CN104517044A - Method and device for protecting binary file from being decompiled - Google Patents
Method and device for protecting binary file from being decompiled Download PDFInfo
- Publication number
- CN104517044A CN104517044A CN201310450080.6A CN201310450080A CN104517044A CN 104517044 A CN104517044 A CN 104517044A CN 201310450080 A CN201310450080 A CN 201310450080A CN 104517044 A CN104517044 A CN 104517044A
- Authority
- CN
- China
- Prior art keywords
- instruction
- modified
- function
- address
- place
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 230000008859 change Effects 0.000 claims description 62
- 238000002347 injection Methods 0.000 claims description 23
- 239000007924 injection Substances 0.000 claims description 23
- 238000000151 deposition Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 5
- 238000012856 packing Methods 0.000 claims description 3
- 230000002708 enhancing effect Effects 0.000 abstract 2
- 230000006870 function Effects 0.000 description 151
- 238000010586 diagram Methods 0.000 description 14
- 230000008520 organization Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 7
- 238000013461 design Methods 0.000 description 3
- 238000007630 basic procedure Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Storage Device Security (AREA)
- Devices For Executing Special Programs (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a method and a device for protecting a binary file from being decompiled, for enhancing the security of binary program in a simpler way. The method comprises the steps of: finding an execution entrance of a function to be modified in the binary file; determining a plurality of instructions in the function that an execution sequence of the instructions needs to be changed from the execution entrance of the function to be modified; changing the execution sequence of the determined instructions in the function to be modified, and changing the function to be modified into the function having the instructions with the mingled execution sequence. As the execution sequence of the instructions corresponding to the binary file is mingled, the difficulty of decompiling the binary file is greatly improved, and thereby the method provided by the embodiment of the invention can effectively protect the binary file from being decompiled in a simpler way, thus enhancing the security of software products.
Description
Technical field
The present invention relates to computer safety field, be specifically related to a kind of binary file sequence that prevents by the method and apparatus of decompiling.
Background technology
Decompiling belongs to computing machine reverse engineering (Reverse Engineering) the i.e. category of computer software reduction engineering, refer to and carry out conversed analysis, research work by the target program (executable file) to other people software, the design considerations such as the thinking used with the software product deriving other people, principle, structure, algorithm, processing procedure and operation method, reference when developing software as oneself, or be directly used in oneself software product.The process that high-level programming language source program becomes executable file (executable file) through compiling is exactly the process compiled, and decompiling is exactly the inverse process of compiling, namely by the process of machine code (usually being write by assembly language) → high-level programming language.So-called machine code is the set of a kind of machine instruction of calculating function Direct Recognition and the execution represented with binary code, and it is the deviser of computing machine gives computing machine operating function by hardware structure of computer.The features such as machine code has flexibly, directly perform and speed is fast.Article one, instruction is exactly a statement of machine code, it is one group of significant binary code, and the basic format of instruction is: opcode field+address code field, wherein, operational code specifies the character of operation and the function of instruction, and address code then gives the address of operand or operand.
Under normal circumstances, decompiling is not directly executable file is become higher level lanquage source code, but first converts it to assembly routine.Due to the computerese that machine code is comparatively bottom, generally can realize executable file (executable file) by amendment machine code, such as, the amendment of .exe file .sys file and .elf file etc.Therefore, no matter be from the direct angle revising machine code, or from can be obtained this angle of design considerations of software product by decompiling, software product manufacturer wish that its software product is that corresponding machine code has certain confidentiality.Only have machine code to have certain confidentiality, the difficulty of amendment machine code could be increased, also can increase the difficulty of decompiling.
At present, at computer safety field, also do not occur a kind of simple and binary program can be prevented by the technical scheme of decompiling.
Summary of the invention
The embodiment of the present invention provides a kind of binary file that prevents by the method and apparatus of decompiling, strengthens the security of binary program in comparatively simple mode.
The embodiment of the present invention provides a kind of binary file that prevents by the method for decompiling, described in comprise:
Search the execution entrance of function to be modified in binary file;
From the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified;
Change the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
Another embodiment of the present invention provides a kind of binary file that prevents by the device of decompiling, and described device comprises:
Entrance searches module, for searching the execution entrance of function to be modified in binary file;
Determination module, for the execution entrance from described function to be modified, determines some instructions of the execution sequence needs change in described function to be modified;
Order changes module, for changing the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
From the invention described above embodiment, after the execution sequence determined in function to be modified needs some instructions of change, the execution sequence of some instructions of change is needed by described execution sequence to change, thus by the function that the execution sequence that described function to be modified becomes instruction is upset, be equivalent to upset binary code corresponding to binary file by generating new machine code.After execution sequence multilated due to instruction corresponding to binary file, substantially increase the difficulty to this binary file decompiling, therefore, the method that the embodiment of the present invention provides can adopt fairly simple mode effectively to prevent binary file by decompiling, thus improves the security of software product.
Accompanying drawing explanation
Fig. 1 be the embodiment of the present invention provide prevent binary file by the basic procedure schematic diagram of the method for decompiling;
Fig. 2-a is the instruction that comprises of function to be modified that the embodiment of the present invention provides and storage address schematic diagram thereof;
Fig. 2-b is the schematic diagram that white space that the embodiment of the present invention provides with the addition of instruction that function to be modified comprises and jump instruction;
Fig. 2-c is the schematic diagram after the execution sequence of instruction in the function to be modified that provides of the embodiment of the present invention changes;
Fig. 3 be the embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 4 be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 5 be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 6 be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 7 be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 8-a be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 8-b be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 8-c be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 8-d be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling;
Fig. 8-e be another embodiment of the present invention provide prevent binary file by the device logical organization schematic diagram of decompiling.
Embodiment
The embodiment of the present invention provides a kind of binary file that prevents by the method for decompiling, and described method comprises: the execution entrance searching function to be modified in binary file; From the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified; Change the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.The embodiment of the present invention also provide accordingly a kind of binary program that prevents by the device of decompiling.Below be described in detail respectively.
The application software preventing binary file to be can be applicable on smart mobile phone by the method for decompiling of the embodiment of the present invention, such as, application software in Android intelligent, its basic procedure with reference to figure 1, mainly can comprise step:
S101, searches the execution entrance of function to be modified in binary file.
For existing operating system, application program or executable file major part are binary files, and binary file is made up of function.Generally speaking, the execution entrance of function is first bar instruction executing location, therefore, no matter is modify or dis-assembling to executable file, and the execution entrance of function is all an important breakthrough point.Find the execution entrance of function, mean and have found this function.In embodiments of the present invention, can be " mov r2, r2 by inserting command content in function beginning to be modified; " some continuously (such as, continuous 4) machine codes, namely perform entrance with the address finding function to be modified in binary file.It should be noted that, in embodiments of the present invention, so-called function to be modified, refers to the function that the execution sequence of instruction wherein will be modified, and not refers to that its actuating logic or function need amendment.
S102, from the execution entrance of function to be modified, determines some instructions of the execution sequence needs change in function to be modified.
For the program that machine code is write, once the execution sequence of instruction wherein changes, will greatly increase the enforcement difficulty of computing machine reverse engineering, therefore, by the execution sequence of change directive, the security performance of software product can be improved.
As one embodiment of the invention, from the execution entrance of function to be modified, determine that some instructions of the execution sequence needs change in described function to be modified can be: from the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.That is, for binary file to be protected, the instruction in its function can be investigated in advance, some instructions that the execution sequence needs wherein needed in described function to be modified are changed are stored in an instruction list in advance.In the process of the instruction in traversal function to be modified, the instruction contrast of depositing in advance in the instruction and instruction table constantly traversal obtained, if find instruction C
pbe present in default instruction list, then determine described instruction C
pfor described execution sequence in described function to be modified needs one of some instructions of change.
In an alternative embodiment of the invention, from the execution entrance of function to be modified, determine that some instructions of the execution sequence needs change in described function to be modified can also be: from the execution entrance of function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
S103, changes the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
When from the execution entrance of function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change, as from the execution entrance of function to be modified, when determining an embodiment of some instructions of the execution sequence needs change in described function to be modified, correspondingly, as one embodiment of the invention, change the execution sequence of the described some instructions determined in described function to be modified, the function that the execution sequence that described function to be modified becomes instruction is upset can be comprised following S1031 and S1032:
S1031, instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
S1032, at the described address A of next-door neighbour
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.Below in conjunction with accompanying drawing 2-a to accompanying drawing 2-c, the process of above-mentioned S1031 and S1032 is described.
As shown in accompanying drawing 2-a, be the function body of function to be modified, suppose its 4 instructions " ADDR4, R4, #1 comprising; ", " MOV R0, R5; ", " BL puts; " and " CMP R4, #0x1E; " be the instruction needing to change execution sequence, the address that these 4 instruction correspondences are deposited is " 000086CC ", " 000086D0 ", " 000086D4 " and " 000086D8 " respectively, such as, " text:000086CC ADDR4, R4, #1; " presentation directives ADD R4, R4, #1 leave the position that address is 000086CC in.With " ADD R4, R4, #1; " this instruction is example; suppose outside the storage space of the function to be modified shown in accompanying drawing 2-a; also there is certain white space, as shown in accompanying drawing 2-b, the address of white space is followed successively by " 00008754 ", " 00008758 ", " 0000875C " and " 00008760 ".Suppose the instruction C that S1031 mentions
pspecifically instruction " ADD R4, R4, #1; ", the address A that S1031 mentions
cp1the specifically address 000086CC of accompanying drawing 2-a example, the address A that S1031 mentions
cp2the specifically address A that mentions of the address 00008754, S1032 of accompanying drawing 2-b example
cp3the specifically address A that mentions of the address 00008758 of accompanying drawing 2-b example and/or address 0000875C, S1032
cp4the specifically address 000086D0 of accompanying drawing 2-a or accompanying drawing 2-c example, then instruction " ADD R4, R4, #1; " move apart to address 00008754 from address 000086CC, at address 000086CC place injection first jump instruction i.e. " B loc_8754; ", as shown in accompanying drawing 2-c.First jump instruction " B loc_8754; " be a unconditional jump instruction, it jumps to address 00008754 place and performs instruction " ADD R4, R4, #1 after performing; ".At next address address 00008758 and/or the address 0000875C place injection second jump instruction i.e. " BEQloc_86D0 at address 00008754 place of next-door neighbour's accompanying drawing 2-b example; " and/or " BNE loc_86D0; ".Due to " BEQ loc_86D0; " expression " ADD R4, R4, #1; " result after execution jumps to 000086D0 place, address when being equal and perform instruction " MOV R0, R5; ", " BNE loc_86D0; " expression " ADD R4, R4, #1; " result after execution jumps to 000086D0 place, address when being unequal and perform instruction " MOV R0, R5; ", therefore, the second jump instruction " BEQ loc_86D0; " and/or " BNE loc_86D0; " after execution, consequently all can jump to instruction " MOV R0, the R5 at the executive address 000086D0 place of next address 000086D0 place at 000086CC place, address; ".As to change directive " BL puts; " and " CMP R4, #0x1E; " execution sequence, its method is similar.
As seen from the above description, instruction " ADD R4, R4, the #1 of accompanying drawing 2-a example; " and " MOV R0, R5; " former execution sequence in function to be modified (and namely function be modified before execution sequence) be execute " ADD R4, R4, #1; " after then perform " MOV R0, R5; ", through the change of the execution sequence of above-mentioned S1031 and S1032, become execution sequence in function after the modification for perform instruction " Bloc_8754 successively; ", " ADD R4, R4, #1; ", " BEQ loc_86D0; " (and/or " BNE loc_86D0; ") and " MOV R0, R5; ".
When from the execution entrance of function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change, as from the execution entrance of function to be modified, when determining another embodiment of some instructions of the execution sequence needs change in described function to be modified, correspondingly, as another embodiment of the present invention, change the execution sequence of the described some instructions determined in described function to be modified, the function that the execution sequence that described function to be modified becomes instruction is upset can be comprised following S ' 1031 and S ' 1032:
S ' 1031, by critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k.
S ' 1032, is depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
When instruction performs; its object performed can be accessed data; therefore; if certain critical data is protected by certain mode; be the instruction of another kind of type again by instruction transformation corresponding for this critical data; made the critical data protected by some way by the instruction access of this another kind of type, also can play and prevent binary file by the difficulty of decompiling, thus improve the safety of software product.Such as, the Dongle supposing in S ' 1031 is the good hardware cryptographic devices of encryption performance, by critical data D
kfrom described function to be modified, described critical data D is removed stored in this Dongle
kafter, if desired access described critical data D
k, then have to be used in and deposit instruction C
kaddress A
ck1the critical data access instruction that place is injected.From described Dongle, described critical data D is read owing to using this critical data access instruction
kshi Keneng needs certain authority, therefore, serves and prevents binary file by the difficulty of decompiling, thus improve the safety of software product.
In above-described embodiment, if the execution sequence in described function to be modified needs reserved address space between some instructions of change larger, and the instruction of function self-contained visit data is less, the method that then above-described embodiment is mentioned also comprises: fill rubbish instruction at described reserved address space, these rubbish instructions comprise the random statement of generation and/or the statement etc. of redirect random site, increase the complexity of function to be modified with this, thus also can effectively prevent binary file by decompiling.
What provide from the invention described above embodiment prevents binary file by the method for decompiling, after the execution sequence determined in function to be modified needs some instructions of change, the execution sequence of some instructions of change is needed by described execution sequence to change, thus by the function that the execution sequence that described function to be modified becomes instruction is upset, be equivalent to upset binary code corresponding to binary file by generating new machine code.After execution sequence multilated due to instruction corresponding to binary file, substantially increase the difficulty to this binary file decompiling, therefore, the method that the embodiment of the present invention provides can adopt fairly simple mode effectively to prevent binary file by decompiling, thus improves the security of software product.
Be described by the device of decompiling by the binary file that prevents of the embodiment of the present invention of the method for decompiling for performing the above-mentioned binary file that prevents below, its basic logical structure is with reference to figure 3.For convenience of explanation, illustrate only the part relevant to the embodiment of the present invention.Accompanying drawing 3 example prevent binary file by the device of decompiling mainly comprise entrance search module 301, determination module 302 and order change module 303, each module is described in detail as follows:
Entrance searches module 301, for searching the execution entrance of function to be modified in binary file;
Determination module 302, for the execution entrance from described function to be modified, determines some instructions of the execution sequence needs change in described function to be modified;
Order changes module 303, for changing the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
It should be noted that, above accompanying drawing 3 example prevent binary file by the embodiment of the device of decompiling, the division of each functional module only illustrates, can be as required in practical application, the facility of the such as configuration requirement of corresponding hardware or the realization of software is considered, and above-mentioned functions distribution is completed by different functional modules, binary file is prevented to be divided into different functional modules by the inner structure of the device of decompiling described in being about to, to complete all or part of function described above.And, in practical application, corresponding functional module in the present embodiment can be by corresponding hardware implementing, also can perform corresponding software by corresponding hardware to complete, such as, aforesaid entrance searches module, can be to have to perform the aforementioned hardware searching the execution entrance of function to be modified in binary file, such as entrance finger also can be general processor or other hardware devices that can perform corresponding computer program thus complete aforementioned function; For another example aforesaid order changes module, can be have perform aforementioned for changing the execution sequence of the described some instructions determined in described function to be modified, by the hardware of the function performance that the execution sequence that described function to be modified becomes instruction is upset, such as order change device, also can be general processor or other hardware devices (each embodiment that this instructions provides all can apply foregoing description principle) that can perform corresponding computer program thus complete aforementioned function.
Accompanying drawing 3 example prevent binary file by the device of decompiling, determination module 302 can comprise the first Traversal Unit 401, and what another embodiment of the present invention provided as shown in Figure 4 prevents binary file by the device of decompiling.First Traversal Unit 401, for the execution entrance from described function to be modified, travels through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.
Accompanying drawing 4 example prevent binary file by the device of decompiling, order changes module 303 can comprise the first instruction injection unit 501 and the second instruction injection unit 502, what another embodiment of the present invention provided as shown in Figure 5 prevents binary file by the device of decompiling, wherein:
First instruction injection unit 501, for described instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
Second instruction injection unit 502, for being close to described address A
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.
Accompanying drawing 3 example prevent binary file by the device of decompiling, determination module 302 can comprise the second Traversal Unit 601, and what another embodiment of the present invention provided as shown in Figure 6 prevents binary file by the device of decompiling.Second Traversal Unit 601, for the execution entrance from described function to be modified, travels through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
Accompanying drawing 6 example prevent binary file by the device of decompiling, order changes module 303 can comprise data processing unit 701 and the 3rd instruction injection unit 702, what another embodiment of the present invention provided as shown in Figure 7 prevents binary file by the device of decompiling, wherein:
Data processing unit 701, for by described critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k;
3rd instruction injection unit 702, for depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
If in above-described embodiment, execution sequence in described function to be modified needs reserved address space between some instructions of change larger, the binary file that prevents of the arbitrary example of accompanying drawing 3 to accompanying drawing 7 is also comprised rubbish instruction packing module 801 by the device of decompiling, prevents binary file by the device of decompiling as the arbitrary example of accompanying drawing 8-a to accompanying drawing 8-e.Rubbish instruction packing module 801 is for filling rubbish instruction at described reserved address space, and described rubbish instruction comprises the random statement of generation and/or the statement of redirect random site.
The embodiment of the present invention gives a kind of terminal, and what this terminal may be used for implementing providing in above-described embodiment prevents binary file by the method for decompiling.Specifically: terminal can include one or more computer-readable recording mediums storer, more than one or one process the parts such as the processor of core.It will be understood by those skilled in the art that the restriction of above-mentioned terminal structure not structure paired terminal, more or less parts can be comprised, or combine some parts, or different parts are arranged.Wherein:
Storer can be used for storing software program and module, and processor is stored in software program and the module of storer by running, thus performs the application of various function and data processing.Storer mainly can comprise storage program district and store data field, and wherein, storage program district can store operating system, application program (such as sound-playing function, image player function etc.) etc. needed at least one function; Store data field and can store the data etc. created according to the use of terminal.In addition, storer can comprise high-speed random access memory, can also comprise nonvolatile memory, such as at least one disk memory, flush memory device or other volatile solid-state parts.Correspondingly, storer can also comprise Memory Controller, to provide processor to the access of storer.
Although not shown, terminal can also comprise camera, bluetooth module etc., does not repeat them here.Specifically in the present embodiment, the display unit of terminal is touch-screen display, terminal also includes storer, and one or more than one program, one of them or more than one program are stored in storer, and are configured to be performed by more than one or one processor state more than one or one routine package containing the instruction for carrying out following operation:
Search the execution entrance of function to be modified in binary file;
From the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified;
Change the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
Suppose that above-mentioned is the first possible embodiment, then, in the embodiment that the second provided based on the embodiment that the first is possible is possible, in the storer of described terminal, also comprise the instruction for performing following operation:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.
Suppose the above-mentioned embodiment possible for the second, then, in the third the possible embodiment provided based on the embodiment that the second is possible, in the storer of described terminal, also comprise to give an order:
Described instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
At the described address A of next-door neighbour
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.
Suppose the above-mentioned embodiment possible for the second, then, in the 4th kind of possible embodiment provided based on the embodiment that the second is possible, in the storer of described terminal, also comprise to give an order:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
Suppose that above-mentioned is the 4th kind of possible embodiment, then, in the 5th kind of possible embodiment provided based on the 4th kind of possible embodiment, in the storer of described terminal, also comprise to give an order:
By described critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k;
Depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
If described execution sequence in described function to be modified needs reserved address space between some instructions of change larger, based on first, second, third, fourth or the 5th kind of possible embodiment and in the 6th kind of possible embodiment provided, in the storer of described terminal, also comprise to give an order:
Fill rubbish instruction at described reserved address space, described rubbish instruction comprises the random statement of generation and/or the statement of redirect random site.
As another aspect, yet another embodiment of the invention additionally provides a kind of computer-readable recording medium, and this computer-readable recording medium can be the computer-readable recording medium comprised in the storer in above-described embodiment; Also can be individualism, be unkitted the computer-readable recording medium allocated in terminal.Described computer-readable recording medium stores more than one or one program, and described more than one or one program is used for execution one by one or more than one processor and prevents binary file by the method for decompiling, and described method comprises:
Search the execution entrance of function to be modified in binary file;
From the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified;
Change the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
Suppose that above-mentioned is the first possible embodiment, in the embodiment that the second then provided based on the embodiment that the first is possible is possible, described from the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified, comprising:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.
Suppose the above-mentioned embodiment possible for the second, in the third the possible embodiment then provided based on the embodiment that the second is possible, the execution sequence of the described some instructions determined of described change in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset, comprising:
Described instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
At the described address A of next-door neighbour
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.
Suppose the above-mentioned embodiment possible for the second, in the 4th kind of possible embodiment then provided based on the embodiment that the second is possible, described from the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified, comprising:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
Suppose that above-mentioned is the 4th kind of possible embodiment, in the 5th kind of possible embodiment then provided based on the 4th kind of possible embodiment, the execution sequence of the described some instructions determined of described change in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset, comprising:
By described critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k;
Depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
If described execution sequence in described function to be modified needs reserved address space between some instructions of change larger, based on first, second, third, fourth or the 5th kind of possible embodiment and in the 6th kind of possible embodiment provided, described method also comprises:
Fill rubbish instruction at described reserved address space, described rubbish instruction comprises the random statement of generation and/or the statement of redirect random site.
It should be noted that, the content such as information interaction, implementation between each module/unit of said apparatus, due to the inventive method embodiment based on same design, its technique effect brought is identical with the inventive method embodiment, particular content see describing in the inventive method embodiment, can repeat no more herein.
One of ordinary skill in the art will appreciate that all or part of step in the various methods of above-described embodiment is that the hardware that can carry out instruction relevant by program has come, this program can be stored in a computer-readable recording medium, storage medium can comprise: ROM (read-only memory) (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), disk or CD etc.
Above a kind of binary file that prevents that the embodiment of the present invention provides is described in detail by the method and apparatus of decompiling, apply specific case herein to set forth principle of the present invention and embodiment, the explanation of above embodiment just understands method of the present invention and core concept thereof for helping; Meanwhile, for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.
Claims (12)
1. prevent binary file by a method for decompiling, it is characterized in that, described method comprises:
Search the execution entrance of function to be modified in binary file;
From the execution entrance of described function to be modified, determine some instructions of the execution sequence needs change in described function to be modified;
Change the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
2. method according to claim 1, is characterized in that, described from the execution entrance of described function to be modified, determines some instructions of the execution sequence needs change in described function to be modified, comprising:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.
3. method according to claim 2, is characterized in that, the execution sequence of the described some instructions determined of described change in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset, comprising:
Described instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
At the described address A of next-door neighbour
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.
4. method according to claim 1, is characterized in that, described from the execution entrance of described function to be modified, determines some instructions of the execution sequence needs change in described function to be modified, comprising:
From the execution entrance of described function to be modified, travel through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
5. method according to claim 4, is characterized in that, the execution sequence of the described some instructions determined of described change in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset, comprising:
By described critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k;
Depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
6. the method according to claim 1 to 5 any one, is characterized in that, if described execution sequence in described function to be modified needs reserved address space between some instructions of change comparatively large, then described method also comprises:
Fill rubbish instruction at described reserved address space, described rubbish instruction comprises the random statement of generation and/or the statement of redirect random site.
7. prevent binary file by a device for decompiling, it is characterized in that, described device comprises:
Entrance searches module, for searching the execution entrance of function to be modified in binary file;
Determination module, for the execution entrance from described function to be modified, determines some instructions of the execution sequence needs change in described function to be modified;
Order changes module, for changing the execution sequence of the described some instructions determined in described function to be modified, by the function that the execution sequence that described function to be modified becomes instruction is upset.
8. device according to claim 7, is characterized in that, described determination module comprises:
First Traversal Unit, for the execution entrance from described function to be modified, travels through the instruction in described function to be modified, if the instruction C of traversal
pbe present in default instruction list, then determine described instruction C
pfor the execution sequence in described function to be modified needs some instructions of change.
9. device according to claim 8, is characterized in that, described order changes module and comprises:
First instruction injection unit, for described instruction C
pfrom address A
cp1place moves apart to address A
cp2behind place, at described address A
cp1place's injection first jump instruction, jumps to described address A after described first jump instruction performs
cp2place performs described instruction C
p;
Second instruction injection unit, for being close to described address A
cp2the next address A at place
cp3place's injection second jump instruction, jumps to described address A after described second jump instruction performs
cp1the next address A at place
cp4place performs described address A
cp4the instruction at place.
10. device according to claim 7, is characterized in that, described determination module comprises:
Second Traversal Unit, for the execution entrance from described function to be modified, travels through the instruction in described function to be modified, if the instruction C of traversal
kthe data of access are critical data D
k, then described instruction C is determined
kfor the execution sequence in described function to be modified needs some instructions of change.
11. devices according to claim 10, is characterized in that, described order changes module and comprises:
Data processing unit, for by described critical data D
kfrom described function to be modified, described critical data D is removed stored in Dongle
k;
3rd instruction injection unit, for depositing described instruction C
kaddress A
ck1critical data access instruction is injected at place, for reading described critical data D from described Dongle after described critical data access instruction performs
k.
12. devices according to claim 7 to 11 any one, is characterized in that, if described execution sequence in described function to be modified needs reserved address space between some instructions of change comparatively large, then described device also comprises:
Rubbish instruction packing module, for filling rubbish instruction at described reserved address space, described rubbish instruction comprises the random statement of generation and/or the statement of redirect random site.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310450080.6A CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
TW103130631A TW201512877A (en) | 2013-09-27 | 2014-09-04 | Method for preventing binary files from being decompiled and apparatus thereof |
PCT/CN2014/086775 WO2015043408A1 (en) | 2013-09-27 | 2014-09-18 | Method of protecting binary file from being decompiled and device thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310450080.6A CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104517044A true CN104517044A (en) | 2015-04-15 |
CN104517044B CN104517044B (en) | 2019-02-26 |
Family
ID=52742036
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310450080.6A Active CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN104517044B (en) |
TW (1) | TW201512877A (en) |
WO (1) | WO2015043408A1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
CN106529225A (en) * | 2016-10-27 | 2017-03-22 | 努比亚技术有限公司 | Device and method for protecting source code of application program |
CN107480479A (en) * | 2017-08-15 | 2017-12-15 | 北京奇虎科技有限公司 | Reinforcement means and device, computing device, the computer-readable storage medium of application program |
CN109558745A (en) * | 2017-09-25 | 2019-04-02 | 赖育承 | Method for protecting electronic file and computer program product thereof |
CN115048623A (en) * | 2022-04-01 | 2022-09-13 | 上海任意门科技有限公司 | Method, computing device and storage medium for encrypting code |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106055937B (en) * | 2016-05-25 | 2018-11-09 | 深圳创维数字技术有限公司 | A kind of encryption method and system of software static data |
CN108875320B (en) * | 2018-07-17 | 2021-10-08 | 北京元心科技有限公司 | Software security protection method and device, electronic equipment and computer storage medium |
WO2021095188A1 (en) * | 2019-11-14 | 2021-05-20 | 日本電気株式会社 | Obfuscation device, obfuscation method, and recording medium |
CN111651188B (en) * | 2020-06-01 | 2023-06-02 | 上海艾拉比智能科技有限公司 | Differential packet data result determining method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101807239A (en) * | 2010-03-29 | 2010-08-18 | 山东高效能服务器和存储研究院 | Method for preventing source code from decompiling |
CN102118512A (en) * | 2011-03-28 | 2011-07-06 | 阮晓迅 | Method and system for preventing application program of mobile phone from being cracked |
CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Software protection method based on shell technology |
CN103186746A (en) * | 2013-03-26 | 2013-07-03 | 北京深思数盾科技有限公司 | Protection method and system of executable file |
US20130232343A1 (en) * | 1999-07-29 | 2013-09-05 | Intertrust Technologies Corporation | Software self-defense systems and methods |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8056138B2 (en) * | 2005-02-26 | 2011-11-08 | International Business Machines Corporation | System, method, and service for detecting improper manipulation of an application |
US20070074046A1 (en) * | 2005-09-23 | 2007-03-29 | Czajkowski David R | Secure microprocessor and method |
US8615735B2 (en) * | 2011-05-03 | 2013-12-24 | Apple Inc. | System and method for blurring instructions and data via binary obfuscation |
US8751823B2 (en) * | 2011-08-01 | 2014-06-10 | Apple Inc. | System and method for branch function based obfuscation |
-
2013
- 2013-09-27 CN CN201310450080.6A patent/CN104517044B/en active Active
-
2014
- 2014-09-04 TW TW103130631A patent/TW201512877A/en unknown
- 2014-09-18 WO PCT/CN2014/086775 patent/WO2015043408A1/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130232343A1 (en) * | 1999-07-29 | 2013-09-05 | Intertrust Technologies Corporation | Software self-defense systems and methods |
CN101807239A (en) * | 2010-03-29 | 2010-08-18 | 山东高效能服务器和存储研究院 | Method for preventing source code from decompiling |
CN102118512A (en) * | 2011-03-28 | 2011-07-06 | 阮晓迅 | Method and system for preventing application program of mobile phone from being cracked |
CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Software protection method based on shell technology |
CN103186746A (en) * | 2013-03-26 | 2013-07-03 | 北京深思数盾科技有限公司 | Protection method and system of executable file |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
CN106295327B (en) * | 2015-05-14 | 2020-06-23 | 腾讯科技(深圳)有限公司 | Executable file reinforcing method and device |
CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
CN106529225A (en) * | 2016-10-27 | 2017-03-22 | 努比亚技术有限公司 | Device and method for protecting source code of application program |
CN107480479A (en) * | 2017-08-15 | 2017-12-15 | 北京奇虎科技有限公司 | Reinforcement means and device, computing device, the computer-readable storage medium of application program |
CN107480479B (en) * | 2017-08-15 | 2020-08-07 | 北京奇虎科技有限公司 | Application program reinforcing method and device, computing equipment and computer storage medium |
CN109558745A (en) * | 2017-09-25 | 2019-04-02 | 赖育承 | Method for protecting electronic file and computer program product thereof |
CN115048623A (en) * | 2022-04-01 | 2022-09-13 | 上海任意门科技有限公司 | Method, computing device and storage medium for encrypting code |
Also Published As
Publication number | Publication date |
---|---|
WO2015043408A1 (en) | 2015-04-02 |
CN104517044B (en) | 2019-02-26 |
TW201512877A (en) | 2015-04-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104517044A (en) | Method and device for protecting binary file from being decompiled | |
US10776087B2 (en) | Sequence optimizations in a high-performance computing environment | |
CN102934082B (en) | For the methods, devices and systems of binary translation | |
CN103413075B (en) | A kind of method and apparatus of protecting JAVA executable program by virtual machine | |
CN105303104A (en) | Dynamic execution prevention to inhibit return-oriented programming | |
CN109840410A (en) | The method and system of data isolation and protection in a kind of process | |
US20130036473A1 (en) | System and method for branch function based obfuscation | |
EP2942727B1 (en) | Return-oriented programming as an obfuscation technique | |
US20120284688A1 (en) | System and method for blurring instructions and data via binary obfuscation | |
CN105930694A (en) | Flexible Instruction Sets For Obfuscated Virtual Machines | |
CN104798075A (en) | Application randomization | |
US20110167407A1 (en) | System and method for software data reference obfuscation | |
CN103034544A (en) | Management method and device for user mode and kernel mode to share memory | |
CN101782868A (en) | Method and device for performance testing for local method call | |
US10809988B2 (en) | Processor emulation using multiple translations | |
CN105849698B (en) | Protection is executed in dynamic programming | |
Hui et al. | Cross-platform mobile applications for android and iOS | |
CN103677778A (en) | Method for analyzing Classref constant of CAP file | |
US8887142B2 (en) | Loop control flow diversion | |
CN104321774B (en) | For the anti-reversing engineering and/or method alterred program, system and equipment | |
CN103064654A (en) | Integrated circuit and electronic system and renewable method providing one time programmable (OTP) internal memory configuration | |
CN104090804A (en) | Virtual memory expansion method for real-time DSP embedded system | |
CN107180168A (en) | File loading, generation method and device, and intelligent terminal | |
CN104133668A (en) | Apparatus and method for translating multithread program code | |
CN107977577A (en) | access instruction access detection method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |