DE102007059798B3 - Executable program code i.e. executable file, coding method for computer, involves combining chains of sequential instructions to code fragments, and coding and storing detected code fragments belonging to methods in program library - Google Patents

Abstract

The method involves copying unmodified program code directly into a main memory of a processing unit. Structural data e.g. portable executable file format data, is evaluated directly for identification of methods of the program code. Volatile components are detected by parsing the program code of methods, which cause an interruption and/or a branching in a sequential process of the program code in a run time. Chains of sequential instructions are combined to code fragments in the code. Detected code fragments belonging to the methods are individually coded and stored in a program library.

Description

The The invention relates to a method for encrypting executable Program code. The program code may be z. For example, an executable file in the known EXE format or z. For example, a dynamic link library DLL is what machine code, data and resources in any Combinations may contain.

Known Method for protecting user programs against unauthorized Operation, manipulation and unauthorized duplication are based on the fact that with the help of a special protection software diverse Safety checks are carried out with a positive result have to, before these application programs can be executed. such Protective software lead this known security checks by, such. B. the verification of checksums, a debugger detection, u. s. w .. But like that program to protect These security checks are also implemented in software. Even if additional Hardware is used, such. B. a dongle, which for release the operation of programs at an interface of an executing Calculator must be plugged, check the Security checks thus the software to be protected with turn Software.

at such safety checks, the problem arises that this despite of all complexity lead to a conditional decision as to whether the program is actually executed or may be continued or blocked or aborted. Such a conditional decision, in turn, sets one yourself usually short, clearly demarcated area of program code. It is thus possible the range of program code which has such a final conditional Decision over execution or blocking a parent Program represents, even in a comprehensive program listing of a protection software to identify. It is then readily possible to selectively conditional Decision by manipulation ineffective, so to speak to override the condition so that the executable Program independent In any case, this condition is executed without restriction. In this way can be a security check independently from the variety and complexity the one from him while the test procedure made plausibility checks ineffective be made.

One further problem of a variety of commercial implementations of protection software z. B. against unauthorized duplication of a program is seen to be implemented in it Security checks are virtually static. This has the consequence that independently of which program is secured with a specific protection software should always be identical to the security checks implemented in it are. Such recurrent protection software is thus a kind from "digital Fingerprint "dar. This can be even if he is in the extensive listing of a any program is implemented, found and by a be replaced manipulated version. It is even possible, such Automating manipulations, so to speak. For this it is possible to have a so-called "crack" to create it is a computer program used for manipulation a specific, known protection software is used. Such a "crack" can, for example, over the Internet are distributed, and then stands for universal manipulation of every program available, where the known protection software is used.

to Avoiding the problems outlined above can be a first Step the protection software itself are protected from manipulation. This can be z. B. be achieved by the use of encryption. To can common Encryption standards, such as AES, d. H. Advanced Encryption Standard, to be used. However, it is known that the simple encryption of executable Programs, such. B. executable Files with file extension EXE or dynamically loadable Libraries, d. H. a dynamic link library DLL, under the operating system WINDOWS, too, is not safe against manipulation. To the legitimate execution of such programs these namely loaded into the memory of a computer and decoded there become. After these steps have been performed, the entire Program now unencrypted be read out of memory again. It is now in completely unprotected form before and can easily become the target of conventional Manipulations are.

From the US 2004/0193987 A1 Furthermore, a method and a device for the protection of software programs against unauthorized use are known. For this purpose, a software program is divided into two code parts. While the first part of the code is being executed on a first computer, the second part comprises one or more code fragments of the software program being processed by an external unit. The external unit is in a data communication with the computer. According to a continuation of this second part of the program code is encrypted. Before the actual program execution, the code fragments of this second part become a maniplulation for the purpose of decryption transferred to the external unit. These individual code fragments may also be distributed in the first part of the software program code.

Of the The invention is based on the object of an encryption method specify which program-specific and thus against attacks much more robust encryption result provides.

The The object of the invention is specified with the features of claim 1 solved. Further advantageous embodiments The invention are specified in the subclaims.

For the definition the invention and the explanation of examples shown in the figures is hereinafter the Term METHODS used. Below are those of a programming language understood functions or procedures. These it is z. B. to an object-oriented programming language, so correspond the METHODS are the algorithms associated with a class of objects.

to execution the method according to the invention becomes more executable by a processing unit in a first step Program code unmodified directly into the memory of a processing unit copied. This is advantageously done by manually loading the to be extracted program codes in the memory. This has the purpose to prevent the program code to be extracted by the Charging process is changed in any way. Would instead the charging process by means of a Betriebsssys stems, z. With the loader of an operating system, so would while the machine code already for later execution by the operating system be prepared, d. H. Machine code relocation would be done and so that the machine code can be modified. But that would be hindering for a successful operation of the method according to the invention.

In a second step will be to identify the individual methods of the program code structure data is evaluated directly. Suitable for this purpose Structure data are in particular z. B. PE Header Data, d. H. Portable Executable file format data that uses a symbolic addressing a real addressing can be assigned, and z. Eg relocation Tables. In this second step, the complete data technology Structuring the program code into its individual functions or Methods analyzed. In particular, the function entry addresses the DLL detects. To preserve the original form of the data is it also necessary here that the evaluation of the structural data directly and not with the help of commands from an operating system he follows.

To this identification of the methods, d. H. in particular the detection of their entry addresses, in a third step, a full Analysis or disassembly of the program code performed. This Operation will also static machine code analysis or parsing of Machine code called. This will be the program code of each method or function scanned for components, which at runtime a Interruption in the sequential processing of the program code would cause. at these components are in particular conditional and unconditional jump instructions and return instructions, which terminate the program. Conditional jumps correspond to logical branches. If such branches are detected in the machine code, then also pursued all outgoing program paths and in searched accordingly.

In The practice is parsing usually starting from the entry address each method of the subsequent machine code by reading of the memory disassembled and on the above elements which interrupts the linear program sequence, d. H. an interruption of the processing of in immediate succession following memory cells of the main memory contained machine code, cause.

To Completing the trace of the program code will be in one fourth step formed code fragments. This can also be as an extraction be designated. Such code fragments are chains of immediate successive, to the Rumtime linear consecutively executed instructions in the program code. Code fragments are thus contiguous groups of machine code. In practice, here are the code fragments usually extracted in such a way from the original program code, that these z. B. are interconnected by appropriate address references, so that at expiration of these code fragments at runtime the same Functions are provided, as in the expiration of the original, not with the method according to the invention treated program codes would occur.

The result of the method according to the invention is that a code fragment formed according to the invention can be used in particular either with the entry address belonging to the respective method or with the destination address of a branch begins. Furthermore, a code fragment ends, in particular, when during program tracing either a common program-technical end condition, such. As a RET command, or an absolute jump command such. As a JMP command were detected. According to a further embodiment of the invention, these code fragments can be advantageously defined by their start address and length. As a LENGTH z. B. serve the number of lying between the end and start address of a code fragment bytes of machine code. So it is for each of the methods that z. For example, to represent a program or a DLL, a complete tree is created from the code fragments that represent the single method.

The Extraction of the code fragments from the machine code of a program or a DLL in the manner according to the invention now offers the special Advantage that in a fifth and last step, the found code fragments, which to a Include method, individually encrypted and can be stored in a program library. Advantageous In turn, this library can be self specific in addition encoded become.

in the The result is therefore subjected to the process according to the invention executable Program or a dynamic link library dll through the program library the individually encrypted Represents code fragments. This has the special advantage that this program library just as individual as the original program code itself. The type of encryption So depends on the particular structure of the program code and thus leads with each program code to a completely different result. This makes it for an attacker compared to the prior art described above much heavier in the encrypted program library of individually encrypted Code fragments of an individual program code.

Summarized be in the inventive method executable Subjected files or programs to a static machine code analysis, and methodically extracted and encrypted. For this becomes a to be encrypted Program with the method according to the invention so fragmented that all the methods contained in it in form extracted from closed code fragments, encrypted separately and then be stored separately. It represents a closed Code fragment a sequence of commands e.g. In an assembler programming language whose machine code in a working memory a gapless Chain of instructions to be processed sequentially. Depending on Scope of the program to be encrypted can of course Methods of the same type but with different parameters, in big Variety occur. All these methods are inventively in individual, extracted method-related and separately encrypted code fragments, by the sum then the executable File or program represents becomes.

The inventive method has the advantage of being executable Files or programs neither linear nor fully encrypted, then again decoded linearly and closed by a processor. Rather, be this according to the inventive method methodically divided into separately encrypted code snippets. Only the while program fragments are currently required code fragments decrypted for runtime and executed separately. Even if an attacker reading a currently decrypted Method, so this does not allow any manipulation of the encrypted Library, one more conclusion on the whole of the program in which this method in addition to many other is included.

The inventive method has the further advantage that in the later execution of one according to the invention encrypted Program whose method-related subroutines only when needed to a random one Place in the memory loaded, decoded and executed can. Subsequently these subprograms are removed from memory again. On this type is at no time the entire machine code unencrypted in memory and therefore can not be read closed become. Even individual method-related subroutines can only be read with effort, as these are only for the time the execution, d. H. at runtime, in memory and not predicted can be where they are loaded into memory were.

In exceptional cases, when carrying out the method according to the invention, it may happen that during the parsing of a method not only absolute, but also dynamic jump addresses to specific code functions are detected. The actual address values of these jump destinations are not yet available during the execution of the method, but can only be determined dynamically at the moment the program is running. Such exceptional cases which occur when using function pointers, according to an advantageous, further embodiment of the invention by an explicit Referenzie correcting the dynamic jump targets. As a result, functions which are called by function pointers can also be included in the machine code extraction according to the invention, and are available at runtime.

Farther the case may arise that after the implementation of the inventive method overlap resulting code fragments. Such an overlap especially occurs when a jump command is not the beginning referenced an already known code fragment, but subsequent commands referenced. This means that the beginning and / or End address of a code fragment inside another code fragment lies. This would lead to an incorrect result, which is not executable would. According to one Another embodiment of the invention, such an overlap of Code snippets are avoided by overlapping code snippets a resulting code fragment.

Finally, can the further exceptional case occur that after completion of the inventive method a code fragment inside has an entry address which comes from another code fragment. Such, between the Start and end address of the code fragment lying entry address can be from a program call in the other code snippet, z. A CALL command, or a jump command, e.g. B. one JNE or JMP command, caused.

According to one particularly advantageous embodiment The invention can do this by taking into account a so-called Addresses OFFSETs solved become. The code fragment in the other branch instruction in the respective branch instruction contained absolute entry address is then by a reference on the target code fragment and a the relative distance between the start address and the entry address descriptive OFFSET considered.

Further advantageous embodiments The invention are specified in the subclaims. The invention and the other embodiments be on hand of the short listed Figures explained in more detail below. there demonstrate

1 a first, exemplary method with the name HELLO, wherein the instructions of the program code are shown in the programming language C,

2 the commands of the first method of 1 in the form of a program schedule,

3 the first method of 1 and 2 wherein the instructions of the program code are shown in assembly language and with exemplary address assignments which may result when the instructions are loaded into a working memory,

4 which after execution of a program trace of the particular in 3 written in assembler language first method according to the method resulting code fragments,

5 a second, exemplary method wherein the instructions of the program code are also shown in assembly language and again with exemplary address assignments resulting from loading the instructions into a working memory,

6 which, after performing a program trace of the in 5 in assembly language illustrated second method by the method according to the invention resulting code fragments, and

7 in accordance with a further embodiment of the method according to the invention after summarizing overlapping code fragments resulting final code fragments for the second method of 5 ,

• – Die Nummern von Speicherzellen in einem Arbeitsspeicher, welche bei den in den Figuren dargestellten Beispielen achtstellige Hexadezimalzahlen darstellen, werden mit dem Begriff ADRESSE abgekürzt.
• – Die Anzahl der von einem Codefragment in einem Arbeitsspeicher belegten Speicherzellen wird mit dem Begriff LÄNGE abgekürzt
• – Die in Hexadezimalcode vorliegende Differenz zwischen einer, im Inneren eines Codefragments liegenden Einsprungadresse von einem anderen Codefragment und der Anfangsadresse des Codefragments wird mit dem Begriff OFFSET abgekürzt.

To simplify the following explanations of the embodiments shown in the figures, short terms have been introduced. Where:

• - The numbers of memory cells in a random access memory, which represent eight-digit hexadecimal numbers in the examples shown in the figures, are abbreviated by the term ADDRESS.
• The number of memory cells occupied by a code fragment in a working memory is abbreviated by the term LENGTH
• - The difference in hexadecimal code between one, inside a code fragment the entry address of another code fragment and the start address of the code fragment is abbreviated by the term OFFSET.

One OFFSET = 0 thus means that the entry address into a code fragment matches the start address of the code fragment. this is the Normal case after expiration of the method according to the invention.

It does not matter at which point the command, which has an entry address, is located in the code of the calling code fragment. So he can, as from the examples of the 3 and 5 will be apparent inside a calling code fragment. On the other hand, he can, as in other places also from the examples of the 3 and 5 will also be at the end or even at the beginning of the calling code fragment.

So shows 1 a first, exemplary method called HELLO, the commands of the program code in the programming language C are shown. Further shows 2 the commands of the method of 1 in the form of a program schedule. In this particularly simple, exemplary example, the inventive method is to be illustrated. To facilitate understanding, both figures are explained together below.

The HELLO method is called with the program call 1 started. The reference variable a is first defined and assigned a reference value of 0. With the following statement 3 Furthermore, a variable x is introduced whose current value should be changed during the further processing of the method depending on the result of a comparison of the reference variable with the reference value 0. This is a conditional comparison 5 intended. If in one case the result of this comparison 5 is positive, ie the reference variable a assumes the desired reference value 0, then the variable x becomes a multiplier 7 multiplied by the value 5.

If, on the other hand, the result of the comparison 5 should be negative, so the reference size a should have a value other than 0, then a conditional jump 9 executed. This branches to an addition operation 11 , whereby the current value of the variable x is increased by the value 3. The conditional jump 11 is now programmatically via appropriate instructions 13 again with the to the multiplier 7 following instructions combined and a program end or return command 15 fed.

In 3 Now the commands of the program code of this first method in assembly language with the associated operation codes are shown. Furthermore, in the column offset exemplary address assignments are listed, which can result when loading the commands into a working memory. The numbers from 1 to 54 in the left column represent line numbers for the program listing 3 which, after performing a program trace of the in 3 are in code language shown first method according to the method resulting code fragments are in 4 shown. To facilitate understanding, these two figures will be explained together below.

Thus the method in line 1 starts with the start address 1000100A in hexadecimal coding. This represents an entry address. The jump instruction JMP loaded there branches off to the address 1001050. This is on the left side of the program listing in 3 marked with a solid arrow. The instructions following this branch from address 1001050 up to and including line 27 serve for the program-technical preparation of the conditional branch instruction JNE, ie jump if not equal, with the address 100106F in line 28. With these preparatory instructions, it is determined whether the condition a = 0 is satisfied or not.

If the condition is not met, the JNE command becomes active, suspends further processing of the following instructions, and continues program execution at address 1000107C. This is on the left side of the program listing in 3 marked with a dotted arrow. As a result, the commands following the address 1000106F are skipped up to and including the command with the address 1000107A. When executing the command jumped from address 1000107C to the address 10001084 in line 43, the variable x is as shown in the flowchart of 2 increased by the value 3. The commands which follow from the address 10001085 complete the program run of the HELLO method and end in the return command RET at the address 1000108E.

If, on the other hand, with the preparatory commands between the addresses 100001050 to before 1000106F If it is determined that the condition a = 0 is fulfilled, the command JNE does not become active and the program sequence is continued with the commands following the address 1000106F. In this case, the variable x corresponding to the representation in the flowchart of 2 multiplied by the value 5. This program ends at the address 1000107A with the absolute jump command JMP. This stops further processing of the following commands and continues the program at address 10001085. As described above, the commands that follow from address 10001085 close the program run of the HELLO method and end at the address 1000108E in the return command RET.

Will be on the in 3 program code used the method according to the invention applied, it is found in particular when parsing the program code that various interruptions and branches are present, which lead to a non-successive processing of the machine code at runtime. Thus, on the one hand, the absolute jump command JMP with the entry address 10001050 is available at address 1000100A. Furthermore, an absolute branch instruction JMP with the entry address 10001085 is available at address 1000107A. Finally, the address 1000106F contains the conditional jump instruction JNE with the entry address 1000107C.

If, according to the method of the invention, chains of consecutive instructions which can be executed linearly one after the other in runtime are combined in the program code into code fragments, this results in three code fragments 1, 2 and 3, which in the 3 already represented by frames.

In detail, these code fragments can be described by the following values: start address end address Length in bytes Code fragment 1 1000100A 1000100E 5 Code fragment 2 10001050 1000107B 2C Code fragment 3 1000107C 1000108E 13 Table 1

So Code fragment 1 starts at entry address 1000100A and immediately ends with the absolute jump command JMP 1000100E. Furthermore, the code fragment 2 starts at the entry address 10001050, which is the destination address of the branch instruction JMP, and ends with the further jump command JMP at address 1000107B. After all the code fragment 3 starts at the entry address 1000107C, which is the destination address of the conditional jump instruction 1000106F, and ends at the program end condition RET at the address 1000108E.

These code fragments formed by the method according to the invention are in 4 shown again and described according to an advantageous further embodiment of the invention by their starting addresses and lengths, as listed in the above table. Offset = 0 means that a jump instruction references the beginning of the code fragment. At least one reference with offset 0 must exist.

On However, the reason for the conditional branch instruction JNE described above is also a program sequence possible, in which only a part of the code fragment 3 is processed, as in Code fragment 2 of this jump instruction one inside the code fragment 3 lying entry address at 100010085 has. This case can according to a advantageous, further embodiment the invention best be solved by this Code fragment considered an offset becomes.

Since the starting address of the code fragment 3 at 1000107C and the original destination address of the conditional branch instruction before carrying out the fragmentation according to the invention was 10001085, the relative address distance within code fragment 3 for the conditional branch from code fragment 2, ie the offset, is determined as follows: Offset = 10001085 - 1000107C = 9.

The Code fragments 1 to 3 formed in this way, which correspond to the Method "HELLO" belong now extracted and encrypted together and in a program library deposited, which in turn is advantageous itself encrypted.

5 shows a second, exemplary method. The commands of the program code are also shown in assembly language and again with exemplary address assignments, which result when loading the commands into a main memory. 6 shows after running a program trace on the second method of 5 Code fragments resulting from the process according to the invention. To facilitate understanding, these figures will be explained together below.

Thus, this method starts at the address 1000100A with a program call CALL, which branches to the address 10001010E. This is on the left side of the program listing in 5 marked with an outside, solid arrow. The program run is now continued with the commands from address 1000101E and ends in the return command RET at address 10001020.

Now the program code will follow with the address 1000100A Commands continued. In this editing occurs at the address 10001010 Another program call CALL on, the address 1000101B branched.

This is on the left side of the program listing in 5 marked with an inside, solid arrow. The program run is now continued with the commands from address 1000101B and ends again with the return command RET at the address 10001020. The program run is finally continued with the commands following the address 10001010 and finally ends in the return command RET at the address 10001016.

If, in accordance with the inventive method, chains of consecutive instructions which can be executed linearly one after the other in runtime are thus combined in the program code to form code fragments, this results in three code fragments 1, 2 and 3, which in the 5 also already represented by frames.

In detail, these code fragments can be described by the following values: start address end address Length in bytes Code fragment 1 1000100A 10001016 C Code fragment 2 1000101E 10001020 3 Code fragment 3 1000101B 10001020 6 Code fragment 2 * 1000101B 10001020 6 Table 2

In 6 These code fragments formed by the method according to the invention are shown again and described according to an advantageous further embodiment of the invention by their starting addresses and lengths, as they are listed in the above table.

So Code fragment 1 starts at entry address 1000100A and ends with the program-technical end condition RET at the address 10,001,016th

Farther Code fragment 2 begins at the entry address 1000101E, which the destination address of the first program call CALL at address 1000100A is, and ends with the program end condition RET at the address 10001020. Finally the code fragment 3 starts at the entry address 1000101B, which the destination address of the second program call CALL at the address 10001010, and also ends with the program-technical end condition RET at the address 10001020.

How out 5 can be seen overlap in this case, the code fragments 2 and 3 such that the code fragment 2 is even completely in the code fragment 3. In a processing of the code fragments 1 to 3, therefore, the program code of the code fragment 2 is executed twice. This can be avoided according to an advantageous further embodiment of the invention in that the code fragments 2 and 3 are combined to form a resulting code fragment 2 *. This is in the example of 5 framed.

After this formation of the code fragments 1 and 2 * is again off 5 It can be seen that the code fragment at the address 1000100A has a program call CALL, which now has an entry address located inside the code fragment 2 *. It is therefore also necessary to determine the offset, ie the relative address spacing of the entry address 1000101E to the start address 1000101B of the code fragment 2 *. This is calculated as follows: Offset = 1000101E - 1000101B = 3

As shown in 7 Thus, both code fragments 1 and 2 * can be processed one after the other without relative address spacing, ie their offset is 0. On the other hand, a program sequence may result in which an offset is generated in code segment 1 for code segment 2 * due to the second program call CALL of 3 is to be considered.

The Code fragments 1 and 2 * formed in this way eventually become separate encoded and stored in a program library, which in turn advantageous even encrypted is.

Claims (14)

Method for encrypting executable Program code, where a) in a first step the program code unmodified directly into a working memory of a processing unit is copied, b) in a second step for identification the methods of the program code structure data directly evaluated become, c) in a third step by parsing in the program code From each method, components are captured which are at runtime a break in sequential processing of the program code would cause d) in a fourth step, chains of consecutive, at runtime linear consecutively executed instructions in the program code to code fragments, and e) in a fifth Step the found code fragments belonging to a method individually encoded and stored in a program library. The method of claim 1, wherein the program library as such in addition encoded becomes. Method according to claim 1 or 2, wherein the program code by manual loading, in particular without the help of loading means an operating system, unmodified directly into a working memory is copied. The method of claim 1, 2 or 3, wherein as structural data PE header data, d. H. Portable Executable File Format data, to be evaluated. Method according to one of the preceding claims, wherein be evaluated as structural data relocation tables. Method according to one of the preceding claims, wherein when parsing the program code from each method as components the addresses of absolute branch instructions and / or return instructions which to end the program. Method according to one of the preceding claims, wherein when parsing the program code from each method as components the entry addresses of branches are detected. A method according to claim 7, wherein as constituents the entry addresses of branching program calls, absolute and / or relative jump commands are detected. Method according to one of the preceding claims, wherein a code fragment either with an entry address detected during parsing a method or a destination address of a branch begins. Method according to one of the preceding claims, wherein a code fragment either with a program detected during parsing End condition or an absolute jump instruction ends. Method according to one of the preceding claims, wherein a code fragment is defined by its start address and length. Method according to one of the preceding claims, wherein a dynamic jump address detected during parsing by a explicit referencing is replaced. Method according to one of the preceding claims, wherein Code fragments are combined into a resulting code fragment when the code fragments overlap. Method according to one of the preceding claims, wherein in a code snippet one to a jump command or program call associated Entry address, which refers to another code fragment, by reference to the further code fragment and the relative one Address distance between entry and start address in the following Code fragment characteristic offset is taken into account.