CN104517044B - It is a kind of to prevent method and apparatus of the binary file by decompiling - Google Patents
It is a kind of to prevent method and apparatus of the binary file by decompiling Download PDFInfo
- Publication number
- CN104517044B CN104517044B CN201310450080.6A CN201310450080A CN104517044B CN 104517044 B CN104517044 B CN 104517044B CN 201310450080 A CN201310450080 A CN 201310450080A CN 104517044 B CN104517044 B CN 104517044B
- Authority
- CN
- China
- Prior art keywords
- instruction
- function
- modified
- address
- execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 230000008859 change Effects 0.000 claims abstract description 48
- 238000002347 injection Methods 0.000 claims description 27
- 239000007924 injection Substances 0.000 claims description 27
- 230000009191 jumping Effects 0.000 claims 2
- 230000006870 function Effects 0.000 description 149
- 238000010276 construction Methods 0.000 description 10
- 238000012986 modification Methods 0.000 description 6
- 230000004048 modification Effects 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000012545 processing Methods 0.000 description 4
- 229910002056 binary alloy Inorganic materials 0.000 description 3
- 238000013461 design Methods 0.000 description 3
- 238000007630 basic procedure Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 235000015110 jellies Nutrition 0.000 description 1
- 239000008274 jelly Substances 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
Method and apparatus of the binary file by decompiling are prevented the invention discloses a kind of, enhance the safety of binary program in relatively simple mode.The described method includes: searching the execution entrance of function to be modified in binary file;Since the execution entrance of the function to be modified, some instructions that the execution in the function to be modified sequentially needs to change are determined;The some instructions for changing the determination execute sequence in the function to be modified, the function that the execution sequence that the function to be modified becomes instruction is upset.After the execution sequence multilated of the corresponding instruction of binary file, substantially increase the difficulty to the binary file decompiling, therefore, method provided in an embodiment of the present invention can effectively prevent binary file by decompiling by the way of fairly simple, to improve the safety of software product.
Description
Technical field
The present invention relates to computer safety fields, and in particular to a kind of to prevent method and dress of the binary file sequence by decompiling
It sets.
Background technique
Decompiling belongs to computer reverse engineering (Reverse Engineering) the i.e. model of computer software reduction engineering
Farmland refers to and carries out conversed analysis, research work by the target program (executable file) to other people softwares, to derive other people
Software product used in the design elements such as thinking, principle, structure, algorithm, treatment process and operation method, opened as oneself
Feel like jelly part when reference, or be directly used in the software product of oneself.High-level programming language source program becomes by compiling can
The process for executing file (executable file) is exactly the process compiled, and decompiling is exactly the inverse process compiled, i.e., by machine
The process of code (usually being write by assembler language) → high-level programming language.So-called machine code is the meter indicated with binary code
A kind of set of machine instruction of function Direct Recognition and execution is calculated, it is that the designer of computer passes through the hardware knot of computer
The operating function of structure imparting computer.Machine code has the characteristics that flexibly, directly to execute and speed is fast.One instruction is exactly machine
One sentence of code, it is one group of significant binary code, the basic format of instruction are as follows: opcode field+address code word
Section, wherein operation code specifies the character of operation and function of instruction, and address code then gives the address of operand or operand.
Under normal conditions, executable file is not instead of directly become high-level language source code by decompiling, it is first turned
Change assembler into.Since machine code is the computer language of more bottom, generally may be implemented by modifying machine code to can
It executes file (executable file), for example, the modification of .exe file .sys file and .elf file etc..Therefore, no matter
It is that can get this angle of the design element of software product from the angle of direct modification machine code, or from by decompiling, it is soft
Part product producer wishes that the i.e. corresponding machine code of its software product has certain confidentiality.Only machine code has certain
Confidentiality, just can increase modification machine code difficulty, the difficulty of decompiling can also be increased.
Currently, there are no occur a kind of simple and easy and binary program can be prevented anti-in computer safety field
The technical solution of compiling.
Summary of the invention
The embodiment of the present invention provides a kind of method and apparatus for preventing binary file by decompiling, with relatively simple side
The safety of formula enhancing binary program.
The embodiment of the present invention provides a kind of method for preventing binary file by decompiling, described to include:
Search the execution entrance of function to be modified in binary file;
Since the execution entrance of the function to be modified, determine that the execution sequence in the function to be modified needs more
The some instructions changed;
The some instructions for changing the determination execute sequence in the function to be modified, and the function to be modified is become
The function upset at the execution sequence of instruction.
Device of the binary file by decompiling is prevented another embodiment of the present invention provides a kind of, described device includes:
Entrance searching module, for searching the execution entrance of function to be modified in binary file;
Determining module, for determining in the function to be modified since the execution entrance of the function to be modified
The some instructions that execution sequentially needs to change;
Sequence change module, some instructions for changing the determination execute sequence in the function to be modified,
The function that the execution sequence that the function to be modified becomes instruction is upset.
It was found from the embodiments of the present invention, it is determined that several fingers that the execution in function to be modified sequentially needs to change
After order, the execution is sequentially needed the execution sequence for some instructions changed changed, thus by the letter to be modified
The function that several execution sequences for becoming instruction are upset, is equivalent to and has upset binary file correspondence by generating new machine code
Binary code.After the execution sequence multilated of the corresponding instruction of binary file, substantially increase to binary system text
The difficulty of part decompiling, therefore, method provided in an embodiment of the present invention can be effectively prevent by the way of fairly simple two into
File processed is by decompiling, to improve the safety of software product.
Detailed description of the invention
Fig. 1 is the basic procedure schematic diagram of the method by decompiling provided in an embodiment of the present invention that prevents binary file;
Fig. 2-a is the instruction and its storage address schematic diagram that function to be modified provided in an embodiment of the present invention includes;
Fig. 2-b is the instruction and jump instruction that white space provided in an embodiment of the present invention is added to that function to be modified includes
Schematic diagram;
Fig. 2-c is the schematic diagram after the execution sequence of the instruction in function to be modified provided in an embodiment of the present invention changes;
Fig. 3 is the device logical construction schematic diagram provided in an embodiment of the present invention for preventing binary file by decompiling;
Fig. 4 be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 5 be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 6 be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 7 be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 8-a be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 8-b be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 8-c be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 8-d be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure;
Fig. 8-e be another embodiment of the present invention provides prevent binary file by decompiling device logical construction signal
Figure.
Specific embodiment
The embodiment of the present invention provides a kind of method for preventing binary file by decompiling, which comprises searches two
The execution entrance of function to be modified in binary file;Since the execution entrance of the function to be modified, determine described to be repaired
Change some instructions that the execution in function sequentially needs to change;The some instructions of the determination are changed in the function to be modified
Execute sequence, the function to be modified is become to the function upset of execution sequence of instruction.The embodiment of the present invention also provides phase
A kind of device for preventing binary program by decompiling answered.It is described in detail separately below.
The embodiment of the present invention prevent binary file by the method for decompiling can be applied on smart phone using soft
Application software on part, such as Android intelligent, basic procedure can refer to Fig. 1, it is main comprising steps of
S101 searches the execution entrance of function to be modified in binary file.
For existing operating system, application program or executable file are largely binary file, binary system text
Part is made of function.In general, the execution entrance of function is first instruction execution position, therefore, either to executable text
Part is modified or dis-assembling, and the execution entrance of function is all an important break-through point.The execution entrance of function is found,
Mean to have found the function.It in embodiments of the present invention, can be by being in function beginning inserting instruction content to be modified
" mov r2, r2;" continuous several (for example, continuous 4) machine codes, to find function to be modified in binary file
Address executes entrance.It should be noted that in embodiments of the present invention, so-called function to be modified refers to instruction therein
Function to be modified is not necessarily referring to its execution logic or function needs to modify by execution sequence.
S102 determines that the execution sequence in function to be modified needs to change since the execution entrance of function to be modified
Some instructions.
Computer will be greatly increased once the execution sequence of instruction therein changes for the program that machine code is write
Therefore the enforcement difficulty of reverse engineering executes sequence by change directive, will improve the security performance of software product.
As one embodiment of the invention, since the execution entrance of function to be modified, determine in the function to be modified
In execution sequentially some instructions changed is needed to may is that since the execution entrance of the function to be modified, described in traversal
Instruction in function to be modified, if the instruction C of traversalpIt is present in preset instruction catalogue, it is determined that described instruction CpFor it is described to
The some instructions that execution in Modification growth function sequentially needs to change.That is, for binary file to be protected, it can be with thing
The instruction in its function is first investigated, some instructions that will wherein need the execution in the function to be modified sequentially to need to change
It is stored in an instruction catalogue in advance.The instruction for constantly obtaining traversal during traversing the instruction in function to be modified and finger
The instruction stored in advance in table is enabled to compare, if discovery instruction CpIt is present in preset instruction catalogue, it is determined that described instruction CpIt is described
One of some instructions that execution in the function to be modified sequentially needs to change.
In an alternative embodiment of the invention, it since the execution entrance of function to be modified, determines in the function to be modified
In execution sequentially some instructions changed is needed to may also is that since the execution entrance of function to be modified, traversal it is described to
Instruction in Modification growth function, if the instruction C of traversalkThe data of access are critical data Dk, it is determined that described instruction CkFor described
The some instructions that execution in function to be modified sequentially needs to change.
S103, some instructions for changing the determination execute sequence in the function to be modified, will be described to be modified
Function becomes the function that the execution sequence of instruction is upset.
When the execution entrance since function to be modified, the instruction in the function to be modified is traversed, if the instruction of traversal
CpIt is present in preset instruction catalogue, it is determined that described instruction CpIt needs to change for the execution sequence in the function to be modified
Some instructions, as the execution since the execution entrance of function to be modified, determined in the function to be modified sequentially needs
When one embodiment of some instructions of change, accordingly, as one embodiment of the invention, several fingers of the determination are changed
Order executes sequence in the function to be modified, and the function that the execution sequence that the function to be modified becomes instruction is upset can
To include following S1031 and S1032:
S1031 instructs CpFrom address Acp1Place is moved away to address Acp2Behind place, in the address Acp1Place's injection first jumps
Instruction, first jump instruction jump to the address A after executingcp2Place executes described instruction Cp;
S1032, close to the address Acp2The next address A at placecp3Place's the second jump instruction of injection, described second jumps
The address A is jumped to after instruction executioncp1The next address A at placecp4Place executes the address Acp4The instruction at place.Below in conjunction with
Attached drawing 2-a to attached drawing 2-c, illustrates the process of above-mentioned S1031 and S1032.
The function body of function to be modified as shown in attached drawing 2-a, it is assumed that it includes 4 instructions " ADD R4, R4, #
1;", " MOV R0, R5;","BL puts;" and " CMP R4, #0x1E;" it is the instruction for needing to change execution sequence, this 4 fingers
The address for enabling corresponding storage is " 000086CC ", " 000086D0 ", " 000086D4 " and " 000086D8 " respectively, for example,
" text:000086CC ADD R4, R4, #1;" indicate that instruction ADD R4, R4, #1 are stored in the position that address is 000086CC.
With " ADD R4, R4, #1;" for this instruction, it is assumed that except the memory space of the function to be modified shown in the attached drawing 2-a, also
There are certain white spaces, as shown in attached drawing 2-b, the address of white space be followed successively by " 00008754 ", " 00008758 ",
" 0000875C " and " 00008760 ".Assuming that the instruction C that S1031 is referred topSpecifically instruct " ADD R4, R4, #1;", S1031 is mentioned
And address Acp1Specifically attached drawing 2-a exemplary address 000086CC, the address A that S1031 is referred tocp2Specifically attached drawing 2-b shows
The address 00008754 of example, the address A that S1032 is referred tocp3The exemplary address 00008758 specifically attached drawing 2-b and/or address
The address A that 0000875C, S1032 are referred tocp4The exemplary address 000086D0 of specifically attached drawing 2-a or attached drawing 2-c, then instruct
" ADD R4, R4, #1;" be moved away from from address 000086CC to address 00008754, first is injected at the 000086CC of address jumps
Turning instruction is " B loc_8754;", as shown in attached drawing 2-c.First jump instruction " B loc_8754;" it is a unconditional jump
Instruction jumps at address 00008754 after executing and executes instruction " ADD R4, R4, #1;".Exemplary close to attached drawing 2-b
It is " BEQ that the second jump instruction is injected at next address address 00008758 and/or address 0000875C at address 00008754
loc_86D0;" and/or " BNE loc_86D0;".Due to " BEQ loc_86D0;" expression " ADD R4, R4, #1;" after execution
It is jumped at the 000086D0 of address when being as a result equal and executes instruction " MOV R0, R5;", " BNE loc_86D0;" expression " ADD
R4, R4, #1;" result after execution jumps at the 000086D0 of address when being unequal and execute instruction " MOV R0, R5;", because
This, the second jump instruction " BEQ loc_86D0;" and/or " BNE loc_86D0;" after execution, as a result, can jump to ground
Instruction " the MOV R0, R5 at the 000086D0 of address are executed at next address 000086D0 at the 000086CC of location;".Such as to more
Change instruction " BL puts;" and " CMP R4, #0x1E;" execute sequence, method is similar.
From the foregoing it may be appreciated that exemplary instruction " the ADD R4, R4, #1 of attached drawing 2-a;" and " MOV R0, R5;" to be modified
Former in function execute sequence (i.e. function modified before execute sequence) be to have executed " ADD R4, R4, #1;" followed by execute
" MOV R0, R5;", by the change of the execution sequence of above-mentioned S1031 and S1032, become holding in function after the modification
Row sequence is successively to execute instruction " B loc_8754;", " ADD R4, R4, #1;","BEQ loc_86D0;" (and/or " BNE
loc_86D0;") and " MOV R0, R5;".
When the execution entrance since function to be modified, the instruction in the function to be modified is traversed, if the instruction of traversal
CkThe data of access are critical data Dk, it is determined that described instruction CkIt is needed more for the execution sequence in the function to be modified
The some instructions changed, as since the execution entrance of function to be modified, determination executes sequence in the function to be modified
When another embodiment for some instructions for needing to change, accordingly, as another embodiment of the present invention, if changing the determination
Dry instruction executes sequence in the function to be modified, the letter that the execution sequence that the function to be modified becomes instruction is upset
Number may include following S ' 1031 and S ' 1032:
S ' 1031, by critical data DkDeposit Dongle simultaneously removes the critical data from the function to be modified
Dk。
S ' 1032, in storage described instruction CkAddress Ack1Place's injection critical data access instruction, the critical data are visited
It is used to read the critical data D from the Dongle after asking instruction executionk。
When instruction execution, the object executed can be accessed data, therefore, if some critical data is passed through certain
Kind mode protects, then the corresponding instruction of the critical data is converted to another type of instruction, passes through another type
The instruction access of type makes the critical data protected by some way, can also play the difficulty for preventing binary file by decompiling
Degree, to improve the safety of software product.For example, it is assumed that the Dongle in S ' 1031 is that the good hardware of encryption performance adds
Close device, by critical data DkIt is stored in the Dongle and removes the critical data D from the function to be modifiedkAfterwards,
If desired the critical data D is accessedk, then storage instruction C is had to be used inkAddress Ack1The critical data access of place's injection refers to
It enables.Due to using the critical data access instruction to read the critical data D from the DonglekShi Keneng needs one
Therefore fixed permission plays the difficulty for preventing binary file by decompiling, to improve the safety of software product.
