CN103065069A - Software protection method based on shell technology - Google Patents

Software protection method based on shell technology

Info

Publication number: CN103065069A
Authority: CN (China)
Prior art keywords: shell, file, instruction, data, software based
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2013100315242A
Other languages: Chinese (zh)
Inventors: 陈文宇, 李文, 刘贵松, 欧睿杰, 符明晟, 袁野, 朱建
Current assignee: University of Electronic Science and Technology of China (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: University of Electronic Science and Technology of China
Priority date: 2013-01-28 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2013-01-28
Publication date: 2013-04-24


Abstract

The invention discloses a software protection method based on shell (packing) technology, in the technical field of software encryption. It rests on a code-disordering mechanism: the code of the original program and of the shell program is disordered together so that the two are fused, and junk instructions (花指令, "flower instructions") are inserted during the disordering to defeat static decompilation; in the shell, the SHE technique is used to counter dynamic tracing. When a cracker strips the shell from software protected by the invention, part of the original program is removed along with the shell, which achieves the purpose of protecting the software.

Description

A software protection method based on shell technology
Technical field
The present invention relates to the field of software encryption, and specifically to a software protection method based on shell technology.
Background technology
As computer software technology has developed, the ability of malware to infect and damage systems has grown and the skill of crackers has risen markedly. Traditional software and hardware encryption schemes give poor protection to software with high security requirements, so protection has evolved into many other mature approaches: registration verification, software watermarking, anti-tracing techniques, encryption techniques and so on. Among these, shell encryption (packing) is the most common and the most secure technique in software encryption.
Protection by encryption means the following: some algorithm is used to encrypt and compress the portable executable (PE) file, that is, a shell is added to the PE file. A software shell is in fact a piece of program code that prevents the software from being used, tampered with or copied illegally. This code normally runs before the original program and takes control first, and that is how it protects the software. A packed PE file can still be run directly: the shell is responsible for decompressing the original program of the PE file into memory and returning control to the original program once decompression and decryption are done. The whole process runs in memory, has essentially no effect on the speed of the program, and decryption and decompression are completely transparent.
The PE file format
The PE binary file format belongs to the Microsoft operating system family. The binary data stream of a PE file is linear. It begins with an MS-DOS header, followed immediately by an MS-DOS stub program, and then by the PE file header, which comprises the image file header (File Header) and the optional header (Optional Header); the structure after that is the section headers, immediately followed by the sections themselves; the tail of the PE file holds other data, including CodeView debug information, COFF symbol table information, COFF line number information and so on. Overall, the PE file format is divided into five major parts: the DOS header (DOS Header), the PE file header (PE Header), the section table (Section Table), the sections (Section) and the debug information.
The PE file structure contains three very important headers: the DOS Header, for compatibility with earlier platforms; the PE Header, holding the configuration information of the PE file; and the Section Header, holding the information about each section of the PE file.
When the PE loader loads a PE file, it uses the file information given by these three headers to load each part of the file and map it to its corresponding position in memory, keeping it consistent with the data layout on disk. Which parts are mapped is decided by walking the internal information of the PE file on disk; once the file has been loaded into memory, the data structure layout in memory is consistent with the data structure layout on external storage (disk). Therefore, if one knows what data exists in a structure on disk, one can basically find the same data in the memory-mapped file; but in the memory-mapped file the relative positions of these data are usually changed, so the data offsets differ from those on disk. In any case, for all of these data, the file offset on disk and the offset in the memory-mapped file can be converted into one another. To unpack a packed PE file, the first and most important step is to find the entry address of the PE file's original program; the memory image of the PE file is then dumped and the program restored.
Summary of the invention
In view of the prior art described above, the technical problem solved by the present invention is the following. With an existing packed PE file, the loading of the shell itself hands the unpacker an obvious breakpoint: whatever the shell does, it must finally jump to the entry address of the original program, and at that moment the shell has been successfully stripped. Because control must ultimately return to the original program, this boundary at the entry address cannot be hidden. Protection can therefore only target the second step of unpacking, that is, taking measures so that even when the unpacker obtains the memory image of the PE file, there is no good way to restore it to the original program.
To solve the technical problem described above, the present invention adopts the following technical scheme:
A software protection method based on shell technology, characterized by comprising the following steps:
One, encryption step: the section data and resource data of the image file in memory are encrypted;
Two, shell step: the shell runs first, decrypts the encrypted data, modifies the relevant information and restores the original program of the PE file;
Three, packing step: a new section is created in the PE file to hold the shell data, and its section header is added to the original section table of the PE file;
Four, PE file processing step: the PE file is read into memory, and then the appended data, the import table and the resource data of the PE file's memory image are processed.
As a further improvement of the present invention, the original program of the PE file is subjected to disordering in said shell step.
Further, said disordering comprises the following three steps:
1. find the jump instructions jmp, the function call instructions call and the conditional jump instructions jcc in the program code;
2. screen the instruction addresses found in step 1: if the jump range is below 16 it is not considered; if it equals 16, check whether the offset is sufficient to jump to the VAR of the junk instructions; if it is above 16, redirect directly;
3. when an offset is encountered, save the address the original instruction wanted to jump to, then jump into the junk instruction space, and add, at the point where the junk instructions finish executing, a jump to the address that was originally the target.
As a further improvement of the present invention, junk instructions for defending against static decompilation are added during said disordering;
As a further improvement of the present invention, the SHE technique is used in the shell to counter dynamic tracing.
The detailed processing of said encryption step is: the PE file to be packed is loaded from disk into memory, and then each relevant header and section of the PE file's memory image is processed, mainly by encrypting the section data of the image file.
The detailed processing of said packing step is: the CRC32 value of the code segment is calculated and written to the front of the PE file, special data is processed, the import table is constructed, and finally the shell is appended to the memory image of this PE file, which forms the new packed PE file.
Finally, the packed PE file starts running from the shell program part, which performs the CRC32 check of the original PE program, decrypts the section data, rebuilds the import table, disorders the program, and at last jumps to the entry of the original program and transfers control to it.
VAR: the abbreviation of variable; in many computer programming languages var is used as the keyword for defining a variable.
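As an added example (not code from the patent), the following C walks the three headers the description relies on (DOS header, PE header, section table), converts a memory RVA to a file offset, and performs the shell's CRC32 check over the code section on a constructed two-section PE32 image. The slot at file offset 0x38 where the CRC32 is stored is an assumption, since the patent only says the value is written to the front of the file.

```c
#include <stdint.h>
#include <string.h>
/* Field offsets from the PE/COFF specification (PE32); CRC_SLOT is this example's assumption. */
#define E_LFANEW       0x3C  /* DOS header: file offset of the "PE\0\0" signature */
#define COFF_NSECTIONS 0x02  /* COFF file header: NumberOfSections */
#define COFF_OPTSIZE   0x10  /* COFF file header: SizeOfOptionalHeader */
#define OPT_ENTRY_RVA  0x10  /* optional header: AddressOfEntryPoint */
#define SECT_HDR_SIZE  40
#define MAX_SECTIONS   16
#define CRC_SLOT       0x38  /* assumed: spare DOS-header bytes where the packer stores the code CRC32 */
typedef struct { char name[9]; uint32_t va, vsize, raw_ptr, raw_size; } section_t;
typedef struct { size_t coff; int nsec; section_t sec[MAX_SECTIONS]; } pe_info_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk DOS header -> PE header -> section table, the three headers the loader maps from. 0 = malformed. */
int pe_parse(const uint8_t *img, size_t len, pe_info_t *pe) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t sig = rd32(img + E_LFANEW);
    if (sig + 4 + 20 > len || memcmp(img + sig, "PE\0\0", 4) != 0) return 0;
    pe->coff = sig + 4; pe->nsec = rd16(img + pe->coff + COFF_NSECTIONS);
    size_t tbl = pe->coff + 20 + rd16(img + pe->coff + COFF_OPTSIZE);
    if (pe->nsec > MAX_SECTIONS || tbl + (size_t)pe->nsec * SECT_HDR_SIZE > len) return 0;
    for (int i = 0; i < pe->nsec; i++) {
        const uint8_t *h = img + tbl + i * SECT_HDR_SIZE;
        section_t *s = &pe->sec[i];
        memcpy(s->name, h, 8); s->name[8] = '\0';
        s->vsize = rd32(h + 8); s->va = rd32(h + 12); s->raw_size = rd32(h + 16); s->raw_ptr = rd32(h + 20);
    }
    return 1;
}
/* Index of the section whose raw data covers the RVA, or -1. */
static int section_of(const pe_info_t *pe, uint32_t rva) {
    for (int i = 0; i < pe->nsec; i++)
        if (rva >= pe->sec[i].va && rva - pe->sec[i].va < pe->sec[i].raw_size) return i;
    return -1;
}
/* Memory offset (RVA) -> file offset: the conversion between the mapped image and the on-disk layout. */
long pe_rva_to_offset(const uint8_t *img, size_t len, uint32_t rva) {
    pe_info_t pe; int i;
    if (!pe_parse(img, len, &pe) || (i = section_of(&pe, rva)) < 0) return -1;
    return (long)(pe.sec[i].raw_ptr + (rva - pe.sec[i].va));
}
/* Standard CRC-32 (reflected polynomial 0xEDB88320), bitwise. */
uint32_t crc32_buf(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* CRC32 over the code section (the one holding AddressOfEntryPoint); 0 if the image is malformed. */
uint32_t pe_code_crc32(const uint8_t *img, size_t len) {
    pe_info_t pe; int i;
    if (!pe_parse(img, len, &pe) || (i = section_of(&pe, rd32(img + pe.coff + 20 + OPT_ENTRY_RVA))) < 0) return 0;
    const section_t *s = &pe.sec[i];
    size_t sz = s->vsize < s->raw_size ? s->vsize : s->raw_size;   /* bytes actually holding code */
    return s->raw_ptr + sz > len ? 0 : crc32_buf(img + s->raw_ptr, sz);
}
/* The shell's start-up check: recompute the code CRC32 and compare it with the value stored at pack time. */
int pe_code_intact(const uint8_t *img, size_t len) {
    return len >= CRC_SLOT + 4 && pe_code_crc32(img, len) == rd32(img + CRC_SLOT);
}
/* Constructed sample: a two-section PE32 skeleton whose .text holds "123456789" (CRC32 0xCBF43926). */
size_t build_sample_pe(uint8_t *img) {
    memset(img, 0, 0x600);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + E_LFANEW, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img + 0x44 + COFF_NSECTIONS, 2); wr16(img + 0x44 + COFF_OPTSIZE, 0xE0);
    wr16(img + 0x58, 0x10B); wr32(img + 0x58 + OPT_ENTRY_RVA, 0x1000);   /* PE32 magic; entry at start of .text */
    uint8_t *sh = img + 0x58 + 0xE0;   /* section headers: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData */
    memcpy(sh, ".text", 5); wr32(sh + 8, 9);    wr32(sh + 12, 0x1000); wr32(sh + 16, 0x200); wr32(sh + 20, 0x200);
    sh += SECT_HDR_SIZE;
    memcpy(sh, ".data", 5); wr32(sh + 8, 0x10); wr32(sh + 12, 0x2000); wr32(sh + 16, 0x200); wr32(sh + 20, 0x400);
    memcpy(img + 0x200, "123456789", 9);
    wr32(img + CRC_SLOT, crc32_buf(img + 0x200, 9));   /* what the packer writes at the front of the file */
    return 0x600;
}
```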
Compared with the prior art, the present invention has the following beneficial effects:
One, the present invention disorders the original program together with the shell code, achieving fusion of the original program and the shell, which greatly strengthens the ability to protect the software. With software protected by the encryption of the present invention, even if the unpacker finds the entry address of the original program, dumps the memory image of the PE file and strips the shell, it is still hard to restore the original program of the PE file, because once the shell is stripped, part of the original program is stripped with it, so the original program can no longer be restored, thereby achieving the purpose of protecting the software;
Two, in the packing process the present invention can also be combined with the various software protection techniques already in use to strengthen resistance to analysis and cracking, achieving better protection of the software.
Description of drawings
Fig. 1 is the overall diagram of the present invention;
Fig. 2 is the framework diagram of the present invention;
Fig. 3 is the fusion-based software protection model.
Embodiment
The invention is further described below in conjunction with the drawings and specific embodiments.
The present invention comprises the processing of the original PE file and the shell. The processing of the original PE file comprises encrypting the program and reassembling the PE file: the PE file to be packed is loaded from disk into memory; each relevant header and section of the PE file's memory image is processed, mainly by encrypting the section data of the image file; the CRC32 value of the code segment is calculated and written to the front of the PE file; special data is processed; the import table is constructed; and finally the shell is appended to the memory image of the PE file, forming the new packed PE file.
The shell: the packed PE file starts running from the shell program part, which first performs the CRC32 check of the original PE program, decrypts the section data, rebuilds the import table, disorders the program, and finally jumps to the entry of the original program and transfers control to it.
Seen from the file layout, the packed PE file is composed of four parts: the PE file header, the encrypted section data, the shell and the appended data. The section data of the original PE file is stored encrypted. A new section is added to the original PE file to hold the shell data. Within the data of this new section, ShellEnd0 is the dividing line: the data before it (mainly resource data such as icons) is stored encrypted, while the data after it receives no processing and is stored in plaintext. Shell entry: the program entry address of the packed PE file points to ShellStart0. The leading code does some initialization work; if the later part of the shell was itself encrypted, it is decompressed here. After that, the integrity of the PE file is verified, and the unpacker is prevented from dynamically tracing, unpacking and disassembling it. If verification succeeds, the shell goes on to decompress and restore the PE program, disorder the code, process the import table and so on.
The structure of the disordering instruction node used in the disordering described above is as follows:

    #include <windows.h>   /* BOOL, BYTE, WORD, DWORD, LPBYTE */

    typedef struct _CODE_FLOW_NODE
    {
        struct _CODE_FLOW_NODE *pNext;   // next node
        BOOL   bGoDown;                  // whether the jump goes downwards
        DWORD  dwBits;                   // jump range
        DWORD  dwType;                   // instruction type
        BOOL   bFar;                     // whether it is a far jump
        DWORD  dwMemoryAddress;          // current memory address
        LPBYTE pFileAddress;             // current file address
        DWORD  dwGotoMemoryAddress;      // memory address after the jump
        LPBYTE pGotoFileAddress;         // file address after the jump
        DWORD  dwInsLen;                 // instruction length
        union
        {
            BYTE  bOffset;
            WORD  wOffset;
            DWORD dwOffset;
        };                               // jump offset
    } CODE_FLOW_NODE, *PCODE_FLOW_NODE;
In a comparative experiment, the PE file was packed with other packers and with the present invention, and the packed PE files were then examined or unpacked with unpacking and debugging tools. The comparison results obtained are shown in Table 1, where "fail" means the file could not be reverse-analysed and "success" means it could.
Other packers: ACProtect, ASPack, ASProtect, PECompact.
Unpacking tools: File Scanner, FileInfo_V4.02, PEiD.
Table 1. Result data

    Tool             ACProtect  ASPack   ASProtect  PECompact  The present invention
    File Scanner     success    success  success    success    fail
    PEiD             success    success  success    success    fail
    FileInfo_V4.02   success    success  success    success    fail

The experimental data in the table show that the system greatly improves the defensive capability of the software, which reflects from another angle that the fusion-based shell software protection model has very strong software protection ability.

Claims (7)

1. A software protection method based on shell technology, characterized by comprising the following steps:
One, encryption step: the section data and resource data of the image file in memory are encrypted;
Two, shell step: the shell runs first, decrypts the encrypted data, modifies the relevant information and restores the original program of the PE file;
Three, packing step: a new section is created in the PE file to hold the shell data, and its section header is added to the original section table of the PE file;
Four, PE file processing step: the PE file is read into memory, and then the appended data, the import table and the resource data of the PE file's memory image are processed.
2. The software protection method based on shell technology according to claim 1, characterized in that the original program of the PE file is subjected to disordering in said shell step.
3. The software protection method based on shell technology according to claim 2, characterized in that said disordering comprises the following three steps:
1. find the jump instructions jmp, the function call instructions call and the conditional jump instructions jcc in the program code;
2. screen the instruction addresses found in step 1: if the jump range is below 16 it is not considered; if it equals 16, check whether the offset is sufficient to jump to the VAR of the junk instructions; if it is above 16, redirect directly;
3. when an offset is encountered, save the address the original instruction wanted to jump to, then jump into the junk instruction space, and add, at the point where the junk instructions finish executing, a jump to the address that was originally the target.
4. The software protection method based on shell technology according to claim 3, characterized in that junk instructions for defending against static decompilation are added during said disordering.
5. The software protection method based on shell technology according to claim 1, characterized in that the SHE technique is used in the shell to counter dynamic tracing.
6. The software protection method based on shell technology according to claim 1, characterized in that the detailed processing of said encryption step is: the PE file to be packed is loaded from disk into memory, and then each relevant header and section of the PE file's memory image is processed, mainly by encrypting the section data of the image file.
7. The software protection method based on shell technology according to claim 1, characterized in that the detailed processing of said packing step is: the CRC32 value of the code segment is calculated and written to the front of the PE file, special data is processed, the import table is constructed, and finally the shell is appended to the memory image of this PE file to form the new packed PE file.
Application number: CN2013100315242A
Priority date: 2013-01-28
Filing date: 2013-01-28
Title: Software protection method based on shell technology
Publication number: CN103065069A (en)
Publication date: 2013-04-24
Legal status: Pending
Family ID: 48107697
Country status: CN (1) CN103065069A (en)


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C02 / WD01: Deemed withdrawal of the patent application after publication (patent law 2001); invention patent application deemed withdrawn after publication

Application publication date: 2013-04-24