target domain name of the client running the target confusion code is in a preset domain name list or not through the domain name locking plug-in, and indicating the client to stop running the target confusion code when detecting that the target domain name is not in the preset domain name list.
10. A code processing apparatus applied to a client which communicates with a server, the apparatus comprising:
the first compiling module is used for compiling the codes to be obfuscated into an abstract syntax tree;
the confusion plug-in calling module is used for calling a preset confusion plug-in and processing each node in the abstract syntax tree through the confusion plug-in to obtain a target abstract syntax tree;
the second compiling module is used for compiling the target abstract syntax tree into a target obfuscated code and sending the target obfuscated code to the server;
and the target obfuscation code running module is used for receiving a virtual instruction and a corresponding interpreter which are generated by the server aiming at the target obfuscation code, and running the target obfuscation code according to the virtual instruction and the corresponding interpreter.
11. An electronic device, comprising: processor, memory and a computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, carries out the steps of the code processing method according to any of claims 1 to 9.
12. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, realizes the steps of the code processing method according to any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111370133.4A CN114090964A (en) | 2021-11-18 | 2021-11-18 | Code processing method and device, electronic equipment and readable medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111370133.4A CN114090964A (en) | 2021-11-18 | 2021-11-18 | Code processing method and device, electronic equipment and readable medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114090964A true CN114090964A (en) | 2022-02-25 |
Family
ID=80301767
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111370133.4A Pending CN114090964A (en) | 2021-11-18 | 2021-11-18 | Code processing method and device, electronic equipment and readable medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114090964A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117349803A (en) * | 2023-12-06 | 2024-01-05 | 浙江大学 | Code confusion method, device, electronic equipment and computer readable storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20120006288A (en) * | 2010-07-12 | 2012-01-18 | 엔에이치엔(주) | Method, system and computer readable recording medium for desultory change to protect source code of javascript |
| US20140245271A1 (en) * | 2013-02-28 | 2014-08-28 | Microsoft Corporation | Compiler Based Obfuscation |
| WO2016163901A1 (en) * | 2015-04-07 | 2016-10-13 | Huawei Technologies Co., Ltd. | An apparatus for processing an abstract syntax tree being associated with a source code of a source program |
| KR102105020B1 (en) * | 2019-08-30 | 2020-04-27 | (유)아홉 | Dynamic self mutation system using virtual machine based code transformation technology |
| CN112597454A (en) * | 2020-12-28 | 2021-04-02 | 深圳市欢太科技有限公司 | Code obfuscation method, code operation method, device, medium, and apparatus |
-
2021
- 2021-11-18 CN CN202111370133.4A patent/CN114090964A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20120006288A (en) * | 2010-07-12 | 2012-01-18 | 엔에이치엔(주) | Method, system and computer readable recording medium for desultory change to protect source code of javascript |
| US20140245271A1 (en) * | 2013-02-28 | 2014-08-28 | Microsoft Corporation | Compiler Based Obfuscation |
| WO2016163901A1 (en) * | 2015-04-07 | 2016-10-13 | Huawei Technologies Co., Ltd. | An apparatus for processing an abstract syntax tree being associated with a source code of a source program |
| KR102105020B1 (en) * | 2019-08-30 | 2020-04-27 | (유)아홉 | Dynamic self mutation system using virtual machine based code transformation technology |
| CN112597454A (en) * | 2020-12-28 | 2021-04-02 | 深圳市欢太科技有限公司 | Code obfuscation method, code operation method, device, medium, and apparatus |
Non-Patent Citations (1)
| Title |
|---|
| 叶林华: "防逆向技术简史:从代码混淆到虚拟机保护技术", pages 2, Retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/28122525> * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117349803A (en) * | 2023-12-06 | 2024-01-05 | 浙江大学 | Code confusion method, device, electronic equipment and computer readable storage medium |
| CN117349803B (en) * | 2023-12-06 | 2024-03-19 | 浙江大学 | Code confusion method, device, electronic equipment and computer readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106161381B (en) | Device and method and computer-readable medium for removing to obscure scripting language | |
| Caballero et al. | Binary Code Extraction and Interface Identification for Security Applications. | |
| Kalysch et al. | VMAttack: deobfuscating virtualization-based packed binaries | |
| Lee et al. | Design and implementation of the secure compiler and virtual machine for developing secure IoT services | |
| JP2018181350A (en) | Method and system for evaluating security of application | |
| Martinelli et al. | Evaluating model checking for cyber threats code obfuscation identification | |
| EP3287930A1 (en) | Javascript security testing | |
| CN110245467A (en) | Android application program guard method based on Dex2C and LLVM | |
| Liang et al. | Deobfuscation of virtualization-obfuscated code through symbolic execution and compilation optimization | |
| Zhao et al. | Compile-time code virtualization for android applications | |
| Lan et al. | Lambda obfuscation | |
| CN111753302A (en) | Method and device for detecting code bugs, computer readable medium and electronic equipment | |
| CN114090964A (en) | Code processing method and device, electronic equipment and readable medium | |
| Suk et al. | SCORE: source code optimization & reconstruction | |
| CN115774865A (en) | Front-end code operation method and device, electronic equipment and storage medium | |
| KR101436741B1 (en) | The method and system for applying security solution program | |
| US11256786B2 (en) | Method to secure a software code | |
| CN116361793A (en) | Code detection method, device, electronic equipment and storage medium | |
| CN115688108A (en) | Webshell static detection method and system | |
| Prakash et al. | Opaque predicate detection by static analysis of binary executables | |
| Lim et al. | Visualizing JIT compiler graphs | |
| Liu et al. | Software obfuscation with non-linear mixed boolean-arithmetic expressions | |
| EP2947590A1 (en) | Program code obfuscation based upon recently executed program code | |
| CN111651781A (en) | Log content protection method and device, computer equipment and storage medium | |
| Groß et al. | Protecting JavaScript apps from code analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |