Summary of the invention
Technical matters to be solved by this invention is that a kind of method that provides code dynamically to generate, no longer fixes the position of object code and content, thereby increase, cracks difficulty, has improved security.
In order to solve the problems of the technologies described above, the invention provides a kind of method that code dynamically generates, comprise the following steps:
S1: choose source code;
S2: the sequence that described source code is decomposed into multistage basic operation;
S3: with function corresponding in script and each section of basic operation of parameter replacement to obtain the script through conversion;
S4: the described script through conversion is compiled, generate masterplate program;
S5: operation masterplate program, each script function is sequentially called, wherein, when calling each script function, chooses at random the implementation of this script function and moves this script function and generate first object code;
S6: choose at random and obscure mode, first object code is obscured, generate the second object code fragment;
S7: be the second object code by the second object code fragment assembly.
As preferably, step S1 is specially the key code of manually choosing in source code.
As preferably, step S2 specifically comprises source code is done to grammatical analysis, to all operations node in syntax tree, according to precedence of operator rule, finds corresponding script function and carries out stipulations, thereby described source code is decomposed into the sequence of multistage basic operation.
As preferably, the script in step S3 comprises higher level lanquage or custom script language.
As preferably, the described implementation in step S5 is selected from the predefined multiple implementation of called script function at random.
Fake preferably, that obscures that mode is selected from described first object code at random described in step S6 predefined multiplely obscures mode.
Compared with prior art, the beneficial effect of the method that code of the present invention dynamically generates is: by making masterplate program, masterplate program is exported first object code when operation, and this first object code has been added and obscured with randomness to obtain the second object code, position and the content of the second object code are no longer fixed, its content is also difficult to analyze because obscuring, and has increased the difficulty that cracker analyzes and cracks, and has improved security.
Embodiment
The method code of embodiments of the invention dynamically being generated below in conjunction with the drawings and specific embodiments is described in further detail, but not as a limitation of the invention.
Fig. 1 is the schematic flow sheet of the dynamic method generating of code of embodiments of the invention.The method that the code of embodiments of the invention dynamically generates, comprises the following steps:
S1: choose source code;
S2: the sequence that described source code is decomposed into multistage basic operation.Can described source code be decomposed into by automatic or manual mode to the sequence of basic operation.The control transfer operations such as arithmetical operation, function call, logic branch such as described basic operation comprises and adding, subtracts, multiplication and division, and get the internal storage access operations such as address, dereference, storehouse.As the present embodiment preferred version, the implementation method of automated manner is for to do grammatical analysis to source code, to all operations node in syntax tree, according to precedence of operator rule, find corresponding script function and carry out stipulations, thereby described source code is decomposed into the sequence of multistage basic operation;
S3: with function corresponding in script and each section of basic operation of parameter replacement to obtain the script through conversion;
S4: the described script through conversion is compiled, generate masterplate program;
S5: operation masterplate program, each script function is sequentially called, wherein, when calling each script function, chooses at random the implementation of this script function and moves this script function and generate first object code;
S6: choose at random and obscure mode, first object code is obscured, generate the second object code fragment;
S7: be the second object code by the second object code fragment assembly.
Wherein:
Step S1 can be preferably the key code of manually choosing in source code, and key code is dealt with, and has simplified program runtime when having ensured code safety.
The control transfer operations such as arithmetical operation, function call, logic branch such as in step S2, described basic operation comprises and adding, subtracts, multiplication and division, and get the internal storage access operations such as address, dereference, storehouse.As the present embodiment preferred version, the implementation method of automated manner is for to do grammatical analysis to source code, to all operations node in syntax tree, according to precedence of operator rule, find corresponding script function and carry out stipulations, thereby described source code is decomposed into the sequence of multistage basic operation.As automatic analysis i+5*k, grammer seeds, the priority of operational symbol " * " is higher than "+", so " * " node (child node is " 5 " and " k ") of first stipulations grammer seeds, find the script function that " * " is corresponding, output-scr IPT_MUL (temp1,5, k), continue "+" node (child node becomes " i " and " temp1 ") in stipulations syntax tree, output-scr IPT_ADD (temp2, i, temp1).
Except by automated manner, the realization that above-mentioned implementation also can be manually, method is manual read's source code.As source code lines i=fun (); By artificial cognition, be call function and preserve two operations of rreturn value, can utilize SCRIPT_CALL and SCRIPT_MOV two this replacement of traveling far and wide.
Script in step S3 comprises higher level lanquage or custom script language, and higher level lanquage includes but not limited to C, Python, and the function of described correspondence and parameter refer to that SCRIPT_ADD represents that addition, SCRIPT_CALL representative function call etc.
In step S4, each script function in masterplate program is sequentially called, and each script function can generate a bit of random object code of obscuring, and splicing is exactly the object code of having realized the function of the source code of choosing before.Masterplate program has randomness, and described randomness refers to repeatedly move masterplate with same input, and the object code obtaining is different.Masterplate program can seen to be a kind of code that can generating code, it in function and compiler (as VMP) basic identical.Template program can be the corresponding executable program of script or one section of code.Masterplate program structure is the source code fragment of choosing to be decomposed and pass through the sequential combination of the code after other equivalent scripts are replaced.During operation, being also sequentially to carry out according to the script of storage inside, is when carrying out each script function, can select at random a kind of predefined implementation (as directly or indirectly called), then selects at random a kind of mode of obscuring, and generates final code.For example, for example in script, the content of certain a line is operation masterplate:
SCRIPT_ADD(I,J,5);
Wherein SCRIPT_ADD is an auxiliary function, is defined in the subsidiary Runtime Library of script, and its function is, to the code of output " completing add operation " in buffer zone, its realization can schematically as follows (be take C language as example):
One section of code such as unsigned SCRIPT_ADD (BYTE*buf, void*param1Addr, void*param2Addr, void*param3Addr); Therefore when operation template, SCRIPT_ADD function will be performed, and exports several bytes, as bytes such as " B8xx xx xx xx ", realizes the corresponding function of source code.
Described implementation in step S5 is selected from the predefined multiple implementation of called script function at random.The implementation of choosing at random script function in this step is through predefined, and each script function has predefined multiple implementation.As SCRIPT_CALL can adopt directly, call, the mode such as indirect call realizes, and chooses at random a kind of implementation during operation.
That described in step S6, obscures that mode is selected from described first object code at random predefined multiplely obscures mode.In this step, can adopt any existing obfuscator or mode to realize.In the object code of above-mentioned generation, a lot of common basic operations, have the predefined multiple mode of obscuring.The present embodiment obscure mode, as MOV, r32, imm (immediate is sent to 32 bit register instructions) can obscure for PUSH imm and POP r32, also can obscure for MOVrRand, imm and MOV r32, rRand (immediate is delivered to random register, then deliver to and specify register from random register), during operation, choose at random a kind of mode of obscuring, generate the second object code fragment.
Fig. 2 is for being applied to a schematic diagram in embodiment by the dynamic method generating of the code of embodiments of the invention.By an embodiment, further illustrate implementation method of the present invention below.
Choose following source code fragment (as a certain section of key code):
j=func1();
i=j+5;
func2(i);
This source code fragment is the in the situation that of general compiled, and the object code of generation is substantially fixing:
E878000000//call403250 (address of func1)
A348114000//mov[j], eax is saved in variable j by function return value
83C005//add?eax,5
A34C114000//mov[i], eax is saved in variable i by the value of j+5
50//push eax is by function parameter pop down
E8D0000000//call401170 (address of func2)
Source code fragment is decomposed into basic operation sequence, and is converted to following script:
SCRIPT_CALL(func1);
SCRIPT_MOV(i,RET_VAL);
SCRIPT_ADD(i,j,5);
SCRIPT_CALL(func2,i);
After script compile, produce following template program:
Call SCRIPT_CALL//generate with certain random fashion after the obscuring code that calls func1
Call SCRIPT_MOV//generate with certain random fashion after the obscuring code that func1 rreturn value is saved in to variable i
Call SCRIPT_ADD//generate with certain random fashion after the obscuring code that the result of i+5 is saved in to j
Call SCRIPT_CALL//generate with certain random fashion after the obscuring code that calls func2.
Operation template, produces following first object code:
C70540... // func1 address is saved in to function address table the x item
C70544... // func2 address is saved in to function address table the y item
FF15 ... // call function address table x item
89C3//rreturn value is saved in random register
891E ... the value of // random register is saved in variable i
83C307//random register +=7 (random number)
83EB02//random register-=2 (be equal to+5)
8B3E//be saved in variable j
FF36... // use direct stack accessing simulation PUSH, by parameter pop down
FF15 ... // call function address table y item.
First object code is obscured, generated the second object code fragment, the second object code fragment assembly is gone out to the second object code.This process does not repeat them here.
Above embodiment is only exemplary embodiment of the present invention, is not used in restriction the present invention, and protection scope of the present invention is defined by the claims.Those skilled in the art can make various modifications or be equal to replacement the present invention in essence of the present invention and protection domain, this modification or be equal to replacement and also should be considered as dropping in protection scope of the present invention.