KR20160114903A - Code obfuscation method and electronic device supporting the same - Google Patents

Publication number
KR20160114903A
Authority
KR
South Korea
Prior art keywords
code
file
application
electronic device
codes
Application number
KR1020150041371A
Other languages
Korean (ko)
Inventor
김정우
이경희
이정현
박유설
Original Assignee
삼성전자주식회사
숭실대학교산학협력단
Application filed by 삼성전자주식회사, 숭실대학교산학협력단
Priority to KR1020150041371A
Publication of KR20160114903A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an electronic device comprising: a memory for storing an application; and a processor that separates a partial code from an executable file of the application, adds connection information and loading information of the separated partial code to the executable file, and controls the separated partial code to be stored in a part of a resource file of the application. Other embodiments of the present disclosure are possible.

Description

TECHNICAL FIELD The present invention relates to a code obfuscation method and an electronic device supporting the code obfuscation method.

Various embodiments of the invention relate to a method for obfuscating an application's code in an electronic device.

The electronic device may include at least one application program (hereinafter referred to as an application). The application may be composed of a plurality of codes for achieving a specific purpose, and the codes may be a kind of instruction set written in a programming language and converted according to a platform supported by the electronic device.

The application may require a high level of security processing depending on the purpose to be achieved. For example, when the application is a security-related application or an application requiring a high level of security, such as electronic commerce or on-line banking, a protection method such as code obfuscation, watermarking, or forgery detection is applied. Watermarking may be a method of including identification information related to the application, for example information related to rights such as ownership or copyright of the application, in a specific area of the application. Forgery detection may be a method of adding a routine for determining whether the application has been repackaged.

However, the watermarking and forgery detection methods described above do not prevent reverse engineering of the application. Therefore, at present, code obfuscation is applied as the method for preventing reverse engineering of the application. The code obfuscation method may include identifier conversion of the codes constituting the application, control flow conversion, call concealment, string encryption, or class encryption. These methods make the codes unnecessarily complicated, for example by inserting code that is never executed (dead code) or by changing the position of the codes, so that the codes are processed in a way that is hard to understand.

However, the existing code obfuscation method selects a protection target code in an executable file of an application and applies the above-described methods to that code. For example, if an existing code obfuscation method is applied to an Android application, the electronic device selects a class to be protected in a DEX (Dalvik Executable) file and then changes the names of the variables included in the class, changes the location of the functions included in the class, or encrypts the class.

In the above-described conventional code obfuscation method, since the obfuscation is performed only on the executable file of the application, the attack target can be limited to the executable file in reverse engineering. In addition, if an executable file can be easily exposed, such as an Android application, there may be a drawback that the reverse engineering attack time is also shortened.

In order to overcome the above-described problems, various embodiments of the present invention can provide a code obfuscation method that separates a protection target code from an executable file, which can be selected as a major attack target in reverse engineering, and conceals it in a resource file at a physically different location, and an electronic device supporting the same.

An electronic device according to various embodiments of the present invention includes a memory for storing an application, and a processor that separates some code from an executable file of the application, adds connection information and loading information of the separated code to the executable file, and controls the separated code to be stored in a predetermined portion of a resource file of the application.

According to various embodiments of the present invention, the protection target code is separated from the executable file and concealed in a resource file at a physically different location, thereby widening the scope of attack target in reverse engineering and delaying the attack time.

FIG. 1 is a diagram illustrating an electronic device according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a method of operating an electronic device associated with a code obfuscation method according to various embodiments.
FIG. 3 is a diagram illustrating a method of obfuscating an Android application according to various embodiments.
FIG. 4 is a diagram for explaining code concealment processing according to various embodiments.
FIG. 5 is a diagram for illustrating the loading of codes that are hidden when an obfuscated application is executed according to various embodiments.
FIG. 6 is a diagram for explaining reverse engineering results of cloaked codes of an obfuscated application according to various embodiments.

Hereinafter, various embodiments of the present document will be described with reference to the accompanying drawings. It should be understood, however, that this invention is not intended to be limited to the particular embodiments described herein but includes various modifications, equivalents, and/or alternatives of the embodiments of this document. In connection with the description of the drawings, like reference numerals may be used for similar components.

In this document, the expressions "have," "may," or "include" denote the presence of a feature (e.g., a numerical value or a function) and do not exclude the presence of additional features.

In this document, the expressions "A or B," "at least one of A and/or B," or "one or more of A and/or B," etc. may include all possible combinations of the listed items. For example, "A or B," "at least one of A and B," or "at least one of A or B" covers (1) at least one A, (2) at least one B, or (3) both at least one A and at least one B.

The expressions "first" and "second" used in this document may describe various components regardless of order or importance. They are used to distinguish one component from another and do not limit the components. For example, the first user equipment and the second user equipment may represent different user equipment, regardless of order or importance. For example, without departing from the scope of the rights described in this document, the first component can be named as the second component, and similarly the second component can also be named as the first component.

When it is mentioned that a component (e.g., a first component) is "(functionally or communicatively) coupled with/to" or "connected to" another component (e.g., a second component), it is to be understood that the component may be directly connected to the other component or may be connected through another component (e.g., a third component). On the other hand, when it is mentioned that a component (e.g., a first component) is "directly connected" to another component (e.g., a second component), it can be understood that there is no other component (e.g., a third component) between the two.

As used herein, the expression "configured to (or set to)" may be used interchangeably with, for example, "adapted to," "designed to," "made to," or "capable of," depending on the situation. The term "configured to (or set to)" does not necessarily mean "specifically designed to" in hardware. Instead, in some situations, the expression "a device configured to" may mean that the device is "capable of" operating together with other devices or components. For example, the phrase "a processor configured (or set) to perform A, B, and C" may mean a dedicated processor (e.g., an embedded processor) for performing the corresponding operations, or a generic-purpose processor (e.g., a CPU or an application processor) capable of performing the corresponding operations by executing one or more software programs stored in a memory device.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the other embodiments. The singular expressions may include plural expressions unless the context clearly dictates otherwise. Terms used herein, including technical or scientific terms, may have the same meaning as commonly understood by one of ordinary skill in the art. Terms defined in general dictionaries may be interpreted in the same or similar sense as their contextual meanings in the related art and, unless expressly defined in this document, are not to be interpreted in an idealized or excessively formal sense. In some cases, even the terms defined in this document cannot be construed as excluding the embodiments of this document.

An electronic device in accordance with various embodiments of the present document may be, for example, a smartphone, a tablet personal computer, a mobile phone, a video phone, an e-book reader, a desktop personal computer, a laptop personal computer, a netbook computer, a workstation, a server, a personal digital assistant (PDA), a portable multimedia player (PMP), a camera, or a wearable device. According to various embodiments, the wearable device may be of an accessory type (e.g., a watch, a ring, a bracelet, a necklace, a pair of glasses, a contact lens, or a head-mounted device (HMD)), a garment type (e.g., electronic apparel), a body attachment type (e.g., a skin pad or tattoo), or a bioimplantable type (e.g., an implantable circuit).

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An electronic apparatus according to various embodiments will now be described with reference to the accompanying drawings. In this document, the term user may refer to a person using an electronic device or a device using an electronic device (e.g., an artificial intelligence electronic device).

FIG. 1 is a diagram illustrating an electronic device according to an embodiment of the present invention.

Referring to Figure 1, in various embodiments, an electronic device 101 within a network environment is described. The electronic device 101 may include a bus 110, a processor 120, a memory 130, an input / output interface 150, a display 160, and a communication interface 170. In some embodiments, the electronic device 101 may omit at least one of the components or additionally include other components.

The bus 110 may include circuitry that, for example, connects the components 110-170 to one another and conveys communications (e.g., control messages and/or data) between the components.

The processor 120 may include one or more of a central processing unit (CPU), an application processor (AP), or a communication processor (CP). The processor 120 may perform computations or data processing related to, for example, control and / or communication of at least one other component of the electronic device 101.

According to various embodiments, the processor 120 may include a code separation processing module 121, a code concealment processing module 123, and a code obfuscation processing module 125 to obfuscate the codes of the application. The code separation processing module 121 may separate at least one code from the codes of the application. According to one embodiment, the code separation processing module 121 can separate a code selected as a protection target (hereinafter referred to as a protection target code) from the executable file of the application. In this regard, the electronic device 101 may receive information corresponding to the protection target codes through the input/output interface 150, or may refer to information corresponding to the protection target codes previously stored in the memory 130, in order to select the protection target codes from the executable file of the application.

According to various embodiments, the code separation processing module 121 may add the connection information of the protection target codes to the part from which the protection target codes are separated, for example, a certain part of the executable file of the application. The connection information of the protection target codes may be an interface, for example, code for coupling the protection target codes with the codes not separated from the executable file. According to one embodiment, when the protection target codes are a class or a function, the code separation processing module 121 may define only the declaration portion of the class or the function as the interface. Accordingly, when executing the application, the electronic device 101 can resolve the absence of the part of the code that the code separation process described above removed from the executable file. For example, by adding the interface, the electronic device 101 can prevent a problem from occurring in the process of calling or referring to a plurality of codes constituting the application.

According to various embodiments, the code separation processing module 121 may add loading information of the protection target codes, for example, a loading routine, to a portion of the application. According to one embodiment, the code separation processing module 121 may add a loader of the protection target codes (for example, a class loader if the protection target codes are classes) to the executable file of the application. The loading information may include the information by which the codes are actually loaded into the memory 130, in particular into the code area associated with the application, in the process of calling or referencing a plurality of codes that make up the application.

According to various embodiments, the code concealment processing module 123 may conceal the protection target codes in another file (e.g., a resource file) that is physically separate from their parent file (e.g., the executable file). For example, the code concealment processing module 123 can separate the protection target codes from the executable file, which is the attack target during reverse engineering, and store them in a resource file such as an image, audio, or video file, which is a file physically different from the executable file.

According to various embodiments, the code obfuscation processing module 125 may obfuscate the codes of the application. For example, the code obfuscation processing module 125 may obfuscate at least one of the protection target codes or the executable file of the application from which the protection target codes are separated by a method such as identifier conversion, control flow conversion, call concealment, or string encryption.

Memory 130 may include volatile and / or non-volatile memory. Memory 130 may store instructions or data related to at least one other component of electronic device 101, for example. According to one embodiment, the memory 130 may store software and / or programs. The program may include, for example, a kernel, a middleware, an application programming interface (API), and / or an application program (or "application"). The kernel, middleware, or at least a portion of the API may be referred to as an operating system (OS).

According to various embodiments, the memory 130 may store information corresponding to the protection target codes. For example, the memory 130 may store information such as security-related classes or functions among the codes that the electronic device 101 supports. Also, the memory 130 may store information corresponding to the protection target codes input through the input/output interface 150.

The input/output interface 150 may serve as an interface by which commands or data input from, for example, a user or other external device can be transferred to other component(s) of the electronic device 101. The input/output interface 150 may also output commands or data received from other component(s) of the electronic device 101 to a user or other external device.

According to various embodiments, the input/output interface 150 may transfer at least one of an application input from a user or other external device, a plurality of codes constituting a specific application, or information corresponding to the protection target codes to other components of the electronic device 101, such as the memory 130. In addition, the input/output interface 150 can output, to the user or another external device, the application that is repackaged after the processor 120 separates and conceals the protection target codes.

Display 160 may include, for example, a liquid crystal display (LCD), a light-emitting diode (LED) display, an organic light-emitting diode (OLED) display, a microelectromechanical systems (MEMS) display, or an electronic paper display. Display 160 may display various content (e.g., text, image, video, icon, or symbol, etc.) to a user, for example. Display 160 may include a touch screen and may receive a touch, gesture, proximity, or hovering input using, for example, an electronic pen or a portion of the user's body.

The communication interface 170 can establish communication between the electronic device 101 and the external electronic device 102, for example. For example, the communication interface 170 may be connected to the network via wireless or wired communication to communicate with the external electronic device 102.

As described above, the electronic device 101 includes a memory 130 for storing an application, and a processor 120 that separates some code from an executable file of the application, adds connection information and loading information of the separated code to the executable file, and controls the separated code to be stored in a predetermined portion of a resource file of the application.

According to various embodiments, the processor 120 may apply at least one of identifier conversion, control flow conversion, call hiding, string encryption, or class encryption to at least one of the separated code or the executable file from which the code is separated.

According to various embodiments, the processor 120 may add a dummy code of a certain size to the partial code, and control the partial code to which the dummy code is added to be stored in a predetermined portion of the resource file.

According to various embodiments, the processor 120 may additionally add the dummy code to a portion of at least one resource file different from the resource file.

According to various embodiments, the processor 120 may reconstruct the application by packaging at least the executable file from which the partial code is separated and the resource file in which the partial code is stored.

FIG. 2 is a diagram illustrating a method of operating an electronic device associated with a code obfuscation method according to various embodiments.

Referring to FIG. 2, the electronic device 101 may, in operation 210, analyze an executable file of the application in connection with obfuscation of the codes that make up the application. For example, the electronic device 101 may analyze information about the codes that make up the executable file, such as identifiers of classes, functions, variables, or constants, control flow, or calls (or references). According to one embodiment, the electronic device 101 may analyze the codes constituting the executable file on the basis of a tree structure. For example, the electronic device 101 may analyze the executable file by classifying, based on the inheritance relationships of the codes, an upper (or parent) class and a lower (or child) class implemented by inheriting the upper class. In this case, the electronic device 101 can distinguish the codes by each node of the tree structure.

After analyzing the executable file, at operation 220, the electronic device 101 may separate the protection target codes from the executable file. In this regard, the protection target codes may be input from the user or other external device through the input/output interface 150, or may be selected by referring to information corresponding to the protection target codes previously stored in the memory 130. The protection target codes may be codes of high importance among the codes constituting the application, and may be codes to be processed so that their information is not recognized during reverse engineering. According to one embodiment, when the executable file is analyzed on the basis of a tree structure in operation 210, the electronic device 101 can separate the nodes corresponding to the protection target codes from the entire tree structure corresponding to the executable file.

Once the protection target codes are separated from the executable file, the electronic device 101 may perform operations on the parent file of the separated codes, i.e., the executable file (e.g., operation 230 and operation 240), and an operation on the separated codes (e.g., operation 250). The electronic device 101 may perform the operations (e.g., operation 230, operation 240, and operation 250) concurrently or at certain time intervals, or may process them so that another operation does not start until one operation is completed.

At operation 230, the electronic device 101 may generate an interface of the separated codes and add the interface to the executable file. For example, the electronic device 101 may generate the interface so that it includes only the declaration portion of the separated codes. Further, the electronic device 101 may add the interface to the part of the executable file from which the codes were separated. According to one embodiment, the electronic device 101 may add a node containing information corresponding to the interface at the location, in the entire tree structure corresponding to the executable file, from which the nodes corresponding to the separated codes were separated.

At operation 240, the electronic device 101 may generate the loading routine of the separated codes and add the loading routine to the executable file. For example, the electronic device 101 may add to the executable file a loader that includes the information by which the separated codes are loaded into the memory 130. The loading routine may include information on the location in the application where the separated codes are actually stored. For example, the loading routine may include resource file information, such as the name of the resource file in which the separated codes are stored. According to one embodiment, when the executable file is executed, the electronic device 101 may refer, via the interface of the separated codes, to the separated codes loaded into the memory 130 by the loading routine.

At operation 250, the electronic device 101 may conceal the separated codes in another file, e.g., a resource file, physically separate from the executable file. The electronic device 101 may store the separated codes in a resource file constituting the application, for example, an image file, an audio file, or a video file, and thereby conceal them. According to various embodiments, the electronic device 101 may obfuscate at least one of the separated code or the executable file from which the code is separated. For example, the electronic device 101 may transform at least one of the separated code or the codes remaining in the executable file by using a method such as identifier conversion, control flow conversion, call concealment, or string encryption. By applying the obfuscation method to the separated code or to the executable file from which the code is separated, the electronic device 101 increases the attack vector of reverse engineering and thereby increases the security strength of the application.

After performing the operations on the executable file (e.g., operations 230 and 240) and the operation on the separated codes (e.g., operation 250), at operation 260, the electronic device 101 may package the executable file, the resource files, and the like into one application. According to one embodiment, the electronic device 101 can output the newly packaged application to a user or another external device via the input/output interface 150. In some embodiments, the electronic device 101 may communicate the application to the external electronic device 102 via the communication interface 170.

FIG. 3 is a diagram illustrating a method of obfuscating an Android application according to various embodiments.

Typically, Android applications are distributed as files with an apk (android package) extension. A file with the apk extension has the same form as a zip archive file and can be easily decompressed. When the Android application is decompressed, it may include a META-INF folder, a res folder, a lib folder, an AndroidManifest.xml file, and a classes.dex file. The META-INF folder may be a folder containing data associated with the signature (e.g., an authenticated key value). The res folder may be a folder containing the resource files of the Android application, and the lib folder may be a folder containing shared object (so) libraries. Also, the AndroidManifest.xml file may be the configuration file of the Android application, and the classes.dex file may be the executable file of the Android application. Applications for operating systems other than Android may have a structure similar or corresponding to that of the above Android application.

Among the above components, a file having a dex extension, for example the classes.dex file, contains code, such as classes, in the form of bytecode that the Android Dalvik virtual machine can recognize. Since the executable file (e.g., a DEX file) is the set of codes that perform the functions of the corresponding Android application, it can be a major attack target in reverse engineering. Therefore, the electronic device 101 can separate the protection target codes from the executable file and conceal them in a resource file, which is a physically different file, so that it is difficult to select an attack target in reverse engineering, and the attack time can also be delayed.

Referring to FIG. 3, the electronic device 101 may obfuscate the Android application 310. The electronic device 101 can separate a specific code (for example, a specific class (classN)) selected as a protection target from an executable file (e.g., classes.dex file) 320 constituting the Android application 310. According to one embodiment, the electronic device 101 may generate a temporary file (e.g., a classN.dex file) 350 using the separated specific code.

According to various embodiments, the electronic device 101 may selectively apply obfuscation methods such as identifier conversion, control flow conversion, call concealment, or string encryption to at least one of the temporary file 350 or the executable file 320 from which the specific code is separated. The electronic device 101 may also generate an obfuscated temporary file (e.g., an obfuscatedClassN.dex file) 360 by encrypting (e.g., class encrypting) the temporary file 350 or adding a dummy code to the temporary file 350. The electronic device 101 may store the obfuscated temporary file 360 in a resource file that is physically different from the executable file 320. According to one embodiment, when the obfuscated temporary file 360 to which the dummy code is added is stored in the resource file, the electronic device 101 may additionally store the same or a similar dummy code in at least one resource file different from that resource file. For example, the electronic device 101 may add the dummy code to another resource file whose file length or file format is the same as or similar to that of the resource file. This can have the effect of increasing the attack vector of reverse engineering not only for the executable file but also for the resource files.

According to various embodiments, the electronic device 101 may generate information 330 associated with the particular code. For example, the electronic device 101 may generate an interface for the specific code, a loading routine for the specific code, and a decryption routine for the temporary file 350. The electronic device 101 may newly construct the executable file 340 by adding the information 330 related to the specific code to the executable file 320 in which the specific code is separated.

According to various embodiments, the electronic device 101 packages the resource file in which the obfuscated temporary file 360 is stored and the executable file 340 to which the information related to the specific code 330 is added, (370). The newly configured Android application 370 is an obfuscated application, which can make it difficult to select an attack target in reverse engineering, and can also delay the attack time.

As described above, an application code obfuscation method includes an operation of separating some code from an executable file of the application, an operation of adding connection information and loading information of the separated code to the executable file, And controlling the code to be stored in a predetermined portion of the resource file of the application.

According to various embodiments, in the code obfuscation method, at least one of identifier conversion, control flow conversion, call concealment, string encryption, or class encryption may be applied to at least one of the code or the executable file from which the code is separated.

According to various embodiments, the operation of controlling to store may include an operation of adding a dummy code of a certain size to the partial code, and an operation of storing the partial code to which the dummy code has been added in a predetermined portion of the resource file.

According to various embodiments, the adding operation may further include adding the dummy code to a portion of at least one resource file that is different from the resource file.

According to various embodiments, the code obfuscation method may further include an operation of reconfiguring the application by packaging at least the executable file from which the partial code is separated and the resource file in which the partial code is stored.

FIG. 4 is a diagram for explaining code concealment processing according to various embodiments. The electronic device 101 can conceal code separated from the executable file of the application by storing it in a resource file physically separate from the executable file. For example, the electronic device 101 may store the separated codes in an image, audio, or video file. FIG. 4 illustrates a method by which the electronic device 101 stores the separated codes in a portable network graphics (PNG) file 410, which is an image file.

Referring to FIG. 4A, the PNG file 410 may include a signature 411 and chunks. The signature 411 is unique information that identifies the type of the image file, and may be the data in the first 8 bytes of the image file. In the case of the PNG file 410, "0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A" may be assigned to the signature 411. A chunk is a unit in which image-related information is grouped and stored. Each chunk contains specific information related to the image, depending on its type, and chunks are divided into required chunks, which must be included, and optional chunks, which may be included. The required chunks may include an IHDR chunk 413, a PLTE chunk (not shown), an IDAT chunk (not shown), and an IEND chunk 415. The IHDR chunk 413 may include header information of the image, and the PLTE chunk may include palette table information. The IDAT chunk may include image data, and the IEND chunk 415 may include trailer information of the image. The required chunks must appear in the following order: IHDR chunk 413, PLTE chunk, IDAT chunk, and IEND chunk 415; the PLTE chunk may be omitted. Among the required chunks, there may be a plurality of IDAT chunks, but only one each of the IHDR chunk 413, the PLTE chunk, and the IEND chunk 415. Thus, exactly one IEND chunk 415 is necessarily present, at the end of the PNG file 410.

Referring to FIG. 4B, the Android application 430 may include an executable file 431 and a resource file (e.g., a PNG file 435). The electronic device 101 can separate the codes to be protected (e.g., a specific class (class N) 433) from the executable file 431. The electronic device 101 may hide the codes to be protected in a resource file physically separate from the executable file 431. For example, the electronic device 101 may store the specific class 433 in a certain portion of the PNG file 435 for concealment. According to one embodiment, the electronic device 101 may store the specific class 433 at the end of the PNG file 435. For example, the electronic device 101 may look for an IEND chunk (e.g., IEND chunk 415) in the PNG file 435 and store the specific class 433 after the end of the IEND chunk. Because the specific class 433 separated from the executable file 431 is stored at the end of the PNG file 435, the electronic device 101 can still properly read and process the PNG file 435 as a resource file.

According to various embodiments, the electronic device 101 may add an interface (e.g., classN interface 453) of the codes (e.g., a specific class 433) separated from the executable file 431 to a certain portion of the executable file 431 (e.g., the location from which the separated codes were removed). In addition, the electronic device 101 may add a loading routine or the like for the separated codes to a certain portion of the executable file 431. According to various embodiments, the electronic device 101 may obfuscate at least one of the separated codes or the executable file 431 from which the codes are separated, using methods such as identifier conversion, control flow conversion, call concealment, or string encryption.

According to various embodiments, the electronic device 101 may create an obfuscated Android application 450 by packaging the newly configured executable file 451, to which the interface, the loading routine, and the like for the separated codes have been added, together with the resource file (e.g., a PNG file 455) in which the separated codes are stored.

FIG. 5 is a diagram for illustrating the loading of codes that are hidden when an obfuscated application is executed according to various embodiments.

Referring to FIG. 5, the obfuscated application 500 may include an executable file 510 and a resource file 530. The executable file 510 is composed of a plurality of codes 511 and may include an interface 513 of the codes 533 that were separated from the executable file 510 and hidden. The executable file 510 may also include a loading routine (not shown) for the hidden codes 533. The loading routine may include loading information so that the electronic device 101 can find the codes 533 hidden in the resource file 530 and load them into the memory 550, for example. The resource file 530 may include resource data 531 and the hidden codes 533. According to one embodiment, the hidden codes 533 may be stored at the end of the resource data 531 in the resource file 530.

According to various embodiments, the electronic device 101 may refer to loading information associated with the obfuscated application 500 when the obfuscated application 500 is run. The loading information may include loading information of all the codes referenced by the obfuscated application 500 (e.g., the kernel, the middleware, or the API included in the memory 130 of FIG. 1) and of the obfuscated application 500. The electronic device 101 may load the codes 511 of the executable file 510 into the memory 550 based on the loading information. The electronic device 101 may also find the location of the hidden codes 533 in the resource file 530 based on the loading routine of the hidden codes 533 added to the executable file 510, and load them into the memory 550. According to one embodiment, the electronic device 101 may extract the hidden codes 533 from the resource file 530 and use them to create a temporary file 570 (e.g., a temp_classes.dex file). In this case, the electronic device 101 may load the temporary file 570 into the memory 550 as the hidden codes based on the loading routine.

The electronic device 101 may refer to the hidden codes 533 loaded into the memory 550 via the interface 513 of the hidden codes 533.

FIG. 6 is a diagram for explaining reverse engineering results of cloaked codes of an obfuscated application according to various embodiments.

Referring to FIG. 6A, in the executable file 610 of an application that is not obfuscated, or that is obfuscated according to an existing method, the specific codes 611 (for example, a specific class) are not separated from the executable file 610. Thus, the file 630 generated as a result of reverse engineering may include both the declaration portion and the definition (or implementation) portion 631 of the specific codes 611. Since the definition portion contains the actual implementation of the specific codes 611, its exposure through reverse engineering may be fatal when a high level of security is required.

In order to solve the above problem, the electronic device 101 can obfuscate specific codes requiring a high level of security by applying concealment processing. For example, the electronic device 101 can select a protection object to be concealed in the executable file 650. When the protection object is selected, the electronic device 101 may separate the selected specific codes 651 from the executable file 650 and store them in a resource file (not shown) physically separate from the executable file 650. In addition, the electronic device 101 may add the interface and loading routine of the specific codes 651 to the executable file 650. In this case, the file 670 generated as a result of reverse engineering may include only the interface of the specific codes 651, that is, the declaration portion 671.

As used in this document, the term "module" may refer to a unit comprising, for example, one or a combination of two or more of hardware, software or firmware. A "module" may be used interchangeably with terms such as, for example, unit, logic, logical block, component, or circuit. A "module" may be a minimum unit or a portion of an integrally constructed component. A "module" may be a minimum unit or a portion thereof that performs one or more functions. A "module" may be implemented either mechanically or electronically. For example, a "module" may include at least one of an application-specific integrated circuit (ASIC) chip, field-programmable gate arrays (FPGAs), or a programmable-logic device.

At least a portion of a device (e.g., modules or functions thereof) or a method (e.g., operations) according to various embodiments may be implemented, for example, as instructions stored in a computer-readable storage medium in the form of program modules. When the instructions are executed by a processor (e.g., processor 120), the one or more processors may perform a function corresponding to the instructions. The computer-readable storage medium may be, for example, the memory 130.

The computer-readable recording medium may include a hard disk, a floppy disk, magnetic media (e.g., a magnetic tape), optical media (e.g., a compact disc read only memory (CD-ROM) or digital versatile disc), magneto-optical media such as floptical disks, and hardware devices such as read only memory (ROM) or random access memory (RAM). The program instructions may include machine language code such as that produced by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. The above-described hardware devices may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Modules or program modules according to various embodiments may include at least one of the elements described above, may omit some of them, or may further include other elements. Operations performed by modules, program modules, or other components in accordance with various embodiments may be performed in a sequential, parallel, iterative, or heuristic manner. Also, some operations may be performed in a different order or omitted, or other operations may be added. The embodiments disclosed in this document are presented for the purpose of explanation and understanding of the disclosed technology and do not limit the scope of the technology described in this document. Accordingly, the scope of this document should be interpreted to include all modifications based on the technical idea of this document or various other embodiments.

Claims (10)

1. An electronic device comprising:
a memory for storing an application; and
a processor that separates some code from the executable file of the application, adds connection information and loading information of the separated partial code to the executable file, and controls the separated partial code to be stored in a predetermined portion of a resource file of the application.

2. The electronic device of claim 1,
wherein the processor applies at least one of identifier conversion, control flow conversion, call concealment, string encryption, or class encryption to at least one of the partial code or the executable file from which the partial code is separated.

3. The electronic device of claim 1,
wherein the processor adds a dummy code of a certain size to the partial code and stores the partial code to which the dummy code is added in the predetermined portion of the resource file.

4. The electronic device of claim 3,
wherein the processor further adds the dummy code to a portion of at least one resource file different from the resource file.

5. The electronic device of claim 1,
wherein the processor reconfigures the application by packaging at least the executable file from which the partial code is separated and the resource file in which the partial code is stored.

6. An application code obfuscation method comprising:
separating some code from an executable file of the application;
adding connection information and loading information of the separated partial code to the executable file; and
controlling the separated partial code to be stored in a predetermined portion of a resource file of the application.

7. The method of claim 6,
further comprising applying at least one of identifier conversion, control flow conversion, call concealment, string encryption, or class encryption to at least one of the partial code or the executable file from which the partial code is separated.

8. The method of claim 6,
wherein the operation of controlling to store comprises: adding a dummy code of a certain size to the partial code; and
storing the partial code to which the dummy code is added in the predetermined portion of the resource file.

9. The method of claim 8,
wherein the adding operation further includes adding the dummy code to a portion of at least one resource file different from the resource file.

10. The method of claim 6,
further comprising reconfiguring the application by packaging at least the executable file from which the partial code is separated and the resource file in which the partial code is stored.

KR1020150041371A 2015-03-25 2015-03-25 Code obfuscation method and electronic device supporting the same KR20160114903A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150041371A KR20160114903A (en) 2015-03-25 2015-03-25 Code obfuscation method and electronic device supporting the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150041371A KR20160114903A (en) 2015-03-25 2015-03-25 Code obfuscation method and electronic device supporting the same

Publications (1)

Publication Number Publication Date
KR20160114903A true KR20160114903A (en) 2016-10-06

Family

ID=57164774

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150041371A KR20160114903A (en) 2015-03-25 2015-03-25 Code obfuscation method and electronic device supporting the same

Country Status (1)

Country Link
KR (1) KR20160114903A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101885260B1 (en) 2017-10-30 2018-08-03 주식회사 안랩 Obfuscated symbol recognition apparatus and method
CN111274057A (en) * 2020-01-13 2020-06-12 北京字节跳动网络技术有限公司 Memory leakage link processing method, device, medium and electronic equipment
CN111274057B (en) * 2020-01-13 2021-07-06 北京字节跳动网络技术有限公司 Memory leakage link processing method, device, medium and electronic equipment
