CN103413073B - A kind of method and apparatus protecting JAVA executable program - Google Patents
A kind of method and apparatus protecting JAVA executable program Download PDFInfo
- Publication number
- CN103413073B CN103413073B CN201310284248.0A CN201310284248A CN103413073B CN 103413073 B CN103413073 B CN 103413073B CN 201310284248 A CN201310284248 A CN 201310284248A CN 103413073 B CN103413073 B CN 103413073B
- Authority
- CN
- China
- Prior art keywords
- code
- jvm
- local
- executable program
- java
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses a kind of method and apparatus protecting JAVA executable program.The method creates a local dynamic link library file; enumerate the .class file in protected JAVA software; analyze the JVM code in this .class file; randomly draw code snippet; the original position of the code snippet be extracted replaces with calling native method; in local dynamic link library, generate derivative function, realize the function extracting code snippet.By method provided by the invention, the code of JAVA software and logic effectively can be prevented by reverse and crack, improve the security intensity of software.
Description
Technical field
The present invention relates to field of software protection, particularly a kind of method and apparatus protecting JAVA executable program.
Background technology
JAVA software is generally made up of some resource files and JAVA executable file (independent .class file or the .class file be packaged in .jar or .war bag).JAVA executable file is the binary file that can be performed by JAVA virtual machine, its code has nothing to do with platform, form follows JAVA virtual machine specification, is easy to be reduced to JAVA source code by some decompiling analysis tools, causes the logic of software and flow process to be revealed and steal.
In JAVA language, the method function of class object has two types: commonsense method and nation method.Commonsense method is write by JAVA language to be compiled into JAVA instruction code, performed during operation by JAVA virtual machine (JAVAVirtualMachine, JVM); Another kind of nation method (NativeMethod), it is called by JNI(JAVANativeInterface, JAVA this locality) the storehouse operating in native operating sys-tern of interface accessing outside.JNI achieves mutually calling between JAVA program and external libraries, is commonly used to the function for JAVA program provides non-JAVA language to realize.
Software is made up of one or more JAVA executable file (as .jar .war or .class) and one or more local dynamic link library file (as forms such as .dll or .so).Code in executable file in JAVA can call export interface in dynamic link library (interface), realizes specific function.Class (class) is the key concept of JAVA, and .jar file comprises multiple .class file (jar bag and war bag etc. are all made up of some .class files and resource file), is no longer described in detail it.
JAVA software protection means common are at present to the JVM(JAVAVirtualMachineJAVA in .class file; virtual machine) code carries out obscuring process; or by means of self-defining ClassLoader .class file encryption is stored, just decipher when being loaded into JVM.The former processes in the aspect of JVM instruction, is subject to the restriction of JVM specification, and the effect of automation algorithm desirable not enough (common automation algorithm comprises title and symbol is obscured, but not easily automatically realizes complicated flow process and class relation); And the latter is after JVM loads .class file, just have original .class code in internal memory, be easily subject to internal memory DUMP(namely, content when being run by JVM in proceeding internal memory is carried out " snapshot " and is saved in file) attack.
Summary of the invention
In order to prevent the code of JAVA software and logic by reverse and crack, the invention provides a kind of method and apparatus protecting JAVA executable program.First a local dynamic link library file is created; enumerate the .class file in protected JAVA software; analyze the JVM code in this .class file; randomly draw the partial code fragment in JVM code; replace with to native method (namely in the situ of extracted partial code fragment; nation method) call, in local dynamic link library, generate derivative function, the function of the partial code fragment be extracted described in realization.By method provided by the invention, the security intensity of software can be improved.
The present invention is not only applicable to windows platform, is applicable to the operating system that other use dynamic base mechanism yet.
Protect a method for JAVA executable program, concrete steps comprise:
1. create a local Dynamic link library library file;
2. enumerate the .class file in shielded JAVA software;
3. analyze the JVM code in this .class file, random selecting code snippet;
4. pumped from .class file by the code snippet chosen, original position replaces with calling native method;
5., in local dynamic link library in step 1, generate a derivative function, function name is corresponding with the native method in step 4, and the instruction one by one in simulation code fragment, realizes the function of the code snippet extracted in step 4.
6. get back to step 2, continue to enumerate, until terminate.
According to an aspect of the present invention, the local dynamic link library file title in described step 1 is random.
According to an aspect of the present invention, realize for ease of robotization in described step 3, extract code snippet and follow single-input single-output and storehouse balance principle.Described single-input single-output and storehouse balance principle, refer to that performing flow process can only enter this section of code from described code snippet beginning, cannot jump in the middle of described code snippet from described code snippet, and this section of code can only be left from described code snippet ending, cannot jump to outside code snippet from described code snippet; Fundamental operation in described code snippet is complete, does not relate to the temporary variable in JVM storehouse when passing in and out described code snippet.These two principles can be realized by static analysis JVM instruction.
According to an aspect of the present invention, in step 4, native method name is random.
According to an aspect of the present invention, the instruction in step 5 one by one in simulation code fragment comprise use JNI(JAVANativeInterfaceJAVA this locality to call to the instruction such as access classes, object) simulation; Arithmetic sum controls transfer and uses local code simulation.
Protect a device for JAVA executable program, specifically comprise:
Enumeration module, for enumerating the .class file in shielded JAVA software, and can extract .class file from .jar .war bag;
Analysis module, for analyzing the JVM code in .class file, chooses code snippet according to single-input single-output and storehouse balance principle;
Replacing code module, for being extracted away from .class file by the code snippet chosen, replacing with calling the native method that is named at random in the situ of the code snippet be extracted;
Generate local code module, for generating a local code derivative function, the function of the code snippet be extracted described in realization.
Use in the JAVA software after the present invention's protection; the logic of code is dispersed in local dynamic library file, can take precautions against the decompiling static analysis of JVM aspect preferably, and is replaced by local code due to partial logic; flow process is dispersed in inside and outside JVM, adds the difficulty analyzed and crack.In addition, the code in local dynamic base directly runs, and can not have the code before replacement, like this from the attack of DUMP in JVM.Therefore the present invention protects logic and the flow process of software preferably, and code when running and data security, and can provide the algorithm realization of robotization, improve the security of software.
Accompanying drawing explanation
Fig. 1 is according to a kind of process flow diagram protecting the embodiment 1 of the method and apparatus of JAVA executable program of the present invention.
Fig. 2 is according to a kind of overall flow schematic diagram protecting a preferred embodiment of the method and apparatus of JAVA executable program of the present invention.
Fig. 3 is according to a kind of structured flowchart protecting the method and apparatus of JAVA executable program of the present invention.
Embodiment
For making object of the present invention, technical scheme and advantage clearly understand, to develop simultaneously embodiment referring to accompanying drawing, the present invention is described in more detail.
According to one embodiment of present invention, as shown in Figure 2, provide a kind of method protecting JAVA executable program, concrete steps comprise:
1. create a local Dynamic link library library file
2. enumerate the .class file in shielded JAVA software
3. analyze the JVM code in this .class file, random selecting code snippet
4. pumped from .class file by the code snippet chosen, original position replaces with calling native method
5., in local dynamic link library in step 1, generate a derivative function, function name is corresponding with the native method in step 4, and the instruction one by one in simulation code fragment, realizes the function of the code snippet extracted in step 4.
6. get back to step 2, continue to enumerate, until terminate.
According to an aspect of the present invention, the local dynamic link library file title in described step 1 can be random.
According to an aspect of the present invention, realize for ease of robotization in described step 3, extract code snippet and follow single-input single-output and storehouse balance principle.
According to an aspect of the present invention, in step 4, native method name can be random.
According to an aspect of the present invention, the instruction in step 5 one by one in simulation code fragment comprise use JNI(JAVANativeInterfaceJAVA this locality to call to the instruction such as access classes, object) simulation; Arithmetic sum controls transfer and uses local code simulation.
Described single-input single-output and storehouse balance principle, namely performing flow process is can only enter this section of code from fragment beginning, cannot jump in the middle of fragment from fragment, can only leave this section of code, cannot jump to outside in fragment from fragment ending.And fundamental operation is complete in fragment, during turnover fragment, do not relate to the temporary variable in JVM storehouse.These two principles can be realized by static analysis JVM instruction.
According to one embodiment of present invention, as shown in Figure 3, a kind of equipment protecting JAVA executable program is provided, specifically comprises:
Enumeration module, for enumerating the .class file in shielded JAVA software, and can extract .class file from .jar .war bag.
Analysis module, for analyzing the JVM code in .class file, the principle according to single-input single-output and storehouse balance chooses code snippet.
Replace code module, for being extracted away from .class file by the code snippet chosen, original position replaces with calling the native method that is named at random.
Generating local code module, for generating a local code derivative function, realizing the function of the JAVA code snippet extracted.As preferably, the equipment of the protection executable program of the present embodiment also comprises encrypting module, for being encrypted the information such as function or supplemental characteristic.As shown in Figure 3, in Fig. 3, encrypting module is encrypted for local code generation module.According to one embodiment of present invention, concrete cipher mode includes but not limited to: Custom Encryption algorithm, or disclosed symmetry, rivest, shamir, adelman.According to one embodiment of present invention, decipher during running software after protection.Code and the relevant key etc. of deciphering are placed in local code derivative function.