In above-described embodiment, if being reserved between some instructions that the execution in the function to be modified sequentially needs to change
Address space is larger, and the self-contained access data command of function is less, then the method that above-described embodiment refers to further include:
The reserved address space filling rubbish instruction, the instruction of these rubbish include the sentence being randomly generated and/or jump random site
Sentence etc., increase the complexity of function to be modified with this, to also can effectively prevent binary file by decompiling.
From the embodiments of the present invention provide prevent binary file by the method for decompiling it was found from, it is determined that be repaired
After changing some instructions that the execution in function sequentially needs to change, the execution for some instructions that the execution sequentially is needed to change
Sequence is changed, so that the function that the execution sequence that the function to be modified becomes instruction is upset, is equivalent to and passes through
It generates new machine code and has upset the corresponding binary code of binary file.Since the execution of the corresponding instruction of binary file is suitable
After sequence multilated, the difficulty to the binary file decompiling is substantially increased, therefore, method energy provided in an embodiment of the present invention
Enough it effectively prevent binary file by decompiling by the way of fairly simple, to improve the safety of software product.
Two are prevented to the embodiment of the present invention for executing the above-mentioned method by decompiling that prevents binary file below
Binary file is illustrated by the device of decompiling, and basic logical structure refers to Fig. 3.For ease of description, it illustrate only
Part related to the embodiment of the present invention.Attached drawing 3 is exemplary, and to prevent binary file by the device of decompiling mainly include entrance
Searching module 301, determining module 302 and sequence change module 303, detailed description are as follows for each module:
Entrance searching module 301, for searching the execution entrance of function to be modified in binary file;
Determining module 302, for determining in the function to be modified since the execution entrance of the function to be modified
The execution some instructions that sequentially need to change;
Sequence change module 303, it is suitable for changing execution of some instructions of the determination in the function to be modified
Sequence, the function that the execution sequence that the function to be modified becomes instruction is upset.
Prevent binary file by the embodiment of the device of decompiling it should be noted that the figures above 3 is exemplary,
The division of each functional module is merely illustrative of, and can according to need in practical application, for example, corresponding hardware configuration requirement or
The convenient of the realization of person's software considers, and above-mentioned function distribution is completed by different functional modules, i.e., by it is described prevent two into
File processed is divided into different functional modules by the internal structure of the device of decompiling, to complete whole described above or portion
Divide function.Moreover, the corresponding functional module in the present embodiment can be by corresponding hardware realization in practical application, it can also
It is completed with executing corresponding software by corresponding hardware, for example, entrance searching module above-mentioned, can be has execution is aforementioned to look into
The hardware of the execution entrance of function to be modified in binary file, such as entrance finder are looked for, is also possible to be able to carry out corresponding
Computer program is to complete the general processor or other hardware devices of aforementioned function;For another example sequence above-mentioned changes mould
Block can be some instructions for being previously used for changing the determination with execution and execute sequence in the function to be modified,
The hardware of function performance that the execution sequence that the function to be modified becomes instruction is upset, such as sequence change device, can also be with
It is to be able to carry out corresponding computer program to complete the general processor or other hardware device (this specification of aforementioned function
The each embodiment provided can all apply foregoing description principle).
Attached drawing 3 is exemplary to prevent binary file by the device of decompiling, and determining module 302 may include the first traversal
Unit 401, as shown in Fig. 4 another embodiment of the present invention provides prevent device of the binary file by decompiling.First pass
Unit 401 is gone through for traversing the instruction in the function to be modified since the execution entrance of the function to be modified, if traversal
Instruction CpIt is present in preset instruction catalogue, it is determined that described instruction CpIt is needed for the execution sequence in the function to be modified
The some instructions of change.
Attached drawing 4 is exemplary to prevent binary file by the device of decompiling, and it may include first that sequence, which changes module 303,
Instruct injection unit 501 and second instruction injection unit 502, as shown in Fig. 5 another embodiment of the present invention provides prevent two
Binary file is by the device of decompiling, in which:
First instruction injection unit 501, is used for described instruction CpFrom address Acp1Place is moved away to address Acp2Behind place, described
Address Acp1Place's the first jump instruction of injection, first jump instruction jump to the address A after executingcp2Place executes the finger
Enable Cp;
Second instruction injection unit 502, for close to the address Acp2The next address A at placecp3Place's injection second is jumped
Turn instruction, second jump instruction jumps to the address A after executingcp1The next address A at placecp4Place executes the address
Acp4The instruction at place.
Attached drawing 3 is exemplary to prevent binary file by the device of decompiling, and determining module 302 may include the second traversal
Unit 601, as shown in Fig. 6 another embodiment of the present invention provides prevent device of the binary file by decompiling.Second time
Unit 601 is gone through for traversing the instruction in the function to be modified since the execution entrance of the function to be modified, if traversal
Instruction CkThe data of access are critical data Dk, it is determined that described instruction CkTo execute sequence in the function to be modified
The some instructions for needing to change.
Attached drawing 6 is exemplary to prevent binary file by the device of decompiling, and it may include data that sequence, which changes module 303,
Processing unit 701 and third instruct injection unit 702, as shown in Fig. 7 another embodiment of the present invention provides prevent binary system
File is by the device of decompiling, in which:
Data processing unit 701 is used for the critical data DkIt is stored in Dongle and from the function to be modified
It is middle to remove the critical data Dk;
Third instructs injection unit 702, in storage described instruction CkAddress Ack1Injection critical data access in place's refers to
It enables, the critical data access instruction is used to read the critical data D from the Dongle after executingk。
If in above-described embodiment, being reserved between some instructions that the execution in the function to be modified sequentially needs to change
Address space is larger, attached drawing 3 to 7 any example of attached drawing prevent binary file by the device of decompiling further include rubbish instruction
Module 801 is filled, as attached drawing 8-a prevents device of the binary file by decompiling to attached drawing 8-e any example.Rubbish instruction
It fills module 801 to be used in the reserved address space filling rubbish instruction, the rubbish instruction includes the sentence being randomly generated
And/or jump the sentence of random site.
The embodiment of the present invention gives a kind of terminal, and what which can be used for implementing providing in above-described embodiment prevents two
Binary file is by the method for decompiling.Specifically: terminal may include having one or more computer-readable storage mediums
The components such as processor of the memory of matter, one or more than one processing core.It will be understood by those skilled in the art that above-mentioned
The restriction of terminal structure not structure paired terminal, may include more or fewer components, perhaps combine certain components or not
Same component layout.Wherein:
Memory can be used for storing software program and module, and processor is stored in the software program of memory by operation
And module, thereby executing various function application and data processing.Memory can mainly include storing program area and storage number
According to area, wherein storing program area can application program needed for storage program area, at least one function (for example sound plays function
Energy, image player function etc.) etc.;Storage data area, which can be stored, uses created data etc. according to terminal.In addition, memory
May include high-speed random access memory, can also include nonvolatile memory, a for example, at least disk memory,
Flush memory device or other volatile solid-state parts.Correspondingly, memory can also include Memory Controller, to provide
Access of the processor to memory.
Although being not shown, terminal can also include camera, bluetooth module etc., and details are not described herein.Specifically in this implementation
In example, the display unit of terminal is touch-screen display, and terminal further includes having memory and one or more than one journey
Sequence, perhaps more than one program is stored in memory and is configured to by one or more than one processor for one of them
Execution states one or more than one program includes the instruction for performing the following operation:
Search the execution entrance of function to be modified in binary file;
Since the execution entrance of the function to be modified, determine that the execution sequence in the function to be modified needs more
The some instructions changed;
The some instructions for changing the determination execute sequence in the function to be modified, and the function to be modified is become
The function upset at the execution sequence of instruction.
Assuming that above-mentioned is the first possible embodiment, then provided based on the first possible embodiment
Second of possible embodiment in, in the memory of the terminal, also include instructions for performing the following operations:
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, if the finger of traversal
Enable CpIt is present in preset instruction catalogue, it is determined that described instruction CpIt needs to change for the execution sequence in the function to be modified
Some instructions.
Assuming that above-mentioned is second of possible embodiment, then provided based on second of possible embodiment
The third possible embodiment in, in the memory of the terminal, also comprising to give an order:
Described instruction CpFrom address Acp1Place is moved away to address Acp2Behind place, in the address Acp1Place's injection first jumps finger
It enables, first jump instruction jumps to the address A after executingcp2Place executes described instruction Cp;
Close to the address Acp2The next address A at placecp3Place's the second jump instruction of injection, second jump instruction are held
The address A is jumped to after rowcp1The next address A at placecp4Place executes the address Acp4The instruction at place.
Assuming that above-mentioned is second of possible embodiment, then provided based on second of possible embodiment
The 4th kind of possible embodiment in, in the memory of the terminal, also comprising to give an order:
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, if the finger of traversal
Enable CkThe data of access are critical data Dk, it is determined that described instruction CkIt is needed for the execution sequence in the function to be modified
The some instructions of change.
Assuming that above-mentioned is the 4th kind of possible embodiment, then provided based on the 4th kind of possible embodiment
The 5th kind of possible embodiment in, in the memory of the terminal, also comprising to give an order:
By the critical data DkDeposit Dongle simultaneously removes the critical data D from the function to be modifiedk;
In storage described instruction CkAddress Ack1Place's injection critical data access instruction, the critical data access instruction
For reading the critical data D from the Dongle after executionk。
If reserving address space between some instructions that the execution in the function to be modified sequentially needs to change
The 6th kind of possibility that be larger, being provided based on first, second, third, fourth or the 5th kind of possible embodiment
Embodiment in, in the memory of the terminal, also comprising to give an order:
In the reserved address space filling rubbish instruction, the rubbish instruction includes the sentence being randomly generated and/or jump
Turn the sentence of random site.
As on the other hand, yet another embodiment of the invention additionally provides a kind of computer readable storage medium, the computer
Readable storage medium storing program for executing can be computer readable storage medium included in the memory in above-described embodiment;It is also possible to list
Solely exist, without the computer readable storage medium in supplying terminal.The computer-readable recording medium storage have one or
More than one program of person, the one or more programs are used to execute one by one or more than one processor
Prevent method of the binary file by decompiling, which comprises
Search the execution entrance of function to be modified in binary file;
Since the execution entrance of the function to be modified, determine that the execution sequence in the function to be modified needs more
The some instructions changed;
The some instructions for changing the determination execute sequence in the function to be modified, and the function to be modified is become
The function upset at the execution sequence of instruction.
Assuming that above-mentioned is the first possible embodiment, then provided based on the first possible embodiment
Second of possible embodiment in, it is described since the execution entrance of the function to be modified, determine described to be modified
The some instructions that execution in function sequentially needs to change, comprising:
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, if the finger of traversal
Enable CpIt is present in preset instruction catalogue, it is determined that described instruction CpIt needs to change for the execution sequence in the function to be modified
Some instructions.
Assuming that above-mentioned is second of possible embodiment, then provided based on second of possible embodiment
The third possible embodiment in, execution of some instructions of the change determination in the function to be modified is suitable
Sequence, the function that the execution sequence that the function to be modified becomes instruction is upset, comprising:
Described instruction CpFrom address Acp1Place is moved away to address Acp2Behind place, in the address Acp1Place's injection first jumps finger
It enables, first jump instruction jumps to the address A after executingcp2Place executes described instruction Cp;
Close to the address Acp2The next address A at placecp3Place's the second jump instruction of injection, second jump instruction are held
The address A is jumped to after rowcp1The next address A at placecp4Place executes the address Acp4The instruction at place.
Assuming that above-mentioned is second of possible embodiment, then provided based on second of possible embodiment
The 4th kind of possible embodiment in, it is described since the execution entrance of the function to be modified, determine described to be modified
The some instructions that execution in function sequentially needs to change, comprising:
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, if the finger of traversal
Enable CkThe data of access are critical data Dk, it is determined that described instruction CkIt is needed for the execution sequence in the function to be modified
The some instructions of change.
Assuming that above-mentioned is the 4th kind of possible embodiment, then provided based on the 4th kind of possible embodiment
The 5th kind of possible embodiment in, execution of some instructions of the change determination in the function to be modified is suitable
Sequence, the function that the execution sequence that the function to be modified becomes instruction is upset, comprising:
By the critical data DkDeposit Dongle simultaneously removes the critical data D from the function to be modifiedk;
In storage described instruction CkAddress Ack1Place's injection critical data access instruction, the critical data access instruction
For reading the critical data D from the Dongle after executionk。
If reserving address space between some instructions that the execution in the function to be modified sequentially needs to change
The 6th kind of possibility that be larger, being provided based on first, second, third, fourth or the 5th kind of possible embodiment
Embodiment in, the method also includes:
In the reserved address space filling rubbish instruction, the rubbish instruction includes the sentence being randomly generated and/or jump
Turn the sentence of random site.
It should be noted that the contents such as information exchange, implementation procedure between each module/unit of above-mentioned apparatus, due to
Embodiment of the present invention method is based on same design, and bring technical effect is identical as embodiment of the present invention method, particular content
It can be found in the narration in embodiment of the present invention method, details are not described herein again.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of above-described embodiment is can
It is completed with instructing relevant hardware by program, which can be stored in a computer readable storage medium, storage
Medium may include: read-only memory (ROM, Read Only Memory), random access memory (RAM, Random
Access Memory), disk or CD etc..
It is provided for the embodiments of the invention a kind of method and apparatus progress for preventing binary file by decompiling above
It is discussed in detail, used herein a specific example illustrates the principle and implementation of the invention, above embodiments
Explanation be merely used to help understand method and its core concept of the invention;At the same time, for those skilled in the art,
According to the thought of the present invention, there will be changes in the specific implementation manner and application range, in conclusion in this specification
Appearance should not be construed as limiting the invention.
Claims (6)
1. a kind of prevent method of the binary file by decompiling, which is characterized in that the described method includes:
Search the execution entrance of function to be modified in binary file;
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, in the instruction C of traversalkIt visits
The data asked are critical data DkIn the case where, it is determined that described instruction CkIt is needed for the execution sequence in the function to be modified
The some instructions to be changed;
If it is larger to reserve address space between some instructions that the execution in the function to be modified sequentially needs to change, and letter
The self-contained access data command of number is less, then rubbish instruction is filled at the reserved address space, wherein the rubbish
Instruction includes the sentence being randomly generated and/or the sentence for jumping random site;
The some instructions for changing the determination execute sequence in the function to be modified, and the function to be modified is become to refer to
The function upset of execution sequence of order includes:
By the critical data DkDeposit Dongle simultaneously removes the critical data D from the function to be modifiedk;
In storage described instruction CkAddress Ack1Place's injection critical data access instruction, after the critical data access instruction executes
For reading the critical data D from the Donglek。
2. the method according to claim 1, wherein described since the execution entrance of the function to be modified,
Determine some instructions that the execution in the function to be modified sequentially needs to change, comprising:
Since the execution entrance of the function to be modified, the instruction in the function to be modified is traversed, in the instruction C of traversalpIt visits
The data asked are non-critical data Dk, but the instruction C traversedpIn the case where being present in preset instruction catalogue, it is determined that the finger
Enable CpThe some instructions for sequentially needing to change for the execution in the function to be modified.
3. according to the method described in claim 2, it is characterized in that, some instructions of the change determination are described to be repaired
Change in function and executes sequence, the function that the execution sequence that the function to be modified becomes instruction is upset, comprising:
Described instruction CpFrom address Acp1Place is moved away to address Acp2Behind place, in the address Acp1Place's the first jump instruction of injection, institute
It states after the first jump instruction executes and jumps to the address Acp2Place executes described instruction Cp;
Close to the address Acp2The next address A at placecp3Place's the second jump instruction of injection, after second jump instruction executes
Jump to the address Acp1The next address A at placecp4Place executes the address Acp4The instruction at place.
4. a kind of prevent device of the binary file by decompiling, which is characterized in that described device includes:
Entrance searching module, for searching the execution entrance of function to be modified in binary file;
Determining module, for traversing the instruction in the function to be modified since the execution entrance of the function to be modified,
The instruction C of traversalkThe data of access are critical data DkIn the case where, it is determined that described instruction CkFor in the function to be modified
In the execution some instructions that sequentially need to change;
Sequence change module, some instructions for changing the determination execute sequence in the function to be modified, by institute
Stating function to be modified to become the function that the execution instructed sequence is upset includes: by the critical data DkIt is stored in Dongle simultaneously
The critical data D is removed from the function to be modifiedk;In storage described instruction CkAddress Ack1Place's injection critical data is visited
It asks and is used to read the critical data D from the Dongle after instruction, the critical data access instruction executek;
Wherein, described device is also used to: if between some instructions that the execution in the function to be modified sequentially needs to change
Reserved address space is larger, and the self-contained access data command of function is less, then fills at the reserved address space
Rubbish instruction, wherein the rubbish instruction includes the sentence being randomly generated and/or the sentence for jumping random site.
5. device according to claim 4, which is characterized in that the determining module includes:
First Traversal Unit, for traversing the finger in the function to be modified since the execution entrance of the function to be modified
It enables, in the instruction C of traversalpThe data of access are non-critical data Dk, but the instruction C traversedpIt is present in preset instruction catalogue
In the case of, it is determined that described instruction CpThe some instructions for sequentially needing to change for the execution in the function to be modified.
6. device according to claim 5, which is characterized in that the sequence changes module and includes:
First instruction injection unit, is used for described instruction CpFrom address Acp1Place is moved away to address Acp2Behind place, in the address Acp1
Place's the first jump instruction of injection, first jump instruction jump to the address A after executingcp2Place executes described instruction Cp;
Second instruction injection unit, for close to the address Acp2The next address A at placecp3Place's the second jump instruction of injection,
Second jump instruction jumps to the address A after executingcp1The next address A at placecp4Place executes the address Acp4The finger at place
It enables.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310450080.6A CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
| TW103130631A TW201512877A (en) | 2013-09-27 | 2014-09-04 | Method for preventing binary files from being decompiled and apparatus thereof |
| PCT/CN2014/086775 WO2015043408A1 (en) | 2013-09-27 | 2014-09-18 | Method of protecting binary file from being decompiled and device thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310450080.6A CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104517044A CN104517044A (en) | 2015-04-15 |
| CN104517044B true CN104517044B (en) | 2019-02-26 |
Family
ID=52742036
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310450080.6A Active CN104517044B (en) | 2013-09-27 | 2013-09-27 | It is a kind of to prevent method and apparatus of the binary file by decompiling |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN104517044B (en) |
| TW (1) | TW201512877A (en) |
| WO (1) | WO2015043408A1 (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106295327B (en) * | 2015-05-14 | 2020-06-23 | 腾讯科技(深圳)有限公司 | Executable file reinforcing method and device |
| CN105354009B (en) * | 2015-10-14 | 2021-01-01 | 北京深思数盾科技股份有限公司 | Protection method for firmware |
| CN106055937B (en) * | 2016-05-25 | 2018-11-09 | 深圳创维数字技术有限公司 | A kind of encryption method and system of software static data |
| CN106529225A (en) * | 2016-10-27 | 2017-03-22 | 努比亚技术有限公司 | Device and method for protecting source code of application program |
| CN107480479B (en) * | 2017-08-15 | 2020-08-07 | 北京奇虎科技有限公司 | Application program reinforcing method and device, computing equipment and computer storage medium |
| TW201915810A (en) * | 2017-09-25 | 2019-04-16 | 英屬維爾京群島商伊格拉斯控股有限公司 新竹市新安路5號4樓之1 107,206室 | A method of protecting a electronic file and a computer program product that completes the method |
| CN108875320B (en) * | 2018-07-17 | 2021-10-08 | 北京元心科技有限公司 | Software security protection method and device, electronic equipment and computer storage medium |
| WO2021095188A1 (en) * | 2019-11-14 | 2021-05-20 | 日本電気株式会社 | Obfuscation device, obfuscation method, and recording medium |
| CN111651188B (en) * | 2020-06-01 | 2023-06-02 | 上海艾拉比智能科技有限公司 | Differential packet data result determining method, device, equipment and storage medium |
| CN115048623A (en) * | 2022-04-01 | 2022-09-13 | 上海任意门科技有限公司 | Method, computing device and storage medium for encrypting code |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101807239A (en) * | 2010-03-29 | 2010-08-18 | 山东高效能服务器和存储研究院 | Method for preventing source code from decompiling |
| CN102118512A (en) * | 2011-03-28 | 2011-07-06 | 阮晓迅 | Method and system for preventing application program of mobile phone from being cracked |
| CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Shell technology based software protection method |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7430670B1 (en) * | 1999-07-29 | 2008-09-30 | Intertrust Technologies Corp. | Software self-defense systems and methods |
| US8056138B2 (en) * | 2005-02-26 | 2011-11-08 | International Business Machines Corporation | System, method, and service for detecting improper manipulation of an application |
| US20070074046A1 (en) * | 2005-09-23 | 2007-03-29 | Czajkowski David R | Secure microprocessor and method |
| US8615735B2 (en) * | 2011-05-03 | 2013-12-24 | Apple Inc. | System and method for blurring instructions and data via binary obfuscation |
| US8751823B2 (en) * | 2011-08-01 | 2014-06-10 | Apple Inc. | System and method for branch function based obfuscation |
| CN103186746B (en) * | 2013-03-26 | 2016-05-18 | 北京深思数盾科技股份有限公司 | A kind of guard method of executable file and system |
-
2013
- 2013-09-27 CN CN201310450080.6A patent/CN104517044B/en active Active
-
2014
- 2014-09-04 TW TW103130631A patent/TW201512877A/en unknown
- 2014-09-18 WO PCT/CN2014/086775 patent/WO2015043408A1/en active Application Filing
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101807239A (en) * | 2010-03-29 | 2010-08-18 | 山东高效能服务器和存储研究院 | Method for preventing source code from decompiling |
| CN102118512A (en) * | 2011-03-28 | 2011-07-06 | 阮晓迅 | Method and system for preventing application program of mobile phone from being cracked |
| CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Shell technology based software protection method |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2015043408A1 (en) | 2015-04-02 |
| CN104517044A (en) | 2015-04-15 |
| TW201512877A (en) | 2015-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104517044B (en) | It is a kind of to prevent method and apparatus of the binary file by decompiling | |
| CN109840410A (en) | The method and system of data isolation and protection in a kind of process | |
| US20130262092A1 (en) | Narrative Generator | |
| CN105117621B (en) | The control levelling exhibitionization of Code obfuscation | |
| CN103927187B (en) | Program execution method of embedded system | |
| CN104636275B (en) | The information protecting method and device of a kind of MCU chip | |
| US10926181B2 (en) | Method, apparatus, computer program and recording medium for providing game service | |
| US20110167407A1 (en) | System and method for software data reference obfuscation | |
| EP2942727B1 (en) | Return-oriented programming as an obfuscation technique | |
| CN105930694A (en) | Flexible Instruction Sets For Obfuscated Virtual Machines | |
| CN106293669A (en) | A kind of generation method and apparatus of web pages component | |
| CN110050258A (en) | The application program piracy of safe prefecture protection with automated modular function prevents | |
| CN107977577A (en) | access instruction access detection method and device | |
| CN106126225B (en) | A kind of object code reverse engineering approach based on program evolution model | |
| US8423974B2 (en) | System and method for call replacement | |
| KR102270789B1 (en) | Processor and method for processing command of processor | |
| CN104573421B (en) | A kind of MCU chip information protecting method and device based on some subregions | |
| Horton et al. | Android: Game Programming | |
| CN102799434B (en) | A kind of method utilizing software protecting equipment to realize automatic code transplanting | |
| Ilinkin | Opportunities for android projects in a CS1 course | |
| CN105653954B (en) | A kind of method and device detecting malicious code | |
| CN102902548B (en) | The generation method and device of assembly level internal memory reproducing standards built-in function | |
| CN107533478A (en) | The migration of computer system | |
| Horton | Beginning C++ Game Programming: Learn to program with C++ by building fun games | |
| Martinez et al. | Freedom in Video Game Dialog: An Improvement on Player Immersion |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |