CN108334756B - Interference method and device for decompiling recursive descent type analyzer - Google Patents
Interference method and device for decompiling recursive descent type analyzer Download PDFInfo
- Publication number
- CN108334756B CN108334756B CN201710041552.0A CN201710041552A CN108334756B CN 108334756 B CN108334756 B CN 108334756B CN 201710041552 A CN201710041552 A CN 201710041552A CN 108334756 B CN108334756 B CN 108334756B
- Authority
- CN
- China
- Prior art keywords
- blx
- address
- instruction
- function
- instructions
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 54
- 238000012545 processing Methods 0.000 claims abstract description 39
- 210000003813 thumb Anatomy 0.000 claims abstract description 26
- 230000006870 function Effects 0.000 claims description 154
- 238000003780 insertion Methods 0.000 claims description 10
- 230000037431 insertion Effects 0.000 claims description 10
- 238000002360 preparation method Methods 0.000 claims description 7
- 238000011084 recovery Methods 0.000 claims description 5
- 230000003094 perturbing effect Effects 0.000 claims description 2
- 230000000694 effects Effects 0.000 abstract description 11
- 230000002452 interceptive effect Effects 0.000 abstract description 5
- 230000008569 process Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 9
- 239000012634 fragment Substances 0.000 description 8
- 230000011218 segmentation Effects 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 230000008901 benefit Effects 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 4
- 238000003860 storage Methods 0.000 description 3
- 230000009191 jumping Effects 0.000 description 2
- 238000005192 partition Methods 0.000 description 2
- 238000000638 solvent extraction Methods 0.000 description 2
- 238000002054 transplantation Methods 0.000 description 2
- 206010016173 Fall Diseases 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000005520 cutting process Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000013467 fragmentation Methods 0.000 description 1
- 238000006062 fragmentation reaction Methods 0.000 description 1
- 238000010191 image analysis Methods 0.000 description 1
- 230000036244 malformation Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000001343 mnemonic effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a method and a device for interfering decompilation of a recursive descent type analyzer, wherein the method comprises the following steps: setting the central processing unit to be in an ARM state; acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register; determining an absolute address of the objective function according to the relative address and the initial address; inserting a BLX instruction into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge a function boundary; and restoring the CPU to a Thumb state so as to enable the objective function to run. The method and the device provided by the application can solve the technical problems of greater risk of decompilation and embezzlement of software products in the prior art. The technical effects of effectively increasing the difficulty of decompilation and the cost of reversely extracting the function and reducing the risk of decompilation and embezzlement of the software product are achieved.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for interfering decompiling of a recursive descent type analyzer.
Background
Currently, with the development of network technology, software products of various types and styles come into being endless, and after being released to the public, the software products face risks of being analyzed and attacked in a reverse direction, and a core algorithm may even be directly stripped from a software image and reused without authorization.
Typically, the stripping and re-use of algorithms relies on disassembling the original binary file and high-level language code reconstruction work. With the help of modern intelligent image analysis tools, disassembly and code reconstruction can be automatically carried out and have extremely high restoration degree. Even high-level language (e.g., C language) code that is automatically rebuilt by a tool in most cases can be compiled and run directly using a C compiler.
Therefore, the software product in the prior art has a great risk of being decompiled and stolen, so in order to maintain the benefits of software developers and companies, a method for protecting the software product from being decompiled is urgently needed.
Disclosure of Invention
The invention provides a method and a device for interfering decompilation of a recursive descent type analyzer, which are used for solving the technical problem that a software product in the prior art has higher risk of being decompilated and stolen.
In a first aspect, the present invention provides a method for interfering with decompilation of a recursive descent analyzer, comprising:
setting the central processing unit to be in an ARM state;
acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register;
determining an absolute address of the objective function according to the relative address and the initial address;
inserting a BLX instruction into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge a function boundary;
and restoring the CPU to a Thumb state so as to enable the objective function to run.
Optionally, the method is applied to a central processing unit of an ARMv7 architecture.
Optionally, the setting of the central processing unit to be in an ARM state includes: judging whether the central processing unit is in an ARM state or not; if the central processing unit is in an ARM state, keeping the central processing unit in the ARM state; if the central processor is not in the ARM state, then before and after the Thumb instructions of the preparation environment, pseudo operation instructions, code 16 and code32 are used respectively to guide the compiler to automatically insert alignment instructions when generating the machine code sequence to achieve address alignment so that the central processor is in the ARM state.
Optionally, the inserting the BLX instruction into the target function according to the preset rule includes: inserting N BLX instructions into the objective function, wherein a jump address of a first BLX instruction of the N BLX instructions points to a second BLX instruction of the N BLX instructions, and N is an integer greater than 2.
Optionally, the inserting the BLX instruction into the target function according to the preset rule includes: inserting a BLX instruction into the target function, wherein a jump address of the BLX instruction points to another BLX instruction inserted in another function; the other function is located before or after the objective function.
Optionally, the recovering the cpu to be in a Thumb state includes: code 16 pseudo instructions are used to direct the compiler to restore the CPU to Thumb state.
In a second aspect, the present invention provides an interference apparatus for decompiling a recursive descent analyzer, comprising:
the preparation module is used for setting the central processing unit to be in an ARM state;
the acquisition module is used for acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register;
a determining module, configured to determine an absolute address of the objective function according to the relative address and the initial address;
the inserting module is used for inserting a BLX instruction into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge the function boundary;
and the recovery module is used for recovering the CPU to be in a Thumb state so as to enable the target function to run.
Optionally, the central processor is an ARMv7 architecture central processor.
Optionally, the insertion module is further configured to: inserting N BLX instructions into the objective function, wherein a jump address of a first BLX instruction of the N BLX instructions points to a second BLX instruction of the N BLX instructions, and N is an integer greater than 2.
Optionally, the insertion module is further configured to: inserting a BLX instruction into the target function, wherein a jump address of the BLX instruction points to another BLX instruction inserted in another function; the other function is located before or after the objective function.
One or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
according to the method and the device provided by the embodiment of the application, after the central processing unit CPU is set to be in an ARM state, the absolute address of the target function is determined according to the initial address of the program counter register PC and the relative address of the target function relative to the PC, and the BLX instruction is inserted into the target function according to the absolute address and the preset rule so as to interfere the judgment of the recursion descending type decompiler on the function boundary, so that the function pseudo code generated by the decompiler is fragmented and is difficult to be directly compiled and executed after transplantation, the decompilation difficulty and the cost of reversely extracting the function are effectively increased, and the risks that a software product is decompilated and stolen are reduced.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of a method of perturbing decompilation of a recursive descent analyzer in an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an interference apparatus for decompiling a recursive descent analyzer according to an embodiment of the present invention.
Detailed Description
The embodiment of the application provides a method and a device for interfering decompilation of a recursive descent type analyzer, so that the technical problem that a software product in the prior art has a large risk of being decompilated and stolen is solved. The technical effects of effectively increasing the difficulty of decompilation and the cost of reversely extracting the function and reducing the risk of decompilation and embezzlement of the software product are achieved.
The technical scheme in the embodiment of the application has the following general idea:
setting the central processing unit to be in an ARM state; acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register; determining an absolute address of the objective function according to the relative address and the initial address; inserting a BLX instruction into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge a function boundary; and restoring the CPU to a Thumb state so as to enable the objective function to run.
According to the method, after the central processing unit is set to be in an ARM state, the absolute address of the target function is determined according to the initial address of the program counter register PC and the relative address of the target function relative to the PC, the BLX instruction is inserted into the target function according to the absolute address and the preset rule so as to interfere the judgment of the recursion descending type decompiler on the function boundary, so that the function pseudo code generated by the decompiler is fragmented and is difficult to be transplanted and then directly compiled and executed, the decompilation difficulty and the cost of reversely extracting the function are effectively increased, and the risk that a software product is decompilated and stolen is reduced.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The present embodiment provides a method for disturbing decompilation of a recursive-descent analyzer, as shown in fig. 1, the method includes:
step S101, setting a central processing unit to be in an ARM state;
step S102, acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register;
step S103, determining an absolute address of the target function according to the relative address and the initial address;
step S104, inserting a BLX instruction into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge a function boundary;
and step S105, restoring the CPU to be in a Thumb state so as to enable the target function to run.
In the embodiment of the present application, the method is applied to a central processing unit of an ARMv7 architecture, where the ARMv7 is a set of names of instruction sets of a CPU of an arm (advanced RISC machine) architecture, and of course, the method may also be applied to other central processing units that can use BLX instructions, and is not limited herein.
Before describing the detailed implementation steps of the method provided by the present application, the principle that the method provided by the present application can interfere with the decompilation of the recursive descent analyzer is described:
specifically, the recursive falling-down disassembler is an analysis method for analyzing and reconstructing instructions with backtracking according to a control flow (sequence/branch/jump/function call/call return) in the process of analyzing a machine code to achieve a process of automatically deducing a syntax tree downwards. The recursive-descent disassembler, during decompilation, takes the BLX instruction as the last instruction of the current function, i.e., as the boundary of the current function. According to the method, the BLX instruction is inserted into the function according to the preset rule to serve as the trap, so that the disassembler identifies the function boundary wrongly, and the fragmented function pseudo code is extracted, and the effects of improving the decompilation difficulty and reducing the risk of program theft are achieved.
The following describes in detail a specific implementation process of the interference method for decompiling the recursive descent analyzer provided in the present application with reference to fig. 1.
First, step S101 is executed to set the central processing unit to ARM state.
It should be noted that there are some specific functions in the ARM architecture processor called variants of the ARM architecture, where variants of the Thumb instruction set are supported, called T variants. Thus, the ARM processor has two working states: an ARM state and a Thumb state and can be switched between the two states. And the insertion of the BLX instruction for function boundary fragmentation requires the CPU work to be implemented in the ARM state, so it is first necessary to ensure that the state of the CPU is switched to ARM.
In the specific implementation process, the setting of the central processing unit to be in an ARM state includes:
judging whether the central processing unit is in an ARM state or not;
if the central processing unit is in an ARM state, keeping the central processing unit in the ARM state;
if the central processor is not in the ARM state, then before and after the Thumb instructions of the preparation environment, pseudo operation instructions, code 16 and code32 are used respectively to guide a compiler to automatically insert an alignment instruction when generating a machine code sequence to realize address alignment so that the central processor is in the ARM state.
Specifically, if the central processing unit is not in the ARM state, the state can be switched to the ARM state by executing a Thumb no-operation instruction and loading and executing a first address instruction jumping to the algorithm corresponding to the method. Because the ARM CPU requires four-byte alignment of ARM instructions, the first instruction of the algorithm corresponding to the method may be compiled at a four-byte aligned address or a non-four-byte aligned address, and once the latter occurs, instruction fetching and decoding errors may be caused when an instruction stream is executed, and finally, the CPU is abnormally suspended. The present invention utilizes the pseudo-operation feature of the compiler to automatically solve the problem of using pseudo-operation instructions before and after the Thumb instruction of the preparation environment, code 16 and code32 guide the compiler to automatically insert the alignment instruction to realize address alignment when generating the machine code sequence, so that the central processing unit is in the ARM state.
Of course, in the specific implementation process, a manner of manually inserting an alignment instruction may also be used to make the central processing unit in the ARM state.
Then, executing step S102 and step S103, obtaining an initial address of a program counter register and a relative address of the target function with respect to the program counter register; and determining the absolute address of the target function according to the relative address and the initial address.
Specifically, since function division is realized by jumping, a target address of the jump needs to be determined before executing the jump. Generally, there are two ways to obtain the target address: absolute addresses and relative addresses. The absolute address can be obtained through the symbol or the label, but the compiler limits that the symbol or the label must be unique in the current program range, and the method of the invention needs to insert a large number of BLX instructions to set a large number of traps to receive better application effect, so that the target address needing to jump is preferably obtained through a relative address mode, and the program counting register PC is used as a reference point of the relative address. According to the architectural characteristics of the ARM CPU, when the current instruction is executed, the PC points to the address of the next instruction to be executed.
Therefore, in the embodiment of the present application, the generation of the absolute address of the objective function includes two steps, step S102 and step S103: firstly, relative offset positioning is carried out relative to a PC register of an initialization instruction, and the numerical value of the relative offset is the interval between a target function and the initialization instruction; and then, absolute positioning of the address of the jump target function is completed by using the absolute positioning of the PC to the current instruction. That is, the absolute address of the objective function is determined from the initial address of the PC and the relative address of the objective function with respect to the PC.
After the absolute address is calculated through the steps, the absolute address is loaded to an LR register, and then the next segmentation operation is performed.
Next, step S104 is executed, and a BLX instruction is inserted into the target function according to the absolute address and a preset rule, so as to mislead the analyzer to determine a function boundary.
It should be noted that the BLX instruction is a function call instruction of ARM, and in the 32-bit BLX { < condition > } < Rm > mode, the instruction may call an instruction sequence of ARM or Thumb pointed by the Rm register, and set a function return address into an R14 (commonly referred to as LR) register at the same time of the call. The BLX instruction does not place more restrictions on the Rm register than the R14 register, so the target address can be loaded using the R14 register, which creates a cascading effect: the R14 register is used to jump to the sequence of instructions to be executed while the return address is updated into the R14 register. When the BLX instruction sequence is called, the CPU automatically calculates the address of the next instruction with the return address being the address of the current execution calling instruction, namely: [ PC ] +4, where [ PC ] is the current value of the program counter register. Typically, the decompiler considers the jump to the instruction address pointed to by the R14 register as returning from the function call, and the subsequent instructions of the BLX instruction will not be executed in the current flow, i.e., the instruction that jumps to the instruction address pointed to by the R14 register is the last instruction of the current function, and thus the BLX instruction is typically bounded by the decompiler as a function.
In the embodiment of the present application, in order to enable the insertion of the BLX instruction to not only serve the functions of obfuscating function boundaries and fragmenting functions, but also serve the functions of misleading function sequences and disordering function fragments, in the present application, a plurality of inserted BLX instructions are set, where a jump address of a first BLX instruction points to a second BLX instruction, so as to not only enable a decompiler to extract a fragment function with a disordered boundary, but also to disorder the sequence of the fragment function, where the first BLX instruction and the second BLX instruction are BLX instructions inserted at different positions.
In a specific implementation process, the preset rule for inserting the BLX instruction may be set according to specific situations, and two examples are as follows:
first, the order of function fragments within the same objective function is shuffled.
Namely, the inserting the BLX instruction into the objective function according to the preset rule includes:
inserting N BLX instructions into the objective function, wherein a jump address of a first BLX instruction of the N BLX instructions points to a second BLX instruction of the N BLX instructions, and N is an integer greater than 2.
Second, the order of the function fragments of different objective functions is disturbed.
Namely, the inserting the BLX instruction into the objective function according to the preset rule includes:
inserting a BLX instruction into the target function, wherein a jump address of the BLX instruction points to another BLX instruction inserted in another function; the other function is located before or after the objective function.
In the specific implementation process, the two methods for inserting the BLX instruction can be mixed together and reused for many times, so that a large amount of functions to be protected are divided and disordered, and the difficulty and cost of decompilation are increased.
A specific partitioning example is listed below to help understand how to perform the insertion setup of the BLX instruction to partition the target function, where the following examples are the loading order of the code of the function to be protected from front to back:
the forward partitioning is performed first, i.e. the insertion of the first BLX instruction in the first function to be protected is arranged. So that executing a BLX instruction whose target address is loaded in the LR register implements a jump action after the instruction address of the split operation is determined. This operation will induce the parser to mark a function call return, which will cause the decompiler to cut the instructions before and after the jump instruction into two functions when generating the pseudo-code for the protected algorithm, resulting in the pseudo-code logic generated by the decompilation not being equivalent to the protected code logic.
And then performing backward segmentation, and inserting a second BLX instruction into a second function to be protected, wherein the second function is positioned in front of the first function, the jump address of the first BLX instruction points to the second BLX instruction, so that the order of the inversely-compiled function fragments is disordered, and the function fragments corresponding to the second BLX instruction are connected after the function fragments corresponding to the first BLX instruction are mistakenly considered. That is, the LR register value is updated using a side effect of the forward split, which points to the instruction following the forward split instruction, and a split, i.e., backward split, can be performed using this side effect. The addition of backward segmentation further disturbs the tracking process of the analyzer on the instruction stream, and the operation causes the analyzer to cut into different functions, so that the protection of the protection algorithm is realized.
And performing forward segmentation again, inserting a third BLX instruction into a third function to be protected, wherein the third function is positioned behind the second function, the jump address of the second BLX instruction points to the third BLX instruction, and the backward segmentation enables an instruction stream to reach a position between the forward segmentation and the backward segmentation. The target address of this step forward split instruction is still the target address generated by the side effect of the last step backward split execution. The forward segmentation again makes the tracing of the instruction stream more difficult, and further strengthens the protection effect.
Then, step S105 is executed to restore the cpu to the Thumb state, so that the objective function can be executed.
In this embodiment of the present application, the recovering the central processing unit to be in the Thumb state includes:
code 16 pseudo instructions are used to direct the compiler to restore the CPU to Thumb state.
Specifically, after performing multiple partitions, the protection operation has been completed and the program flow needs to exit the working environment of the protection action and move to the protected algorithm for execution. Preferably, the exit action requires the following operations: since the aforementioned cutting operations are all performed in the ARM state, the protected algorithm operates in the Thumb state. The protected code itself is operating in Thumb state by default, so it will not have responsibility for state recovery operations, which must be done by the protection algorithm. Code 16 pseudo-instructions inform the compiler that the subsequent code will operate in Thumb state; then, the protected algorithm is entered, that is, after the state recovery is completed, the instruction flow automatically enters the protected code to continue the operation interrupted by the protection process, and since the environment is completely recovered, the logic of the protected algorithm is equivalent to that when the protected algorithm is not protected, and therefore the final execution result is also completely equivalent.
It should be noted that, in the present application, the BLX instruction whose target address is the LR register is identified as a function boundary in the parser, so that the parser can be induced to make an erroneous function boundary determination by inserting the 'BLX LR' instruction. The method provided by the application can be realized as a macro in the concrete code writing, and in order to avoid algorithm malformation caused by the optimization action of a compiler, the instruction mnemonics are manually coded into byte sequences in the method so as to ensure that the algorithm semantics are accurately expressed. After macro definition writing is completed, any number of macro calls are inserted into any place in a high-level language function, and algorithm codes needing protection are added to protection.
In the high-level language compiling process, unlike a function which generates only one entity, the macro definition is expanded in an inline manner, namely, a statement sequence in the macro definition is copied when the macro is used, so that how many times the macro definition is used, how many parts exist in the finally generated object code. This feature allows the function code to accumulate in numbers, a greater number meaning that software infringers need to spend more cost against the function code. Therefore, the protection intensity of the software program is considered to be in direct proportion to the number of inserted algorithm macros corresponding to the method.
Based on the same inventive concept, the embodiment of the present invention further provides a device corresponding to the interference method for decompiling the recursive descent analyzer in the first embodiment, which is shown in the second embodiment.
Example two
The present embodiment provides an interference apparatus for decompiling a recursive descent analyzer, as shown in fig. 2, the apparatus includes:
a preparation module 201, configured to set the central processing unit to an ARM state;
an obtaining module 202, configured to obtain an initial address of a program count register and a relative address of an object function with respect to the program count register;
a determining module 203, configured to determine an absolute address of the objective function according to the relative address and the initial address;
an inserting module 204, configured to insert a BLX instruction into the target function according to a preset rule according to the absolute address, so as to mislead the analyzer to determine a function boundary;
a recovery module 205, configured to recover the cpu to be in a Thumb state, so that the objective function can run.
In the embodiment of the present application, the central processing unit is a central processing unit of an ARMv7 architecture, wherein the ARMv7 is a set of names of instruction sets of an arm (advanced RISC machine) architecture CPU, and the central processing unit is, of course, other central processing units that can use BLX instructions, and is not limited herein.
In this embodiment, the insertion module 204 is further configured to:
inserting N BLX instructions into the objective function, wherein a jump address of a first BLX instruction of the N BLX instructions points to a second BLX instruction of the N BLX instructions, and N is an integer greater than 2.
In this embodiment, the insertion module 204 is further configured to:
inserting a BLX instruction into the target function, wherein a jump address of the BLX instruction points to another BLX instruction inserted in another function; the other function is located before or after the objective function.
Since the apparatus described in the second embodiment of the present invention is an apparatus for implementing the interference method for decompiling the recursive descent analyzer in the first embodiment of the present invention, a person skilled in the art can understand the specific structure and the deformation of the apparatus based on the method described in the first embodiment of the present invention, and thus the details are not described herein again. All the devices adopted in the method of the first embodiment of the present invention belong to the protection scope of the present invention.
The technical scheme provided in the embodiment of the application at least has the following technical effects or advantages:
according to the method and the device provided by the embodiment of the application, after the central processing unit CPU is set to be in an ARM state, the absolute address of the target function is determined according to the initial address of the program counter register PC and the relative address of the target function relative to the PC, and the BLX instruction is inserted into the target function according to the absolute address and the preset rule so as to interfere the judgment of the recursion descending type decompiler on the function boundary, so that the function pseudo code generated by the decompiler is fragmented and is difficult to be directly compiled and executed after transplantation, the decompilation difficulty and the cost of reversely extracting the function are effectively increased, and the risks that a software product is decompilated and stolen are reduced.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.
Claims (10)
1. A method of perturbing decompilation of a recursive descent analyzer, comprising:
setting the working state of the central processing unit as an ARM state;
acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register;
determining an absolute address of the objective function according to the relative address and the initial address;
according to the absolute address, inserting a plurality of BLX instructions at different positions into the target function according to a preset rule, so that the analyzer cuts the instructions before and after the BLX instruction into two functions by taking the position where the BLX instruction is inserted as the boundary of the target function;
and restoring the CPU to a Thumb state so as to enable the objective function to run.
2. The method of claim 1, wherein the method is applied to a central processor of the ARMv7 architecture.
3. The method of claim 1, wherein setting the central processor to the ARM state comprises:
judging whether the central processing unit is in an ARM state or not;
if the central processing unit is in an ARM state, keeping the central processing unit in the ARM state;
if the central processor is not in the ARM state, then before and after the Thumb instructions of the preparation environment, pseudo operation instructions, code 16 and code32 are used respectively to guide a compiler to automatically insert an alignment instruction when generating a machine code sequence to realize address alignment so that the central processor is in the ARM state.
4. The method of claim 1, wherein said inserting a BLX instruction into said objective function according to a predetermined rule comprises:
inserting N BLX instructions into the target function according to a preset rule, wherein the preset rule is a rule that a jump address of a first BLX instruction in the N BLX instructions points to a second BLX instruction in the N BLX instructions, and N is an integer larger than 2.
5. The method of claim 1, wherein said inserting a BLX instruction into said objective function according to a predetermined rule comprises:
inserting a BLX instruction into the target function according to a preset rule, wherein the preset rule is a rule which meets the condition that a jump address of the BLX instruction points to another BLX instruction inserted into another function; the other function is located before or after the objective function.
6. The method of claim 1, wherein the restoring the central processing unit to a Thumb state comprises:
code 16 pseudo instructions are used to direct the compiler to restore the CPU to Thumb state.
7. A perturbation apparatus for decompiling a recursive descent analyzer, comprising:
the preparation module is used for setting the working state of the central processing unit to be an ARM state;
the acquisition module is used for acquiring an initial address of a program counting register and a relative address of a target function relative to the program counting register;
a determining module, configured to determine an absolute address of the objective function according to the relative address and the initial address;
the inserting module is used for inserting a plurality of BLX instructions at different positions into the target function according to the absolute address and a preset rule so as to mislead the analyzer to judge the function boundary and cut the instructions before and after the BLX instruction into two functions;
and the recovery module is used for recovering the CPU to be in a Thumb state so as to enable the target function to run.
8. The apparatus of claim 7, wherein the central processor is an ARMv7 architecture central processor.
9. The apparatus of claim 7, wherein the insertion module is further to:
inserting N BLX instructions into the objective function, wherein a jump address of a first BLX instruction of the N BLX instructions points to a second BLX instruction of the N BLX instructions, and N is an integer greater than 2.
10. The apparatus of claim 7, wherein the insertion module is further to:
inserting a BLX instruction into the target function, wherein a jump address of the BLX instruction points to another BLX instruction inserted in another function; the other function is located before or after the objective function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710041552.0A CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710041552.0A CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108334756A CN108334756A (en) | 2018-07-27 |
| CN108334756B true CN108334756B (en) | 2020-05-12 |
Family
ID=62922255
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710041552.0A Active CN108334756B (en) | 2017-01-20 | 2017-01-20 | Interference method and device for decompiling recursive descent type analyzer |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108334756B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109739582B (en) * | 2018-12-12 | 2022-05-17 | 北京字节跳动网络技术有限公司 | Function calling method and device, electronic equipment and computer readable storage medium |
| CN112069467B (en) * | 2020-09-15 | 2022-02-01 | 常熟理工学院 | Flower instruction confusion information safety control method, system and device for resisting disassembly |
| CN114138282B (en) * | 2021-11-30 | 2023-03-31 | 四川效率源信息安全技术股份有限公司 | Method and device for restoring pseudo code of iOS type code |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010020603A1 (en) * | 2008-08-21 | 2010-02-25 | Thomson Licensing | Method and device for code obfuscation |
| CN102760219A (en) * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Android platform software protecting system, method and equipment |
| CN105005718A (en) * | 2015-06-23 | 2015-10-28 | 电子科技大学 | Method for implementing code obfuscation by Markov chain |
| CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
| CN105488397A (en) * | 2015-12-02 | 2016-04-13 | 国网智能电网研究院 | Situation-based ROP attack detection system and method |
| CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
| CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
-
2017
- 2017-01-20 CN CN201710041552.0A patent/CN108334756B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010020603A1 (en) * | 2008-08-21 | 2010-02-25 | Thomson Licensing | Method and device for code obfuscation |
| CN102760219A (en) * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Android platform software protecting system, method and equipment |
| CN106295327A (en) * | 2015-05-14 | 2017-01-04 | 腾讯科技(深圳)有限公司 | The reinforcement means of executable file and device |
| CN105005718A (en) * | 2015-06-23 | 2015-10-28 | 电子科技大学 | Method for implementing code obfuscation by Markov chain |
| CN105354009A (en) * | 2015-10-14 | 2016-02-24 | 北京深思数盾科技有限公司 | Protection method for firmware |
| CN105488397A (en) * | 2015-12-02 | 2016-04-13 | 国网智能电网研究院 | Situation-based ROP attack detection system and method |
| CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108334756A (en) | 2018-07-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101719635B1 (en) | A system and method for aggressive self-modification in dynamic function call systems | |
| US10223528B2 (en) | Technologies for deterministic code flow integrity protection | |
| CN106096338B (en) | A kind of virtualization software guard method obscured with data flow | |
| CN100414504C (en) | Method and apparatus for recovering data values in dynamic runtime systems | |
| US8589897B2 (en) | System and method for branch extraction obfuscation | |
| CN108334756B (en) | Interference method and device for decompiling recursive descent type analyzer | |
| CN101084478B (en) | Watermarking computer program code | |
| Kalysch et al. | VMAttack: Deobfuscating virtualization-based packed binaries | |
| US20160196116A1 (en) | Method and Apparatus for Detecting Code Change | |
| Ma et al. | Mutation testing cost reduction by clustering overlapped mutants | |
| JP7154365B2 (en) | Methods for securing software code | |
| CN108509772B (en) | Source code reinforcement method and device based on execution sequence and single-point logic | |
| CN103348318A (en) | Controlling the execution of adjacent instructions that are dependent upon a same data condition | |
| CN109344612A (en) | The active defense method and system inversely attacked for program code static analysis | |
| Madou et al. | Loco: An interactive code (de) obfuscation tool | |
| JP2003280919A (en) | Compile method, compile device, and program for compile | |
| US20150310193A1 (en) | Control flow flattening for code obfuscation where the next block calculation needs run-time information | |
| CN110673852B (en) | Method, system and equipment for realizing control flow flattening based on front end of compiler | |
| CN108446535B (en) | Source code reinforcement method and device based on code execution sequence | |
| CN104407968B (en) | A kind of method that the code command longest run time is calculated by static analysis | |
| EP2937803B1 (en) | Control flow flattening for code obfuscation where the next block calculation needs run-time information | |
| Kuang et al. | Exploiting dynamic scheduling for VM-based code obfuscation | |
| Kim et al. | Open Source Software Detection using Function-level Static Software Birthmark. | |
| Menguy et al. | Ai-based blackbox code deobfuscation: Understand, improve and mitigate | |
| CN108460253B (en) | Source code reinforcing method and device based on sequence, symbolic execution and single-point logic |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |