CN108052806B - File protection method and device, computing equipment and computer storage medium - Google Patents


Info

Publication number
CN108052806B
Authority
CN
China
Prior art keywords
instruction
processed
private key
syntax tree
abstract syntax
Legal status
Active
Application number
CN201711455712.2A
Other languages
Chinese (zh)
Other versions
CN108052806A (en)
Inventor
汪德嘉
华保健
邵根波
赵迪
刘庆川
Current Assignee
Jiangsu Tongfudun Information Security Technology Co ltd
Original Assignee
Jiangsu Tongfudun Information Security Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G06F 21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Abstract

The invention discloses a file protection method, a file protection device, a computing device and a computer storage medium, wherein the file protection method comprises the following steps: constructing an abstract syntax tree corresponding to an instruction to be protected in an original program file; encrypting at least one instruction to be processed in the abstract syntax tree to obtain a processed abstract syntax tree; and compiling the processed abstract syntax tree to obtain a processed program file. The technical scheme provided by the invention can construct the abstract syntax tree corresponding to the instruction to be protected in the original program file, and encrypt the instruction to be processed in the abstract syntax tree to obtain the processed program file, thereby increasing the difficulty of decompilation, effectively preventing the instruction in the program file from being maliciously obtained by other people and ensuring the safety of the program file.

Description

File protection method and device, computing equipment and computer storage medium
Technical Field
The invention relates to the technical field of internet, in particular to a file protection method, a file protection device, a computing device and a computer storage medium.
Background
With the continuous development of technology, the number of users of smart terminals is growing explosively, and many applications installed on smart terminals have become an indispensable part of users' daily lives. How to secure the applications a user relies on has therefore become the biggest problem when using an application. In the prior art, an application program on a smart terminal is generally protected by shell-adding (packing) reinforcement: the files in which the application program to be protected resides (for example, binary files such as so files and dex files) are directly encrypted and decrypted, that is, a section of encryption code and a section of decryption code are added to the files. When the user operates on the file, it is first decrypted once and opened, and after the operation it is encrypted once again, so that the file is always kept in a protected state. This method can prevent the application program's code from being decompiled and analysed to a certain extent, and thus safeguards the application program.
However, in the prior-art file protection method, the entire content of the file in which the program to be protected resides is treated as a whole, and a single section of encryption code is added to that whole to perform one encryption. Therefore, when a lawless person wants to maliciously acquire the protected program from the file, only one decryption of the file's encrypted code is required. The prior-art file protection mode thus suffers from low decryption difficulty and easy decompilation analysis.
Disclosure of Invention
In view of the above, the present invention has been made to provide a file protection method, apparatus, computing device and computer storage medium that overcome or at least partially address the above-mentioned problems.
According to an aspect of the present invention, there is provided a file protection method, including:
constructing an abstract syntax tree corresponding to an instruction to be protected in an original program file;
encrypting at least one instruction to be processed in the abstract syntax tree to obtain a processed abstract syntax tree;
and compiling the processed abstract syntax tree to obtain a processed program file.
According to another aspect of the present invention, there is provided a file protection apparatus, including:
the building module is used for building an abstract syntax tree corresponding to the instruction to be protected in the original program file;
the first processing module is used for encrypting at least one instruction to be processed in the abstract syntax tree to obtain a processed abstract syntax tree;
and the compiling module is used for compiling the processed abstract syntax tree to obtain a processed program file.
According to yet another aspect of the present invention, there is provided a computing device comprising a processor, a memory and a communication interface, which communicate with one another through a communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the file protection method.
According to still another aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, and the executable instruction causes a processor to execute operations corresponding to the file protection method.
According to the technical scheme provided by the invention, an abstract syntax tree corresponding to the instruction to be protected in the original program file is constructed, at least one instruction to be processed in the abstract syntax tree is encrypted to obtain a processed abstract syntax tree, and the processed abstract syntax tree is compiled to obtain a processed program file. The technical scheme provided by the invention can construct the abstract syntax tree corresponding to the instruction to be protected in the original program file, and encrypt the instruction to be processed in the abstract syntax tree to obtain the processed program file, thereby increasing the difficulty of decompilation, effectively preventing the instruction in the program file from being maliciously obtained by other people and ensuring the safety of the program file.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic flowchart of a first embodiment of a file protection method provided by the present invention;
FIG. 2 is a flowchart illustrating a second embodiment of a file protection method according to the present invention;
FIG. 3 is a block diagram of a first embodiment of a file protection apparatus according to the present invention;
FIG. 4 is a block diagram illustrating a second embodiment of a file protection device according to the present invention;
fig. 5 is a schematic structural diagram of an embodiment of a computing device provided by the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The present invention can protect the program file in the application program, the program file is an executable file, and the type of the program file can be a so file, a Linux platform executable file, an ios platform executable file, an osx platform executable file, an android platform executable file, etc., which is not limited in the present invention.
Fig. 1 shows a schematic flow diagram of a first embodiment of a file protection method provided by the present invention, and as shown in fig. 1, the method includes the following steps:
step S100, constructing an abstract syntax tree corresponding to the instruction to be protected in the original program file.
The original program file refers to an original program file in the application program, the original program file includes a plurality of instructions, and in order to prevent malicious acquisition by others, part or all of the instructions in the original program file need to be protected. In the invention, the instruction needing protection in the original program file is called as the instruction to be protected. In step S100, the file content of the original program file is parsed, and an abstract syntax tree corresponding to the instruction to be protected in the original program file is constructed according to the instruction to be protected in the original program file, where the abstract syntax tree is a tree representation of an abstract syntax structure of the instruction to be protected. A grammar is said to be "abstract" in that the grammar in the abstract syntax tree does not represent every detail that appears in the real grammar, and every node in the abstract syntax tree represents a structure.
Step S101, at least one instruction to be processed in the abstract syntax tree is encrypted to obtain a processed abstract syntax tree.
The instructions in the abstract syntax tree correspond to the instructions to be protected in the original program file, and the instructions in the abstract syntax tree and the instructions to be protected in the original program file substantially represent the same instruction content through different expression forms. In order to distinguish from the instruction to be protected in the original program file, in the present invention, the instruction that needs to be encrypted in the abstract syntax tree is referred to as the instruction to be processed, in step S101, at least one instruction to be processed in the abstract syntax tree is encrypted, and the processed abstract syntax tree is obtained according to the encryption processing. The skilled person in the art may select one or more to-be-processed instructions to be encrypted from the abstract syntax tree according to actual needs, or may encrypt all the to-be-processed instructions in the abstract syntax tree, which is not limited herein.
And step S102, compiling the processed abstract syntax tree to obtain a processed program file.
After the processed abstract syntax tree is obtained, the processed abstract syntax tree can be compiled, so that a processed program file is obtained. The processed program file may be a binary file. Because the processed program file is compiled according to the processed abstract syntax tree, and the processed abstract syntax tree is obtained by encrypting at least one instruction to be processed in the abstract syntax tree, the obtained processed program file has higher decryption difficulty, when other people perform decompilation processing on the processed program file, multiple times of decryption processing are required, the decompilation difficulty is increased, and the safety of the program file is effectively ensured.
According to the file protection method provided by the embodiment, an abstract syntax tree corresponding to a to-be-protected instruction in an original program file is constructed, at least one to-be-processed instruction in the abstract syntax tree is encrypted to obtain a processed abstract syntax tree, and the processed abstract syntax tree is compiled to obtain a processed program file. The technical scheme provided by the invention can construct the abstract syntax tree corresponding to the instruction to be protected in the original program file, and encrypt the instruction to be processed in the abstract syntax tree to obtain the processed program file, thereby increasing the difficulty of decompilation, effectively preventing the instruction in the program file from being maliciously obtained by other people and ensuring the safety of the program file.
Fig. 2 shows a schematic flow diagram of a second embodiment of the file protection method provided by the present invention, and as shown in fig. 2, the method includes the following steps:
and step S200, storing the operating environment of the instruction to be protected in the original program file.
In order to keep the operating environments before and after processing consistent, it is necessary to save the operating environment of the instruction to be protected in the original program file of the application program. Specifically, the data in all registers when the instruction to be protected in the original program file is executed may be saved, for example, the data in all registers may be saved in a memory of a computing device such as a computer.
Step S201, performing decompilation processing on the instruction to be protected in the original program file to obtain a decompilation result.
Specifically, a decompilation tool can be used to perform decompilation processing on the instruction to be protected in the original program file to obtain a decompilation result. The decompilation tool can be selected by those skilled in the art according to actual needs, and is not limited herein.
Step S202, according to the decompilation result, generating an abstract syntax tree corresponding to the instruction to be protected.
After the decompilation result is obtained, a tree representation form of the abstract syntax structure of the instruction to be protected can be generated according to the decompilation result, that is, an abstract syntax tree corresponding to the instruction to be protected is generated.
Step S203, at least one instruction to be processed is determined and obtained from the abstract syntax tree.
The abstract syntax tree comprises a plurality of instructions, and at least one instruction to be processed can be determined from the instructions in the abstract syntax tree according to the instruction type, a random function or the like. It will be appreciated that all instructions in the abstract syntax tree may also be determined as instructions to be processed.
Step S204, aiming at each instruction to be processed in at least one instruction to be processed, a first private key corresponding to the instruction to be processed and a first encryption code mapped with the first private key are generated.
After the at least one instruction to be processed is determined, a first private key corresponding to the instruction to be processed and a first encryption code mapped with the first private key are generated for each instruction to be processed of the at least one instruction to be processed. The generated first private key may be an encryption key such as a random number; a person skilled in the art may set the first private key according to actual needs, which is not limited herein.
Optionally, the generated first private key and first encryption code may differ between instructions to be processed, which contributes to increased decompilation difficulty. For example, for instruction to be processed 1, the generated first private key and the first encryption code mapped to it are private key 1 and encryption code 1 respectively; for instruction to be processed 2, they are private key 2 and encryption code 2 respectively, where private key 1 differs from private key 2 and encryption code 1 differs from encryption code 2.
Step S205, encrypt the instruction to be processed by using the first private key and the first encryption code, to obtain an instruction encryption ciphertext corresponding to the instruction to be processed.
Each instruction to be processed of the at least one instruction to be processed is encrypted using its corresponding first private key and first encryption code, so as to obtain the instruction encryption ciphertext corresponding to that instruction. Specifically, the first private key may be input into the first encryption code mapped with it, and the instruction to be processed is then encrypted to obtain its instruction encryption ciphertext. In the invention, the instruction to be processed is associated with its instruction encryption ciphertext through the first private key. For example, if the first private key and first encryption code generated for instruction to be processed 1 are private key 1 and encryption code 1, and those generated for instruction to be processed 2 are private key 2 and encryption code 2, then in step S205 instruction to be processed 1 is encrypted using private key 1 and encryption code 1 to obtain instruction encryption ciphertext 1, and instruction to be processed 2 is encrypted using private key 2 and encryption code 2 to obtain instruction encryption ciphertext 2.
Step S206, obtaining the processed abstract syntax tree according to the instruction encryption ciphertext corresponding to the at least one instruction to be processed.
After each instruction to be processed of the at least one instruction to be processed has been encrypted to obtain its corresponding instruction encryption ciphertext, the processed abstract syntax tree is obtained according to the instruction encryption ciphertext corresponding to the at least one instruction to be processed.
Further, after the encryption processing, in order for the user to run the application program smoothly, a first public key corresponding to the first private key and a first decryption code mapped to the first public key may be generated for each instruction to be processed of the at least one instruction to be processed, where the first public key and the first decryption code are used to decrypt the instruction encryption ciphertext. In this case each instruction to be processed has its own first public key and first decryption code, so a plurality of first public keys and first decryption codes exist. This may have some effect on the running speed of the application program, but because of the plurality of first public keys and first decryption codes, multiple decryption operations are required, which effectively increases the difficulty of decompilation.
In an alternative embodiment, the first public key and the first decryption code may also be generated from all of the first private keys and first encryption codes together, in which case only one first decryption code is required.
Specifically, the code obtained by processing the first decryption code with the first public key can be used to decrypt the instruction encryption ciphertext to obtain the instruction in plaintext form, so that the user can run the application program smoothly and normal use of the application program is not affected.
To further increase the difficulty of decompilation, after step S206 the method may further include a step of encrypting the processed abstract syntax tree. Specifically, a second private key is generated from the first private key corresponding to the at least one instruction to be processed, for example by performing arithmetic operations (addition, subtraction, multiplication, division and the like), shift operations or exclusive-or operations on the first private key; a second encryption code mapped to the second private key is generated; and the processed abstract syntax tree is then encrypted using the second private key and the second encryption code. For example, when the first private key is a random number, a random array formed by the first private keys corresponding to the instructions to be processed may be used as the second private key, a second encryption code mapped to the second private key is generated, and the second private key and the second encryption code are then used to encrypt the processed abstract syntax tree.
After the above encryption processing has been performed on the processed abstract syntax tree, in order for the user to run the application program smoothly, a second public key corresponding to the second private key and a second decryption code mapped to the second public key may be generated, where the second public key and the second decryption code are used to decrypt the processed abstract syntax tree.
And step S207, compiling the processed abstract syntax tree to obtain a processed program file.
Optionally, after step S207 the method may further include a step of encrypting the processed program file. Specifically, a third private key is obtained by performing arithmetic operations (addition, subtraction, multiplication, division and the like), shift operations, exclusive-or operations or the like on the first private key; a third encryption code mapped with the third private key is generated; and the processed program file is then encrypted using the third private key and the third encryption code. For example, when the first private key is a random number, a random array formed by the first private keys corresponding to the instructions to be processed may be used as the third private key, a third encryption code mapped to the third private key is generated, and the third private key and the third encryption code are then used to encrypt the processed program file.
After the encryption processing has been performed on the processed program file, in order for the user to run the application program smoothly, a third public key corresponding to the third private key and a third decryption code mapped with the third public key may be generated, where the third public key and the third decryption code are used to decrypt the processed program file.
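As an added example that is not part of the patent, the following Python models steps S203 to S206 together with the second encryption layer described above, and the layer-by-layer decryption the processed file needs at run time: each selected instruction node of a constructed toy AST is encrypted with its own fresh first key, a second key is derived from the first keys by exclusive-or, and the serialised tree is encrypted again with it. Assumptions of this example, not the patent's choices: the AST is a flat list of nodes, the "encryption code" is a SHA-256 counter-mode keystream, and the page's private/public key pair is modelled symmetrically (the same key decrypts).

```python
import hashlib
import secrets
from functools import reduce

# Constructed toy AST: a flat list of (mnemonic, operand) instruction nodes.
# A real AST is a tree; a list keeps the example short without changing the idea.
SAMPLE_AST = [("mov", 1), ("add", 2), ("xor", 3), ("ret", 0)]


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for the page's 'encryption code'
    mapped to a key (an assumption of this example, not the patent's cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encode_node(node) -> bytes:
    """Serialise one node as 4 mnemonic bytes (NUL padded) + a 2-byte operand."""
    mnemonic, operand = node
    return mnemonic.encode("ascii").ljust(4, b"\0") + operand.to_bytes(2, "big")


def decode_node(blob: bytes):
    return blob[:4].rstrip(b"\0").decode("ascii"), int.from_bytes(blob[4:], "big")


def encrypt_instructions(ast, selected):
    """Steps S203-S205: every selected node gets its own fresh first private key
    and is replaced by its ciphertext.  Returns (processed_ast, first_keys)."""
    first_keys, processed = {}, []
    for index, node in enumerate(ast):
        if index in selected:
            key = secrets.token_bytes(16)          # distinct key per instruction
            first_keys[index] = key
            processed.append(("enc", crypt(key, encode_node(node))))
        else:
            processed.append(node)
    return processed, first_keys


def derive_second_key(first_keys) -> bytes:
    """Second private key derived from the first keys by exclusive-or, one of
    the operations the page lists (arithmetic, shift, XOR)."""
    if not first_keys:
        raise ValueError("at least one instruction must be selected")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)),
                  first_keys.values())


def serialize(ast) -> bytes:
    """Fixed 7-byte records: a tag byte ('E' encrypted / 'P' plain) + 6 bytes."""
    return b"".join((b"E" + node[1]) if node[0] == "enc" else (b"P" + encode_node(node))
                    for node in ast)


def deserialize(blob: bytes):
    ast = []
    for i in range(0, len(blob), 7):
        tag, body = blob[i:i + 1], blob[i + 1:i + 7]
        ast.append(("enc", body) if tag == b"E" else decode_node(body))
    return ast


def protect(ast, selected):
    """Step S206 plus the second layer: the tree holding the per-instruction
    ciphertexts is serialised and encrypted again with the derived second key.
    Returns (ciphertext, first_keys, second_key)."""
    processed, first_keys = encrypt_instructions(ast, selected)
    second_key = derive_second_key(first_keys)
    return crypt(second_key, serialize(processed)), first_keys, second_key


def unprotect(ciphertext: bytes, first_keys, second_key: bytes):
    """Run-time counterpart (step S209): peel the outer layer first, then each
    instruction with its own key; one decryption alone never yields plaintext."""
    processed = deserialize(crypt(second_key, ciphertext))
    return [decode_node(crypt(first_keys[i], node[1])) if node[0] == "enc" else node
            for i, node in enumerate(processed)]


if __name__ == "__main__":
    blob, keys1, key2 = protect(SAMPLE_AST, {0, 2})
    print(len(blob), "bytes of protected tree,", len(keys1), "first keys")
    print(unprotect(blob, keys1, key2))
```

Removing only the outer layer still leaves the selected instructions as ciphertext, which is the "multiple decryptions required" property the description relies on.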
In step S208, repair processing is performed on the execution logic of the control transfer instruction in the processed program file.
Because the content of the processed program file differs from the original program file (for example, the code length has changed), the execution logic of control transfer instructions has changed, where control transfer instructions include but are not limited to jcc instructions, jmp instructions, ret instructions and call instructions. Repair processing therefore needs to be performed on the execution logic of the control transfer instructions in the processed program file.
Specifically, it is detected whether a control transfer instruction exists in the processed program file. If no control transfer instruction exists, the execution logic is not repaired. If a control transfer instruction exists, it is analysed to obtain its own address and its own jump address; the own jump address is determined as the target virtual address of the control transfer instruction; the offset between the target virtual address and the own address of the control transfer instruction is then calculated, where the offset may be the difference between the target virtual address and the own address; and the calculated offset is used as the operand of the control transfer instruction, which completes the repair of the execution logic of the control transfer instruction.
Taking a jmp instruction as an example of a control transfer instruction in the processed program file, suppose analysis of the jmp instruction shows that its own address is 10 and its own jump address is 30, that is, the target virtual address of the control transfer instruction is 30. The offset between the target virtual address and the own address of the jmp instruction is then 20, so 20 is used as the operand of the jmp instruction, completing the repair of its execution logic so that the jmp instruction jumps according to the original execution logic.
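As an added illustration (not code from the patent), the following Python models step S208 on a constructed instruction layout in which encryption has changed instruction lengths: it detects control transfer instructions, assigns each instruction its own address in the new layout, resolves the target virtual address, and writes the page's offset (target virtual address minus own address) into the operand, reproducing the jmp at address 10 that targets 30 and receives operand 20. The `Insn` record, the instruction lengths and the mnemonic set are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Control transfer mnemonics named on the page. "ret" carries no explicit
# target, so it is detected but needs no operand rewrite in this model.
CONTROL_TRANSFER = {"jmp", "jcc", "call", "ret"}


@dataclass
class Insn:
    """One instruction of the processed program file (constructed model)."""
    mnemonic: str
    length: int                     # byte length after processing; encrypted
                                    # blobs ("enc") are usually longer than the
                                    # plaintext instruction they replaced
    target: Optional[int] = None    # index of the instruction jumped to
    operand: Optional[int] = None   # relative offset written by the repair
    address: int = 0                # own address, assigned by layout()


def layout(program: List[Insn]) -> List[Insn]:
    """Assign each instruction its own (virtual) address in the new file."""
    address = 0
    for insn in program:
        insn.address = address
        address += insn.length
    return program


def repair_control_transfers(program: List[Insn]) -> List[Insn]:
    """Step S208: detect control transfer instructions and rewrite each
    operand as the offset between its target virtual address and its own
    address, exactly as the page defines it.  (Real ISAs such as x86 encode
    relative branches from the address of the following instruction; a
    production tool must follow the target ISA's convention instead.)"""
    layout(program)
    if not any(i.mnemonic in CONTROL_TRANSFER for i in program):
        return program                      # nothing to repair
    for insn in program:
        if insn.mnemonic in CONTROL_TRANSFER and insn.target is not None:
            # own jump address -> target virtual address in the new layout
            target_va = program[insn.target].address
            insn.operand = target_va - insn.address
    return program


def resolve(insn: Insn) -> int:
    """Where a repaired instruction actually lands: own address + operand."""
    return insn.address + insn.operand


def make_processed_sample() -> List[Insn]:
    """Constructed layout reproducing the page's numbers: the jmp sits at
    address 10 and its target instruction at 30 once the two encrypted
    blobs around it have grown to 10 and 15 bytes (originally 6 and 6 bytes,
    which put the target at 17, so the old absolute target would now be wrong)."""
    return [
        Insn("enc", 10),
        Insn("jmp", 5, target=3),
        Insn("enc", 15),
        Insn("ret", 1),
    ]


if __name__ == "__main__":
    for insn in repair_control_transfers(make_processed_sample()):
        print(insn)
```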
In step S209, when the processed program file is executed, the execution environment is restored.
Because the processed program file is compiled according to the processed abstract syntax tree, and the processed abstract syntax tree is obtained by encrypting at least one instruction to be processed in the abstract syntax tree, in order to keep the operating environments before and after processing consistent, when the processed program file is executed, the operating environment is restored to the stored operating environment.
Specifically, when the user runs the processed program file, it must be decrypted layer by layer to obtain the decrypted instruction to be protected; the running environment is then restored to the most recently saved running environment, the instruction to be protected is run, and the current running environment is saved for use when the running environment is restored next time. After the instruction to be protected has run, the encryption processing of this embodiment is applied to the decrypted instruction to be protected again, so that the instruction to be protected is always kept in a protected state, the decompilation difficulty is increased, and the instruction to be protected is not easy to decompile.
According to the file protection method provided by the embodiment of the invention, the abstract syntax tree corresponding to the to-be-protected instruction in the original program file can be constructed, each to-be-processed instruction in the abstract syntax tree is encrypted respectively, and the processed program file is obtained, so that the decompiling difficulty is greatly increased, the instruction in the program file is effectively prevented from being maliciously obtained by others, and the safety of the program file is ensured; in addition, the technical scheme also carries out repair processing on the execution logic of the control transfer instruction in the processed program file, and effectively ensures that the execution logic of the control transfer instruction before and after processing is unchanged.
Fig. 3 shows a block diagram of a first embodiment of a file protection device provided in the present invention, and as shown in fig. 3, the device includes: a build module 310, a first processing module 320, and a compile module 330.
The building module 310 is configured to construct an abstract syntax tree corresponding to the instruction to be protected in the original program file.
The first processing module 320 is configured to encrypt at least one instruction to be processed in the abstract syntax tree to obtain the processed abstract syntax tree.
The compiling module 330 is configured to compile the processed abstract syntax tree to obtain a processed program file.
According to the file protection device provided by the embodiment, the construction module constructs an abstract syntax tree corresponding to a to-be-protected instruction in an original program file, the first processing module encrypts at least one to-be-processed instruction in the abstract syntax tree to obtain a processed abstract syntax tree, and the compiling module compiles the processed abstract syntax tree to obtain a processed program file. According to the technical scheme provided by the invention, the abstract syntax tree corresponding to the instruction to be protected can be generated according to the original program file, the instruction to be processed in the abstract syntax tree is encrypted to obtain the processed program file, the decompilation difficulty is increased, the instruction in the program file is effectively prevented from being maliciously obtained by other people, and the safety of the program file is ensured.
Fig. 4 shows a block diagram of a second embodiment of the file protection apparatus provided by the present invention, and as shown in fig. 4, the apparatus includes: an environment saving module 410, a building module 420, a first processing module 430, a compiling module 440, a second processing module 450, a logic repair module 460, and an environment restoration module 470.
The environment saving module 410 is configured to save the operating environment of the instruction to be protected in the original program file.
The building module 420 is configured to: perform decompilation on the instruction to be protected in the original program file to obtain a decompilation result; and generate an abstract syntax tree corresponding to the instruction to be protected according to the decompilation result.
The first processing module 430 is configured to: determine at least one instruction to be processed from the abstract syntax tree; for each of the at least one instruction to be processed, generate a first private key corresponding to that instruction and a first encryption code mapped to the first private key; encrypt the instruction to be processed using the first private key and the first encryption code to obtain an instruction encryption ciphertext corresponding to that instruction; and obtain the processed abstract syntax tree from the instruction encryption ciphertexts corresponding to the at least one instruction to be processed.
After this encryption has been performed, so that the user can still run the application, the first processing module 430 is further configured to generate a first public key corresponding to the first private key and a first decryption code mapped to the first public key, where the first public key and the first decryption code are used to decrypt the instruction encryption ciphertext.
To further increase the difficulty of decompilation, the first processing module 430 is further configured to: generate a second private key according to the first private key corresponding to the at least one instruction to be processed, and generate a second encryption code mapped to the second private key; and encrypt the processed abstract syntax tree using the second private key and the second encryption code.
After this encryption has been performed on the processed abstract syntax tree, so that the user can still run the application, the first processing module 430 is further configured to generate a second public key corresponding to the second private key and a second decryption code mapped to the second public key, where the second public key and the second decryption code are used to decrypt the processed abstract syntax tree.
The compiling module 440 is configured to compile the processed abstract syntax tree to obtain a processed program file.
The second processing module 450 is configured to generate a third private key according to the first private key corresponding to the at least one instruction to be processed, generate a third encryption code mapped to the third private key, and encrypt the processed program file using the third private key and the third encryption code.
After this encryption has been performed on the processed program file, so that the user can still run the application, the second processing module 450 is further configured to generate a third public key corresponding to the third private key and a third decryption code mapped to the third public key, where the third public key and the third decryption code are used to decrypt the processed program file.
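The layered scheme described for the first processing module 430 and the second processing module 450 (one key and encryption code per instruction node, then a further key derived from those first keys over the whole tree, and the same pattern again over the compiled file) is easier to follow in code. The following is an added illustration, not the patent's or the applicant's code. It assumes: the patent names no cipher, so a toy HMAC-SHA256 keystream with an HMAC tag stands in for "encrypt with the private key and the encryption code"; the "encryption code" is modelled as a random per-key nonce; and the keys are symmetric, so the "public key / decryption code" the loader needs are the same key and nonce, collected in a keyring. The third layer over the program file is not repeated because it is the second layer applied to different bytes.

```python
"""Layered instruction encryption in the shape the embodiment describes (added example)."""
import hashlib
import hmac
import json
import os

# Constructed sample: a straight-line instruction body as a list of AST nodes.
SAMPLE_AST = [
    {"op": "load", "args": ["r1", "pin_len"]},
    {"op": "cmp", "args": ["r1", 6]},
    {"op": "jne", "args": ["deny"]},
    {"op": "call", "args": ["grant_access"]},
]

TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, n bytes long (toy stand-in for a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, code: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || tag. The tag stops a flipped byte in an
    encrypted instruction from silently decrypting to a different instruction."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, code, len(data))))
    tag = hmac.new(key, b"tag" + code + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, code: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + code + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, code, len(ct))))


def protect_ast(ast, rand=os.urandom):
    """First layer: a fresh key and code per instruction node. Second layer: a key
    derived from all first keys seals the whole processed tree. Returns
    (outer_blob, keyring); the keyring is what the loader needs at run time."""
    first_keys, nodes = [], []
    for node in ast:
        key, code = rand(32), rand(16)  # first private key, first encryption code
        first_keys.append(key)
        blob = seal(key, code, json.dumps(node, sort_keys=True).encode())
        nodes.append({"code": code.hex(), "ct": blob.hex()})  # instruction encryption ciphertext
    second_key = hashlib.sha256(b"".join(first_keys)).digest()  # derived from the first keys
    second_code = rand(16)
    outer = seal(second_key, second_code, json.dumps(nodes).encode())
    keyring = {"first_keys": [k.hex() for k in first_keys],
               "second_code": second_code.hex()}
    return outer, keyring


def recover_ast(outer: bytes, keyring: dict):
    """What the loader does at run time: peel the second layer, then each instruction."""
    first_keys = [bytes.fromhex(k) for k in keyring["first_keys"]]
    second_key = hashlib.sha256(b"".join(first_keys)).digest()
    nodes = json.loads(unseal(second_key, bytes.fromhex(keyring["second_code"]), outer))
    return [json.loads(unseal(k, bytes.fromhex(n["code"]), bytes.fromhex(n["ct"])))
            for k, n in zip(first_keys, nodes)]


if __name__ == "__main__":
    blob, ring = protect_ast(SAMPLE_AST)
    print(b"grant_access" in blob, recover_ast(blob, ring) == SAMPLE_AST)  # False True
```

Two design points follow from the code. First, the keyring (the patent's public keys and decryption codes) has to be present in the processed program or obtained by the loader at run time, so the scheme raises the cost of static decompilation rather than keeping the instructions secret from whoever controls the loader; the loader and its key handling become the part worth hardening. Second, encrypting without authenticating would let a single flipped ciphertext byte decrypt to an unintended instruction, which is why the example tags every layer and refuses to decrypt on a bad tag.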
The logic repair module 460 is configured to repair the execution logic of the control transfer instruction in the processed program file.
Specifically, the logic repair module 460 is further configured to: detect whether a control transfer instruction exists in the processed program file; if so, analyze the control transfer instruction in the processed program file to obtain the address of the control transfer instruction itself and the jump address corresponding to it, and determine that jump address as the target virtual address of the control transfer instruction; calculate the offset between the target virtual address and the address of the control transfer instruction itself; and use the offset as the operand of the control transfer instruction.
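The reason the repair step exists is that encrypting instructions changes their size and therefore every address after them, so a relative jump whose operand was computed for the original layout lands somewhere else. The following added example (not the patent's code) models that on a constructed toy program: instructions carry a byte size, a "protection" pass makes some of them larger, and the repair recomputes each control transfer operand as target virtual address minus the instruction's own address, exactly as the module above describes. The layout rules, opcode names and sizes are invented for illustration; real ISAs often measure relative offsets from the end of the instruction rather than its start, which would change only the subtraction.

```python
"""Control-transfer operand repair after instruction sizes change (added example)."""

BASE_VA = 0x1000

# Constructed sample program: sizes in bytes, jumps refer to labels symbolically.
ORIGINAL = [
    {"label": "start", "op": "load", "size": 3},
    {"op": "cmp", "size": 2},
    {"op": "jne", "target": "deny", "size": 2},
    {"op": "call", "size": 5},
    {"op": "jmp", "target": "end", "size": 2},
    {"label": "deny", "op": "ret", "size": 1},
    {"label": "end", "op": "ret", "size": 1},
]

CONTROL_TRANSFER_OPS = {"jmp", "jne", "je"}


def assign_addresses(program, base=BASE_VA):
    """Lay instructions out sequentially. Returns [(va, instr)] and label -> va."""
    va, laid, labels = base, [], {}
    for ins in program:
        if "label" in ins:
            labels[ins["label"]] = va
        laid.append((va, ins))
        va += ins["size"]
    return laid, labels


def repair_control_transfers(program, base=BASE_VA):
    """Detect control-transfer instructions, resolve own VA and target VA, and set
    operand = target_va - own_va (the offset definition used in the text)."""
    laid, labels = assign_addresses(program, base)
    repaired = []
    for va, ins in laid:
        ins = dict(ins)
        if ins["op"] in CONTROL_TRANSFER_OPS:
            target_va = labels[ins["target"]]       # the "jump address" of the instruction
            ins["operand"] = target_va - va         # offset relative to its own address
        repaired.append(ins)
    return repaired


def protect(program, grow_ops=("load", "call"), stub_bytes=8):
    """Toy stand-in for the encryption pass: protected instructions get larger
    (decryption stub plus ciphertext), shifting everything after them."""
    return [dict(ins, size=ins["size"] + stub_bytes) if ins["op"] in grow_ops else dict(ins)
            for ins in program]


def carry_operands(from_prog, to_prog):
    """Copy old operands onto the re-laid-out program without repair (what goes wrong)."""
    return [dict(b, **({"operand": a["operand"]} if "operand" in a else {}))
            for a, b in zip(from_prog, to_prog)]


def resolved_targets(program, base=BASE_VA):
    """Check: own VA plus operand must equal the VA of the named label."""
    laid, labels = assign_addresses(program, base)
    return {ins["target"]: va + ins["operand"] == labels[ins["target"]]
            for va, ins in laid if ins["op"] in CONTROL_TRANSFER_OPS}


if __name__ == "__main__":
    before = repair_control_transfers(ORIGINAL)
    stale = carry_operands(before, protect(ORIGINAL))
    after = repair_control_transfers(protect(ORIGINAL))
    print(resolved_targets(stale), resolved_targets(after))
    # {'deny': False, 'end': True} {'deny': True, 'end': True}
```

The stale case is the one to keep in mind when reviewing a protector like this: the `jmp` near the end still resolves by luck because nothing after it moved, while the `jne` earlier in the body silently points into the middle of another instruction. A check such as `resolved_targets` over every control transfer in the output is a cheap way to verify that the repair pass preserved execution logic before the file ships.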
The environment restoration module 470 is configured to restore the operating environment when the processed program file is executed.
According to the file protection device provided by the embodiment of the invention, the abstract syntax tree corresponding to the to-be-protected instruction in the original program file can be constructed, each to-be-processed instruction in the abstract syntax tree is encrypted respectively, and the processed program file is obtained, so that the decompiling difficulty is greatly increased, the instruction in the program file is effectively prevented from being maliciously obtained by others, and the safety of the program file is ensured; in addition, the technical scheme also carries out repair processing on the execution logic of the control transfer instruction in the processed program file, and effectively ensures that the execution logic of the control transfer instruction before and after processing is unchanged.
The invention also provides a nonvolatile computer storage medium, and the computer storage medium stores at least one executable instruction which can execute the file protection method in any method embodiment.
Fig. 5 is a schematic structural diagram of an embodiment of a computing device provided in the present invention, and a specific embodiment of the present invention does not limit a specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
The processor 502, the communication interface 504, and the memory 506 communicate with one another via the communication bus 508.
The communication interface 504 communicates with network elements of other devices, such as clients or other servers.
The processor 502 executes the program 510 and may specifically perform the relevant steps of the file protection method embodiments described above.
In particular, the program 510 may include program code containing computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 stores the program 510. The memory 506 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be configured to cause the processor 502 to execute a file protection method in any of the above-described method embodiments. For specific implementation of each step in the program 510, reference may be made to corresponding steps and corresponding descriptions in units in the above file protection embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.

Claims (24)

1. A method of file protection, comprising:
constructing an abstract syntax tree corresponding to an instruction to be protected in an original program file;
encrypting at least one instruction to be processed in the abstract syntax tree to obtain a processed abstract syntax tree;
compiling the processed abstract syntax tree to obtain a processed program file;
wherein the encrypting at least one instruction to be processed in the abstract syntax tree to obtain the processed abstract syntax tree further comprises: determining at least one instruction to be processed from the abstract syntax tree; generating, for each instruction to be processed in the at least one instruction to be processed, a first private key corresponding to the instruction to be processed and a first encryption code mapped with the first private key; encrypting the instruction to be processed by using the first private key and the first encryption code to obtain an instruction encryption ciphertext corresponding to the instruction to be processed; and obtaining the processed abstract syntax tree according to the instruction encryption ciphertext corresponding to the at least one instruction to be processed.
2. The file protection method according to claim 1, wherein the constructing an abstract syntax tree corresponding to the instruction to be protected in the original program file further comprises:
performing decompiling processing on the instruction to be protected in the original program file to obtain a decompiling result;
and generating an abstract syntax tree corresponding to the instruction to be protected according to the decompilation result.
3. The file protection method according to claim 2, wherein before performing decompilation processing on the instruction to be protected in the original program file to obtain a decompilation result, the method further comprises:
and storing the operating environment of the instruction to be protected in the original program file.
4. The file protection method according to claim 1, wherein after the generating a first private key corresponding to the instruction to be processed and an encryption code mapped to the first private key, the method further comprises:
and generating a first public key corresponding to the first private key and a first decryption code mapped with the first public key, wherein the first public key and the first decryption code are used for decrypting the instruction encrypted ciphertext.
5. The file protection method according to claim 1, wherein after the obtaining the processed abstract syntax tree according to the instruction encryption ciphertext corresponding to the at least one instruction to be processed, the method further comprises:
generating a second private key according to a first private key corresponding to at least one instruction to be processed, and generating a second encryption code mapped with the second private key;
and encrypting the processed abstract syntax tree by using the second private key and the second encryption code.
6. The file protection method of claim 5, wherein after generating a second private key from the first private key corresponding to the at least one instruction to be processed and generating a second encryption code mapped to the second private key, the method further comprises:
and generating a second public key corresponding to the second private key and a second decryption code mapped with the second public key, wherein the second public key and the second decryption code are used for decrypting the processed abstract syntax tree.
7. The file protection method according to claim 1, wherein after compiling the processed abstract syntax tree to obtain a processed program file, the method further comprises:
generating a third private key according to a first private key corresponding to at least one instruction to be processed, and generating a third encryption code mapped with the third private key;
and encrypting the processed program file by using the third private key and the third encryption code.
8. The file protection method of claim 7, wherein after generating a third private key from the first private key corresponding to the at least one instruction to be processed and generating a third encrypted code mapped to the third private key, the method further comprises:
and generating a third public key corresponding to the third private key and a third decryption code mapped with the third public key, wherein the third public key and the third decryption code are used for decrypting the processed program file.
9. The file protection method according to any one of claims 1 to 3, wherein after compiling the processed abstract syntax tree to obtain a processed program file, the method further comprises:
and repairing the execution logic of the control transfer instruction in the processed program file.
10. The file protection method according to claim 9, wherein the repairing the execution logic of the control transfer instruction in the processed program file further comprises:
detecting whether a control transfer instruction exists in the processed program file;
if so, analyzing the control transfer instruction in the processed program file to obtain the address of the control transfer instruction and a jump address corresponding to the control transfer instruction, and determining the jump address as a control transfer instruction target virtual address;
calculating the offset between the control transfer instruction target virtual address and the control transfer instruction self address;
the offset is used as an operand of the control transfer instruction.
11. The file protection method according to claim 1, wherein after compiling the processed abstract syntax tree to obtain a processed program file, the method further comprises:
and when the processed program file is executed, restoring the operating environment.
12. A file protection device, comprising:
the building module is used for building an abstract syntax tree corresponding to the instruction to be protected in the original program file;
the first processing module is used for encrypting at least one instruction to be processed in the abstract syntax tree to obtain a processed abstract syntax tree;
the compiling module is used for compiling the processed abstract syntax tree to obtain a processed program file;
wherein the first processing module is further configured to: determining at least one instruction to be processed from the abstract syntax tree; generating, for each instruction to be processed in the at least one instruction to be processed, a first private key corresponding to the instruction to be processed and a first encryption code mapped with the first private key; encrypting the instruction to be processed by using the first private key and the first encryption code to obtain an instruction encryption ciphertext corresponding to the instruction to be processed; and obtaining the processed abstract syntax tree according to the instruction encryption ciphertext corresponding to the at least one instruction to be processed.
13. The file protection device of claim 12, wherein the build module is further configured to:
performing decompiling processing on the instruction to be protected in the original program file to obtain a decompiling result;
and generating an abstract syntax tree corresponding to the instruction to be protected according to the decompilation result.
14. The file protection device of claim 13, wherein the device further comprises: and the environment saving module is used for saving the operating environment of the instruction to be protected in the original program file.
15. The file protection device of claim 12, wherein the first processing module is further configured to:
and generating a first public key corresponding to the first private key and a first decryption code mapped with the first public key, wherein the first public key and the first decryption code are used for decrypting the instruction encrypted ciphertext.
16. The file protection device of claim 12, wherein the first processing module is further configured to:
generating a second private key according to a first private key corresponding to at least one instruction to be processed, and generating a second encryption code mapped with the second private key;
and encrypting the processed abstract syntax tree by using the second private key and the second encryption code.
17. The file protection device of claim 16, wherein the first processing module is further configured to:
and generating a second public key corresponding to the second private key and a second decryption code mapped with the second public key, wherein the second public key and the second decryption code are used for decrypting the processed abstract syntax tree.
18. The file protection device of claim 12, wherein the device further comprises: and the second processing module is used for generating a third private key according to the first private key corresponding to at least one instruction to be processed, generating a third encryption code mapped with the third private key, and encrypting the processed program file by using the third private key and the third encryption code.
19. The file protection device of claim 18, wherein the second processing module is further configured to:
and generating a third public key corresponding to the third private key and a third decryption code mapped with the third public key, wherein the third public key and the third decryption code are used for decrypting the processed program file.
20. The file protection apparatus according to any one of claims 12 to 14, wherein the apparatus further comprises: and the logic repair module is used for repairing the execution logic of the control transfer instruction in the processed program file.
21. The file protection device of claim 20, wherein the logical repair module is further configured to:
detecting whether a control transfer instruction exists in the processed program file;
if so, analyzing the control transfer instruction in the processed program file to obtain the address of the control transfer instruction and a jump address corresponding to the control transfer instruction, and determining the jump address as a control transfer instruction target virtual address;
calculating the offset between the control transfer instruction target virtual address and the control transfer instruction self address;
the offset is used as an operand of the control transfer instruction.
22. The file protection device of claim 12, wherein the device further comprises: and the environment recovery module is used for recovering the running environment when the processed program file is executed.
23. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the file protection method according to any one of claims 1-11.
24. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the file protection method of any one of claims 1-11.
CN201711455712.2A 2017-12-28 2017-12-28 File protection method and device, computing equipment and computer storage medium Active CN108052806B (en)

Publications (2)

Publication Number Publication Date
CN108052806A CN108052806A (en) 2018-05-18
CN108052806B true CN108052806B (en) 2020-09-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 4f, building C2, Suzhou 2.5 Industrial Park, 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province, 215000
Applicant after: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
Address before: Suzhou City, Jiangsu province 215021 East Road, Suzhou Industrial Park, No. 88 Suzhou 2.5 Industrial Park C2 building room 3F-301
Applicant before: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
GR01 Patent grant