CN112541188B - Method and device for preventing application program code from being statically analyzed - Google Patents
Method and device for preventing application program code from being statically analyzed Download PDFInfo
- Publication number
- CN112541188B CN112541188B CN201910905676.8A CN201910905676A CN112541188B CN 112541188 B CN112541188 B CN 112541188B CN 201910905676 A CN201910905676 A CN 201910905676A CN 112541188 B CN112541188 B CN 112541188B
- Authority
- CN
- China
- Prior art keywords
- code
- function
- modified
- application program
- interference
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 54
- 230000006870 function Effects 0.000 claims description 244
- 238000004590 computer program Methods 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 11
- 238000010367 cloning Methods 0.000 claims description 4
- 238000004422 calculation algorithm Methods 0.000 abstract description 7
- 230000008569 process Effects 0.000 description 15
- 238000004458 analytical method Methods 0.000 description 13
- 238000010586 diagram Methods 0.000 description 12
- 230000003068 static effect Effects 0.000 description 11
- 238000012986 modification Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 230000000694 effects Effects 0.000 description 3
- 230000003247 decreasing effect Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000003780 insertion Methods 0.000 description 2
- 230000037431 insertion Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000001788 irregular Effects 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002829 reductive effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/629—Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The application discloses a method and a device for preventing application program codes from being statically analyzed, and relates to the technical field of information security. The method comprises the steps of inserting interference codes into at least one functional function of application program codes, and forming a false branch function in the application program codes through the interference codes, so that the false branch function operates a base register and a stack register when the application program codes are statically analyzed. By the method, the data obtained by the base address register and the stack register when the application program code is statically analyzed can be interfered, so that a hacker is prevented from obtaining the algorithm logic in the application program code through the data in the base address register and the stack register, and the purpose of preventing the intellectual labor achievement of developers from being leaked is achieved.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for preventing application program codes from being statically analyzed.
Background
In the conventional scheme, no matter how the core verification function is, the complexity of the algorithm is taken as the starting point, so that the function of the application program is very complex. However, for hackers, each function in the application program can still be analyzed by some static code analysis tools (e.g., IDAPro), and meanwhile, each function can be decompiled to obtain the algorithm logic therein, which leads to the leakage of the intellectual labor achievement of developers.
Therefore, for those skilled in the art, in order to protect the intellectual labor achievement of the application program developer, it is necessary to develop a method capable of interfering with the static code analysis tool, so that the analysis thereof is erroneous, thereby preventing the application program code from being statically analyzed.
Disclosure of Invention
The embodiment of the application solves the problem that the application program code is easy to be statically analyzed in the prior art by providing the method and the device for preventing the application program code from being statically analyzed.
In order to achieve the above purpose, the preferred embodiment of the present application adopts the following technical solutions:
in a first aspect, an embodiment of the present application provides a method for preventing application program code from being statically analyzed, where the method includes:
acquiring an application program code to be processed;
performing function disassembly on the application program code to obtain a plurality of function functions contained in the application program code;
selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function;
acquiring code blocks contained in the functions to be modified, wherein each function to be modified contains at least one code block;
selecting at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function;
and inserting interference codes into each code block to be modified, and forming a false branch function in the application program codes through the interference codes, so that the false branch function operates on a base register and a stack register when the application program codes are statically analyzed.
Optionally, in an embodiment of the present application, the step of performing function disassembling on the application program code includes:
calling a pre-configured class function inherited from the functional pass;
and processing the application program code based on an LLVM compiler framework and the class function to obtain a plurality of function functions contained in the application program code.
Optionally, in an embodiment of the present application, the step of selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function includes:
respectively generating a random number aiming at each function contained in the application program code;
judging whether the random number corresponding to each function is larger than a first preset threshold value or not;
and if the random number is larger than the first preset threshold value, taking the function corresponding to the random number as a function to be modified.
Optionally, in an embodiment of the present application, the step of obtaining a code block included in the function to be modified includes:
traversing a first linked list used for storing code blocks contained in the functions to be modified according to a pre-configured for loop statement to obtain the code blocks contained in each function to be modified;
and storing the code blocks contained in each function to be modified into a corresponding second linked list according to the logical relationship among the code blocks in the function to be modified.
Optionally, in an embodiment of the present application, the step of selecting at least one code block from each function to be modified according to a preset second random selection function as a code block to be modified includes:
respectively generating a random number for each code block contained in the function to be modified;
judging whether the random number corresponding to each code block is larger than a second preset threshold value or not;
and if the random number is larger than the second preset threshold, taking the code block corresponding to the random number as a code block to be modified.
Optionally, in an embodiment of the present application, the step of inserting an interference code into each code block to be modified and forming a false branching function in the application program code through the interference code includes:
splitting the code block to be modified into a first part and a second part according to a pre-configured code block splitting function;
generating an interference code according to the code logic of the first part and the code logic of the second part;
inserting the interference code between the first part and the second part to form a false branch function in the code block to be modified through the interference code;
wherein the first part is a first non-ending statement and a statement before the first non-ending statement in the code block to be modified, the second part is a remaining statement except the first part in the code block to be modified, and the code block splitting function includes the following execution steps:
acquiring a first row of codes in the code block to be modified;
judging whether the first line of codes is an end statement or a debugging code;
and if so, taking the next line of codes as the first non-end statement of the codes to be modified.
Optionally, in an embodiment of the present application, the step of generating the interference code according to the code logic of the first portion and the code logic of the second portion includes:
cloning the code statements contained in the first and second portions;
selecting a random statement from the cloned code statements to modify to obtain an interference statement;
and combining the interference statement with a constant and false condition statement to obtain the interference code.
In a second aspect, an embodiment of the present application provides an apparatus for preventing application program code from being statically analyzed, where the apparatus includes:
the first acquisition module is used for acquiring application program codes to be processed;
the disassembling module is used for performing function disassembling on the application program code to obtain a plurality of function functions contained in the application program code;
the first selection module is used for selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function;
a second obtaining module, configured to obtain code blocks included in the functions to be modified, where each function to be modified includes at least one code block;
the second selection module is used for selecting at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function;
and the inserting module is used for inserting interference codes into each code block to be modified and forming a false branch function in the application program codes through the interference codes so that the false branch function operates a base address register and a stack register when the application program codes are statically analyzed.
Optionally, in an embodiment of the present application, the disassembling module is specifically configured to:
calling a pre-configured class function inherited from the functional pass;
and processing the application program code based on an LLVM compiler framework and the class function to obtain a plurality of function functions contained in the application program code.
Optionally, in an embodiment of the present application, the first selecting module is specifically configured to:
respectively generating a random number aiming at each function contained in the application program code;
judging whether the random number corresponding to each function is larger than a first preset threshold value or not;
and if the random number is larger than the first preset threshold value, taking the function corresponding to the random number as a function to be modified.
Optionally, in an embodiment of the present application, the second obtaining module is specifically configured to:
traversing a first linked list used for storing code blocks contained in the functions to be modified according to a pre-configured for loop statement to obtain the code blocks contained in each function to be modified;
and storing the code blocks contained in each function to be modified into a corresponding second linked list according to the logic relation among the code blocks in the function to be modified.
Optionally, in an embodiment of the application, the second selecting module is specifically configured to:
respectively generating a random number for each code block contained in the function to be modified;
judging whether the random number corresponding to each code block is larger than a second preset threshold value or not;
and if the random number is larger than the second preset threshold value, taking the code block corresponding to the random number as a code block to be modified.
Optionally, in an embodiment of the present application, the insertion module is specifically configured to:
splitting the code block to be modified into a first part and a second part according to a pre-configured code block splitting function;
generating an interference code according to the code logic of the first part and the code logic of the second part;
inserting the interference code between the first part and the second part to form a false branch function in the code block to be modified through the interference code;
wherein the first part is a first non-end statement and a previous statement in the code block to be modified, the second part is a remaining statement except the first part in the code block to be modified, and the code block splitting function includes the following execution steps:
acquiring a first row of codes in the code block to be modified;
judging whether the first line of codes is an end statement or a debugging code;
and if so, taking the next line of codes as the first non-end statement of the codes to be modified.
Optionally, in an embodiment of the present application, the interference code includes a conditional statement and an interference statement, and the inserting module is further specifically configured to:
cloning the code statements contained in the first and second portions;
selecting a random statement from the cloned code statements to modify to obtain an interference statement;
and combining the interference statement with a constant and false condition statement to obtain the interference code.
In a third aspect, an embodiment of the present application provides a storage medium, which includes a computer program, and the computer program is used to implement the method described in any one of the above.
In a fourth aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, the memory is used for storing a computer program, and the processor is used for loading and executing the computer program, so as to cause the electronic device to perform the method described in any one of the above.
Compared with the prior art, the method for preventing the application program code from being statically analyzed provided by the embodiment of the application program has at least the following technical effects or advantages:
according to the method for preventing the application program code from being statically analyzed, the interference code is inserted into at least one function of the application program code, and the interference code forms a false branch function in the application program code, so that the false branch function operates the base register and the stack register when the application program code is statically analyzed. By the method, the data obtained by the base address register and the stack register when the application program code is statically analyzed can be interfered, so that a hacker is prevented from obtaining the algorithm logic in the application program code through the data in the base address register and the stack register, and the purpose of preventing the intellectual labor achievement of developers from being leaked is achieved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure;
FIG. 2 is a flowchart illustrating steps of a method for preventing application code from being statically analyzed according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a sub-step of step S60 in FIG. 2;
fig. 4 is a block diagram illustrating an apparatus for preventing application code from being statically analyzed according to an embodiment of the present application.
Icon: 20-an electronic device; 21-a memory; 22-a memory controller; 23-a processor; 70-means to prevent application code from being statically analyzed; 701-a first obtaining module; 702-disassembling the module; 703-a first selection module; 704-a second obtaining module; 705-a second selection module; 706 — plug-in module.
Detailed Description
In order to better understand the technical solution, the technical solution will be described in detail with reference to the drawings and the specific embodiments. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
It should be noted that in the description of the present application, the terms "first", "second", etc. are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Aiming at the problem that in the prior art, the application program code is easily decompiled by a static analysis tool, and further the intellectual labor achievement of a developer is leaked, the applicant finds through research that in each process of calling a function (a main function calls a sub-function), when the called function is started, the EBP of the current function (the main function) is pushed, so that the EBP can be obtained when the sub-function returns to the main function.
In other words, the principle of decompilation implemented by various static analysis tools (e.g., IDAPro) is usually based on an access pointer (i.e., the base address of the pointer when the number is stored or read) of the current function stored in the base register (EBP or BP), and a top pointer of the current function stored in the stack register (ESP or SP).
Based on the foregoing principles, embodiments of the present application provide a method, an apparatus, a storage medium, and an electronic device for preventing application codes from being statically analyzed, so as to prevent the application codes from being decompiled by a static analysis tool.
Referring to fig. 1, a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure is provided, where the electronic device 20 includes a device 70 for preventing application codes from being statically analyzed, a memory 21, a storage controller 22, and a processor 23.
The memory 21, the memory controller 22 and the processor 23 are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The means 70 for preventing application program code from being statically analyzed may comprise at least one software function module which may be stored in the memory 21 in the form of software or firmware (firmware) or may be fixed in an Operating System (OS) of the electronic device 20. The processor 23 is configured to execute executable modules stored in the memory 21, such as software functional modules and computer programs included in the apparatus 70 for preventing application program codes from being statically analyzed, so as to provide the electronic device 20 with a function of preventing application program codes from being statically analyzed as shown below.
Referring to fig. 2, a flowchart illustrating steps of a method for preventing application code from being statically analyzed according to an embodiment of the present application may be applied to the electronic device 20 shown in fig. 1, so as to provide the electronic device 20 with a function of preventing application code from being statically analyzed as described below.
The method for preventing the application program code from being statically analyzed according to the embodiment of the present application is described in detail below with reference to fig. 2 to 3.
Referring to fig. 2, in an embodiment of the present application, the method includes:
in step S10, the application code to be processed is acquired.
Step S20, performing function parsing on the application program code to obtain a plurality of function functions included in the application program code.
And step S30, selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function.
Step S40, obtaining code blocks included in the functions to be modified, where each function to be modified includes at least one code block.
Step S50, selecting at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function.
Step S60, inserting an interference code into each code block to be modified, and forming a false branch function in the application program code through the interference code, so that the false branch function operates the base register and the stack register when the application program code is statically analyzed.
In the embodiment of the application, the application code developed and obtained by the developer can be processed by adopting the steps, so that the application code is encrypted, and the condition that a hacker performs decompilation on the application code through static analysis tools such as IDAPro and the like to cause the leakage of the labor result of the developer is prevented.
Specifically, in the embodiment of the present application, the electronic device may be a computer device such as a mobile phone and a computer. In other words, in the embodiment of the present application, the above algorithm program may be configured on an electronic device such as a mobile phone or a computer, and then the application code developed by a developer is processed by the electronic device, that is, an interference code may be generated in the application code to interfere with an analysis result of a static analysis tool, so as to prevent the application code from being decompiled, which may cause leakage of algorithm logic therein.
Optionally, in an embodiment of the present application, in the step S20, the application code may be processed by using an llvm (low Level Virtual machine) compiler framework, so as to obtain a plurality of function functions included in the application code. It should be noted that, in the embodiment of the present application, the following advantages exist in processing the application program code by using the LLVM compiler framework: original code is not polluted, more development languages can be supported, the development languages do not need to be known, and meanwhile, the compatibility is achieved, and the space for operation is larger.
Specifically, in this embodiment, in order to implement the Function disassembling Function, a class insert can be written, and its core Function is to reload such virtual pool runon Function (Function & F) { }, so as to operate each Function included in the application code and disassemble all Function functions included in the application code.
Further, in the embodiment of the present application, the first random selection function in the step S30 may be a random number generation function rand (0, 100). For example, in an embodiment of the present application, the determination process of the function to be modified may be, but is not limited to: and respectively generating a random number within the range of 0 to 100 by a random number generation function aiming at each function contained in the application program code, and if the obtained random number is greater than a first preset threshold value, taking the function corresponding to the random number as the function to be modified.
Since the higher the complexity of the application code, the more functions the code is represented to implement, the greater the importance, and the more difficult it is to develop. Therefore, in the embodiment of the present application, in order to better protect the application code with high complexity, the first preset threshold may be determined according to the complexity of the application code. For example: the higher the complexity of the application program code to be processed is, the lower the first preset threshold may be correspondingly decreased, so as to increase the probability that the random number satisfies the first preset threshold, thereby inserting interference codes into more function functions in the application program code with high complexity.
Specifically, in this embodiment, the complexity of the application code may be determined according to the total length of the application code (the total number of lines in the code), specifically, if the total length of the application code is longer, the complexity corresponding to the application code is higher, and otherwise, the complexity of the application is lower.
Further, in this embodiment of the application, in the step S40, a for loop may be written to obtain the code blocks included in the function to be modified, and the code blocks included in each function to be modified may be stored in another linked list again according to the logical relationship of each code block in the function to be modified, so as to download the interference codes inserted or deleted in the function to be modified on the premise that the normal operation of the function to be modified is not affected. Specifically, the process may be represented as:
(Function::iterator i=F.begin();i!=F.end();++i)
BBlocks.push_back(&*i)
wherein F denotes a first linked list used for storing each code block in the function to be modified, BBlocks is a second linked list used for storing the code block included in each function to be modified again according to the logical relationship of each code block in the function to be modified, and in the embodiment of the present application, different second linked lists may be used for storing different function functions.
Further, in this embodiment of the present application, the second random selection function may be the same as the first random selection function, and both of the second random selection function and the first random selection function adopt random number generation functions. Similarly, in an embodiment of the present application, a random number in a range from 0 to 100 may be generated for each code block included in each function to be modified, then it is determined whether to use the corresponding code block as the code block to be modified based on the random number, and if the random number corresponding to the code block is greater than a second preset threshold, the code corresponding to the random number is used as the code block to be modified.
Similarly, in the embodiment of the present application, the second preset threshold may also be determined according to the complexity of the application program code (e.g., the total number of lines of the code). For example: the higher the complexity of the application program code to be processed (i.e., the more the total number of lines of the code), the higher the second preset threshold may be decreased accordingly, so as to increase the probability that the random number corresponding to each code block satisfies the second preset threshold, thereby inserting an interference code into more code blocks included in the function parameter to be modified in the application program code with high complexity, where the second preset threshold may be equal to the first preset threshold.
Specifically, in one embodiment of the present application, the process may be represented as:
it should be noted that, in the embodiment of the present application, the function to be modified is determined in a random number manner, and then the code block to be modified is determined from the code blocks included in the function to be modified in a random number manner, so that the processed application program code is irregular, and thus the application program code can be further prevented from being decompiled by the static analysis tool.
Further, referring to fig. 3, in an embodiment of the present application, the step S60 may include the following sub-steps:
and a substep S601, splitting the code block to be modified into a first part and a second part according to a pre-configured code block splitting function.
And a substep S602, generating an interference code according to the code logic of the first part and the code logic of the second part.
And a substep S603, inserting the interference code between the first part and the second part to form a false branching function in the code block to be modified through the interference code.
Specifically, in the embodiment of the present application, in order for the interference code to operate on the base register and the stack register, firstly, the data structure in each code block needs to be changed by the interference code, and secondly, it needs to be ensured that the interference code does not affect the original function when the application program code is executed. Therefore, in the embodiment of the present application, the code block to be modified is split into two parts in the manner described in the above sub-step S601, where the first part is a first non-ending sentence and a sentence before the first non-ending sentence in the code block to be modified, and the second part is a remaining sentence in the code block to be modified except for the first part. This process can be expressed as:
the BBlock comprises iterator i1 pb > begin (); firstly, a first line of codes in a code block to be modified is obtained
if (pb- > getFirstNonPPHIORBgOrLifecime ()); if the first line of code is an end statement or debug code;
i1 ═ pb (BasicBlock:: iterator) > getfirstnphiordgborlife (); taking down a code as a first block code;
after the first block code (i.e. the first non-ending statement) is obtained, we need to split this code block into 2 code blocks. We first create a twin var new twin ("oBB"); where twin is a data structure of a binary tree for connecting 2 code blocks. Then we split the code block into 2 code blocks based on the instruction of the first block obtained above. This process can be expressed as:
BBlock oBB pb- > split basic block (i1 var); where the code block pb is split into 2 code blocks starting from instruction i1, we need to create one code block for the split code block.
BBlock alternate bb, createalededbaicblock (oBB, & F); after we split a code block into 2 code blocks, we need to remove it from the original code block.
pb- > getTerminator () - > emerFromParent (); the first code block after splitting removes the original connection.
alteredBB- > getTerminator () - > erasetfromponent (); the second code block after splitting removes the connection.
After the code block to be modified is split into two parts in the above manner, the corresponding interference code is inserted between the first part and the second part to form a false branch function which can operate the base register and the stack register but cannot be executed, that is, the static analysis result of the static analysis tool on the application program code can be interfered.
Specifically, in the embodiment of the present application, in order to make the false branch code formed by the interference code as similar as possible to the original code, so as to make the false branch code better pseudo-loaded in the original code, the interference code may be generated by:
and generating a section of interference statement according to the context logic of the first part and the second part in the code block to be modified, and then combining the interference statement with a constant condition statement or a constant and false condition statement to obtain the interference code.
It should be noted that, in the embodiment of the present application, if the condition statement in the interference code is true, the execution condition of the interference statement generated according to the context logic of the first portion and the second portion in the interference code is false, so that the interference code is never executed when the application program code runs, and thus the application program code is prevented from being statically analyzed on the premise of not affecting the original function. Similarly, in the embodiment of the present application, if the conditional statement in the interference code is false, the execution condition of the interference statement in the interference code generated according to the context logic of the first part and the second part is true.
Optionally, in an embodiment of the present application, in order to ensure similarity between the interference code and the original code, so that the interference code is better pseudo-loaded in the code block to be modified, the original code may be cloned, and then a random statement may be selected to modify the cloned code. Specifically, the first part and the second part obtained by splitting in the above process are cloned, then a random number in a range of 0 to 100 is generated for each statement in the cloned code, and if the random number is greater than a third preset threshold, the statement corresponding to the random number is modified. Similarly, in the embodiment of the present application, the third preset threshold may also be set according to the complexity of the application program code, and if the complexity of the application program code is higher, the third preset threshold may be set to be smaller, so as to increase the number of statements to be modified. Similarly, the third preset threshold may also be the same as the first preset threshold and the second preset threshold.
Meanwhile, since the SP register and the BP register are both integer arithmetic registers, in the embodiment of the present application, it is necessary to determine whether the current instruction op is integer arithmetic. The judgment process can be expressed as follows:
if(op==Instruction::Add||op==Instruction::Sub||op==Instruction::Shl||
op==Instruction::And||op==Instruction::Or||op==Instruction::Mul||
op==Instruction::UDiv||op==Instruction::Xor){
the interference code may be created according to the above instructions.
BinaryOperator::Create(op,SP,i->getOperand(0));
An operation instruction is created, the operation is the same as the previous instruction, and the register of the operation uses the SP register. Binary operator: (op, i- > getOperand (), BP); the same instruction is created to use the BP register, so that both the SP and BP registers participate in the whole calculation and thus the purpose of interference is achieved.
It should be further noted that, the above process is a process of modifying a code block to be modified in a function to be modified, in this embodiment of the present application, a code block to be modified determined by the first random selection function and the second random selection function may be modified in the same manner, and the applicant herein does not need to describe any more. In addition, in the embodiment of the application, the application program code is modified in a mode of randomly determining the modification object three times, so that the irregularity of the processing result can be greatly increased, and the difficulty of statically analyzing the processed application program code is greatly increased.
In addition, in the embodiment of the application, the mode of manually inputting the interference code and automatically generating the interference code can be combined, so that the interference code is better disguised in the original application program code and is more difficult to crack by a hacker. The manually input interference code also ensures that the insertion position can interfere with the results of the base register and the stack register and has no influence on the original application program code. For example, in one embodiment of the present application, the EBP register and ESP register may be operated in the form of manually writing embedded assembly code, and the process may be expressed as:
push esp
add ebp,0x6789
add esp,0x8
Mov eax,[ebp]
CaLL ebp
Mov esp,roomid
in addition, in the process of writing the embedded assembly code, reference can be made to the context variable in the original application program code, so that the similarity between the interference code and the original application program code is improved.
For example, in one embodiment of the present application, the conditional statement may be generated by referring to the above appearing variable (e.g., room number roomid), and the process may be expressed as follows:
String getroomkey(int roomid){
If(roomid==0xffffffff){
since the room number of the live room is usually positive and the value of 0xffffffff in the conditional statement is-1, the condition must not be satisfied, the statement constitutes a false-positive conditional statement, and the following execution statement must not be executed.
Alternatively, in another embodiment of the present application, the following code may also be used:
if((x*x+x)%2==1){
since the above expression is equivalent to (x +1) × x, which is equivalent to odd number multiplied by even number, and even number multiplied by odd number is equal to even number regardless of x, the expression must not hold, and the statement also constitutes a false-positive conditional statement.
It should be noted that, in the process of automatically generating the interference code, the above manner may also be used to refer to the context and the code logic to improve the similarity between the interference code and the original code, so as to improve the disguising effect of the interference code in the original application code.
In summary, the method for preventing application program codes from being statically analyzed provided in the embodiment of the present application has the following technical effects or advantages compared with the prior art:
according to the method for preventing the application program code from being statically analyzed, the interference code is inserted into at least one function of the application program code, and the interference code forms a false branch function in the application program code, so that the false branch function operates the base register and the stack register (namely interferes with data obtained by the base register and the stack register) when the application program code is statically analyzed, and therefore a hacker is prevented from statically analyzing the application program code through the data in the base register and the stack register to obtain the algorithm logic therein, and further, the intellectual labor achievement of a developer is prevented from being leaked. In addition, in the embodiment of the application, the modification object is determined in a multiple random selection mode, so that the irregularity of the processing result can be improved, and the possibility of algorithm logic leakage caused by static analysis of the application program code is further reduced.
Referring to fig. 4, a block diagram of an apparatus 70 for preventing application code from being statically analyzed according to an embodiment of the present application, which may be applied to the electronic device 20 shown in fig. 1, provides the electronic device 20 with the function of preventing application code from being statically analyzed as described above. Specifically, in the embodiment of the present application, the apparatus 70 for preventing application program codes from being statically analyzed includes a first obtaining module 701, a disassembling module 702, a first selecting module 703, a second obtaining module 704, a second selecting module 705, and an inserting module 706.
The first obtaining module 701 is configured to obtain an application program code to be processed; the disassembling module 702 is configured to perform function disassembling on the application program code to obtain a plurality of function functions included in the application program code; the first selecting module 703 is configured to select at least one function from the plurality of function functions as a function to be modified according to a preset first random selecting function; the second obtaining module 704 is configured to obtain code blocks included in the functions to be modified, where each function to be modified includes at least one code block; the second selecting module 705 is configured to select at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function; an inserting module 706, configured to insert an interference code into each code block to be modified, and form a false branch function in the application program code through the interference code, so that the false branch function operates on the base register and the stack register when the application program code is statically analyzed.
Optionally, in an embodiment of the present application, the disassembling module 702 is specifically configured to:
calling a pre-configured class function inherited from the functional pass; and then processing the application program code based on an LLVM compiler framework and the class function to obtain a plurality of function functions contained in the application program code.
Optionally, in an embodiment of the present application, the first selecting module 703 is specifically configured to:
respectively generating a random number aiming at each function contained in the application program code; then judging whether the random number corresponding to each function is larger than a first preset threshold value or not; and finally, if the random number is larger than the first preset threshold value, taking a function corresponding to the random number as a function to be modified.
Optionally, in an embodiment of the present application, the second obtaining module 704 is specifically configured to: traversing a first linked list used for storing the code blocks included in the functions to be modified according to a pre-configured for loop statement to obtain the code blocks included in each function to be modified, wherein the for loop statement is as follows: for (Function:: f.begin (); i | ═ f.end (); + i), where F is the first linked list used to store the code blocks included in the Function to be modified. In this embodiment of the application, the second obtaining module 704 may be further configured to store, according to a logical relationship between code blocks in the functions to be modified, the code block included in each function to be modified into a corresponding second linked list.
Optionally, in an embodiment of the present application, the second selecting module 705 is specifically configured to:
respectively generating a random number for each code block contained in the function to be modified; then judging whether the random number corresponding to each code block is larger than a second preset threshold value or not; and finally, if the random number is larger than the second preset threshold value, taking the code block corresponding to the random number as a code block to be modified.
Optionally, in an embodiment of the present application, the inserting module 706 is specifically configured to:
splitting the code block to be modified into a first part and a second part according to a pre-configured code block splitting function, wherein the first part is a first non-end statement and a statement before the first non-end statement in the code block to be modified, the second part is a remaining statement except the first part in the code block to be modified, and the code block splitting function is as follows:
BBlock::iterator i1=pb->begin()
if(pb->getFirstNonPHIOrDbgOrLifetime())
i1=(BasicBlock::iterator)pb->getFirstNonPHIOrDbgOrLifetime()
wherein pb is the code block, i1 is a code statement in the code block;
then, the inserting module 706 is further configured to generate an interference code according to the code logic of the first portion and the code logic of the second portion; finally, the interference code is inserted between the first part and the second part to form a false branch function in the code block to be modified through the interference code.
Optionally, in an embodiment of the present application, the interference code includes a conditional statement and an interference statement, and the inserting module 706 is further specifically configured to:
cloning the code statements contained in the first and second portions; then selecting random sentences from the cloned code sentences for modification to obtain interference sentences; and finally, combining the interference statement with a constant and false condition statement to obtain the interference code.
Since the apparatus 70 for preventing application code from being statically analyzed according to this embodiment is an apparatus used in the method for preventing application code from being statically analyzed according to this embodiment, a specific implementation manner of the apparatus 70 for preventing application code from being statically analyzed according to this embodiment and various variations thereof can be understood by those skilled in the art based on the method for preventing application code from being statically analyzed according to this embodiment, and therefore, a detailed description of how the apparatus 70 for preventing application code from being statically analyzed implements the method in this embodiment is not provided here. The device 70 for preventing application program codes from being statically analyzed, which is adopted by a person skilled in the art to implement the method for preventing application program codes from being statically analyzed in the embodiment of the present application, falls within the protection scope of the present application.
Furthermore, an embodiment of the present application provides a storage medium, on which a computer program is stored, and the computer program is executed by a processor to execute the steps in the method for testing the phase detection autofocus performance as described above.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A method for preventing application code from being statically analyzed, the method comprising:
acquiring an application program code to be processed;
performing function disassembly on the application program code to obtain a plurality of function functions contained in the application program code;
selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function;
acquiring code blocks contained in the functions to be modified, wherein each function to be modified contains at least one code block;
selecting at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function;
and inserting interference codes into each code block to be modified, and forming a false branch function in the application program codes through the interference codes, so that the false branch function operates on a base register and a stack register when the application program codes are statically analyzed.
2. The method of claim 1, wherein the step of performing function tearing in the application code comprises:
calling a pre-configured class function inherited from the functional pass;
and processing the application program code based on an LLVM compiler framework and the class function to obtain a plurality of function functions contained in the application program code.
3. The method according to claim 1, wherein the step of selecting at least one function from the plurality of function functions as the function to be modified according to a preset first random selection function comprises:
respectively generating a random number aiming at each function contained in the application program code;
judging whether the random number corresponding to each function is larger than a first preset threshold value or not;
and if the random number is larger than the first preset threshold value, taking the function corresponding to the random number as a function to be modified.
4. The method of claim 1, wherein the step of obtaining the code block included in the function to be modified comprises:
traversing a first linked list used for storing code blocks contained in the functions to be modified according to a pre-configured for loop statement to obtain the code blocks contained in each function to be modified;
and storing the code blocks contained in each function to be modified into a corresponding second linked list according to the logic relation among the code blocks in the function to be modified.
5. The method of claim 1, wherein the step of selecting at least one code block from each of the to-be-modified functions as a to-be-modified code block according to a preset second random selection function comprises:
respectively generating a random number for each code block contained in the function to be modified;
judging whether the random number corresponding to each code block is larger than a second preset threshold value or not;
and if the random number is larger than the second preset threshold, taking the code block corresponding to the random number as a code block to be modified.
6. The method according to any of claims 1-5, wherein the step of inserting an interference code in each of the code blocks to be modified and constructing a false branching function in the application code by the interference code comprises:
splitting the code block to be modified into a first part and a second part according to a pre-configured code block splitting function;
generating an interference code according to the code logic of the first part and the code logic of the second part;
inserting the interference code between the first part and the second part to form a false branch function in the code block to be modified through the interference code;
wherein the first part is a first non-ending statement and a statement before the first non-ending statement in the code block to be modified, the second part is a remaining statement except the first part in the code block to be modified, and the code block splitting function includes the following execution steps:
acquiring a first row of codes in the code block to be modified;
judging whether the first line of codes is an end statement or a debugging code;
and if so, taking the next line of codes as the first non-end statement of the codes to be modified.
7. The method of claim 6, wherein the interference code comprises a conditional statement and an interference statement, and wherein generating the interference code based on the first portion of code logic and the second portion of code logic comprises:
cloning the code statements contained in the first and second portions;
selecting a random statement from the cloned code statements to modify to obtain an interference statement;
and combining the interference statement with a constant and false condition statement to obtain the interference code.
8. An apparatus for preventing application code from being statically analyzed, the apparatus comprising:
the first acquisition module is used for acquiring application program codes to be processed;
the disassembling module is used for performing function disassembling on the application program code to obtain a plurality of function functions contained in the application program code;
the first selection module is used for selecting at least one function from the plurality of function functions as a function to be modified according to a preset first random selection function;
a second obtaining module, configured to obtain code blocks included in the functions to be modified, where each function to be modified includes at least one code block;
the second selection module is used for selecting at least one code block from each function to be modified as a code block to be modified according to a preset second random selection function;
and the inserting module is used for inserting interference codes into each code block to be modified and forming a false branch function in the application program codes through the interference codes so that the false branch function operates a base address register and a stack register when the application program codes are statically analyzed.
9. A storage medium, characterized in that the storage medium comprises a computer program for implementing the method according to any one of claims 1-7.
10. An electronic device, comprising a memory for storing a computer program and a processor for loading execution of the computer program to cause the electronic device to perform the method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910905676.8A CN112541188B (en) | 2019-09-20 | 2019-09-20 | Method and device for preventing application program code from being statically analyzed |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910905676.8A CN112541188B (en) | 2019-09-20 | 2019-09-20 | Method and device for preventing application program code from being statically analyzed |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112541188A CN112541188A (en) | 2021-03-23 |
| CN112541188B true CN112541188B (en) | 2022-05-13 |
Family
ID=75013098
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910905676.8A Active CN112541188B (en) | 2019-09-20 | 2019-09-20 | Method and device for preventing application program code from being statically analyzed |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112541188B (en) |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5264847A (en) * | 1991-10-04 | 1993-11-23 | Sony United Kingdom Ltd. | Data decoder |
| CN101162491A (en) * | 2007-08-14 | 2008-04-16 | 电子科技大学 | Virtual executive system and method based on code slice |
| CN104115094A (en) * | 2011-12-15 | 2014-10-22 | 英特尔公司 | A method, apparatus, and system for energy efficiency and energy conservation including code recirculation techniques |
| CN104142889A (en) * | 2014-07-23 | 2014-11-12 | 西安空间无线电技术研究所 | An assembly-level test point setting and optimization method for single event soft errors |
| CN104517057A (en) * | 2014-12-22 | 2015-04-15 | 中国人民解放军信息工程大学 | Software hybrid measure method based on trusted computing |
| CN105224452A (en) * | 2015-09-11 | 2016-01-06 | 哈尔滨工业大学 | A kind of prediction cost optimization method for scientific program static analysis performance |
| CN105404794A (en) * | 2014-09-04 | 2016-03-16 | 腾讯科技(深圳)有限公司 | Protection method and device of Java application software |
| CN107291480A (en) * | 2017-08-15 | 2017-10-24 | 中国农业银行股份有限公司 | A kind of function calling method and device |
| CN108038376A (en) * | 2017-12-21 | 2018-05-15 | 中国人民解放军战略支援部队信息工程大学 | The general hulling method of cryptor and device based on hybrid analysis |
| CN108446535A (en) * | 2018-02-12 | 2018-08-24 | 北京梆梆安全科技有限公司 | Source code reinforcement means based on code execution sequence and device |
| CN108509772A (en) * | 2018-02-12 | 2018-09-07 | 北京梆梆安全科技有限公司 | Source code reinforcement means and device based on execution sequence and single-point logic |
| CN108537012A (en) * | 2018-02-12 | 2018-09-14 | 北京梆梆安全科技有限公司 | Source code based on variable and code execution sequence obscures method and device |
| CN109344612A (en) * | 2018-09-25 | 2019-02-15 | 郑州昂视信息科技有限公司 | The active defense method and system inversely attacked for program code static analysis |
| CN109948309A (en) * | 2019-03-20 | 2019-06-28 | 西安电子科技大学 | A code protection method, apparatus, computer equipment and storage medium |
| CN109992935A (en) * | 2019-03-15 | 2019-07-09 | 同盾控股有限公司 | A kind of source code guard method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10972291B2 (en) * | 2017-03-31 | 2021-04-06 | Intel Corporation | Securing communications |
-
2019
- 2019-09-20 CN CN201910905676.8A patent/CN112541188B/en active Active
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5264847A (en) * | 1991-10-04 | 1993-11-23 | Sony United Kingdom Ltd. | Data decoder |
| CN101162491A (en) * | 2007-08-14 | 2008-04-16 | 电子科技大学 | Virtual executive system and method based on code slice |
| CN104115094A (en) * | 2011-12-15 | 2014-10-22 | 英特尔公司 | A method, apparatus, and system for energy efficiency and energy conservation including code recirculation techniques |
| CN104142889A (en) * | 2014-07-23 | 2014-11-12 | 西安空间无线电技术研究所 | An assembly-level test point setting and optimization method for single event soft errors |
| CN105404794A (en) * | 2014-09-04 | 2016-03-16 | 腾讯科技(深圳)有限公司 | Protection method and device of Java application software |
| CN104517057A (en) * | 2014-12-22 | 2015-04-15 | 中国人民解放军信息工程大学 | Software hybrid measure method based on trusted computing |
| CN105224452A (en) * | 2015-09-11 | 2016-01-06 | 哈尔滨工业大学 | A kind of prediction cost optimization method for scientific program static analysis performance |
| CN107291480A (en) * | 2017-08-15 | 2017-10-24 | 中国农业银行股份有限公司 | A kind of function calling method and device |
| CN108038376A (en) * | 2017-12-21 | 2018-05-15 | 中国人民解放军战略支援部队信息工程大学 | The general hulling method of cryptor and device based on hybrid analysis |
| CN108446535A (en) * | 2018-02-12 | 2018-08-24 | 北京梆梆安全科技有限公司 | Source code reinforcement means based on code execution sequence and device |
| CN108509772A (en) * | 2018-02-12 | 2018-09-07 | 北京梆梆安全科技有限公司 | Source code reinforcement means and device based on execution sequence and single-point logic |
| CN108537012A (en) * | 2018-02-12 | 2018-09-14 | 北京梆梆安全科技有限公司 | Source code based on variable and code execution sequence obscures method and device |
| CN109344612A (en) * | 2018-09-25 | 2019-02-15 | 郑州昂视信息科技有限公司 | The active defense method and system inversely attacked for program code static analysis |
| CN109992935A (en) * | 2019-03-15 | 2019-07-09 | 同盾控股有限公司 | A kind of source code guard method and device |
| CN109948309A (en) * | 2019-03-20 | 2019-06-28 | 西安电子科技大学 | A code protection method, apparatus, computer equipment and storage medium |
Non-Patent Citations (7)
| Title |
|---|
| Forward Error Correction (FEC) Building Block;M. Luby等;《IETF rfc3452》;20021231;全文 * |
| Independent Data Unit Protection Generic Security ServiceApplication Program Interface: C-bindings;D. Grebovich等;《IETF 》;19950324;全文 * |
| Using entropy analysis to find encrypted and packed malware;LYDA R et al.;《IEEE Security and Privacy》;20070402;全文 * |
| 一种使用静态分析的汇编代码缺陷检测方法;邱景等;《哈尔滨工业大学学报》;20130228(第02期);全文 * |
| 二进制代码中函数混淆调用的识别;曾鸣等;《计算机工程与应用》;20070611(第17期);全文 * |
| 基于代码混淆的软件保护技术研究;宋亚奇;《中国优秀博硕士学位论文全文数据库(硕士) 信息科技辑》;20060315;全文 * |
| 恶意代码自动脱壳技术研究;彭小详等;《信息网络安全》;20140531;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112541188A (en) | 2021-03-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Kornau | Return oriented programming for the ARM architecture | |
| US9336370B2 (en) | Method and apparatus for dynamic obfuscation of static data | |
| US10586026B2 (en) | Simple obfuscation of text data in binary files | |
| CN104680039B (en) | A kind of data guard method and device of application program installation kit | |
| CN110569628B (en) | Code obfuscation method and device, computer device and storage medium | |
| US7530056B1 (en) | Method and system for detecting runtime defects in a program by comparing correct and incorrect runs | |
| WO2015035827A1 (en) | Method and apparatus for providing string encryption and decryption in program files | |
| CN107632832B (en) | A dalvik-oriented bytecode control flow obfuscation method | |
| CN109271789B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| Landsborough et al. | Removing the kitchen sink from software | |
| CN112130926B (en) | Application program running method, device, terminal equipment and storage medium | |
| CN109739582B (en) | Function calling method and device, electronic equipment and computer readable storage medium | |
| US8769498B2 (en) | Warning of register and storage area assignment errors | |
| CN112541188B (en) | Method and device for preventing application program code from being statically analyzed | |
| US20160077950A1 (en) | Methods, circuits, apparatus, systems and associated software modules for evaluating code behavior | |
| US10275228B2 (en) | Relaxing user-specified register constraints for improving register allocation | |
| Li et al. | Semantically find similar binary codes with mixed key instruction sequence | |
| US10521206B2 (en) | Supporting compiler variable instrumentation for uninitialized memory references | |
| US20160350155A1 (en) | Synthesizing inputs to preserve functionality | |
| CN111814120B (en) | Program anti-aliasing processing method, device, equipment and storage medium | |
| CN112905194B (en) | Installation package generation method and device | |
| JP5550578B2 (en) | Entry rewriting device and entry rewriting program | |
| CN113031956A (en) | Program compiling method and device and program running method and device | |
| CN114428630B (en) | Chip algorithm upgrading method and device and chip | |
| CN114371852B (en) | Compiling method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |