CN108334756A - A kind of interference method and device to recursive decrease formula analyzer decompiling - Google Patents
A kind of interference method and device to recursive decrease formula analyzer decompiling Download PDFInfo
- Publication number
- CN108334756A CN108334756A CN201710041552.0A CN201710041552A CN108334756A CN 108334756 A CN108334756 A CN 108334756A CN 201710041552 A CN201710041552 A CN 201710041552A CN 108334756 A CN108334756 A CN 108334756A
- Authority
- CN
- China
- Prior art keywords
- blx
- object function
- address
- central processing
- processing unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 56
- 238000012545 processing Methods 0.000 claims abstract description 62
- 210000003813 thumb Anatomy 0.000 claims abstract description 26
- 238000003780 insertion Methods 0.000 claims description 11
- 230000037431 insertion Effects 0.000 claims description 11
- 238000011084 recovery Methods 0.000 claims description 4
- 238000002360 preparation method Methods 0.000 claims description 3
- 230000000694 effects Effects 0.000 abstract description 11
- 238000000605 extraction Methods 0.000 abstract description 5
- 230000006870 function Effects 0.000 description 120
- 230000011218 segmentation Effects 0.000 description 14
- 230000008569 process Effects 0.000 description 10
- 238000004422 calculation algorithm Methods 0.000 description 9
- 239000012634 fragment Substances 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 238000004458 analytical method Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 6
- 238000013467 fragmentation Methods 0.000 description 5
- 238000006062 fragmentation reaction Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 4
- 230000035772 mutation Effects 0.000 description 3
- 238000003556 assay Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000005520 cutting process Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000006698 induction Effects 0.000 description 2
- 238000003860 storage Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 210000003811 finger Anatomy 0.000 description 1
- 238000012886 linear function Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000001343 mnemonic effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000002633 protecting effect Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present invention discloses a kind of interference method and device to recursive decrease formula analyzer decompiling, and this method includes:Setting central processing unit is ARM states;Obtain the relative address of the initial address and object function of program counter register relative to described program counter register;According to the relative address and the initial address, the absolute address of the object function is determined;According to the absolute address, BLX instructions are inserted into the object function by preset rules, to mislead analyzer discriminant function boundary;It is Thumb states to restore the central processing unit, so that the object function can be run.Method and apparatus provided by the present application can solve existing for software product in the prior art it is larger by decompiling, stolen risk the technical issues of.The cost for realizing the difficulty for being effectively increased decompiling and reverse extraction function, reduces software product by decompiling, the technique effect of stolen risk.
Description
Technical field
The present invention relates to field of computer technology more particularly to a kind of disturbers to recursive decrease formula analyzer decompiling
Method and device.
Background technology
Currently, with the development of network technology, various types of and style software product emerges one after another, software product
It is faced with the risk by conversed analysis and attack after being published to public field, core algorithm is possibly even directly by from software
Reusing for unauthorized is removed and carried out in mirror image.
Under normal circumstances, the stripping of algorithm and reuse dependent on to original binary file dis-assembling and high-level language
Code reconstruction.Under the assistance of modern intellimirror analysis tool, dis-assembling and code reconstruction can carry out and have automatically
There is high reduction degree.Even in most cases high-level language (such as C language) code of tool automatic Reconstruction can be direct
It is compiled and runs using C compilers.
As it can be seen that software product in the prior art is there are the larger risk by decompiling, stolen, thus it is soft in order to safeguard
The interests of part developer and company, it is current to be badly in need of that software product be protected by the method for decompiling.
Invention content
The present invention provides a kind of interference method and device to recursive decrease formula analyzer decompiling, to solve existing skill
Software product in art there is technical issues that it is larger by decompiling, it is stolen.
In a first aspect, the present invention provides a kind of interference methods to recursive decrease formula analyzer decompiling, including:
Setting central processing unit is ARM states;
The initial address and object function of acquisition program counter register are relative to the opposite of described program counter register
Address;
According to the relative address and the initial address, the absolute address of the object function is determined;
According to the absolute address, BLX instructions are inserted into the object function by preset rules, to mislead the analysis
Device discriminant function boundary;
It is Thumb states to restore the central processing unit, so that the object function can be run.
Optionally, the method is applied to the central processing unit of ARMv7 frameworks.
Optionally, the setting central processing unit is ARM states, including:Judge whether the central processing unit is ARM shapes
State;If the central processing unit is ARM states, it is ARM states to keep the central processing unit;If the central processing
Device is not that ARM states use pseudo-operation to instruct .code 16 and .code respectively then before and after the Thumb of preparing environment instructions
32 guiding compilers are automatically inserted into aligned instruction to realize address align, so that the central processing when generating machine code sequence
Device is ARM states.
Optionally, described that BLX instructions are inserted into the object function by preset rules, including:To the object function
It is middle to be inserted into N number of BLX instructions, wherein the jump address of the first BLX instructions in N number of BLX instructions is directed toward N number of BLX and is referred to
The 2nd BLX instructions in order, N are the integer more than 2.
Optionally, described that BLX instructions are inserted into the object function by preset rules, including:To the object function
Middle insertion BLX instructions, wherein the jump address of the BLX instructions is directed toward another BLX instructions being inserted into another function;It is described
Another function is located at before or after the object function.
Optionally, described to restore the central processing unit as Thumb states, including:It is guided using 16 dummy orders of .code
Compiler, to restore the central processing unit as Thumb states.
Second aspect, the present invention provide a kind of countermeasure set to recursive decrease formula analyzer decompiling, including:
Preparation module is ARM states for central processing unit to be arranged;
Acquisition module, initial address and object function for obtaining program counter register are counted relative to described program
The relative address of register;
Determining module, for according to the relative address and the initial address, determining the object function utterly
Location;
It is inserted into module, for according to the absolute address, BLX instructions to be inserted into the object function by preset rules,
To mislead analyzer discriminant function boundary;
Recovery module is Thumb states for restoring the central processing unit, so that the object function can be run.
Optionally, the central processing unit is the central processing unit of ARMv7 frameworks.
Optionally, the insertion module is additionally operable to:N number of BLX instructions are inserted into the object function, wherein described N number of
The jump address of the first BLX instructions in BLX instructions is directed toward the 2nd BLX instructions in N number of BLX instructions, and N is more than 2
Integer.
Optionally, the insertion module is additionally operable to:BLX instructions are inserted into the object function, wherein the BLX refers to
The jump address of order is directed toward another BLX instructions being inserted into another function;Another function is located at before the object function
Or later.
The one or more technical solutions provided in the embodiment of the present invention, have at least the following technical effects or advantages:
Method and device provided by the embodiments of the present application, after setting central processor CPU is ARM states, according to program
Relative address of the initial address and object function of counter register PC relative to PC, determines the object function utterly
Location, and according to the absolute address, BLX instructions are inserted into the object function by preset rules, to interfere with recursive decrease
Judgement of the formula decompiler for functional boundary so that the function pseudocode fragmentation that decompiler generates, it is difficult to straight after transplanting
Connect Complied executing, effectively increase the cost of the difficulty and reverse extraction function of decompiling, reduce software product by decompiling,
Stolen risk.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technical means of the present invention,
And can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can
It is clearer and more comprehensible, below the special specific implementation mode for lifting the present invention.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is this hair
Some bright embodiments for those of ordinary skill in the art without creative efforts, can be with root
Other attached drawings are obtained according to these attached drawings.
Fig. 1 is the flow chart of the interference method to recursive decrease formula analyzer decompiling in the embodiment of the present invention;
Fig. 2 is the structural schematic diagram of the countermeasure set to recursive decrease formula analyzer decompiling in the embodiment of the present invention.
Specific implementation mode
The embodiment of the present application is solved by providing a kind of interference method and device to recursive decrease formula analyzer decompiling
Existing for software product in the prior art it is larger by decompiling, stolen risk the technical issues of.It realizes effectively
The cost for increasing the difficulty and reverse extraction function of decompiling, reduces software product by decompiling, the skill of stolen risk
Art effect.
Technical solution in the embodiment of the present application, general thought are as follows:
Setting central processing unit is ARM states;Obtain program counter register initial address and object function relative to
The relative address of described program counter register;According to the relative address and the initial address, the object function is determined
Absolute address;According to the absolute address, BLX instructions are inserted into the object function by preset rules, described in misleading
Analyzer discriminant function boundary;It is Thumb states to restore the central processing unit, so that the object function can be run.
The above method after setting central processing unit is ARM states, according to the initial address of program counter register PC and
Relative address of the object function relative to PC determines the absolute address of the object function, and according to the absolute address, by pre-
If rule is inserted into BLX instructions into the object function, to interfere with recursive decrease formula decompiler sentencing for functional boundary
It is disconnected so that the function pseudocode fragmentation that decompiler generates, it is difficult to which that direct compilation executes after transplanting, effectively increases decompiling
Difficulty and reverse extraction function cost, reduce software product by decompiling, stolen risk.
In order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with the embodiment of the present invention
In attached drawing, technical scheme in the embodiment of the invention is clearly and completely described, it is clear that described embodiment is
A part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art
The every other embodiment obtained without creative efforts, shall fall within the protection scope of the present invention.
Embodiment one
The present embodiment provides a kind of interference methods to recursive decrease formula analyzer decompiling, as shown in Figure 1, the method
Including:
Step S101, setting central processing unit are ARM states;
Step S102, obtain program counter register initial address and object function relative to described program count register
The relative address of device;
Step S103 determines the absolute address of the object function according to the relative address and the initial address;
Step S104 is inserted into BLX instructions by preset rules, with accidentally according to the absolute address into the object function
Lead analyzer discriminant function boundary;
Step S105, it is Thumb states to restore the central processing unit, so that the object function can be run.
In the embodiment of the present application, the method is applied to the central processing unit of ARMv7 frameworks, wherein ARMv7 is ARM
A set of instruction set title of (Advanced RISC Machine) framework CPU, certainly, the method can also apply to other
In the central processing unit that BLX instructions can be used, this is not restricted.
Before introducing the detailed implementation steps of method provided by the present application, first introduces the application providing method and can interfere and pass
Return the principle of descending manner analyzer decompiling:
Specifically, recursive decrease formula disassembler be during analyzing machine code according to control stream (sequence/point
Prop up/redirect/function call/calling return) instruction analysis with backtracking and reconstruction are carried out, reach simulation syntax tree and pushes down on automatically
The analysis method for the process led, compared with linear scan is analyzed, the decompiling of recursive decrease formula can more accurately tracking instruction stream,
Its analysis result wants much more accurate.Recursive decrease formula disassembler can be instructed as current function most in decompiling using BLX
Latter item instruction, i.e., as the boundary of current function.And the application is inserted into BLX instructions as sunken in function by preset rules
Trap so that the recognition function boundary of disassembler mistake extracts the function pseudocode of fragmentation, and decompiling hardly possible is improved to reach
Degree reduces the effect that program is stolen risk.
With reference to Fig. 1, the interference method provided by the present application to recursive decrease formula analyzer decompiling is discussed in detail
Specific implementation process.
First, step S101 is executed, setting central processing unit is ARM states.
It should be noted that having the mutation that some specific functions are known as ARM systems in ARM system processors, wherein propping up
Hold the mutation of Thumb instruction set, referred to as T mutation.Just there are two types of working conditions for arm processor in this way:ARM states and Thumb shapes
State, and can switch between the two states.And the insertion for being used for the broken BLX instructions of functional boundary needs CPU to be operated in ARM shapes
Implement under state, so firstly the need of ensuring that the state of CPU is switched to ARM.
In specific implementation process, the setting central processing unit is ARM states, including:
Judge whether the central processing unit is ARM states;
If the central processing unit is ARM states, it is ARM states to keep the central processing unit;
If the central processing unit is not ARM states, before and after the Thumb instructions of preparing environment, use respectively
It is next real that pseudo-operation instructs .code 16 and .code 32 that compiler is guided to be automatically inserted into aligned instruction when generating machine code sequence
Existing address align, so that the central processing unit is ARM states.
Specifically, if the central processing unit is not ARM states, the non-operation instruction of execution Thumb can be passed through
It instructs with loading and executing to jump to this method and correspond to the first address of algorithm and is switched to ARM states.Due to ARM CPU requirements
ARM instruction nybble is aligned, and the first item instruction that this method corresponds to algorithm may be both compiled on the address of nybble alignment
Non- nybble may also be compiled in that on its address, once there is a situation where the latter, can cause to take when executing instruction stream
Finger and decoding error eventually result in CPU and hang up extremely.Therefore the present invention is automatically solved using the pseudo-operation characteristic of compiler
This problem is instructed in the Thumb of preparing environment and front and back is compiled using pseudo-operation instruction .code 16 and .code 32 guiding
It translates when device generates machine code sequence and is automatically inserted into aligned instruction to realize address align, so that the central processing unit is ARM shapes
State.
Certainly, in specific implementation process, the mode for being manually inserted aligned instruction can also be used, so that the centre
Reason device is ARM states.
Then, step S102 and step S103 is executed, the initial address and object function phase of program counter register are obtained
For the relative address of described program counter register;According to the relative address and the initial address, the target is determined
The absolute address of function.
Specifically, divided due to function and realized by redirecting, it needs to be determined that redirecting before execution redirects
Destination address.Under normal circumstances, there are two types of acquisition modes for destination address:Absolute address and relative address.Pass through symbol or mark
It number can obtain absolute address, but limit must be unique in present procedure range internal symbol or label for compiler, and this hair
Bright method needs a large amount of a large amount of traps of BLX instruction settings that are inserted into that can just receive better application effect, therefore preferably by phase
The destination address for needing to redirect is obtained to the mode of address, therefore the present invention uses program counter register PC as relative address
Reference point.According to the architected features of ARM CPU, when executing present instruction, PC is directed toward the ground for the instruction that next will execute
Location.
Therefore in the embodiment of the present application, the generation of the absolute address of object function includes step S102 and step S103 two
Step:First the PC registers of opposite initialization directive do the positioning of opposite offset, numerical value, that is, object function of opposite offset with initially
Change the interval of instruction;Then PC is utilized to complete the absolute fix of jump target function address to the absolute fix of present instruction.
That is determining the absolute of the object function relative to the relative address of PC according to the initial address of PC and object function
Address.
After calculating the absolute address through the above steps, the absolute address is loaded into LR registers, then
The cutting operation of next step is carried out again.
It is inserted into the object function by preset rules according to the absolute address next, executing step S104
BLX is instructed, to mislead analyzer discriminant function boundary.
It should be noted that BLX instruction be ARM function call instruction, 32 BLX<condition>}<Rm>
Under pattern, which can call the instruction sequence of the ARM or Thumb of Rm registers direction, return function while calling
It returns in address setting to R14 (commonly referred to as LR) register.In addition to R14 registers, BLX instructions do not do more limits to Rm registers
System, therefore destination address can be loaded with R14 registers, a kind of cascade effect can be formed in this case:Utilize R14
Register jumps to the instruction sequence that will be executed, while will be in the update to R14 registers of return address.BLX instruction sequence tune
Used time CPU calculates the address for the next instruction that return address is the current address for executing call instruction automatically, i.e.,:[PC]+4.
Wherein [PC] is the current value of program counter register.Decompiler will jump to pointed by R14 registers under normal circumstances
IA is considered to return from function call, and the subsequent instructions of BLX instructions will not execute in current process, that is, jump to
The instruction of IA pointed by R14 registers is that the last item of current function instructs, therefore BLX instructions are generally compiled by counter
Translate boundary of the device as function.
In the embodiment of the present application, in order to make the insertion that BLX is instructed not only act as ambiguity function boundary, fragmentation function
Effect, moreover it is possible to play the role of misleading function order, upset function fragment, the application is arranged in the multiple BLX instructions being inserted into, deposits
The case where the jump address of the first BLX instructions is directed toward the 2nd BLX instructions, not only to make decompiler extract boundary entanglement
Fragment function, also so that the sequence entanglement of fragment function, wherein the first BLX instructions and the 2nd BLX instruct to be inserted into
It is instructed in the BLX of different location.
In specific implementation process, being inserted into the preset rules of BLX instructions can be arranged as the case may be, be set forth below
For two kinds:
The first, upsets the function fragment sequence in same object function.
It is i.e. described that BLX instructions are inserted into the object function by preset rules, including:
N number of BLX instructions are inserted into the object function, wherein the jump of the first BLX instructions in N number of BLX instructions
Turn the 2nd BLX instructions that address is directed toward in N number of BLX instructions, N is the integer more than 2.
Second, upset the sequence of the function fragment of different target function.
It is i.e. described that BLX instructions are inserted into the object function by preset rules, including:
BLX instructions are inserted into the object function, wherein the jump address of the BLX instructions is directed toward in another function
Another BLX instructions being inserted into;Another function is located at before or after the object function.
In specific implementation process, the method that above two is inserted into BLX instructions may be mixed together, and multiplicating makes
With the function that need to be protected largely is divided and be upset, increasing the difficulty and cost of decompiling.
A specific segmentation example is set forth below, to help to understand how that the insertion setting for carrying out BLX instructions carrys out segmentation object
Function, the loading sequence of the front and back code for the function that need to be protected from front to back in following examples:
To segmentation before first carrying out, that is, it is arranged and is inserted into the first BLX instructions in the first function that need to be protected.So that dividing
After the IA of operation determines, execute the BLX instructions that a destination address is loaded in LR registers implement once to redirect it is dynamic
Make.Induction assays device label linear function is called and is returned by the operation, which will cause decompiler to protected calculation
The instruction before and after jump instruction is cut into two functions when method generates pseudocode, the pseudocode generated so as to cause decompiling is patrolled
It collects and protected code logic non-equivalence.
To segmentation after executing again, the 2nd BLX instructions are inserted into the second function that need to be protected, the second function is located at institute
Before stating first function, the jump address of the first BLX instructions is directed toward the 2nd BLX instructions, so that decompiling went out
Function fragment sequence is upset, and is mistakenly considered to be connected to the 2nd BLX instructions pair after the first BLX instructs corresponding function fragment
The function fragment answered.Utilize a preceding side effect to segmentation, the value of LR registers to be updated, updated value be directed toward it is preceding to
Instruction after split order can do primary segmentation using this side effect, i.e., after to segmentation.It can be into one to segmentation after addition
Step upsets tracking process of the analyzer to instruction stream, which will cause analyzer to cut in different functions, this step
Realize the protection of protection algorism itself.
Forward direction is divided again, and the 3rd BLX instructions are inserted into the third function that need to be protected, and the third function is located at described
After second function, the jump address of the 2nd BLX instructions is directed toward the 3rd BLX instructions, and backward segmentation is so that instruction stream
It needs to jump out guarantor in order to finally execute protected primal algorithm to the position between segmentation and backward segmentation before reaching
It protects algorithm itself and enters by the space of protection code, it is therefore desirable to execute a forward direction segmentation again to reach protected code
Space.Mesh caused by side effect when being executed to segmentation after remaining as previous step to the destination address of split order before this step
Mark address.Forward direction, which is divided, again makes the tracking of instruction stream more difficult, and protecting effect is further strengthened.
Subsequently, step S105 is executed, it is Thumb states to restore the central processing unit, so that the object function energy
Operation.
In the embodiment of the present application, described to restore the central processing unit as Thumb states, including:
Compiler is guided using 16 dummy orders of .code, to restore the central processing unit as Thumb states.
Specifically, after executing repeated segmentation, protection operation has been completed, and program circuit needs to exit protection act
Working environment and be transferred to and gone to execute by protection algorism.Preferably, action is exited to need to proceed as follows:Due to aforementioned cutting
Operation executes under ARM states, and protected algorithm is operated under Thumb states.Work is given tacit consent to by protection code itself
Under Thumb states, thus its will not also without responsibility carry out state recovery operation, state restore must by protection algorism Lai
It completes.The application informs that the follow-up code of compiler would operate in Thumb states using 16 dummy orders of .code;Then, into quilt
Protection algorism, i.e., after the completion of state is restored, instruction stream continues automatically into protected code previously by protection process interrupt
Operation, it is of equal value when unprotected by the logical AND of protection algorism since environment is always completely recovered, therefore final implementing result
Equivalent.
It should be noted that the application is that the BLX that destination address is LR registers is utilized to instruct the meeting quilt in analyzer
It is identified as functional boundary, therefore the functional boundary to make mistake can be done with induction assays device by insertion ' BLX LR' instructions and judged.
Method provided by the present application can be implemented as on specific code is write one it is macro, for avoid compiler optimization act cause to calculate
Method deformity, byte sequence is encoded into ensure that algorithm semanteme is accurately expressed in invention by instruction mnemonic by hand.Using this Shen
Please method realize macrodefinition write after the completion of, being Anywhere inserted into any number of macro-call in high-level language function will
Protection, which adds, needs algorithmic code to be protected.
In high-level language compilation process, and function only generates an entity difference, macrodefinition can be existed by inline expansion
The statement sequence in a macrodefinition can be replicated using macro place, this makes macrodefinition be used how many times will be most throughout one's life
At object code in there are how many parts.The characteristic allows function code quantitatively to accumulate, and more quantity mean
Software piracy person needs to expend more at fighting these function codes originally.Therefore it can consider the protection intensity to software program
The macro quantity being inserted into of algorithm corresponding with the application method is proportional.
Based on same inventive concept, the embodiment of the present invention additionally provides counter to recursive decrease formula analyzer in embodiment one compile
The corresponding device of interference method translated, is shown in embodiment two.
Embodiment two
A kind of countermeasure set to recursive decrease formula analyzer decompiling is present embodiments provided, as shown in Fig. 2, the dress
Set including:
Preparation module 201 is ARM states for central processing unit to be arranged;
Acquisition module 202, the initial address and object function for obtaining program counter register are relative to described program
The relative address of counter register;
Determining module 203, for according to the relative address and the initial address, determining the absolute of the object function
Address;
It is inserted into module 204, for according to the absolute address, being inserted into BLX into the object function by preset rules and referring to
It enables, to mislead analyzer discriminant function boundary;
Recovery module 205 is Thumb states for restoring the central processing unit, so that the object function can be run.
In the embodiment of the present application, the central processing unit is the central processing unit of ARMv7 frameworks, wherein ARMv7 is
A set of instruction set title of ARM (Advanced RISC Machine) framework CPU, certainly, the central processing unit are that other can
In central processing unit with BLX instructions, this is not restricted.
In the embodiment of the present application, the insertion module 204 is additionally operable to:
N number of BLX instructions are inserted into the object function, wherein the jump of the first BLX instructions in N number of BLX instructions
Turn the 2nd BLX instructions that address is directed toward in N number of BLX instructions, N is the integer more than 2.
In the embodiment of the present application, the insertion module 204 is additionally operable to:
BLX instructions are inserted into the object function, wherein the jump address of the BLX instructions is directed toward in another function
Another BLX instructions being inserted into;Another function is located at before or after the object function.
By the device that the embodiment of the present invention two is introduced, to implement analyzing recursive decrease formula for the embodiment of the present invention one
Device used by the interference method of device decompiling, so based on the method that the embodiment of the present invention one is introduced, belonging to this field
Personnel can understand concrete structure and the deformation of the device, so details are not described herein.The method of every embodiment of the present invention one
Used device belongs to the range of the invention to be protected.
The technical solution provided in the embodiment of the present application, has at least the following technical effects or advantages:
Method and device provided by the embodiments of the present application, after setting central processor CPU is ARM states, according to program
Relative address of the initial address and object function of counter register PC relative to PC, determines the object function utterly
Location, and according to the absolute address, BLX instructions are inserted into the object function by preset rules, to interfere with recursive decrease
Judgement of the formula decompiler for functional boundary so that the function pseudocode fragmentation that decompiler generates, it is difficult to straight after transplanting
Connect Complied executing, effectively increase the cost of the difficulty and reverse extraction function of decompiling, reduce software product by decompiling,
Stolen risk.
It should be understood by those skilled in the art that, the embodiment of the present invention can be provided as method, system or computer program
Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the present invention
Apply the form of example.Moreover, the present invention can be used in one or more wherein include computer usable program code computer
The computer program production implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.)
The form of product.
The present invention be with reference to according to the method for the embodiment of the present invention, the flow of equipment (system) and computer program product
Figure and/or block diagram describe.It should be understood that can be realized by computer program instructions every first-class in flowchart and/or the block diagram
The combination of flow and/or box in journey and/or box and flowchart and/or the block diagram.These computer programs can be provided
Instruct the processor of all-purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce
A raw machine so that the instruction executed by computer or the processor of other programmable data processing devices is generated for real
The device for the function of being specified in present one flow of flow chart or one box of multiple flows and/or block diagram or multiple boxes.
These computer program instructions, which may also be stored in, can guide computer or other programmable data processing devices with spy
Determine in the computer-readable memory that mode works so that instruction generation stored in the computer readable memory includes referring to
Enable the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one box of block diagram or
The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device so that count
Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, in computer or
The instruction executed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one
The step of function of being specified in a box or multiple boxes.
Although preferred embodiments of the present invention have been described, it is created once a person skilled in the art knows basic
Property concept, then additional changes and modifications may be made to these embodiments.So it includes excellent that the following claims are intended to be interpreted as
It selects embodiment and falls into all change and modification of the scope of the invention.
Obviously, those skilled in the art can carry out the embodiment of the present invention various modification and variations without departing from this hair
The spirit and scope of bright embodiment.In this way, if these modifications and variations of the embodiment of the present invention belong to the claims in the present invention
And its within the scope of equivalent technologies, then the present invention is also intended to include these modifications and variations.
Claims (10)
1. a kind of interference method to recursive decrease formula analyzer decompiling, which is characterized in that including:
The working condition that central processing unit is arranged is ARM states;
Obtain the relative address of the initial address and object function of program counter register relative to described program counter register;
According to the relative address and the initial address, the absolute address of the object function is determined;
According to the absolute address, BLX instructions are inserted into the object function by preset rules, so that the analyzer is to insert
Enter boundary of the position of the BLX instructions as the object function;
It is Thumb states to restore the central processing unit, so that the object function can be run.
2. the method as described in claim 1, which is characterized in that the method is applied to the central processing unit of ARMv7 frameworks.
3. the method as described in claim 1, which is characterized in that the setting central processing unit is ARM states, including:
Judge whether the central processing unit is ARM states;
If the central processing unit is ARM states, it is ARM states to keep the central processing unit;
If the central processing unit is not ARM states, before and after the Thumb instructions of preparing environment, respectively using pseudo- behaviour
Making instruction .code 16 and .code 32 guides compiler to be automatically inserted into aligned instruction when generating machine code sequence to realize ground
Location is aligned, so that the central processing unit is ARM states.
4. the method as described in claim 1, which is characterized in that described to be inserted into BLX into the object function by preset rules
Instruction, including:
N number of BLX instructions are inserted into the object function by preset rules, wherein the preset rules are described N number of to meet
The jump address of the first BLX instructions in BLX instructions is directed toward the rule of the 2nd BLX instructions in N number of BLX instructions, and N is big
In 2 integer.
5. the method as described in claim 1, which is characterized in that described to be inserted into BLX into the object function by preset rules
Instruction, including:
BLX instructions are inserted into the object function by preset rules, wherein the preset rules are to meet the BLX instructions
Jump address be directed toward be inserted into another function another BLX instruction rule;Another function is located at the object function
Before or after.
6. the method as described in claim 1, which is characterized in that it is described to restore the central processing unit as Thumb states, it wraps
It includes:
Compiler is guided using 16 dummy orders of .code, to restore the central processing unit as Thumb states.
7. a kind of countermeasure set to recursive decrease formula analyzer decompiling, which is characterized in that including:
Preparation module, the working condition for central processing unit to be arranged are ARM states;
Acquisition module, the initial address and object function for obtaining program counter register are relative to described program count register
The relative address of device;
Determining module, for according to the relative address and the initial address, determining the absolute address of the object function;
It is inserted into module, for according to the absolute address, BLX instructions being inserted into the object function by preset rules, with accidentally
Lead analyzer discriminant function boundary;
Recovery module is Thumb states for restoring the central processing unit, so that the object function can be run.
8. device as claimed in claim 7, which is characterized in that the central processing unit is the central processing unit of ARMv7 frameworks.
9. device as claimed in claim 7, which is characterized in that the insertion module is additionally operable to:
N number of BLX instructions are inserted into the object function, wherein what the first BLX in N number of BLX instructions was instructed redirects ground
The 2nd BLX instructions in N number of BLX instructions are directed toward in location, and N is the integer more than 2.
10. device as claimed in claim 7, which is characterized in that the insertion module is additionally operable to:
BLX instructions are inserted into the object function, wherein the jump address of the BLX instructions, which is directed toward in another function, to be inserted into
Another BLX instruction;Another function is located at before or after the object function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710041552.0A CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710041552.0A CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108334756A true CN108334756A (en) | 2018-07-27 |
| CN108334756B CN108334756B (en) | 2020-05-12 |
Family
ID=62922255
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710041552.0A Active CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108334756B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109739582A (en) * | 2018-12-12 | 2019-05-10 | 北京字节跳动网络技术有限公司 | Function calling method, device, electronic equipment and computer readable storage medium |
| CN112069467A (en) * | 2020-09-15 | 2020-12-11 | 常熟理工学院 | Flower instruction confusion information safety control method, system and device for resisting disassembly |
| CN114138282A (en) * | 2021-11-30 | 2022-03-04 | 四川效率源信息安全技术股份有限公司 | Method and device for restoring pseudo code of iOS type code |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010020603A1 (en) * | 2008-08-21 | 2010-02-25 | Thomson Licensing | Method and device for code obfuscation |
| CN102760219A (en) * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Android platform software protecting system, method and equipment |
| CN105005718A (en) * | 2015-06-23 | 2015-10-28 | 电子科技大学 | Method for implementing code obfuscation by Markov chain |
| CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
| CN105488397A (en) * | 2015-12-02 | 2016-04-13 | 国网智能电网研究院 | Situation-based ROP attack detection system and method |
| CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
| CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
-
2017
- 2017-01-20 CN CN201710041552.0A patent/CN108334756B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010020603A1 (en) * | 2008-08-21 | 2010-02-25 | Thomson Licensing | Method and device for code obfuscation |
| CN102760219A (en) * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Android platform software protecting system, method and equipment |
| CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
| CN105005718A (en) * | 2015-06-23 | 2015-10-28 | 电子科技大学 | Method for implementing code obfuscation by Markov chain |
| CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
| CN105488397A (en) * | 2015-12-02 | 2016-04-13 | 国网智能电网研究院 | Situation-based ROP attack detection system and method |
| CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109739582A (en) * | 2018-12-12 | 2019-05-10 | 北京字节跳动网络技术有限公司 | Function calling method, device, electronic equipment and computer readable storage medium |
| CN109739582B (en) * | 2018-12-12 | 2022-05-17 | 北京字节跳动网络技术有限公司 | Function calling method and device, electronic equipment and computer readable storage medium |
| CN112069467A (en) * | 2020-09-15 | 2020-12-11 | 常熟理工学院 | Flower instruction confusion information safety control method, system and device for resisting disassembly |
| CN114138282A (en) * | 2021-11-30 | 2022-03-04 | 四川效率源信息安全技术股份有限公司 | Method and device for restoring pseudo code of iOS type code |
| CN114138282B (en) * | 2021-11-30 | 2023-03-31 | 四川效率源信息安全技术股份有限公司 | Method and device for restoring pseudo code of iOS type code |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108334756B (en) | 2020-05-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111125716B (en) | Method and device for detecting Ethernet intelligent contract vulnerability | |
| US9645803B2 (en) | Methods and systems for forming an adjusted perform range | |
| CN108614960B (en) | JavaScript virtualization protection method based on front-end byte code technology | |
| CN111177733B (en) | Software patch detection method and device based on data flow analysis | |
| CN102713839A (en) | A system and method for aggressive self-modification in dynamic function call systems | |
| JP2003280919A (en) | Compile method, compile device, and program for compile | |
| CN108334756A (en) | A kind of interference method and device to recursive decrease formula analyzer decompiling | |
| JP2015130152A (en) | Information processing device and program | |
| CN104407968A (en) | Method for measuring and calculating longest operation time of code instructions through static analysis | |
| US8117604B2 (en) | Architecture cloning for power PC processors | |
| US8037464B2 (en) | Generating optimized SIMD code in the presence of data dependences | |
| JP2009528611A (en) | Optimized compilation method during conditional branching | |
| Avalos Baddouh et al. | Principal kernel analysis: A tractable methodology to simulate scaled GPU workloads | |
| US20140082325A1 (en) | Intelligent architecture creator | |
| WO2014117668A1 (en) | Method for generating codes in secure environment to improve software protection strength | |
| Hayashi et al. | Search-based refactoring detection from source code revisions | |
| Lim et al. | A worst case timing analysis technique for optimized programs | |
| US9606779B2 (en) | Data processing system and data simulation method in the system | |
| Shou et al. | LLM4Fuzz: Guided Fuzzing of Smart Contracts with Large Language Models | |
| Matoussi et al. | IR-level annotation strategy dealing with aggressive loop optimizations for performance estimation in native simulation: work-in-progress | |
| CN113761540B (en) | Branchscope and verification method of compiler protection method thereof | |
| Becker et al. | WCET analysis meets virtual prototyping: improving source-level timing annotations | |
| Matoussi et al. | Loop aware CFG matching strategy for accurate performance estimation in IR-level native simulation | |
| EP3547141B1 (en) | Information processing apparatus, information processing method, and information processing program | |
| US20160209835A1 (en) | Control system having function for optimizing control software of numerical controller in accordance with machining program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |