JP6917150B2 - Code protection methods and computer programs - Google Patents

Description

The following description relates to code protection methods, computer programs, and the like.

An intermediate language (Intermediate Language or InterLanguage: IL) means a language that goes through as an intermediate stage when a source language program is translated by a compiler to generate a target language program. For example, after changing a high-level language program to assembly language, when trying to assemble it to generate a machine language program, the intermediate assembly language becomes the intermediate language.

Korean Publication No. 10-2007-0067953 relates to an intermediate language converter for mobile platforms and methods thereof, and requires a mobile platform source code developed in C or C ++ language as an interpreter for a mobile communication terminal. A C / C ++ compiler that converts an intermediate language code and an intermediate language assembler that converts an intermediate language code into a format executed by an interpreter of a mobile communication terminal are disclosed.

The application code that undergoes such conversion to an intermediate language is weakly resistant to decompilation due to its characteristics. For example, the code of an application written in a programming language like C-sharp (C #) through a tool like Unity is compiled into an intermediate language form like DLL (Dynamic Linking Library). It may be provided to the client's electronic device and executed in the electronic device framework. At this time, since it is possible to decompile the DLL according to such characteristics of the intermediate language, modify the code, and then compile it to the DLL again, there is a problem that the application can be forged or altered. ..

If the intermediate language form file is simply encrypted and provided to the client in order to prevent such falsification / alteration, the client's electronic device will not be able to execute the encrypted file, and the application will not be executed. It becomes impossible. However, when the client is provided with the means (or information, for example, the decryption key) for decrypting the encrypted file, the problem of fake / tampering with the application will appear again.

There is also a prior art that protects the code by adding a protection module file realized in binary code that is difficult to analyze to the application package. However, such a conventional technique has a problem that the code can be forged or altered by a method of removing the protection module file from the package.

Further, in the conventional technique of encrypting a file, the file can be manipulated little by little before the protection module is loaded, so that the protection module cannot detect the file in this case. In other words, there is a problem that the file can be forged or altered by bypassing the protection module.

By coupling the code of the application to be protected with the protection module, it provides a code protection method and system that can prevent the application from running without the protection module and prevent the protection module from being removed.

It provides a code protection method and system that allows protection to be selected by processing the coupling with the protection module only for the code that is absolutely necessary, rather than applying protection to the entire code.

By encrypting the code coupled with the protection module, decrypting the encrypted code only at the time of execution of the corresponding code, and re-encrypting the decrypted code, the protection module can be used even at the time of application execution. Provide code protection methods and systems that can protect the code so that at least part of the coupled code is always encrypted.

By moving the code of the protected application to the protection module to protect it, the code of the application cannot be analyzed statically, and the code of the application moved to the protection module is executed first. It provides code protection methods and systems that can provide protection against dynamic analysis as they are sometimes decrypted or periodically re-encrypted.

Since the code of the application stored in the protection module changes at each moment of runtime, it provides a code protection method and system that can disable the analysis method such as memory dump, especially for dynamic analysis.

Convert or remove the library file with the package file to prevent users from accessing the library file directly, add a protection module containing the encrypted library file to the package file, and make it into the library file encrypted through the protection module. By providing access, it provides code protection methods and systems that can prevent falsification or alteration of files by removing or bypassing protection modules.

A code protection method executed by a computer, in which the processor of the computer stores a package file containing a file for an application in the storage device of the computer, and the processor executes the execution code of the file. The step of transforming a protected method or function that is screened in a file that contains, or converting or removing a library file from the file, first protection to restore the transformed protected method or function. The stage of adding the module file or the second protection module file for restoring the library file to the package file to regenerate the package file, and the stage of providing the regenerated package file via the network. Provide code protection methods, including.

According to one side, the step of transforming a protected method or function in the processor that is selected by the file containing the executable code in the file is the protected method in the file containing the executable code. Alternatively, the stage of selecting a function and replicating it to the first protection module file, the stage of transforming the code contained in the selected protected method or function into the execution code, and the protection duplicated in the first protection module file. It may include a step of adding a search code for finding the target method or function to the execution code.

According to another aspect, the step of selecting the protected method or function and replicating it to the first protection module file is to select a method or function of a preset function from the whole method or function of the execution code. It may be screened as the protected method or function, or the method or function corresponding to the information entered by the developer of the application may be screened as the protected method or function.

According to another aspect, the step of transforming the code contained in the selected protected method or function into the executable code transforms the instruction of the code into an unrecognizable instruction or any random instruction. It may be transformed into an instruction that jumps to an address.

According to another aspect, the step of adding the search code for finding the protected method or function duplicated in the first protection module file to the execution code is to provide a gateway to the selected protected method or function. The first code for calling may be added, and the second code for obtaining the memory address of the protected method or function duplicated in the first protection module file as the gateway may be added to the execution code.

According to another aspect, the memory address is a factor of the program counter (Program Counter: PC) in the electronic device in which the application is installed and executed and the remote address value provided by the first protection module file. , May be calculated according to the second code.

According to another aspect, in the processor, the step of transforming the protected method or function selected by the file containing the execution code among the files is the protected method duplicated in the first protection module file. Alternatively, the step of encrypting the instruction of the function by the first key or the first encryption algorithm, and the decryption for decrypting the encrypted instruction to the protected method or function duplicated in the first protection module file. It may further include the step of adding the conversion code.

According to another aspect, the first protection module file is decrypted by the instruction of the protected method or function duplicated in the first protection module file when the application is executed on the electronic device in which the application is installed. When decrypted by the encryption code, it may include a function of re-encrypting the instruction by a second key or a second encryption algorithm according to preset conditions.

According to another aspect, in the processor, the step of converting or removing the library file among the files is the step of encrypting the library file to generate the encrypted library file, and whether the library file is converted. , Or removing from the package file, and adding the encrypted library file to the second protection module file, wherein the application was installed through the package file. The electronic device intercepts the control command for the converted or removed library file, and processes the intercepted control command using the encrypted library file included in the second protection module file. It may include a module.

According to another aspect, when the application is executed in the electronic device, a detour linker is generated according to an open instruction for the second protection module file loaded in the memory of the electronic device, and the detour linker is generated. The control command for the library file may be intercepted by the electronic device according to the control of.

According to another aspect, the control instruction for the converted or removed library file includes an open instruction for the library file, and the encrypted library according to the open instruction intercepted by the second protection module file. After decoding the file, a fake handle parameter indicating a buffer containing the contents of the decrypted library file may be generated and returned.

According to another aspect, the control instruction for the converted or removed library file further includes at least one instruction of a read instruction, a write instruction, and a search instruction for the library file, and the second protection module file. At least one instruction may be processed by accessing a buffer containing the contents of the decrypted library file based on the fake handle parameter according to the intercepted at least one instruction.

According to still another aspect, the contents corresponding to the read instruction are copied and returned in the buffer according to the read instruction in the second protection module file, or the contents corresponding to the write instruction are corresponded to the buffer in the buffer according to the write instruction. The content may be written or the position of the file pointer corresponding to the search instruction may be returned in the buffer according to the search instruction.

A computer program stored in a recording medium in order to execute a code protection method in combination with an electronic device realized by a computer, wherein the code protection method is a processor of the electronic device and a storage device of the electronic device. At the stage of storing the package file containing the files for the application in (the package file is the first protection module file for restoring the deformed protected method or function or the second protection module file for restoring the library file. The protected method or function that contains the protection module file and is screened in the file that contains the executable code is modified, or the library file in the file is converted or removed), and In the processor of the electronic device, the protected method or function modified according to the execution of the application is restored through the first protection module file to execute the execution code, or when the application is executed, the modification is performed. Alternatively, a computer program is provided that includes a step of restoring the removed library file through the second protection module file and processing control instructions for the modified or removed library file.

According to one side, the protected method or function selected by the execution code is duplicated in the first protection module file, and the protection target method or function duplicated in the first protection module file is duplicated in the execution code. A search code for finding the function is added, and the processor of the electronic device restores the modified protected method or function through the first protection module file according to the execution of the application and executes the execution code. The step may use the search code to find the duplicated protected method or function in the first protection module file and execute the execution code for the selected protected method or function. ..

According to another aspect, the library file is encrypted and added to the second protection module file, and the modified or removed library file is added to the second protection module file when the application is executed by the processor of the electronic device. The step of restoring through the protection module file and processing the control command for the deformed or removed library file is the step of loading the protection module contained in the second protection module file into the memory of the electronic device when the application is executed. , The step of intercepting control instructions for the converted or removed library file under the control of the loaded protection module, and added to the second protection module file under the control of the loaded protection module. It may include a step of processing the intercepted control instruction by utilizing the encrypted library file.

A code protection method for an electronic device realized by a computer, in which the processor of the electronic device stores a package file containing a file for an application in the storage device of the electronic device (the package file is a stage). Protection that includes a first protection module file for restoring a modified protected method or function or a second protection module file for restoring a library file, and is sorted by the file containing the executable code. The target method or function has been modified, or the library file of the file has been converted or removed), and the computer of the electronic device has the modified protected method or function according to the execution of the application. Is restored through the first protection module file to execute the execution code, or when the application is executed, the deformed or removed library file is restored through the second protection module file and the deformation or removal is performed. It provides a code protection method that includes the steps of processing control instructions for a library file.

By providing a coupling between the code of the application to be protected and the protection module, it is possible to prevent the application from running without the protection module and prevent the protection module from being removed.

Rather than applying protection to the entire code, it is possible to handle the coupling with the protection module only for the code that is absolutely necessary and select the code to be protected.

By encrypting the code coupled with the protection module, decrypting the encrypted code only at the time of execution of the corresponding code, and re-encrypting the decrypted code, the protection module can be used even at the time of application execution. You can protect your code so that at least part of the coupled code is always encrypted.

By moving the protected application code to a protection module to protect it, the application code can be prevented from being analyzed statically, and the application code moved to the protection module is decrypted at the first execution. It is encrypted and periodically re-encrypted, which can provide protection against dynamic analysis.

Since the application code stored in the protection module changes at each runtime, it is possible to disable the analysis method such as memory dump, especially for dynamic analysis.

Convert or remove the library file with the package file to prevent users from accessing the library file directly, add a protection module containing the encrypted library file to the package file, and make it into the library file encrypted through the protection module. By accessing the file, it is possible to prevent falsification / alteration of the file due to removal of the protection module and bypass.

It is a figure which showed the example of the network environment in one Embodiment of this invention. It is a block diagram for demonstrating the internal structure of an electronic device and a server in one Embodiment of this invention. It is a figure which showed the example of the component which the processor of the server can include in one Embodiment of this invention. It is a flowchart which showed the example of the method which a server can execute in one Embodiment of this invention. It is a flowchart which showed the example of the process for adding the encryption and decryption code of the protected method or function in one Embodiment of this invention. It is a figure which showed the example of the component which can include the processor of the electronic device in one Embodiment of this invention. It is a flowchart which showed the example of the method which an electronic device can perform in one Embodiment of this invention. It is a figure which showed the example of the process in which a server adds a protection module file to a package and sends it to an electronic device in one Embodiment of this invention. It is a figure which showed the example of the process of selecting the protected method or function in one Embodiment of this invention. It is a figure which showed the example of the process of duplicating a protected method or function into a protected module file in one Embodiment of this invention. It is a figure which showed the example of the process of changing the instruction of a code by adding a gateway in one Embodiment of this invention. It is a figure which showed the example of the process of encrypting the instruction of the duplicated protected method or function in one Embodiment of this invention. It is a figure which showed the example of the whole flow of protection operation in one Embodiment of this invention. It is a figure for demonstrating the encryption and decryption of an instruction at the time of execution in one Embodiment of this invention. It is a block diagram which showed the example of the component which the processor of the server can include in another embodiment of this invention. It is a flowchart which showed the example of the method which a server can execute in another embodiment of this invention. It is a figure which showed the example which adds the protection module to the package file in another embodiment of this invention. It is a figure which showed the other example which adds the protection module to the package file in another embodiment of this invention. It is a block diagram which showed the example of the component which can include the processor of the electronic device in another embodiment of this invention. It is a flowchart which showed the example of the method which an electronic device can perform in another embodiment of this invention. It is a figure which showed the example of the processing process of the control instruction in another embodiment of this invention.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram showing an example of a network environment according to an embodiment of the present invention. The network environment of FIG. 1 shows an example including a plurality of electronic devices 110, 120, 130, 140, a plurality of servers 150, 160, and a network 170. Such FIG. 1 is merely an example for explaining the invention, and the number of electronic devices and the number of servers are not limited as in FIG.

The plurality of electronic devices 110, 120, 130, 140 may be fixed terminals or mobile terminals realized by a computer device. Examples of a plurality of electronic devices 110, 120, 130, 140 include a smartphone (smart phone), a mobile phone, a navigation system, a computer, a notebook pancon, a digital broadcasting terminal, a PDA (Personal Digital Assistants), and a PMP (Tablet Multimedia Player). ), Tablet PC, etc. As an example, electronic device 1 (110) may use a wireless or wired communication method to communicate with other electronic devices 120, 130, 140 and / or servers 150, 160 via network 170.

The communication method is not limited, and not only the communication method utilizing the communication network (for example, mobile communication network, wired Internet, wireless Internet, broadcasting network) that can be included in the network 170, but also the short distance between devices. Wireless communication may be included. For example, the network 170 includes a PAN (personal area network), a LAN (local area network), a CAN (campus area network), a MAN (metropolitan area network), a WAN (wide network), etc. It may include any one or more of the networks. In addition, network 170 may include any one or more of network topologies, including bus networks, star networks, ring networks, mesh networks, star-bus networks, tree or hierarchical networks, and the like. You are not limited to this.

Each of the servers 150 and 160 is realized by a computer device or a plurality of computer devices that communicate with a plurality of electronic devices 110, 120, 130, 140 via a network 170 to provide instructions, codes, files, contents, services, and the like. You may.

As an example, the server 150 may add a protection module file to the application package registered from the electronic device 2 (120). The application package containing the protection module file may be provided directly from the server 150 to the electronic device 1 (110), or may be provided to the electronic device 1 (110) through another server 160. The electronic device 1 (110) may install and execute the application on the electronic device 1 (110) through the application package, or may be provided with a specific service through the application. Here, the protection module file may protect the application code.

FIG. 2 is a block diagram for explaining the internal configurations of the electronic device and the server according to the embodiment of the present invention. In FIG. 2, the internal configuration of the electronic device 1 (110) as an example for one electronic device and the server 150 as an example for one server will be described. Other electronic devices 120, 130, 140 and server 160 may also have the same or similar internal configuration.

Electronic device 1 (110) and server 150 may include memory 211,221, processor 212,222, communication modules 213,223, and input / output interfaces 214,224. The memories 211 and 221 are computer-readable recording media and include a RAM (random access memory), a ROM (read only memory), and a permanent mass storage device such as a disk drive. It's fine. Further, the memory 211 and 221 store an operating system and at least one program code (for example, a code for a browser installed and executed in the electric device 1 (110), an application for a video call, and the like). You can do it. Such software components may be loaded from a computer-readable recording medium other than the memories 211 and 221 using a drive mechanism. Such computer-readable recording media may include computer-readable recording media such as floppy® drives, disks, tapes, DVD / CD-ROM drives, and memory cards. In other embodiments, the software components may be loaded into memory 211, 221 using communication modules 213, 223, which are not computer readable recording media. For example, at least one program is a program installed by a file provided by a file distribution system (as an example, the server 160 described above) that distributes a developer or application installation file via a network 170 (as an example, described above). It may be loaded into memory 211,221 based on the application).

Processors 212 and 222 may be configured to process instructions in a computer program by performing basic arithmetic, logic, and input / output operations. Instructions may be provided to processors 212 and 222 by memory 211, 221 or communication modules 213 and 223. For example, processors 212 and 222 may be configured to execute instructions received according to program code stored in a recording device such as memory 211 and 221.

The communication modules 213 and 223 may provide a function for the electronic device 1 (110) and the server 150 to communicate with each other via the network 170, or may provide another electronic device (for example, the electronic device 2 (120)). )) Or another server (for example, server 160) may be provided with a function for communicating with the server. As an example, a request generated by the processor 212 of the electronic device 1 (110) according to a program code stored in a recording device such as a memory 211 (as an example, a request for a video call service) controls the communication module 213. It may be transmitted to the server 150 via the network 170 according to the above. On the contrary, the control signals, instructions, contents, files, etc. provided under the control of the processor 222 of the server 150 pass through the communication module 223 and the network 170, and then through the communication module 213 of the electronic device 1 (110). It may be received at 1 (110). For example, the control signals and instructions of the server 150 received through the communication module 213 may be transmitted to the processor 212 and the memory 211, and the contents and files may be further stored in the electronic device 1 (110). It may be stored in a medium.

The input / output interfaces 214 and 224 may be means for interfacing with the input / output device 215. For example, the input device may include a device such as a keyboard or mouse, and the output device may include a device such as a display for displaying a communication session of an application. As another example, the input / output interface 214 may be a means for an interface with a device such as a touch screen in which functions for input and output are integrated into one. As a more specific example, the processor 212 of the electronic device 1 (110) utilizes the data provided by the server 150 and the electronic device 2 (120) in processing the instructions of the computer program loaded in the memory 211. The configured service screens and contents may be displayed on the display through the input / output interface 214.

Also, in other embodiments, the electronic device 1 (110) and the server 150 may include even more components than the components of FIG. However, it is not necessary to clearly illustrate most of the prior art components. For example, the electronic device 1 (110) may be realized to include at least a part of the above-mentioned input / output device 215, a transceiver, a GPS (Global Positioning System) module, a camera, and various types. Other components such as sensors, databases, etc. may be further included. As a more specific example, when the electronic device 1 (110) is a smartphone, the acceleration sensor, gyro sensor, camera, various physical buttons, buttons using the touch panel, input / output, which are generally included in the smartphone. It can be seen that various components such as ports and vibrators for vibration may be further included in the electronic device 1 (110).

FIG. 3 is a block diagram for explaining a processor included in the server according to the embodiment of the present invention, and FIG. 4 is a flowchart showing a method executed by the server according to the embodiment of the present invention.

As shown in FIG. 3, the processor 222 included in the server 150 has a package management control unit 310, a replication control unit 320, a code deformation control unit 330, a search code additional control unit 340, and a package generation control unit as components. 350 may be included. Such processor 222 and the components of processor 222 may control the server 150 to perform steps 410-460 included in the code protection method of FIG. At this time, the processor 222 and the components of the processor 222 may be realized to execute an instruction by the code of the operating system included in the memory 221 and the code of at least one program. Here, the components of the processor 222 may be representations of different functions executed by the processor 222 according to the control instructions provided by the program code stored in the server 150. For example, the package management control unit 310 may be used as a functional representation in which the processor 222 operates to store and manage packages in accordance with the control instructions described above.

At step 410, processor 222 may load the program code stored in the program file for the code protection method into memory 221. For example, when a program is executed on the server 150, the processor 222 may control the server 150 to load the program code from the program file into the memory 221 under the control of the operating system.

Here, the package management control unit 310, the replication control unit 320, the code deformation control unit 330, the search code addition control unit 340, and the package generation control unit 350 included in the processor 222 are each among the program codes loaded in the memory 221. It may be a functional representation of processor 222 for executing the corresponding instruction and executing subsequent steps 420-460.

At step 420, the package management control unit 310 may store the package containing the files for the application in the storage device. For example, the application developer may generate a package and register it on the server 150. As a more specific example, the developer uses the electronic device 2 (120) to connect to the server 150 via the network 170, and uploads the package file to the server 150 using the user interface provided by the server 150. You may. Here, the package management control unit 310 may store and manage the package uploaded to the server 150 in the storage device of the server 150.

At step 430, the replication control unit 320 may select the protected method or function from the file containing the execution code and replicate it to the protection module file. For example, the replication control unit 320 may select a method or function having a preset function from the entire method or function of the execution code as a protection target method or function and duplicate it in the protection module file. As a more specific example, a method or function corresponding to the Java Native Interface (JNI) in the Java (Java (registered trademark)) language may be preset, and the replication control unit 320 may be a JNI series. You may find the method or function and duplicate it in the protection module file. As another example, the replication control unit 320 can select the method or function corresponding to the information input by the developer of the application as the protection target method or function and replicate it in the protection module file. As a more specific example, the server 150 may receive input of the name of the method or function to be selected from the developer, select the method or function with the input name, and copy it to the protection module file. Optionally, the replication control unit 320 can also select both the method or function of the preset function and the method or function instructed by the developer.

For this purpose, the replication control unit 320 may control the server 150 so that the file containing the execution code and the protection module file are loaded into the memory 221 and are selected by the execution code loaded in the memory 221. The server 150 may be controlled so that the methods and functions are replicated to the protection module loaded in memory 221. Such a process may be processed by a read instruction for a file containing the execution code (a file stored in the storage device of the server 150), a write instruction for the protection module file, and the like. In the following, the description of clear matters such as the process of loading data through the storage device of the memory 221 or the server 150 and writing data to the stored file will be omitted.

At step 440, the code transformation control unit 330 may transform the code contained in the selected protected method or function. For example, the code transformation control unit 330 may transform the code instruction into an unknown instruction that cannot be recognized or an instruction that jumps to an arbitrary random address. Therefore, in an electronic device on which an application is installed and executed (for example, electronic device 1 (110)), an unknown instruction or any arbitrary that cannot be recognized even if the code is obtained through a function such as dump. Instructions to jump to a random address obscure the original code.

At step 450, the search code addition control unit 340 may add search code to the execution code to find the protected method or function replicated in the protection module file. Such a search code is not the code transformed by the executable code, but the code for searching the protection module file to obtain the original code, and when the protection module file is removed, the original code is used. Since it cannot be obtained, stable code protection is possible through the protection module.

As a more specific embodiment, the search code addition control unit 340 adds the first code for calling the gateway to the selected protected method or function in the step 450, and adds the first code to the execution code as the gateway to the protection module file. You may add a second code to get the memory address of the duplicated protected method or function. Here, the memory address may be calculated according to the second code by using the partner address value provided by the program counter (Program Counter: PC) and the protection module file in the electronic device in which the application is installed and executed as a factor. good. Finding a protected method or function duplicated in a protection module file is described in more detail below.

At step 460, the package generation control unit 350 may generate a package containing a protection module file in which the protected method or function is duplicated and a file for the application. At this time, since the code included in the protected method or function is transformed in the file containing the execution code of the application, the application cannot be executed accurately without the protection module file. Therefore, the removal of the protection module can be prevented. In addition, in the execution code of the application, the instruction of the code included in the protected method or function is deformed, so the original code cannot be restored, the code can be protected, and falsification / alteration of the code can be prevented. become able to.

FIG. 5 is a flowchart showing an example of a process for adding an encryption and decryption code of a protected method or function in one embodiment of the present invention. Steps 510 and 520 of FIG. 5 may optionally be included and performed in the code protection method of FIG. FIG. 5 describes an embodiment in which steps 510 and 520 of FIG. 5 are included between steps 430 and 440 and performed, but steps 510 and 520 of FIG. 5 are after step 430 and then in steps. If it is 460 or earlier, there is no restriction on the execution order. To perform steps 510 and 520 of FIG. 5, processor 222 may further include an encryption control unit (not shown) and a decryption code additional control unit (not shown).

At step 510, the processor 222 or the cryptographic control unit may encrypt the instructions for the protected method or function replicated in the protection module file with the first key or the first cryptographic algorithm. Protected methods or functions duplicated in a protected module file by coupling are written in a high-level language (for example, Java or C ++), so protected methods or functions may be leaked from the protected module file. exist. Therefore, such leakage can be prevented by encrypting the protected method or function.

At step 520, the processor 222 or the decryption code addition control unit may add the decryption code to decrypt the encrypted instruction to the protected method or function replicated in the protection module file. Here, the decryption code, unlike the duplicated protected method or function, is written in binary code and can be difficult to analyze.

The process of decrypting an encrypted instruction is described in more detail below.

Hereinafter, the code protection method will be described with reference to FIGS. 6 and 7 from the viewpoint of the electronic device 1 (110) that has received the package.

FIG. 6 is a diagram showing an example of components that can be included in the processor of the electronic device according to the embodiment of the present invention, and FIG. 7 is a diagram showing the execution by the electronic device according to the embodiment of the present invention. It is a flowchart which showed the example of the possible method.

As shown in FIG. 6, the processor 212 included in the electronic device 1 (110) may include a package management control unit 610 and an execution code processing unit 620 as components, and may selectively include an execution code processing unit 620 depending on the embodiment. The re-encryption control unit 630 may be further included. Such a processor 212 and components of the processor 212 may control electronic device 1 (110) to perform steps 710 to 740 included in the code protection method of FIG. Here, the processor 212 and the components of the processor 212 are instructions (instruction) by the code of the operating system included in the memory 211 and the code of at least one program (for example, the code of the package including the protection module file provided by the server 150). ) May be implemented. Further, the components of the processor 212 may be representations of different functions (different funtions) executed by the processor 212 according to the control instructions provided by the program code stored in the electronic device 1 (110). For example, the package management control unit 610 may be used as a functional representation that operates to control the electronic device 1 (110) so that the processor 212 stores and manages the package in accordance with the control instructions described above.

At step 710, the package management control unit 610 may store the package containing the files for the application in the storage device. For example, the package management control unit 610 may control the electronic device 1 (110) so as to store the package in the storage device of the electronic device 1 (110) according to the control of the operating system of the electronic device 1 (110). ..

Here, the package is a package containing the protection module file described with reference to FIGS. 3 to 5, and can be downloaded directly through the server 150 or through another server (for example, the server 160). It may be a downloaded package. Therefore, the protected method or function selected by the execution code of the application may be duplicated in the protection module file, and the code contained in the selected protected method or function is transformed into the execution code. May be included. In addition, the execution code may have a search code added to find the protected method or function duplicated in the protection module file.

At step 720, processor 212 may load the program code stored in the application file for the code protection method into memory 211. For example, when an application is executed on the electronic device 1 (110), the processor 212 controls the server 150 to load the program code including the execution code into the memory 221 in the application package according to the control of the operating system. May be good.

At stage 730, the executable code processor 620 executes the executable code according to the execution of the application, uses the search code for the selected protected method or function, and duplicates the protected method or function in the protection module file. You may find the function and execute it.

As mentioned above, the screened protected method or function has been modified to include unknown instructions or instructions that jump to any random address, so just executing the executable code will result in the executable code. It cannot be executed accurately. Since the original code is duplicated in the protection module file and the program code of the protection module file is loaded in the memory 211, the execution code processing unit 620 is duplicated loaded in the memory 211 using the search code. By finding and executing the protected method or function, the original execution code can be executed accurately.

As a specific embodiment, the search code may include a first code added to the screened protected method or function to call the gateway, and a second code added to the execution code as the gateway. In this case, at step 730, the execution code processing unit 620 calls the second code as a gateway according to the first code, and acquires the memory address of the protected method or function duplicated in the protection module file through the second code. You may find and execute the duplicated protected method or function with. As described above, the memory address may be calculated by the second code with the partner address value provided by the program counter (Program Counter: PC) and the protection module file provided by the execution of the application as factors.

Further, as described above, the protected method or function (instruction) duplicated in the protection module file may be encrypted by the first key or the first encryption algorithm. In this case, the execution code processing unit 620 may decrypt the encrypted instruction by using the decryption code added to the duplicated protected method or function.

At step 740, the re-encryption control unit 630 tells the re-encryption control unit 630 when the application is executed and the instructions for the protected method or function replicated in the protection module file are decrypted by the decryption code and the preset conditions are met. Instructions may be re-encrypted with a second key or a second encryption algorithm. Since each protected method or function has a different execution time point, at least some protected methods or functions will always exist in an encrypted state. Also, because the encrypted protected method (or function) and the decrypted protected method (or function) or re-encrypted protected method (or function) continue to be different at each execution time point. The protected methods or functions duplicated in the protection module file will have different values, allowing the code to be protected even more safely.

As described above, according to the embodiment of the present invention, by providing the code of the application to be protected and the protection module by coupling, the application cannot be executed without the protection module and the removal of the protection module is prevented. Can be done. In addition, the code to be protected can be selected by processing the coupling with the protection module only for the code that is absolutely necessary, instead of applying the protection to the entire code. Furthermore, by encrypting the code coupled with the protection module, decrypting the encrypted code only at the time of execution of the corresponding code, and re-encrypting the decrypted code, it is protected even at the time of application execution. You can protect your code so that at least part of the code coupled to the module is always encrypted. Not only this, but by moving the code of the protected application to the protection module and protecting it, it is possible to prevent the application code from being analyzed statically, and the code of the application moved to the protection module is the first. Decrypted at run time or periodically re-encrypted, it can also provide protection against dynamic analysis. For example, since the application code stored in the protection module changes every moment of runtime, it is possible to disable the analysis method through a memory dump or the like, especially for dynamic analysis.

Hereinafter, a more specific embodiment of the code protection method will be described.

FIG. 8 is a diagram showing an example of a process in which a server adds a protection module file to a package and transmits it to an electronic device according to an embodiment of the present invention.

FIG. 8 shows a developer terminal 810, a code protection system 820, a file distribution system 830, a user terminal 840, and a service system 850, respectively. The developer terminal 810 may be an electronic device used by the developer of the application, and the user terminal 840 may be an electronic device used by the user of the application. The code protection system 820 may correspond to the server 150 described above, and the file distribution system 830 and the service system 850 may also be individual servers. In other embodiments, the code protection system 820 and the file distribution system 830 may be systems operated by the same entity or may be one system. Further, the service system 850 may be a server system operated by the developer, or may be a server system that operates based on a server-side program provided by the developer by a third party different from the developer. good. For example, the service system 850 may be a game server that provides an online game service through a game application. In this case, the user terminal 840 can connect to the game server through the game application and receive the game service.

1. 1. The package registration process may be a process in which the developer terminal 810 registers the package of the application developed by the developer in the code protection system 820. For example, the package may be uploaded from the developer terminal 810 to the code protection system 820 by data communication via the network between the developer terminal 810 and the code protection system 820 (for example, the network 170 in FIG. 1). Hereinafter, the description of data communication via such a network will be omitted.

2. The protection file addition process may be a process in which the code protection system 820 adds a protection module file to the package of the registered application. In this process, the code protection method described with reference to FIGS. 4 and 5 may be implemented by the code protection system 820.

3. 3. The package registration process may be a process in which the code protection system 820 registers the package to which the protection module file is added in the file distribution system 830. In another embodiment, the code protection system 820 provides the developer terminal 810 with a package to which the protection module file is added, and the developer terminal 810 directly registers the package to which the protection module file is added to the file distribution system 830. It is also possible to do.

4. The package distribution process may be a process in which the file distribution system 830 distributes the package to which the protection module file is added to the user terminal 840 at the request of the user terminal 840. On the user terminal 840, the application may be installed through a package to which the protection module file is added.

5. The service communication process may be a process in which the user terminal 840 communicates with the service system 850 based on the application to be executed and receives the service.

FIG. 9 is a diagram showing an example of a process of selecting a method or function to be protected in one embodiment of the present invention. FIG. 9 shows the game application package 910. The game application package 910 may include a plurality of files such as file 1 (911) and file 2 (912).

Here, the code protection system 820 described with reference to FIG. 8 sorts the protected methods or functions according to preset rules or according to the information input by the developer to select the packing list 920. It may be generated. For example, when method 2 is selected as a protected method, the packing list 920 contains a protected list matched with the identifier "method 2" of the selected method and the index "9" which is a random eigenvalue. It may be generated. Further, when the method 4 is additionally selected as the protected method, the packing list 920 shows the protected list matched with the identifier "method 4" of the selected method and the index "2" which is a random eigenvalue. May be generated.

The code protection system 820 will be able to identify protected methods (or functions) selected based on the generated packing list 920.

FIG. 10 is a diagram showing an example of a process of replicating a protected method or function to a protected module file in one embodiment of the present invention. FIG. 10 illustrates an example in which the first instruction "instruction 1" of the function "jni onload" is replicated to the protection module file 1020 by the code protection system 820 in the file 1 (1011) of the game application package 1010. Here, the code protection system 820 may find a protected method or function selected based on the packing list 920 described with reference to FIG.

In general, one instruction may be duplicated in the protection module file 1020 as well, but an instruction whose current program counter value affects the opcode value is converted to two or more instructions. It is also possible to duplicate. For example, an instruction that is branched at a current program counter so as to be separated by 4 Mbytes or more may be converted into two or more instructions and duplicated in order to reflect such a branch.

In addition, the instruction for each mode is different in the protection module file 1020, such as the arm mode of the instruction defined as 4byte and the thumb mode of the instruction defined as 2byte in the android (registered trademark) operating system. It is also possible to replicate to regions (“Faction Arm” and “Function Thumb”). The instruction conversion may be processed by an instruction translator called by the code protection system 820. Here, the code protection system 820 may call the instruction converter for the arm mode and the instruction converter for the thumb mode, respectively. In other embodiments, instruction transducers for thumb2 mode may be further utilized.

The instruction conversion may also include the process of integrating multiple instructions into one for code optimization. For example, instructions that are unnecessarily included in the process of compiling the executable code may be removed.

Here, since the code of the protection module file is variably loaded in the memory, the instruction may be translated in consideration of the variable memory address. Such a variable memory address may be based on the peer address value provided by the protection module file described above.

FIG. 11 is a diagram showing an example of a process of adding a gateway and transforming a code instruction in one embodiment of the present invention.

As mentioned above, the address at which the protection module file code is loaded into memory is variable. The code protection system 820 may add the first code "b.gateway Index1" for calling the gateway 1110 to the protected method (or function), and the game application package 1010 (or the execution code) of the gateway 1110 may be added. You may add a section of second code for this. Here, the 4-byte address may be a remote address value provided by the protection module file 1020 when the application is executed on the user terminal 840. It becomes possible to find and execute the instruction of the protected method (or function) duplicated by the code of the protection module file 1020 uploaded to the memory through such a gateway 1110.

Existing instructions may be transformed into unknown instructions or instructions that jump to any random address. Indexes such as "Index1" may be managed by packing list 920.

FIG. 12 is a diagram showing an example of a process of encrypting a duplicated protected method or function instruction in one embodiment of the present invention. FIG. 12 shows an example in which the protection module file 1020 described with reference to FIG. 11 is changed to the encrypted protection module file 1210 for the duplicated instruction. The first dotted line box 1211 shows that the duplicated instruction is encrypted, and the second dotted line box 1212 shows an example in which a decryption code for decrypting the encrypted instruction is added. ing.

The decryption code "UnCryptor Code" may be implemented to decrypt the encrypted instruction at the first execution, and after the instruction is decrypted, simply jump to the decrypted instruction.

FIG. 13 is a diagram showing an example of the overall flow of the protection operation in one embodiment of the present invention. When the application is executed on the user terminal 840, the user terminal 840 may receive the service while sequentially executing the execution code loaded in the memory in the game application package 1010. When the protected function "jni onload" of the file 1 (1011) must be executed, the user terminal 840 may call the gateway 1110 according to the instruction "b.gateway Index1", and the gateway 1110 "Index1" may be called. It will be possible to find the protected method or function duplicated in the protection module file 1210 according to the included instructions.

The "4 byte addless" of the gateway 1110 may be provided to the gateway 1110 as a remote address value in the memory after the code for the protection module is loaded into the memory in the protection module file 1210. The user terminal 840 may find an area in which the protection target function "jni onload" is duplicated in the protection module file 1210 (actually, the protection module code loaded in the memory) through the gateway 1110. The user terminal 840 may decrypt the instruction encrypted by the code "UnCryptor Code". The protection module file 1310 (actually, the protection module code loaded into memory) shows how the encrypted instructions have been decrypted. Here, the code "UnCryptor Code" has been changed to a code for jumping to "instruction 1" (as another example, a code for jumping to the original place). Therefore, the user terminal 840 can obtain the instruction for the protection target function "jni onload".

After that, the instruction decrypted according to the preset conditions may be re-encrypted by another key (second key) or another encryption algorithm (second encryption algorithm).

FIG. 14 is a diagram for explaining encryption and decryption of instructions at the time of execution in one embodiment of the present invention.

The first box 1410 at execution time 1 indicates the encrypted state of the code replicated in the protection module file. Here, as shown in box 1410, all the first replicated code may exist in an encrypted state.

The second box 1420 at the execution time point 2 indicates that a part of the code is decoded and a part of the decoded code "Code" exists.

The third box 1430 at the time of execution 3 indicates that a part of the decrypted code is re-encrypted and a part of the re-encrypted code "Recrypted Code" exists.

In this way, when the application is executed, decryption is performed at the execution time of each instruction and re-encryption is performed for the encrypted instruction, so that the protection module file contains different code values depending on the execution time. Become. Therefore, even if the protection module file is analyzed, it is difficult to obtain the original code, and forgery / alteration of the code can be prevented. The conditions for re-encrypting the instruction may be preset according to various conditions, such as when the application is converted to operate in the background mode or immediately after the instruction is decrypted and executed.

FIG. 15 is a block diagram showing an example of components that the server processor can include in another embodiment of the invention, and FIG. 16 is a block diagram performed by the server in another embodiment of the invention. It is a flowchart which showed the example of the possible method.

The server 150 may realize a code protection system according to another embodiment of the present invention, and as shown in FIG. 15, the processor 222 included in the server 150 is a component of the package file management unit 1510. The encryption control unit 1520, the file control unit 1530, the protection module addition unit 1540, and the package file provision unit 1550 may be included. Such processor 222 and the components of processor 222 may control the server 150 to perform steps 161 to 1660 included in the code protection method of FIG. At this time, the processor 222 and the components of the processor 222 may be realized to execute an instruction by the code of the operating system included in the memory 221 and the code of at least one program. Here, the component of the processor 222 may be a representation of different functions of the processor 222 executed by the processor 222 according to a control instruction provided by a program code stored in the server 150. For example, the package file management unit 1510 may be used as a functional representation of the processor 222 that controls the server 150 so that the processor 222 stores the package files for the application according to the control instructions described above.

At step 1610, processor 222 may load program code stored in a file of programs associated with control of server 150 into memory 221. For example, the processor 222 may control the server 150 to load the program code from the file of the program into the memory 221 under the control of the operating system. For example, the program file may contain at least a portion of the code that controls the processor 222 to perform steps 1620 to 1660 described below.

At step 1620, the package file management unit 1510 may control the server 150 to store the package files for the application. For example, the package file may be input to the server 150 through the input / output interface 224 or received by the server 150 through the communication module 223, which is input under the control of the package file management unit 1510. , Or the received package file may be stored and managed in a permanent storage device such as storage. For example, the package file may be a package of an application generated by collecting all the files after compiling the code developed by the developer.

At step 1630, the encryption control unit 1520 may encrypt the library file included in the package file to generate the encrypted library file. As a method of encrypting the library file, one of well-known encryption methods may be used.

At step 1640, the file control unit 1530 may convert the library file contained in the package file or remove it from the package file. For example, the file control unit 1530 converts the code or instruction contained in the library file into an unknown code or instruction, or removes the file itself from the package file so that the user can change the contents of the library file. It can be made inaccessible.

At step 1650, the protection module adder 1540 may add a protection module containing an encrypted library file to the package file to regenerate the package file. If the library file is simply converted or removed, the application cannot be executed correctly through the package file, so the server 150 is an encrypted library under the control of the protection module addition unit 1540. By including the file in the protection module and adding it to the package file, you can prevent access to the library file and at the same time ensure that the library file can only be accessed through the protection module.

At step 1660, the package file provider 1550 may control the server 150 to serve the regenerated package file over the network 170. The regenerated package file may be sent directly to the user's terminal (for example, electronic device 1 (110)) via the network 170, or may be sent to the user through another server (for example, server 160). It may be transmitted to the terminal of. As another example, the regenerated package file may be sent to the developer's terminal via network 170, then uploaded from the developer's terminal to another server and transmitted to the user's terminal. It is possible.

Here, the protection module (protection module included in the protection module file) is a control instruction for the library file converted or removed by the electronic device (for example, electronic device 1 (110)) in which the application is installed through the package file. May be implemented to intercept or hook and use the encrypted library file contained in the protection module to process the intercepted control instructions. The protection modules that work with electronic devices are described in more detail below.

FIG. 17 is a diagram showing an example of adding a protection module to a package file in another embodiment of the present invention. The package file 1710 input or received to the server 150 may include at least one library file 1711. For example, in an android operating system, library file 1711 may have a ".so" extension, such as "libGame.so", or may be implemented to include at least header 1712 and code 1713. In the prior art, a protection module file was added to such a package file 1710 to protect the package file 1710, but as described above, the protection module file is deleted or the protection module is loaded into memory. By previously accessing the library file 1711, the library file 1711 could be forged or altered.

In order to prevent such falsification / alteration, in the present embodiment, the protection module 1721 including the encrypted library file 1724 is added to the package file 1710, and the library file 1711 is removed from the package file 1710 to obtain the package file 1720. It may be generated. As a result, the user of the package file 1720 cannot remove the protection module 1721 and cannot easily access the contents of the library file 1711. The protection module 1721 may further include a header 1722 and a code 1723 for protection against the package file 1720, decryption of the encrypted library file 1724, and the like.

FIG. 18 is a diagram showing another example of adding a protection module to a package file in another embodiment of the present invention. In the embodiment of FIG. 18, a protection module 1820 containing an encrypted library file 1823 may be added to the package file 1710, as in the embodiment of FIG. On the other hand, in the embodiment of FIG. 18, unlike the embodiment of FIG. 17, the library file 1711 is not deleted, and the code 1713 is converted into an unknown code or instruction 1811 that cannot be interpreted by the user's terminal and packaged. File 1710 may be generated. Also in this case, the user of the package file 1810 cannot easily access the contents of the library file 1711, and when the protection module 1820 is removed, the application does not execute normally. Therefore, the protection module 1820 is deleted. Can be prevented. The protection module 1820 may further include a header 1821 and code 1822 for protection against the package file 1810, decryption of the encrypted library file 1823, and the like.

Hereinafter, embodiments of the present invention will be described from the perspective of electronic device 1 (110) that has received the package file regenerated and provided by the server 150.

FIG. 19 is a block diagram showing an example of components that can be included in the processor of the electronic device in another embodiment of the present invention, and FIG. 20 is a block diagram shown by the electronic device in one embodiment of the present invention. It is a flowchart which showed the example of the method which can be done.

The electronic device 1 (110) may realize the code protection system according to another embodiment of the present invention, and as shown in FIG. 19, the processor 212 included in the electronic device 1 (110) is a component. May include an application installation control unit 1910, a control instruction intercept unit 1920, and a control instruction processing unit 1930. Such a processor 212 and components of the processor 212 may control electronic device 1 (110) to perform steps 2010 to 2040 included in the code protection method of FIG. At this time, the processor 212 and the components of the processor 212 may be realized to execute an instruction by the code of the operating system included in the memory 211 and the code of at least one program. Here, the components of the processor 212 are representations of different functions of the processor 212 executed by the processor 212 according to the control instructions provided by the program code stored in the electronic device 1 (110). May be good. For example, the application installation control unit 1910 may be used as a functional representation of the processor 212 that controls the electronic device 1 (110) so that the processor 212 installs the application according to the control instructions described above.

In step 2010, the processor 212 may load the program code stored in the file of the program associated with the control of the electronic device 1 (110) into the memory 211. For example, the processor 212 may control the electronic device 1 (110) to load the program code from the file of the program into the memory 211 according to the control of the operating system. For example, the program file may contain at least a portion of the code that controls the processor 212 to perform steps 2020-2040 described below.

At step 2020, the application installation control unit 1910 may control the electronic device 1 (110) to receive the package file and install the application through the package file. Here, as described above, the package file may be a file in which the library file included in the package file is converted or deleted by the server 150, and a protection module including the encrypted library file is added.

In step 2030, the control instruction intercept unit 1920 intercepts the control instruction for the library file converted or deleted under the control of the protection module loaded in the memory 211 of the electronic device 1 (110) when the application is executed. You may. For example, the control instruction intercept unit 1920 generates a detour linker according to an open instruction for the protection module loaded in the memory 211 of the electronic device 1 (110), and converts or converts according to the control of the generated detour linker. Control instructions for the deleted library may be intercepted. In other words, the detour linker is a module that monitors the control instructions for the converted or deleted library and controls the electronic device 1 (110) to intercept the monitored control instructions, and is a control instruction intercept unit (1920). ) May be another functional expression.

At step 2040, the control instruction processing unit 1930 may process the intercepted control instructions using the encrypted library file included in the protection module under the control of the protection module. For example, a control instruction for a converted or removed library file may include an open instruction for the library file. In this case, the control instruction processing unit 1930 decrypts the library file encrypted by the response to the open instruction intercepted under the control of the protection module in step 2040, and then stores the contents of the decrypted library file. A fake hand parameter indicating a buffered buffer may be generated and returned. As an example, the fake handle parameter may have the maximum value of the constant variable, and the protection module of the decrypted library file if the maximum value of the constant variable is returned as the fake handle parameter. You may control to access the buffer containing the contents and process control instructions for the library file.

After that, the buffer containing the contents of the library file can be accessed using the fake handle parameter. For example, the control instruction for the converted or removed library file may further include at least one instruction of a read instruction, a write instruction, and a search instruction for the library file. In this case, the control instruction processing unit 1930 stores the contents of the library file decoded based on the fake handle parameter by the response to at least one instruction intercepted under the control of the protection module in step 2040. May be accessed to process at least one instruction. As a more specific example, in step 2040, the control instruction processing unit 1930 copies and returns the contents corresponding to the read instruction in the buffer according to the response to the read instruction according to the control of the protection module, or returns the contents corresponding to the read instruction to the buffer according to the write instruction. The content corresponding to the write instruction may be written, or the position of the file pointer corresponding to the search instruction may be returned in the buffer according to the search instruction. Therefore, the electronic device 1 (110) can process the control instruction for the library file through the buffer without the original library file.

FIG. 21 is a diagram showing an example of a control command processing process in another embodiment of the present invention. FIG. 21 shows "dropen (protection module)" 2110 which is an open instruction function for the protection module. According to the open instruction for the protection module, the control instruction intercept unit 1920 may generate the bypass linker 2111 and may process the open 2112 and / or the read 2113 for the protection module.

On the other hand, FIG. 21 shows "dropen (library file)" 2120, which is an open instruction function for a library file. Here, the open 2121 and read 2122 for the library file may be monitored and intercepted by the bypass linker 2111. If an open 2121 or read 2122 is required for a library file before the protection module is opened, the library file has been removed or converted and control instructions will not be processed properly, thereby bypassing the protection module. You will not be able to.

The open interceptor 2131 module contained in the memory-loaded protection module 2130 may decrypt the library file encrypted according to the intercepted open 2121 and manage the decrypted library file 2132 in a buffer, fake. A handle parameter may be generated. The fake handle parameter may indicate a buffer containing the contents of the decrypted library file, allowing the protection module 2130 to access the library file according to control instructions.

The read interceptor 2134 module may copy and return the contents of the library file corresponding to the read 2122 in a buffer based on the fake handle parameter according to the intercepted read 2122.

Since the protection module 2130 performs all decryption of the encrypted library file and access to the contents of the library file on the memory (for example, the memory 211 of the electronic device 1 (110)), the protection module 2130 is deleted or bypassed. Can be prevented.

Thus, according to an embodiment of the invention, a protection module that includes an encrypted library file by converting or removing the library file with a package file to prevent users from directly accessing the library file. Is added to the package file so that the encrypted library file is accessed through the protection module, so that the file can be prevented from being forged or altered by removing or bypassing the protection module.

The system or device described above may be implemented by hardware components, software components, or a combination of hardware components and software components. For example, the devices and components described in the embodiments include, for example, a processor, a controller, an ALU (arithmetic logic unit), a digital signal processor, a microprocessor, an FPGA (field programgate array), and a PLU (program). It may be implemented using one or more general purpose computers or special purpose computers, such as a logic unit), a microprocessor, or various devices capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on said OS. The processing device may also respond to the execution of the software, access the data, store, manipulate, process, and generate the data. For convenience of understanding, one processing device may be described as being used, but those skilled in the art will appreciate that the processing device includes multiple processing elements and / or multiple types of processing elements. But you can see that it's okay. For example, the processing device may include multiple processors or one processor and one controller. In addition, other processing configurations such as a parallel processor are also possible.

The software may include computer programs, codes, instructions, or a combination of one or more of these, configuring the processing equipment to operate at will, or collecting processing equipment independently or collectively. You may order to. The software and / or data is interpreted on the basis of a processing device or is a machine, component, physical device, virtual equipment, computer storage medium or device of any kind to provide instructions or data to the processing device. , Or may be permanently or temporarily embodied in the transmitted signal wave. The software is distributed on networked computer systems and may be stored or executed in a distributed manner. The software and data may be stored on a recording medium readable by one or more computers.

The method according to the embodiment may be realized in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the embodiment, or may be usable known to those skilled in the art of computer software. Examples of computer-readable recording media include hard disks, floppy disks, and magnetic media such as magnetic tape, optical media such as CD-ROMs and DVDs, and optical magnetism such as floptic discs. Includes media and hardware devices specially configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language code, such as those generated by a compiler, but also high-level language code, which is executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

As described above, the embodiments have been described based on the limited embodiments and drawings, but those skilled in the art can make various modifications and modifications from the above description. For example, the techniques described may be performed in a different order than the methods described, and / or components such as the systems, structures, devices, circuits described may be in a different form than the methods described. Appropriate results can be achieved even if they are combined or combined, or confronted or replaced by other components or equivalents.

Therefore, even if the embodiments are different, they belong to the attached claims as long as they are equal to the claims.

110, 120, 130, 140: Electronic equipment 150, 160: Server 170: Network

Claims (20)

A code protection method executed by a computer
The stage of storing a package file containing a file for an application in the storage device of the computer in the processor of the computer.
The stage in which the processor transforms a protected method or function that is screened in the file that contains the executable code, or transforms or removes a library file in the file.
The step of adding the first protection module file for restoring the modified protected method or function or the second protection module file for restoring the library file to the package file and regenerating the package file. and said viewing including the step of providing via the network the regenerated package file for the second protective module file, the converted or removed library file in the electronic device in which the application is installed via the package file A code protection method comprising a module that intercepts a control instruction and processes the intercepted control instruction using an encrypted library file included in the second protection module file. In the processor, the step of transforming the protected method or function that is selected in the file containing the executable code among the files is
The stage of selecting a protected method or function from the file containing the execution code and replicating it to the first protection module file.
The step of transforming the code contained in the selected protected method or function with the execution code, and the search code for finding the protected method or function duplicated in the first protection module file are added to the execution code. The code protection method according to claim 1, which comprises a step. The step of selecting the protected method or function and replicating it to the first protection module file is
The method or function of the preset function among the whole methods or functions of the execution code is selected as the protected method or function, or the method or function corresponding to the information input by the developer of the application is selected. The code protection method according to claim 2, which is selected as a method or function to be protected. The step of transforming the code contained in the selected protected method or function with the execution code is
The code protection method according to claim 2 or 3 , wherein the instruction of the code is transformed into an unknown instruction that cannot be recognized or an instruction that jumps to an arbitrary random address. The step of adding the search code for finding the protected method or function duplicated in the first protection module file to the execution code is
To add the first code to call the gateway to the selected protected method or function, and to obtain the memory address of the protected method or function duplicated in the first protection module file as the gateway in the execution code. The code protection method according to any one of claims 2 to 4, wherein the second code of the above is added. The memory address is based on the program counter (Program Counter: PC) in the electronic device in which the application is installed and executed and the remote address value provided by the first protection module file as a factor, and according to the second code. The code protection method according to claim 5, which is calculated. In the processor, the step of transforming the protected method or function that is selected in the file containing the executable code among the files is
The step of encrypting the instructions of the protected method or function duplicated in the first protection module file by the first key or the first encryption algorithm, and the protected method or function duplicated in the first protection module file. The code protection method according to any one of claims 2 to 6, further comprising a step of adding a decryption code for decrypting the encrypted instruction. In the first protection module file, the application is executed on the electronic device in which the application is installed, and the instruction of the protected method or function duplicated in the first protection module file is decrypted by the decryption code. The code protection method according to claim 7, wherein the instruction is re-encrypted by a second key or a second encryption algorithm according to a predetermined condition. The stage of converting or removing a library file among the files on the processor is
To convert the library file by generating a library file that is encrypted by encrypting the library file, or step is removed from the package file, and the encrypted the library files second protection module file code protection method according the step of adding to any one of including, claim 2 -8. When the application is executed by the electronic device, a detour linker is generated according to an open instruction for the second protection module file loaded in the memory of the electronic device, and the electronic device is controlled by the detour linker. The code protection method according to claim 9, wherein the control instruction for the library file is intercepted in the above. The control instruction for the converted or removed library file includes an open instruction for the library file.
After decrypting the encrypted library file according to the open instruction intercepted by the second protection module file, a fake handle (fake handle) indicating a buffer in which the contents of the decrypted library file are stored. ) The code protection method according to claim 9 or 10 , wherein a parameter is generated and returned. The control instruction for the converted or removed library file further includes at least one instruction of a read instruction, a write instruction, and a search instruction for the library file.
The second protection module file processes the at least one instruction by accessing the buffer containing the contents of the decrypted library file based on the fake handle parameter according to the intercepted at least one instruction. The code protection method according to claim 11. In the second protection module file, the content corresponding to the read instruction is copied and returned in the buffer according to the read instruction, the content corresponding to the write instruction is written to the buffer according to the write instruction, or the content corresponding to the write instruction is written in the buffer. The code protection method according to claim 12, wherein the position of the file pointer corresponding to the search command is returned in the buffer according to the search command. A computer program stored on a recording medium to cause an electronic device having a computer to execute a code protection method.
The code protection method is
The electronic device processor is in the stage of causing the electronic device storage device to store a package file containing a file for an application, and the package file restores a modified protected method or function. The protected method or function that contains the first protection module file for restoring or the second protection module file for restoring the library file and is screened by the file containing the executable code is modified or modified. The stage in which the library file is converted or removed from the file, and the processor of the electronic device restores the modified protected method or function through the first protection module file according to the execution of the application. when said either executes the execution code, or the application execution Te, the control command for the conversion or the removed library file and restore through the second protective module file the conversion or removal library file processing the step of viewing including, the second protection module files, intercepts a control command for the conversion or removal library file in the electronic device in which the application is installed via the package file included in the second protective module file A computer program that includes a module that processes the intercepted control instructions using an encrypted library file. The protected method or function selected by the execution code is duplicated in the first protection module file.
A search code for finding the protected method or function duplicated in the first protection module file is added to the execution code.
In the processor of the electronic device, the step of restoring the modified protected method or function through the first protection module file and executing the execution code according to the execution of the application is
14. The 14th aspect of claim 14, wherein the duplicated protected method or function is found from the first protection module file by using the search code for the selected protected method or function, and the execution code is executed. Computer program. Claim 14 that the instruction of the code contained in the selected protected method or function is transformed into an unrecognizable unknown instruction or an instruction that jumps to an arbitrary random address. Or the computer program according to 15. The library file is encrypted and added to the second protection module file.
In the processor of the electronic device, upon execution of the application, processing the control command for the conversion or the converted removed library file and restore through the second protective module file or remove library files ,
At the time of executing the application, the step of loading the protection module included in the second protection module file into the memory of the electronic device,
A step of intercepting control instructions for the converted or removed library file under the control of the loaded protection module, and added to the second protection module file under the control of the loaded protection module. The computer program according to any one of claims 14 to 16, comprising processing the intercepted control instruction using an encrypted library file. It is a code protection method for electronic devices realized by a computer.
The stage of storing a package file containing a file for an application in the storage device of the electronic device in the processor of the electronic device (the package file is a first stage for restoring a modified protected method or function. The protected method or function that contains the second protection module file for restoring the protection module file or library file and is screened by the file that contains the executable code is modified or among the files. The library file has been converted or removed), and in the processor of the electronic device, the modified protected method or function is restored through the first protection module file according to the execution of the application to obtain the execution code. when either run, or the application execution, look including the step of treating a control command for the conversion or the converted removed library file and restore through the second protective module file or remove library file The second protection module file intercepts the control instruction for the converted or removed library file in the electronic device in which the application is installed through the package file, and is encrypted contained in the second protection module file. A code protection method that includes a module that processes the intercepted control instructions using a library file. The protected method or function selected from the execution code is duplicated in the first protection module file.
A search code for finding the protected method or function duplicated in the first protection module file is added to the execution code.
In the processor of the electronic device, the step of restoring the modified protected method or function through the first protection module file and executing the execution code according to the execution of the application is
The 18th aspect of claim 18, wherein the duplicated protected method or function is found from the first protection module file by using the search code for the selected protected method or function, and the execution code is executed. Code protection method. The library file is encrypted and added to the second protection module file.
In the processor of the electronic device, upon execution of the application, processing the control command for the conversion or the converted removed library file and restore through the second protective module file or remove library files ,
When the application is executed, the step of loading the protection module included in the second protection module file into the memory of the electronic device,
A step of intercepting control instructions for the converted or removed library file under the control of the loaded protection module, and added to the second protection module file under the control of the loaded protection module. The code protection method according to claim 18 or 19 , comprising processing the intercepted control instruction using an encrypted library file.

Images