The present invention creates a local dynamic link library file; enumerate the .class file in protected JAVA software; analyze the JVM code in this .class file; randomly draw code snippet; former extraction position replaces with calling native (nation method) method; in local dynamic link library, generate derivative function, realize the function extracting code snippet.According to one embodiment of present invention, create local dynamic link library file and automatically generate by software programming instrument, create local dynamic link library and belong to the state of the art, and non-invention emphasis, the application is not described in detail.
。Use in the JAVA software after the present invention's protection; the logic of code is dispersed in local dynamic library file, can take precautions against the decompiling static analysis of JVM aspect preferably, and is replaced by local code due to partial logic; flow process is dispersed in inside and outside JVM, adds the difficulty analyzed and crack.In addition, the code in dynamic base at the bottom of cup directly runs, and can not have the code before replacement, so, from the attack of DUMP in JVM.Therefore the present invention protects logic and the flow process of software preferably, and code when running and data security, and can provide the algorithm realization of robotization, improve the security of software.
Embodiment 1
According to one embodiment of present invention, as shown in Figure 1, Fig. 1 comprises the code signal fragment of each several part in the present embodiment.Instantiation is as follows: certain software write by JAVA, has a class MyClass in source code, there is defined three field a, b, c and a case method Mul, and the logic of the method is multiplied at the value of field b and c, and result is assigned to field a.
Java source code is when compiling, and can generate a .class file for each class, the structure of this .class file defines in JVM document, is the set of a series of attribute and value.By resolving the class title association attributes in .class file, can learn it comes from which class in source code; Analytic method Table Properties again, can obtain methodical list in class; Resolve the Code attribute of each method, the JVM bytecode of method can be obtained.
Such as, after compilation of source code shown in Fig. 1, corresponding MyClass.class file, has Mul method in the method table parsed, and bytecode (JVM instruction) is as follows:
(be only signal, actual JVM instruction can be more complicated)
LoadMyClass.a//a the field of existing object is loaded into JVM run storehouse
LoadMyClass.c//c the field of existing object is loaded into JVM run storehouse
Mul//two numbers in storehouse are ejected and are multiplied, by operation result pop down
SetFieldMyClass.b//by the number in storehouse ejects and is saved in the b field of existing object
According to JVM document, the jump instruction in bytecode is all only limited to method inside, namely can not to jump in the code of additive method (call instruction also can only transfer to additive method code initial), because the method is " singly entering "; Again because the target location of all jump instructions staticly (namely just to determine when compiling, there is no register and indirect branch, it is also static for comprising abnormality processing etc.), so each JVM instruction column in method can be become a table, whether whether analyzing and marking each instruction is redirect or call instruction, and be possible redirect destination.Consider the code snippet be made up of continuous print some JVM instructions, if they are not redirect or call instruction (or have redirect but destination in fragment) yet, neither redirect destination (or destination but all from interval), then this fragment is single-input single-output.
JVM is based on storehouse, and the impact of execution on storehouse of each instruction has regulation in a document.As loadint instruction can be pressed into a word in storehouse, and mulint can eject 2, then is pressed into 1, amounts to and is equivalent to minimizing word, can static determine when these also all compile.To JVM instruction list in method, and record the impact of every bar instruction execution on storehouse with a stack pointer.If some the JVM instructions continuously in certain single-input single-output interval, after performing, stack pointer is constant, then this sub-range is storehouse balance.Between the JVM instruction area illustrated above, be namely single-input single-output and storehouse balance.
After protecting by method of the present invention, the above JVM instruction in .class file is pumped, and replaces with calling nation method native_fun123.And be derived native_fun123 function in newly-increased local dynamic link library, the above JVM instruction of instruction simulation one by one.According to the definition in JVM document, to each JVM instruction, finish writing one section of local code all in advance to simulate its function.As access object field JNI simulates, multiplying then uses local cpu multiplying order to simulate.Local code fragment assembly corresponding for all instructions in JVM instruction fragment is got up, just becomes the code of nation method.
Can see not had the JVM instruction of Mul method in the software after protection, operationally the key logic of the method is also realized by local code and JNI.
This method is not only applicable to windows platform, is also applicable to the operating system that other use dynamic base mechanism.When other operating system uses, method step is substantially identical with windows platform step, repeats no more herein.
The foregoing is only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any amendment done, equivalent replacement and improvement etc., all should be included within protection scope of the present invention.
Claims (7)
1. protect a method for JAVA executable program, it is characterized in that, comprise the steps:
Step 1: create local dynamic link library file;
Step 2: enumerate the .class file in shielded JAVA executable program;
Step 3: analyze the JVM code in described .class file, then chooses the code snippet in JVM code automatically according to single-input single-output and storehouse balance principle;
Step 4: the described code snippet chosen is extracted from .class file, replaces to calling nation method in the situ of described code snippet;
Step 5: in described local dynamic link library, generate local code derivative function, the title of described local code derivative function is corresponding with described nation method, and the instruction of simulating one by one in described local code derivative function in described code snippet, and the identical function making the code snippet extracted described in the realization of described local code derivative function; JNI simulation is used to access classes, subject instructions;
Step 6: return step 2, continues to enumerate, until terminate.
2. method according to claim 1, is characterized in that, the local dynamic link library file title in described step 1 is random, or in step 4, nation method title is random.
3. method according to claim 1, is characterized in that, the arithmetic sum of the instruction in step 5 one by one in simulation code fragment controls transfer and uses local code simulation.
4. protect an equipment for JAVA executable program, it is characterized in that, comprising:
Enumeration module, for enumerating the .class file in shielded JAVA software;
Analysis module, for analyzing the JVM code in .class file, the principle according to single-input single-output and storehouse balance chooses code snippet in JVM code;
Replace code module, the described code snippet chosen is extracted from described .class file, replaces to calling nation method in the situ of described code snippet; Nation method title is random;
Generate local code module, for generating local code derivative function, the identical function of the code snippet extracted described in realization.
5. the equipment of protection JAVA executable program according to claim 4, is characterized in that, also comprise: encrypting module, for being encrypted local code generation module.
6. the equipment of protection JAVA executable program according to claim 5, is characterized in that, is decrypted when the operation of shielded executable program.
7. the equipment of protection JAVA executable program according to claim 6, is characterized in that, code and the relevant key of deciphering leave in described local code derivative function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310284248.0A CN103413073B (en) | 2013-07-09 | 2013-07-09 | A kind of method and apparatus protecting JAVA executable program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310284248.0A CN103413073B (en) | 2013-07-09 | 2013-07-09 | A kind of method and apparatus protecting JAVA executable program |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103413073A CN103413073A (en) | 2013-11-27 |
| CN103413073B true CN103413073B (en) | 2016-01-20 |
Family
ID=49606084
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310284248.0A Active CN103413073B (en) | 2013-07-09 | 2013-07-09 | A kind of method and apparatus protecting JAVA executable program |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103413073B (en) |
Families Citing this family (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103902859A (en) * | 2013-12-25 | 2014-07-02 | 武汉安天信息技术有限责任公司 | Code protecting method and system based on hook technology in JAVA |
| CN104866740A (en) * | 2014-02-25 | 2015-08-26 | 北京娜迦信息科技发展有限公司 | Static analysis preventing method and device for files |
| CN105404794B (en) * | 2014-09-04 | 2019-09-20 | 腾讯科技(深圳)有限公司 | The guard method of Java application software and device |
| CN105183490B (en) * | 2015-10-16 | 2019-07-23 | 百度在线网络技术(北京)有限公司 | Processed offline logic is migrated to the method and apparatus of real-time processing frame |
| CN106909356A (en) * | 2015-12-22 | 2017-06-30 | 阿里巴巴集团控股有限公司 | The replacement method and device of method in java class |
| CN106096404B (en) * | 2016-08-18 | 2019-05-21 | 北京深思数盾科技股份有限公司 | A kind of data guard method and system |
| CN106650340B (en) * | 2016-11-16 | 2019-12-06 | 中国人民解放军国防科学技术大学 | binary software protection method adopting dynamic fine-grained code hiding and obfuscating technology |
| CN107229848A (en) * | 2017-06-12 | 2017-10-03 | 北京洋浦伟业科技发展有限公司 | A kind of code reinforcement means and device |
| CN107506651B (en) * | 2017-07-04 | 2021-10-22 | 环玺信息科技(上海)有限公司 | Code encryption method and system |
| CN108446541B (en) * | 2018-02-12 | 2021-10-29 | 北京梆梆安全科技有限公司 | Source code reinforcing method and device based on finite-state machine and symbol execution |
| CN108537012B (en) * | 2018-02-12 | 2021-11-16 | 北京梆梆安全科技有限公司 | Source code obfuscation method and device based on variables and code execution sequence |
| CN108446536B (en) * | 2018-02-12 | 2021-08-13 | 北京梆梆安全科技有限公司 | Source code reinforcing method and device based on symbolic execution and single-point logic |
| CN110531965A (en) * | 2018-05-23 | 2019-12-03 | 阿里巴巴集团控股有限公司 | A kind of data processing method, program operating method and equipment |
| CN109343855B (en) * | 2018-09-29 | 2020-12-29 | 清华大学 | Program compiling and grabbing system and method based on instruction camouflage |
| CN110866226B (en) * | 2019-11-15 | 2022-05-24 | 中博信息技术研究院有限公司 | JAVA application software copyright protection method based on encryption technology |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101356535A (en) * | 2005-11-10 | 2009-01-28 | 株式会社Ntt都科摩 | A method and apparatus for detecting and preventing unsafe behavior of javascript programs |
| CN102081546A (en) * | 2009-11-30 | 2011-06-01 | 国际商业机器公司 | Memory optimization of virtual machine code by partitioning extraneous information |
| CN102708322A (en) * | 2012-05-12 | 2012-10-03 | 北京深思洛克软件技术股份有限公司 | Method for protecting JAVA application programs in Android system |
| CN102831343A (en) * | 2012-07-27 | 2012-12-19 | 北京奇虎科技有限公司 | Target program processing method, processing device and cloud service equipment |
-
2013
- 2013-07-09 CN CN201310284248.0A patent/CN103413073B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101356535A (en) * | 2005-11-10 | 2009-01-28 | 株式会社Ntt都科摩 | A method and apparatus for detecting and preventing unsafe behavior of javascript programs |
| CN102081546A (en) * | 2009-11-30 | 2011-06-01 | 国际商业机器公司 | Memory optimization of virtual machine code by partitioning extraneous information |
| CN102708322A (en) * | 2012-05-12 | 2012-10-03 | 北京深思洛克软件技术股份有限公司 | Method for protecting JAVA application programs in Android system |
| CN102831343A (en) * | 2012-07-27 | 2012-12-19 | 北京奇虎科技有限公司 | Target program processing method, processing device and cloud service equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103413073A (en) | 2013-11-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103413073B (en) | A kind of method and apparatus protecting JAVA executable program | |
| CN103413075B (en) | A kind of method and apparatus of protecting JAVA executable program by virtual machine | |
| Balachandran et al. | Control flow obfuscation for android applications | |
| CN102598017B (en) | Improve the system and method for its tamper-proof capabilities of Java bytecode | |
| Banescu et al. | A tutorial on software obfuscation | |
| KR101471589B1 (en) | Method for Providing Security for Common Intermediate Language Program | |
| CN106096338B (en) | A kind of virtualization software guard method obscured with data flow | |
| CN103914637B (en) | A kind of executable program encryption method of Android platform | |
| CN105683990B (en) | Method and apparatus for protecting dynamic base | |
| US8589897B2 (en) | System and method for branch extraction obfuscation | |
| CN108733988A (en) | The guard method of executable program on Android platform | |
| US20170024230A1 (en) | Method, apparatus, and computer-readable medium for ofuscating execution of an application on a virtual machine | |
| WO2015058620A1 (en) | Method and apparatus for generating installation package corresponding to an application and executing application | |
| US8615735B2 (en) | System and method for blurring instructions and data via binary obfuscation | |
| CN108363911B (en) | Python script obfuscating and watermarking method and device | |
| CN108932406A (en) | Virtualization software guard method and device | |
| JP7154365B2 (en) | Methods for securing software code | |
| CN112052433B (en) | Virtual protection method, terminal and storage medium for Jar file | |
| JP2016525760A (en) | Identify irrelevant code | |
| CN105653905A (en) | Software protection method based on API (Application Program Interface) security attribute hiding and attack threat monitoring | |
| CN104834838B (en) | Prevent the method and device of DEX file unloading from internal memory | |
| US8775826B2 (en) | Counteracting memory tracing on computing systems by code obfuscation | |
| CN107577925B (en) | Based on the virtual Android application program guard method of dual ARM instruction | |
| CN104866734A (en) | DEX (Dalvik VM executes) file protecting method and device | |
| Tamboli et al. | Metamorphic code generation from LLVM bytecode |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP03 | Change of name, title or address |
Address after: 100193 Beijing, Haidian District, East West Road, No. 10, East Hospital, building No. 5, floor 5, layer 510 Patentee after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. Address before: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing Patentee before: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd. |
|
| CP01 | Change in the name or title of a patent holder | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |