CN118916852A - Code encryption method, device, program product and electronic equipment - Google Patents
- Publication number: CN118916852A (application number CN202410961915.2A)
- Authority: CN (China)
- Prior art keywords: code, encryption, instruction, keys, key
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion, and no legal analysis has been performed)
Classifications
- G06F21/12 (Protecting executable software), under G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) and G06F21/10 (Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]); section G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing)
- G06F21/602 (Providing cryptographic facilities or services), under G06F21/00 and G06F21/60 (Protecting data); same section, class and subclass as above
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Description
Technical Field
The present application relates to the field of software security, and in particular to a code encryption method, device, program product and electronic device.
Background Art
Python is one of the most widely used languages in software development. It is an interpreted language whose code is executed by the interpreter only at run time, so Python code cannot be protected by a compiler in the way that code written in compiled languages such as C and C++ can. Python also has dynamic typing, dynamic binding and dynamic loading, which allow code to be modified, added and removed while the program runs; an attacker can use these features to observe the program's logic at run time. Because the interpreter itself is open source, an attacker can also use its compilation logic to turn the bytecode it produces back into Python source code (this is what decompilation tools do) and then crack, modify and copy that code. The result is the technical problem of low security for Python code in the prior art.
No effective solution has yet been proposed for the problem that Python code is hard to protect and has low security.
Summary of the Invention
The present application provides a code encryption method, device, program product and electronic device, so as to at least solve the technical problem of low security of Python code caused by the run-time editability of the Python language and the open-source nature of the Python interpreter.
According to one aspect of the present application, a code encryption method is provided, comprising: compiling a target code to obtain the code object corresponding to the target code, where the target code is the Python code to be protected; and encrypting the code object into a target bytecode, where the target bytecode represents the encrypted target code in bytecode form and includes the key information dynamically generated during encryption.
Optionally, while encrypting the code object into the target bytecode, the method further includes: scanning the first attribute of the code object to obtain L constants, where L is a positive integer and the first attribute is the constant tuple of the code object; if the i-th of the L constants is of function type (that is, a nested code object), recursively encrypting the code object embedded in it; and if the i-th constant is a string or a number, XOR-encrypting it, where i is a positive integer not greater than L.
Optionally, when the i-th constant is a string, XOR-encrypting it includes: splitting the constant into M bytes, M being a positive integer; dynamically generating M XOR keys in one-to-one correspondence with the M bytes, where the (m+1)-th key is obtained by updating the m-th key according to a preset rule, m being a positive integer less than M; XORing each key with its corresponding byte to obtain the M XOR results; and taking those M results together as the XOR encryption result of the i-th constant.
Optionally, while encrypting the code object into the target bytecode, the method further includes: scanning the second attribute of the code object to obtain N bytecode instructions, where N is a positive integer and the second attribute is the bytecode instruction sequence of the code object; taking the last XOR key dynamically generated while XOR-encrypting the constants as the initial value of the instruction key, where the instruction key is used to XOR-encrypt the bytecode instructions and the redundant byte of an instruction is used to store the latest value of the instruction key (in CPython's two-byte wordcode every instruction carries an argument byte, and for instructions that take no argument that byte is unused); and, when the j-th of the N instructions has an argument, XOR-encrypting it with the latest value of the instruction key without updating that value, j being a positive integer not greater than N.
Optionally, while encrypting the code object into the target bytecode, the method further includes: when the j-th instruction has no argument, XOR-encrypting it with the latest value of the instruction key and then updating that value to a random number drawn from a preset range.
Optionally, while encrypting the code object into the target bytecode, the method further includes: determining whether the key count, i.e. the total number of instruction keys dynamically generated while XOR-encrypting the instructions, is greater than or equal to a first preset threshold; if so, generating a target key from P instruction keys, where the P instruction keys are the first P keys in order of generation and P equals the first preset threshold; and symmetrically encrypting a first encryption result with the target key, where the first encryption result is obtained by XOR-encrypting the key attributes of the code object with the instruction keys in a first set, the key attributes include at least the second attribute, and the first set consists of all instruction keys other than the P keys.
Optionally, while encrypting the code object into the target bytecode, the method further includes: determining whether the key count is greater than or equal to a second preset threshold, which is larger than the first; if so, generating a target vector from Q instruction keys, where Q is a positive integer and the Q instruction keys are the (P+1)-th to R-th keys in order of generation, P equals the first preset threshold and R equals the second; and symmetrically encrypting a second encryption result with the target vector and the target key, where the second encryption result is obtained by XOR-encrypting the key attributes of the code object with the instruction keys in a second set, which consists of all instruction keys other than the P keys and the Q keys.
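The build-time stage described in the clauses above, reconstructed as an added example (this is example code written for this page, not the patent's implementation): string and integer constants in co_consts are XORed byte by byte with a rolling key chain, nested code objects are handled recursively, and the instruction stream is XORed with an instruction key that is re-drawn after every argument-less instruction and parked in that instruction's unused argument byte, so the decryptor recovers each next key from the stream itself. Assumptions made here: the key-update rule (a small linear congruential step), the key range 1..255, that the start key and the encrypted instruction stream are carried as the two trailing entries of co_consts while co_code is replaced by a zero-filled placeholder of the same length, that the protected code contains no bytes literals beginning with b"s" or b"i", and CPython 3.8 or later (code.replace, two-byte wordcode). The final symmetric-encryption stage with the target key and target vector is not shown.

```python
import marshal
import opcode
import random
import types

KEY_RANGE = range(1, 256)   # assumed "preset range" for instruction keys (must fit in one byte)


def next_key(k: int) -> int:
    """Assumed "preset rule" for the constant key chain: a small LCG step that never yields 0."""
    return (k * 5 + 7) % 256 or 1


def xor_chain(data: bytes, k: int):
    """XOR byte m with key k_m, where k_{m+1} = next_key(k_m); returns (ciphertext, last key)."""
    out = bytearray()
    for b in data:
        out.append(b ^ k)
        k = next_key(k)
    return bytes(out), k


def encrypt_code(code: types.CodeType) -> types.CodeType:
    """Encrypt one code object, recursing into function-body constants.

    The result keeps every attribute of the original except co_code, which becomes a
    zero-filled placeholder of the same length; the encrypted constants, the start key
    and the encrypted instruction stream are carried in co_consts (layout assumed here)."""
    k = k0 = random.choice(KEY_RANGE)
    consts = []
    for c in code.co_consts:
        if isinstance(c, types.CodeType):
            consts.append(encrypt_code(c))             # function-type constant: recurse
        elif isinstance(c, str):
            enc, k = xor_chain(c.encode("utf-8"), k)
            consts.append(b"s" + enc)                  # tag byte says how to decode later
        elif type(c) is int:                           # excludes bool, which is an int subclass
            enc, k = xor_chain(str(c).encode(), k)
            consts.append(b"i" + enc)
        else:
            consts.append(c)                           # None, floats, tuples, ... left as-is
    # Instruction stage: the last constant key seeds the instruction key.
    raw, out = code.co_code, bytearray()
    for i in range(0, len(raw), 2):                    # CPython wordcode: (opcode, arg) pairs
        op, arg = raw[i], raw[i + 1]
        if op >= opcode.HAVE_ARGUMENT:
            out += bytes([op ^ k, arg ^ k])            # has an argument: key is not updated
        else:
            out.append(op ^ k)                         # no argument: encrypt the opcode ...
            k = random.choice(KEY_RANGE)               # ... draw a fresh key ...
            out.append(k)                              # ... and park it in the redundant byte
    return code.replace(co_code=bytes(len(raw)),
                        co_consts=tuple(consts) + (k0, bytes(out)))


def decrypt_code(code: types.CodeType) -> types.CodeType:
    """Inverse of encrypt_code: rebuild the original code object."""
    *consts, k, enc = code.co_consts
    plain = []
    for c in consts:
        if isinstance(c, types.CodeType):
            plain.append(decrypt_code(c))
        elif isinstance(c, bytes) and c[:1] in (b"s", b"i"):
            dec, k = xor_chain(c[1:], k)
            plain.append(dec.decode("utf-8") if c[:1] == b"s" else int(dec))
        else:
            plain.append(c)
    out = bytearray()
    for i in range(0, len(enc), 2):
        op = enc[i] ^ k                                # the current key recovers the opcode
        if op >= opcode.HAVE_ARGUMENT:
            out += bytes([op, enc[i + 1] ^ k])
        else:
            out += bytes([op, 0])                      # restore the unused argument byte
            k = enc[i + 1]                             # next key was stored in the redundant byte
    return code.replace(co_code=bytes(out), co_consts=tuple(plain))


def roundtrip_demo() -> dict:
    """Compile a constructed sample, encrypt it, confirm the string literal is gone from
    the marshalled (pyc-style) form, then decrypt and execute the result."""
    src = ("def greet(name):\n"
           "    return 'hello, ' + name + '!!!'\n"
           "result = greet('world')\n")
    original = compile(src, "<sample>", "exec")
    protected = encrypt_code(original)
    leaked = b"hello, " in marshal.dumps(protected)
    namespace = {}
    exec(decrypt_code(protected), namespace)
    return {"result": namespace["result"], "plaintext_leaked": leaked}
```

The decryptor needs no key of its own: the start key sits in co_consts, and each later instruction key sits in the stream one instruction before it is needed. That is the property a practitioner should weigh before relying on a scheme of this kind: everything needed to recover the plaintext travels inside the protected object, so it raises the cost of static analysis and defeats off-the-shelf decompilers, but it does not provide cryptographic confidentiality against someone who holds the file and knows the algorithm.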
Optionally, after the code object has been encrypted into the target bytecode, the method further includes: after the target bytecode is loaded into the interpreter, checking the encryption identifier of each function about to be called, the identifier indicating whether the code object of that function is encrypted; if the identifier equals a preset value, decrypting the function's bytecode by calling the decryption function associated with it, that decryption function being stored in a decryption extension library; tracking the function's call count, which is the number of remaining callers of the function whose own execution has not yet finished; and re-encrypting the decrypted result when the call count equals a preset number.
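The run-time half of the scheme in the clause above (decrypt on call, count the callers whose frames have not finished, re-encrypt when that count returns to zero), as an added example in pure Python that is not the patent's code. The cipher is deliberately a stand-in (single-byte XOR over co_code) so that the lifecycle stays in focus; the marker attribute name, the Protected wrapper, the stub body installed while the function is locked and the sample function are all assumptions made here, and the real scheme keeps its decryption routine in a compiled extension library rather than in Python. Requires CPython 3.8 or later for code.replace().

```python
ENCRYPTED_MARK = "__encrypted__"   # assumed name of the "encryption identifier" on the function
RELOCK_AT = 0                      # assumed "preset number": re-encrypt when no caller is left


def _stub(*args, **kwargs):
    """Installed as the body while the real code is locked: fails cleanly instead of running garbage."""
    raise RuntimeError("code object is encrypted")


def _xor(data: bytes, key: int) -> bytes:
    """Stand-in cipher (symmetric single-byte XOR); not the patent's rolling-key scheme."""
    return bytes(b ^ key for b in data)


class Protected:
    """Keeps a function's instruction stream encrypted and unlocks it only around live calls."""

    def __init__(self, func, key: int):
        plain = func.__code__
        self.func, self.key = func, key
        self.encrypted_code = _xor(plain.co_code, key)
        # Every attribute except co_code is kept; co_code becomes a zero-filled, never-executed placeholder.
        self.template = plain.replace(co_code=bytes(len(plain.co_code)))
        self.active = 0            # callers of this function whose frames have not finished yet
        self.log = []              # trace of unlock/lock events, for inspection
        self._lock()

    def _lock(self):
        self.func.__code__ = _stub.__code__
        setattr(self.func, ENCRYPTED_MARK, True)

    def __call__(self, *args, **kwargs):
        if getattr(self.func, ENCRYPTED_MARK):                     # identifier says "encrypted"
            self.func.__code__ = self.template.replace(
                co_code=_xor(self.encrypted_code, self.key))       # decrypt into the live function
            setattr(self.func, ENCRYPTED_MARK, False)
            self.log.append("decrypt")
        self.active += 1
        try:
            return self.func(*args, **kwargs)
        finally:
            self.active -= 1                                       # one unfinished caller fewer
            if self.active == RELOCK_AT:                           # nobody left inside: lock again
                self._lock()
                self.log.append("re-encrypt")


def fib(n: int) -> int:
    """Constructed sample: the recursive calls go through the module-level name, i.e. the wrapper."""
    return n if n < 2 else fib(n - 1) + fib(n - 2)


fib = Protected(fib, key=0x5A)


def demo() -> dict:
    """fib(10) makes 177 calls in total but is decrypted once and re-encrypted once."""
    value = fib(10)
    return {"value": value, "log": list(fib.log), "locked": getattr(fib.func, ENCRYPTED_MARK)}
```

The counter is what makes re-entry safe. A frame that is already running keeps its own reference to the decrypted code object, so replacing func.__code__ never disturbs it, but a recursive call or a callback from an unfinished frame that arrived after re-encryption would execute the locked body; re-encryption therefore has to wait until no caller is left, which is exactly what the "remaining callers" count expresses.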
According to another aspect of the present application, a code encryption device is provided, comprising: a compilation unit for compiling the target code to obtain its code object, the target code being the Python code to be protected; and an encryption unit for encrypting the code object into the target bytecode, which represents the encrypted target code in bytecode form and includes the key information dynamically generated during encryption.
According to another aspect of the present application, a computer program product is provided that stores a computer program which, when run, causes the computer program product to perform any of the code encryption methods above.
According to another aspect of the present application, an electronic device is provided that includes one or more processors and a memory storing one or more programs; when the one or more programs are executed by the one or more processors, the processors carry out any of the code encryption methods above.
In the present application, when Python code needs to be protected, the target code is first compiled to obtain its code object, the target code being the Python code to be protected; the code object is then encrypted into the target bytecode, which represents the encrypted target code in bytecode form and includes the key information dynamically generated during encryption.
The technical solution therefore protects Python code by encrypting the bytecode that corresponds to it: the Python code to be protected is compiled into a code object, and the code object is encrypted into the target bytecode, which yields an encrypted bytecode file for that code. Compared with the prior art, in which the Python code is converted unprotected into its bytecode file, this bytecode-based encryption does not change the running logic of the original Python code, so the cost of encrypting it is low and no additional expensive resource consumption is incurred.
Because the bytecode is encrypted, even if an attacker modifies the intermediate file of the Python code while the program is running, the modified code cannot run normally without the key information, which the scheme assumes the attacker cannot obtain. This improves the security of Python code and thereby solves the technical problem of low security caused by the run-time editability of the Python language and the open-source nature of the Python interpreter.
Brief Description of the Drawings
The drawings described here provide a further understanding of the present application and form part of it; the illustrative embodiments and their description explain the application and do not limit it improperly. In the drawings:
FIG. 1 is a flow chart of an optional code encryption method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an optional bytecode instruction format according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an optional bytecode instruction encryption process according to an embodiment of the present application;
FIG. 4 is a framework diagram of an optional code encryption method according to an embodiment of the present application;
FIG. 5 is a flow chart of another optional code encryption method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an optional code encryption device according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an optional electronic device according to an embodiment of the present application.
Detailed Description
To help those skilled in the art understand the solution, the technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them; all other embodiments that a person of ordinary skill in the art can obtain from them without creative effort fall within the scope of protection of the present application.
The terms "first", "second" and so on in the specification, the claims and the drawings distinguish similar objects and do not necessarily describe a particular order or sequence; data so labelled may be interchanged where appropriate, so that the embodiments described here can be carried out in an order other than the one illustrated or described. The terms "including" and "having", and their variants, are intended to cover non-exclusive inclusion: a process, method, system, product or device comprising a series of steps or units is not limited to the steps or units expressly listed and may include other steps or units that are not listed or that are inherent to it.
All information (including information on previously generated historical cases) and data (including but not limited to data for display and data for analysis) involved in the present application are authorized by the user or fully authorized by all parties. For example, an interface is set up between the system and the relevant users or organizations; before relevant information is obtained, an acquisition request is sent to the user or organization through that interface, and the information is obtained only after the user or organization returns its consent.
The collection, storage, use, processing, transmission, provision, disclosure and application of the information and data involved comply with the relevant laws, regulations and standards of the relevant regions, necessary confidentiality measures are taken, and public order and good morals are not violated. The application also provides an operation entry through which the user can grant or refuse authorization; if the user refuses, the corresponding expert decision-making process is entered.
In a first comparative embodiment, a Python program encryption protection method based on code virtualization is provided: the Python code to be protected is modified by adding a pre-built virtual machine to it, the implementation code of the virtual machine is compiled into the bytecode file together with the protected code, and the virtual machine dispatches and executes each instruction contained in that bytecode file. Because some of the virtual machine's instructions do not correspond to the operations of the official Python instructions, an attacker cannot crack the bytecode file with decompilation tools built for official Python bytecode, which protects the Python source code.
The disadvantages of this first embodiment include: the bytecode of the virtual machine's own implementation is also saved in the pyc bytecode file. The virtual machine can keep the bytecode of the main body of the Python code from being decompiled, but it cannot protect its own bytecode, so an attacker can still decompile the virtual machine's implementation with mainstream decompilation tools and, from it, recover the bytecode logic of the main body. In addition, the virtual machine has to be run repeatedly, which lowers the overall running efficiency of the Python code.
Compared with this first embodiment, the technical solution of the present application encrypts the bytecode and hides both the encrypted bytecode and the key information used during encryption in the bytecode file, which makes it harder for an attacker to recover the key information and the bytecode. The solution does not change the running logic of the Python code and needs no customized Python interpreter, so the resource overhead of decrypting the encrypted bytecode is comparatively small and the overall running efficiency of the Python code is preserved.
In a second comparative embodiment, a Python source code protection method based on pyc encryption is provided: the code is protected by encrypting the bytecode file, the official Python interpreter is modified into a customized interpreter, and the customized interpreter decrypts the encrypted bytecode file and then interprets and executes it.
The disadvantages of this second embodiment include: the official Python interpreter must be modified, and the locally installed official interpreter cannot run the encrypted bytecode file, which raises the learning cost for developers and takes up additional space. Moreover, an attacker can obtain the key information used during encryption by comparing the customized interpreter with the original official interpreter.
In a third comparative embodiment, a Python program module encryption method based on a symmetric algorithm and a dedicated loading module is provided: the bytecode file is encrypted with a symmetric encryption algorithm, and the custom-encrypted bytecode file is executed by loading a self-made extension module, which is a dynamic link library that other Python programs can share. The core encryption and decryption routines are compiled into the dynamic link library; developers import the library and call its function interfaces to encrypt, decrypt and execute the Python code.
The disadvantages of this third embodiment include: the self-made extension module has to be written in Python and/or C, and although that makes it harder for an attacker to crack the module, the core encryption algorithm and the key material it uses can be found directly in the binary file, so an attacker can still recover the Python source code easily.
Compared with the second and third embodiments, the key information used in the present application is continually and dynamically updated, which makes it harder to crack the encrypted bytecode file, and the key information used during encryption is hidden in the bytecode file of the protected code rather than stored in the extension library, which makes it harder and more costly for an attacker to obtain the key information and thereby improves the security of the Python code to be protected.
According to an embodiment of the present application, an embodiment of a code encryption method is provided. The steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and although the flow charts show a logical order, in some cases the steps shown or described may be executed in an order different from the one given here.
The present application provides a code encryption system for executing the code encryption method of the present application; the system may be implemented in software or in a combination of software and hardware.
FIG. 1 is a flow chart of an optional code encryption method according to an embodiment of the present application. As shown in FIG. 1, the method includes the following steps:
Step S101: compile the target code to obtain the code object corresponding to it, where the target code is the Python code to be protected.
Optionally, before step S101 the code encryption system first obtains the Python code to be protected and then rewrites it into the target code using preset regular expressions, which add a call to the corresponding decryption function at each call of a non-library function in the original Python code. The generated decryption functions are stored in a decryption extension library, so that when the encrypted bytecode (the target bytecode) is later interpreted and executed by the official Python interpreter, the encrypted bytecode file can be decrypted through that library.
Optionally, the code object is a PyCodeObject, a C structure that represents the compilation result of the Python code to be protected. A PyCodeObject includes one or more of the following attributes:
(1) Basic information:
co_argcount: the number of positional parameters of the function.
co_kwonlyargcount: the number of keyword-only parameters.
co_nlocals: the number of local variables in the function.
co_stacksize: the stack space the function needs at run time.
co_flags: the flag bits of the code object, for example whether it is a generator.
co_lnotab: the line number table mapping bytecode offsets to source line numbers (newer CPython versions expose this mapping as co_linetable).
(2) Instruction sequence information:
co_code: the bytecode instruction sequence, i.e. the compiled code.
co_consts: the constant tuple, containing the constants used in the code such as numbers, strings and the code objects of nested function bodies.
co_names: the name table, containing global variable names, function names and so on.
co_varnames: the variable name table, containing local variable names, parameter names and so on.
(3) Exception handling information:
co_exceptiontable (given as co_exceptions in the original): the exception table used for exception handling (CPython 3.11 and later).
(4) Other information:
co_cellvars: closure (cell) variables.
co_freevars: free variables, i.e. variables referenced but not defined in the local scope.
In some embodiments, the PyCodeObject attributes the code encryption system works with include at least co_code, co_consts, co_flags, co_names and co_varnames.
Step S102: encrypt the code object into the target bytecode, where the target bytecode represents the encrypted target code in bytecode form and includes the key information generated dynamically during encryption.
Optionally, Python bytecode is similar to assembly language: it is an intermediate language translated from Python source code while Python runs and held in memory, and the Python virtual machine processes bytecode line by line much as a processor processes assembly statements line by line. To save the source-to-bytecode translation time when the same Python program runs again, the translated bytecode is stored in a Python bytecode file in external storage, and when the program needs to be executed again the bytecode in that file is executed directly.
Optionally, the code encryption system performs the encryption of the code object through a preset encryptor. The encryptor at least XOR-encrypts the key attributes of the code object according to the dynamically generated key information and, when the total number of XOR keys generated for the XOR encryption is greater than or equal to a preset threshold, additionally applies symmetric encryption to the key attributes of part of the code object, thereby increasing the complexity of encrypting the Python code and the cost of cracking the generated target bytecode.
Here, the key information may include XOR keys; an XOR key is XORed with the byte of the code-object attribute that corresponds to that key.
It should be noted that in step S102 the code encryption system does not store the dynamically generated key information directly in the bytecode file corresponding to the target code; it first XORs the key information and then stores it in hidden form in that bytecode file. This prevents an attacker from reading the key information used by the code encryption system directly out of the bytecode file, raises the attacker's cost and improves the security of the target code.
From the above, the technical solution of the present application protects Python code by encrypting the bytecode corresponding to that code. The present application first compiles the Python code to be protected into a code object and then encrypts the code object into the target bytecode, obtaining an encrypted bytecode file (the target bytecode) for the Python code and thereby protecting it. At the same time, compared with the prior art, in which the Python code is converted directly into its bytecode file without protection, the bytecode-based encryption of the present application does not change the running logic of the original Python code; that is, the technical solution encrypts Python code at low cost and does not cause additional expensive resource consumption.
It can therefore be seen that, by encrypting the bytecode corresponding to the Python code, the present application protects the Python code: even if an attacker modifies the intermediate file corresponding to the Python code while it is running, the attacker cannot obtain the key information, so the modified Python code cannot run normally. This improves the security of the Python code and solves the technical problem of low Python code security caused by the language's ability to be edited dynamically at run time and the open-source nature of the Python interpreter.
In an optional embodiment, while encrypting the code object into the target bytecode, the code encryption system first scans the first attribute of the code object with the preset encryptor to obtain L constants, where L is a positive integer and the first attribute represents the constant tuple of the code object. Then, if the i-th of the L constants is of function type, the encryptor recursively encrypts the code object embedded in the i-th constant, where i is a positive integer less than or equal to L; if the i-th constant is of string type or numeric type, the encryptor XOR-encrypts the i-th constant.
Here, to distinguish the code object corresponding to the target code from the code object embedded in the i-th constant, the former may be called the first code object and the latter the second code object; the first code object is different from the second code object.
Optionally, the first attribute of the code object is its co_consts attribute. The constants in co_consts can represent immutable objects such as numbers, strings, tuples, lists and dictionaries; in addition, references to function objects can appear as constants in co_consts. A function-type constant in co_consts actually represents a reference to a function object rather than the function object itself.
Optionally, when the i-th of the L constants is of function type, the code object embedded in the i-th constant is the code object obtained by compiling the Python code of the function that the i-th constant represents, and the code encryption system encrypts that code object with the encryptor.
Optionally, by XOR-encrypting the first attribute of the code object the code encryption system improves the security of that attribute: even if the data of the first attribute is accessed or leaked illegitimately, the encrypted data is not easily interpreted by an attacker, which improves the security of the Python source code to which the first attribute corresponds.
In an optional embodiment, when XOR-encrypting the i-th constant and the i-th constant is of string type, the code encryption system first divides the i-th constant into M bytes with the preset encryptor, where M is a positive integer. The encryptor then dynamically generates M XOR keys in one-to-one correspondence with the M bytes, where the (m+1)-th XOR key is obtained by updating the m-th XOR key according to a preset rule and m is a positive integer less than M. The encryptor then XORs each of the M XOR keys with its corresponding byte to obtain the XOR results for all M bytes, and finally the code encryption system takes those M XOR results as the XOR encryption result of the i-th constant.
In an optional embodiment, when XOR-encrypting the i-th constant and the i-th constant is of numeric type, the code encryption system likewise XORs the i-th constant with an XOR key that can be updated according to the preset rule, and takes the result as the XOR encryption result of the i-th constant.
In some embodiments, the XOR keys used in the code encryption system lie in the interval [1, 255].
For example, suppose that after dividing the first string-type constant into M bytes, the code encryption system has the encryptor pick a random number from [1, 255] as the first XOR key, denoted xorKey, and additionally stores xorKey at the end of the constant tuple of the code object. The encryptor then XORs the first XOR key with the first byte of the first constant to obtain the XOR result for the first byte, and stores that result at the first byte's original position in the bytecode file.
Optionally, after the XOR result for the first byte has been obtained, the encryptor updates the first XOR key according to the preset rule to obtain the second XOR key, XORs the second XOR key with the second byte of the first constant to obtain the XOR result for the second byte, and stores that result at the second byte's original position in the bytecode file.
Optionally, the code encryption system XORs the first attribute of the code object with the key information dynamically generated by the encryptor, thereby encrypting the first attribute. XOR is a simple bitwise operation involving only two operands and one bit operation; it can be carried out by the computer's basic hardware and suits scenarios with limited resources or where a fast implementation is needed, so encrypting the code in this way adds no extra resource overhead.
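The constant-tuple pass described above (recurse into nested code objects, rolling-XOR strings byte by byte and numbers as a whole, append the starting xorKey to the tuple), written out as an added example. This is illustrative code, not the applicant's encryptor: the key update rule `next_key` is an assumption, since the description only says "a preset rule", and the tagged-list output format and the `plain_view` helper are constructed here so the round trip can be checked against a real compiled code object.

```python
import random
import types

KEY_MIN, KEY_MAX = 1, 255          # XOR keys live in [1, 255] per the description


def next_key(key: int) -> int:
    """Assumed 'preset rule' for deriving key m+1 from key m; the description
    does not fix the rule. The result always stays inside [1, 255]."""
    return (key * 31 + 17) % 255 + 1


def xor_bytes(data: bytes, key: int):
    """Rolling XOR: byte k is XORed with key k, then the key is advanced.
    Symmetric, so the same routine decrypts. Returns (output, key after last byte)."""
    out = bytearray()
    for b in data:
        out.append(b ^ key)
        key = next_key(key)
    return bytes(out), key


def encrypt_consts(code: types.CodeType, rng: random.Random):
    """Encrypt co_consts as described: recurse into nested code objects,
    rolling-XOR str and int constants, and append the starting xorKey as an
    extra final entry. Returns (encrypted_consts, key after the last constant)."""
    xor_key = rng.randint(KEY_MIN, KEY_MAX)      # first key, chosen at random
    key = xor_key
    out = []
    for c in code.co_consts:
        if isinstance(c, types.CodeType):         # nested function body: recurse
            nested, _ = encrypt_consts(c, rng)
            out.append(("code", nested))
        elif isinstance(c, str):
            enc, key = xor_bytes(c.encode("utf-8"), key)
            out.append(("str", enc))
        elif isinstance(c, int) and not isinstance(c, bool):
            out.append(("int", c ^ key))
            key = next_key(key)
        else:                                     # None, floats, tuples: left as is
            out.append(("raw", c))
    out.append(("xorkey", xor_key))               # xorKey stored at the end of the tuple
    return out, key


def decrypt_consts(enc):
    """Inverse of encrypt_consts: the trailing xorKey entry seeds the key stream."""
    if enc[-1][0] != "xorkey":
        raise ValueError("missing xorKey entry")
    key = enc[-1][1]
    out = []
    for kind, v in enc[:-1]:
        if kind == "code":
            out.append(("code", decrypt_consts(v)))
        elif kind == "str":
            plain, key = xor_bytes(v, key)
            out.append(("str", plain.decode("utf-8")))
        elif kind == "int":
            out.append(("int", v ^ key))
            key = next_key(key)
        else:
            out.append((kind, v))
    return out


def plain_view(code: types.CodeType):
    """The same tagged structure decrypt_consts produces, built from the original."""
    out = []
    for c in code.co_consts:
        if isinstance(c, types.CodeType):
            out.append(("code", plain_view(c)))
        elif isinstance(c, str):
            out.append(("str", c))
        elif isinstance(c, int) and not isinstance(c, bool):
            out.append(("int", c))
        else:
            out.append(("raw", c))
    return out


# Constructed sample: a module-level string and a nested function whose own
# co_consts hold a string and a number, so the recursive path is exercised.
SAMPLE_SOURCE = '''
SECRET = "license-check-v2"
def check(token):
    return token == "ABCD-1234" and len(token) == 9
'''
CODE = compile(SAMPLE_SOURCE, "<sample>", "exec")
ENCRYPTED, LAST_KEY = encrypt_consts(CODE, random.Random(2024))


def roundtrip_ok() -> bool:
    return decrypt_consts(ENCRYPTED) == plain_view(CODE)
```

`LAST_KEY` is the value the description later reuses as the initial instruction key for the co_code pass.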
In an optional embodiment, while encrypting the code object into the target bytecode, the code encryption system first scans the second attribute of the code object with the preset encryptor to obtain N bytecode instructions, where N is a positive integer and the second attribute represents the bytecode instruction sequence of the code object. The code encryption system then takes the last XOR key dynamically generated while XOR-encrypting the constants of the code object as the initial value of the instruction key, where the instruction key is used to XOR-encrypt the bytecode instructions and the redundant byte of a bytecode instruction is used to store the latest value of the instruction key. Then, if the j-th of the N bytecode instructions has an operand, the encryptor XOR-encrypts the j-th instruction with the latest value of the instruction key and the instruction key is not updated, where j is a positive integer less than or equal to N.
Here, the latest value of the instruction key means its current value: if the instruction key has never been updated, the latest value is the initial value; if it has been updated, the latest value is the value after the most recent update.
Optionally, when the j-th of the N bytecode instructions has an operand, after the encryptor has been prevented from updating the latest value of the instruction key, it XOR-encrypts the (j+1)-th bytecode instruction with the current instruction key.
Optionally, when the j-th bytecode instruction has no operand, the encryptor XOR-encrypts the j-th bytecode instruction with the latest value of the instruction key and then updates the latest value of the instruction key to a random number chosen from a preset range.
By way of example, before the encryptor XOR-encrypts the j-th bytecode instruction with the latest value of the instruction key, it first picks a random number from the preset range and stores it in the redundant byte of the j-th bytecode instruction.
In some embodiments, the preset range is [1, 255] and the initial value of the instruction key is the last XOR key dynamically generated while XOR-encrypting the constants of the code object.
Optionally, Figure 2 is a schematic diagram of an optional bytecode instruction format according to an embodiment of the present application. As shown in Figure 2, in Python 3.6 and later every bytecode instruction in the co_code attribute is 2 bytes long: an instruction with an operand consists of a 1-byte opcode and a 1-byte operand, and an instruction without an operand consists of a 1-byte opcode and a 1-byte "\x00" redundant byte.
Optionally, Figure 3 is a schematic diagram of an optional bytecode instruction encryption process according to an embodiment of the present application. As shown in Figure 3, bytecode instructions 1, 2 and 4 have operands and bytecode instruction 3 does not. Assume that the initial value of the instruction key is K0. The encryptor encrypts instructions 1 and 2 with K0. When the code encryption system detects that instruction 3 has no operand, it has the encryptor generate a new instruction key K1 from the preset range and store K1 in the redundant byte of instruction 3; it then XOR-encrypts the whole of instruction 3 (including the K1 stored in its redundant byte) with the old key K0, and encrypts the instructions after instruction 3 (that is, instruction 4) with the new key K1.
Optionally, compared with storing a newly generated instruction key in the redundant byte of the bytecode instruction without XOR-encrypting it, the present application stores the new key in the redundant byte and then XOR-encrypts the whole instruction (redundant byte included) with the old instruction key, which improves the security of the key information held in the redundant byte and makes it harder for an attacker to obtain it.
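The instruction pass of Figures 2 and 3, as an added example that is not the applicant's code: each 2-byte unit is XORed with the current instruction key; a unit with no operand first receives a freshly drawn key in its redundant byte, is encrypted under the old key, and hands the new key to the units that follow. Decryption needs nothing but K0, because every decrypted argless unit reveals the next key. The `HAS_ARG` table uses the interpreter's own opcode metadata (`dis.hasarg` on Python 3.12+, the `HAVE_ARGUMENT` threshold before that); the choice of `k0 = 42` and the sample function are constructed, and in the described scheme K0 would be the last constant key.

```python
import dis
import random

KEY_MIN, KEY_MAX = 1, 255          # preset range for instruction keys

# Opcodes that carry an operand. Python 3.12+ exposes dis.hasarg; earlier
# versions define them as every opcode at or above HAVE_ARGUMENT.
HAS_ARG = set(getattr(dis, "hasarg", range(dis.HAVE_ARGUMENT, 256)))


def encrypt_code(co_code: bytes, k0: int, rng: random.Random):
    """Encrypt a 2-byte-per-instruction co_code stream.
    k0 is the initial instruction key (the last constant key in the description).
    Returns (ciphertext, list of instruction keys generated, in order)."""
    if len(co_code) % 2:
        raise ValueError("co_code must consist of whole 2-byte units")
    out, keys, key = bytearray(), [], k0
    for i in range(0, len(co_code), 2):
        op, arg = co_code[i], co_code[i + 1]
        if op in HAS_ARG:
            # instruction with operand: XOR both bytes with the current key, no key change
            out += bytes((op ^ key, arg ^ key))
        else:
            # argless instruction: draw the next key, park it in the redundant byte,
            # encrypt the whole unit under the OLD key, then switch to the new key
            new_key = rng.randint(KEY_MIN, KEY_MAX)
            keys.append(new_key)
            out += bytes((op ^ key, new_key ^ key))
            key = new_key
    return bytes(out), keys


def decrypt_code(cipher: bytes, k0: int) -> bytes:
    """Inverse: each argless unit, once decrypted with the current key, reveals
    the key for the units after it."""
    out, key = bytearray(), k0
    for i in range(0, len(cipher), 2):
        op = cipher[i] ^ key
        second = cipher[i + 1] ^ key
        if op in HAS_ARG:
            out += bytes((op, second))
        else:
            out += bytes((op, 0))      # restore the original \x00 redundant byte
            key = second               # the parked key takes over
    return bytes(out)


def sample(a, b):
    """Constructed sample; its co_code contains both operand and argless units."""
    return (a + b) * 2


SAMPLE_CO_CODE = sample.__code__.co_code
K0 = 42                                 # constructed; would be the last constant key
CIPHER, KEYS = encrypt_code(SAMPLE_CO_CODE, K0, random.Random(7))


def roundtrip_ok() -> bool:
    return decrypt_code(CIPHER, K0) == SAMPLE_CO_CODE
```

`KEYS` is the ordered list of instruction keys the description later counts against the 16 and 32 thresholds; `len(KEYS)` is the key count.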
In an optional embodiment, while encrypting the code object into the target bytecode and after the encryptor has finished XOR-encrypting the key attributes of the code object, the code encryption system uses the preset encryptor to determine whether the key count is greater than or equal to a first preset threshold, where the key count is the total number of instruction keys dynamically generated while XOR-encrypting the bytecode instructions. If the key count is greater than or equal to the first preset threshold, the encryptor generates a target key from P instruction keys, where the P instruction keys are the first P instruction keys in order of generation and P equals the first preset threshold. The encryptor then symmetrically encrypts the first encryption result with the target key, where the first encryption result is the result of XOR-encrypting the key attributes of the code object with the instruction keys in the first set, the key attributes of the code object include at least the second attribute, and the first set consists of all instruction keys other than the P instruction keys.
In some embodiments, the first preset threshold may be set to 16.
Optionally, the code encryption system can take the concatenation of the first 16 instruction keys generated by the encryptor as the target key and, with that target key, re-encrypt in ECB (Electronic Codebook) mode of the AES (Advanced Encryption Standard) symmetric algorithm the bytecode information that was encrypted with instruction keys other than the first 16.
Optionally, in the technical solution of the present application the code encryption system can not only have the encryptor XOR-encrypt the key attributes of the code object but also, on top of the XOR encryption, apply a second layer of AES symmetric encryption to part of the XOR-encrypted result. XOR encryption is simple and fast but offers relatively low security; re-encrypting part of the XOR result with AES enhances the confidentiality and security of the data.
In an optional embodiment, while encrypting the code object into the target bytecode, the code encryption system uses the preset encryptor to determine whether the key count is greater than or equal to a second preset threshold, where the key count is the total number of instruction keys dynamically generated while XOR-encrypting the bytecode instructions and the second preset threshold is greater than the first. If the key count is greater than or equal to the second preset threshold, the encryptor generates a target vector from Q instruction keys, where Q is a positive integer, the Q instruction keys are the (P+1)-th to R-th instruction keys in order of generation, P equals the first preset threshold and R equals the second preset threshold. The encryptor then symmetrically encrypts the second encryption result with the target vector and the target key, where the second encryption result is the result of XOR-encrypting the key attributes of the code object with the instruction keys in the second set, the key attributes include at least the second attribute, and the second set consists of all instruction keys other than the P instruction keys and the Q instruction keys.
In some embodiments, the second preset threshold may be set to 32.
Optionally, ECB mode encrypts each plaintext block independently, so plaintext blocks with identical content produce identical ciphertext, which makes ECB unsuitable for long texts containing repeated data. Therefore, when the key count is greater than or equal to the second preset threshold of 32, the code encryption system of the present application, in addition to re-encrypting in AES-ECB mode with the target key the bytecode information encrypted with instruction keys other than the first 16, optionally also takes the concatenation of the 17th to 32nd instruction keys generated by the encryptor as the target vector and re-encrypts in CBC (Cipher Block Chaining) mode of AES, with the target key and target vector, the bytecode information encrypted with the instruction keys after the 32nd.
Optionally, CBC mode is more secure than ECB mode: the encryption of each plaintext block in CBC depends on the encryption result of the previous block, that is, each encrypted block carries the influence of the previous ciphertext block, so even two plaintext blocks with identical content yield different ciphertext blocks. This chaining increases the complexity of the encryption result and reduces the risk of information leakage. In addition, CBC mode requires a randomly generated initialization vector (the target vector), whose randomness and uniqueness further increase the complexity of the encryption process and thus the security of the target bytecode generated by the code encryption system.
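The second layer described in this and the preceding embodiment, as an added example that is not the applicant's code: the target key is the first 16 instruction keys, the target vector is keys 17 to 32, the XOR ciphertext produced under the first 16 keys is left alone, the part produced under keys 17 to 32 gets AES-ECB, and the part produced after the 32nd key gets AES-CBC. The offsets `off_p` and `off_r` at which those keys took effect are supplied as constructed inputs (the encryptor would record them while walking co_code), PKCS#7 padding is an assumption, and the split into regions is this example's reading of the "first set" and "second set". Real AES is used when the `cryptography` package is installed; otherwise a keyed byte permutation that is not a cipher stands in for the block function so that the mode logic, which is what the example shows, still runs. The sample regions are built from repeated blocks so the ECB leak the description warns about is visible next to the CBC output.

```python
BLOCK = 16
P, R = 16, 32   # first and second preset thresholds from the description

try:  # real AES when the 'cryptography' package is present
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    def block_decrypt(key: bytes, block: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        return dec.update(block) + dec.finalize()
except ImportError:  # stand-in keyed permutation, NOT a cipher: keeps the mode logic runnable
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return bytes(((b ^ k) + i) & 0xFF for i, (b, k) in enumerate(zip(block, key)))

    def block_decrypt(key: bytes, block: bytes) -> bytes:
        return bytes(((c - i) & 0xFF) ^ k for i, (c, k) in enumerate(zip(block, key)))


def pad(data: bytes) -> bytes:          # PKCS#7 (assumed): always adds 1..16 bytes
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def padded_len(n: int) -> int:
    return (n // BLOCK + 1) * BLOCK


def ecb_encrypt(key, data):
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return unpad(b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)))


def cbc_encrypt(key, iv, data):
    data, out, prev = pad(data), [], iv
    for i in range(0, len(data), BLOCK):        # each block is mixed with the previous ciphertext
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, cur), prev)))
        prev = cur
    return unpad(b"".join(out))


def second_layer(xor_cipher: bytes, off_p: int, off_r: int, keys: list) -> bytes:
    """[0, off_p) stays XOR-only; [off_p, off_r) gets ECB under the target key;
    [off_r, end) gets CBC under the target key and target IV. Below P keys nothing
    is added; between P and R keys everything after off_p gets ECB."""
    n = len(keys)
    if n < P:
        return xor_cipher
    target_key = bytes(keys[:P])                  # first 16 instruction keys
    if n < R:
        return xor_cipher[:off_p] + ecb_encrypt(target_key, xor_cipher[off_p:])
    target_iv = bytes(keys[P:R])                  # keys 17..32
    return (xor_cipher[:off_p]
            + ecb_encrypt(target_key, xor_cipher[off_p:off_r])
            + cbc_encrypt(target_key, target_iv, xor_cipher[off_r:]))


def strip_second_layer(layered: bytes, off_p: int, off_r: int, keys: list) -> bytes:
    n = len(keys)
    if n < P:
        return layered
    target_key = bytes(keys[:P])
    if n < R:
        return layered[:off_p] + ecb_decrypt(target_key, layered[off_p:])
    ecb_end = off_p + padded_len(off_r - off_p)   # ECB output length is fixed by padding
    return (layered[:off_p]
            + ecb_decrypt(target_key, layered[off_p:ecb_end])
            + cbc_decrypt(target_key, bytes(keys[P:R]), layered[ecb_end:]))


# Constructed inputs: 40 instruction keys in [1, 255] and an XOR-stage ciphertext
# whose ECB and CBC regions are each four identical 16-byte blocks.
KEYS = [(i * 37 + 11) % 255 + 1 for i in range(40)]
REGION_A = bytes(range(20))
REGION_B = b"\x5a" * (16 * 4)
REGION_C = b"\x41" * (16 * 4)
XOR_CIPHER = REGION_A + REGION_B + REGION_C
OFF_P, OFF_R = len(REGION_A), len(REGION_A) + len(REGION_B)


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def demo():
    """Returns (layered output, ECB-region blocks, CBC-region blocks)."""
    layered = second_layer(XOR_CIPHER, OFF_P, OFF_R, KEYS)
    ecb_end = OFF_P + padded_len(len(REGION_B))
    return layered, blocks(layered[OFF_P:ecb_end]), blocks(layered[ecb_end:])
```

In the ECB region the four identical plaintext blocks come out as four identical ciphertext blocks, which is exactly the pattern leak the description cites as the reason for switching to CBC once 32 keys are available.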
In an optional embodiment, when the Python code needs to run, the code encryption system first loads the target bytecode into the interpreter. It then checks the encryption flag of each function in the target bytecode that is to be called, where the encryption flag indicates whether the code object corresponding to the function is encrypted. If the flag equals the preset flag, the bytecode of the function is decrypted by calling the function's decryption function, which is stored in the decryption extension library. The code encryption system then tracks the function's call count, where the call count is the remaining number of times the function is called by other functions that have not yet finished running, and finally, when the call count equals the preset count, the code encryption system has the encryptor re-encrypt the function's decrypted result.
In some embodiments, the encryption flag is the co_flags attribute of the code object, the preset flag indicates that the function's code object has been encrypted, and the preset count may be set to 0.
Optionally, the decryption extension library can be implemented with a class decorator. A class decorator decorates a class rather than a function; it is a function or callable object that accepts a function as an argument and returns a new function, so the code can be extended or modified dynamically without changing the original function definition.
Optionally, a call count of 0 for a function means that the function does not need to be called again during the current run of the target code. To prevent the leakage of Python source code that would result from the decrypted bytecode of the function remaining in memory, the encryptor re-encrypts the function once it is no longer in use.
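The run-time side of this embodiment (decrypt on call, count the calls still in flight, re-encrypt when the count returns to 0), as an added example that is not the applicant's decryption extension library. It uses a class as a decorator, which is this example's reading of the "class decorator" above. Assumptions, not taken from the description: the protected function is kept as a marshalled code object under a rolling XOR whose update rule is invented here, the key is held by the wrapper rather than hidden in the bytecode, and "re-encrypting" is done by discarding the plaintext function while the encrypted blob is retained, so that only the encrypted form stays in memory between uses. Functions with closures or default arguments are out of scope for the sample.

```python
import marshal
import random
import types


def rolling_xor(data: bytes, key: int) -> bytes:
    """Symmetric rolling XOR over a byte string; the key is advanced after each
    byte by an assumed update rule that keeps it inside [1, 255]."""
    out = bytearray()
    for b in data:
        out.append(b ^ key)
        key = (key * 31 + 17) % 255 + 1
    return bytes(out)


class protected:
    """Decorator standing in for the decryption extension library's wrapper.

    While idle, the function exists only as an encrypted marshal blob. The first
    call decrypts it; nested calls (recursion, callers still running) reuse the
    plaintext; when the in-flight count returns to 0 (the preset count) the
    plaintext is dropped so only the encrypted form remains in memory."""

    def __init__(self, func):
        self._key = random.SystemRandom().randint(1, 255)      # assumed key handling
        self._blob = rolling_xor(marshal.dumps(func.__code__), self._key)
        self._globals = func.__globals__
        self._name = func.__name__
        # Copy metadata by hand: functools.update_wrapper would keep a reference
        # to the plaintext function in __wrapped__, defeating the purpose.
        self.__name__ = func.__name__
        self.__doc__ = func.__doc__
        self._plain = None        # decrypted function object, present only while in use
        self.in_flight = 0        # the 'call count' of the description
        self.decryptions = 0      # bookkeeping so the behaviour can be checked
        self.reencryptions = 0

    def __call__(self, *args, **kwargs):
        if self._plain is None:                      # decrypt on first (outermost) call
            code = marshal.loads(rolling_xor(self._blob, self._key))
            self._plain = types.FunctionType(code, self._globals, self._name)
            self.decryptions += 1
        self.in_flight += 1
        try:
            return self._plain(*args, **kwargs)
        finally:
            self.in_flight -= 1
            if self.in_flight == 0:                  # nobody still needs the plaintext
                self._plain = None
                self.reencryptions += 1

    def is_encrypted(self) -> bool:
        return self._plain is None


@protected
def factorial(n: int) -> int:
    """Constructed sample: recursion exercises the nested-call path, so the body is
    decrypted once per outermost call rather than once per recursion level."""
    return 1 if n <= 1 else n * factorial(n - 1)
```

The recursive call resolves the global name `factorial` to the wrapper, so the in-flight count rises to the recursion depth and falls back to 0 exactly when the outermost call returns; a body decrypted once per recursion level would be the failure mode to watch for in a real implementation.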
在一种可选的实施例中,图4是根据本申请实施例的一种可选的代码加密方法的框架图,如图4所示,本申请中的代码加密系统包括开发人员端使用的加密器和用户端使用的解密拓展库,其中,加密器能够将开发人员需要保护的Python源代码文件(即图4中的“Python代码”)转为加密的Python字节码文件(即图4中的“加密的Python代码”),并且加密器不会改变Python源代码的运行逻辑,之后,开发人员将加密的Python字节码文件及解密拓展库一同发布给用户,在用户需要运行Python代码时,通过用户的本地Python解释器即可正常执行该加密Python字节码文件,无需消耗额外的系统资源定制Python解释器,因此,本申请的技术方案不会因为需要对加密的Python字节码文件进行解密产生高额的系统开销。In an optional embodiment, Figure 4 is a framework diagram of an optional code encryption method according to an embodiment of the present application. As shown in Figure 4, the code encryption system in the present application includes an encryptor used by the developer side and a decryption extension library used by the user side, wherein the encryptor can convert the Python source code file that the developer needs to protect (i.e., the "Python code" in Figure 4) into an encrypted Python bytecode file (i.e., the "encrypted Python code" in Figure 4), and the encryptor will not change the running logic of the Python source code. Afterwards, the developer will publish the encrypted Python bytecode file and the decryption extension library to the user. When the user needs to run the Python code, the encrypted Python bytecode file can be executed normally through the user's local Python interpreter without consuming additional system resources to customize the Python interpreter. Therefore, the technical solution of the present application will not generate high system overhead due to the need to decrypt the encrypted Python bytecode file.
在一种可选的实施例中,图5是根据本申请实施例的另一种可选的代码加密方法的流程图,如图5所示,加密代码的步骤包括:In an optional embodiment, FIG. 5 is a flowchart of another optional code encryption method according to an embodiment of the present application. As shown in FIG. 5 , the steps of encrypting the code include:
Step 1: After reading the Python source code, match and modify the Python source code with preset regular expressions.
In this way, while the Python code runs, the preset decryption function in the decryption extension library is called before each non-library function is called, so as to decrypt the bytecode information corresponding to that non-library function.
Step 2: Compile the code modified by the regular expressions into a code object (PyCodeObject).
Step 3: Scan the co_consts of the PyCodeObject. Where a constant in co_consts represents a function object, recursively encrypt the code object embedded in that function; where a constant represents a string or a number, XOR-encrypt the constant with an XOR key that is dynamically updated according to a preset rule.
Step 4: Scan the co_code of the PyCodeObject and XOR-encrypt the bytecode instructions one by one with the instruction key ("scan the bytecode and XOR instruction by instruction" in FIG. 5). During encryption, determine whether each bytecode instruction is a parameterless instruction ("the instruction is a parameterless instruction" in FIG. 5). If it is, hide a new instruction key in the redundant "\x00" byte of the parameterless instruction ("use a new XOR key and hide it" in FIG. 5), and switch the encryptor to the new instruction key for XOR-encrypting the bytecode instructions that follow.
Step 5: Have the encryptor store every instruction key used while encrypting the bytecode instructions and count the total number of instruction keys it generated. Once the scan of the PyCodeObject's co_code is complete, if the total number of instruction keys is greater than or equal to 16, the encryptor applies a second layer of encryption with the AES algorithm to part of the encryption result; if the total is less than 16, the encryptor finishes.
When the total number of instruction keys is at least 16 but less than 32, the bytecode information encrypted with the instruction keys other than the first 16 is encrypted a second time with AES in ECB mode, the AES key being the combination of the first 16 instruction keys. When the total number is at least 32, the bytecode information encrypted with the instruction keys after the 32nd is encrypted a second time with AES in CBC mode, the AES key being the combination of the first 16 instruction keys and the initialization vector the combination of the 17th to 32nd instruction keys. Note that the AES encryption does not cover the parts of the bytecode in which XOR keys are hidden.
In addition, the decryption extension library in FIG. 5 is implemented as a class decorator that decrypts a function when it is called and re-encrypts it when it is no longer used, so that decrypted function bytecode does not remain in memory where it could leak the Python source code. When a function is called, the class decorator checks the function's co_flags and decrypts the function if co_flags carries the encryption flag. During encryption and decryption, the technical solution of the present application maintains a reference-count table for functions; when a function's reference count reaches 0, the function is no longer needed, and the encryptor is directed to re-encrypt it.
It can be seen from the above that although the decryption extension library is itself a binary file and is therefore at risk of being cracked by decompilation, the key information used for the XOR and symmetric encryption in the present application is dynamically embedded in the encrypted bytecode, and the decryption extension library contains no key information. Moreover, the decryption extension library has to be converted and compiled through the API (Application Programming Interface) of Python and/or C, so the cost of cracking it is higher than for an ordinary binary file.
Optionally, an application scenario of the technical solution of the present application is as follows. A developer has written a piece of software in Python that randomly selects member records from a database; it can be used in practical scenarios such as random roll call in a classroom or prize draws at a company's annual meeting. The developer wishes to release the software for users to use freely, but once an attacker cracks the software and obtains or tampers with its random number algorithm, the software's draw results could be predicted or manipulated, and the software would lose its fairness and randomness.
The developer can therefore protect the random number algorithm used in the software with the technical solution of the present application. The developer need not learn any additional code encryption technique; the present solution protects the software simply and quickly, which lowers the developer's learning cost for code encryption while raising the attacker's cost of cracking the random number algorithm. In addition, after the software is encrypted with the technical solution of the present application, it cannot be cracked with conventional Python decompilation tools or binary reverse-engineering tools, which improves the security of the random number algorithm the software uses.
It can be seen from the above that the technical solution of the present application uses the bytecode structure to hide and protect the dynamic key information used during encryption, and improves the security of the Python source code by applying XOR encryption and symmetric encryption to the bytecode.
Optionally, by protecting the software's Python source code, the technical solution of the present application ensures that the software's core logic cannot be stolen by attackers, thereby protecting the software's intellectual property; it also prevents attackers from tampering with the source code to crack the software or bypass its checks; it protects trade secrets used in the software, such as important data structures, core algorithms and confidential data; and it prevents attackers from auditing the software's source code for weaknesses, reducing the risk of security attacks against the software.
According to another aspect of the embodiments of the present application, a code encryption device for executing the code encryption method of the present application is also provided. FIG. 6 is a schematic diagram of an optional code encryption device according to an embodiment of the present application. As shown in FIG. 6, the code encryption device comprises a compilation unit 601 and an encryption unit 602.
Optionally, the compilation unit compiles the target code to obtain the code object corresponding to the target code, the target code being the Python code to be protected; the encryption unit encrypts the code object into the target bytecode, which represents the encrypted target code in bytecode form and includes the key information dynamically generated during encryption.
Optionally, before the compilation unit compiles the target code, the code encryption device first obtains the Python code to be protected and then, using preset regular expressions, updates that code into the target code. The regular expressions add a corresponding decryption function to each call of a non-library function in the original Python code, and the code encryption device stores the generated decryption functions in the decryption extension library, so that when the encrypted bytecode (the target bytecode) is later interpreted and executed by the official Python interpreter, the decryption extension library can decrypt the encrypted bytecode file.
Optionally, the code encryption device encrypts the code object through a preset encryptor. The encryptor at least XOR-encrypts the key attributes of the code object with dynamically generated key information, and when the total number of XOR keys generated during XOR encryption is greater than or equal to a preset threshold, it also symmetrically encrypts the key attributes of some code objects, which increases the complexity of encrypting the Python code and the cost of cracking the generated target bytecode.
Optionally, in the encryption unit, the code encryption device does not store the key information dynamically generated during encryption directly in the bytecode file corresponding to the target code; instead it XORs the dynamically generated key information and hides the result in that bytecode file, so that an attacker cannot read the key information used by the code encryption device directly out of the bytecode file. This raises the attacker's cost and improves the security of the target code.
In an optional embodiment, the encryption unit comprises a first scanning subunit, a first encryption subunit and a second encryption subunit.
Optionally, the first scanning subunit scans a first attribute of the code object to obtain L constants, where L is a positive integer and the first attribute represents the constant tuple of the code object; the first encryption subunit, when the i-th of the L constants is of function type, recursively encrypts the code object embedded in the i-th constant, where i is a positive integer less than or equal to L; and the second encryption subunit, when the i-th constant is of string or numeric type, XOR-encrypts the i-th constant.
Optionally, by XOR-encrypting the first attribute of the code object, the code encryption device improves the security of that attribute: even if the data of the first attribute is illegally accessed or leaked, the encrypted data is not easily interpreted by an attacker, which improves the security of the Python source code that the first attribute of the code object corresponds to.
In an optional embodiment, when the i-th constant is of string type, the second encryption subunit comprises a byte division module, a key generation module, an XOR processing module and a determination module.
Optionally, the byte division module divides the i-th constant into M bytes, where M is a positive integer; the key generation module dynamically generates M XOR keys in one-to-one correspondence with the M bytes, where the (m+1)-th XOR key is obtained by updating the m-th XOR key according to a preset rule and m is a positive integer less than M; the XOR processing module XORs each of the M XOR keys with its corresponding byte to obtain the XOR results for all M bytes; and the determination module takes the XOR results for the M bytes as the XOR encryption result of the i-th constant.
In an optional embodiment, when the i-th constant is of numeric type, the second encryption subunit XORs the i-th constant directly in the XOR processing module with an XOR key dynamically generated by the preset encryptor, and the determination module then takes the resulting XOR value as the XOR encryption result of the i-th constant.
Optionally, the code encryption device XORs the first attribute of the code object with the key information dynamically generated by the encryptor, thereby encrypting the first attribute. XOR is a simple bitwise operation involving only two operands and one bit operation; it can be implemented by a computer's basic hardware and is suited to resource-constrained scenarios or those that need a fast implementation, so encrypting the code adds no additional resource overhead.
In an optional embodiment, the encryption unit further comprises a second scanning subunit, an instruction key determination subunit, a third encryption subunit and a fourth encryption subunit.
Optionally, the second scanning subunit scans a second attribute of the code object to obtain N bytecode instructions, where N is a positive integer and the second attribute represents the bytecode instruction sequence of the code object; the instruction key determination subunit takes the last XOR key dynamically generated while XOR-encrypting the constants of the code object as the initial value of the instruction key, where the instruction key is used to XOR-encrypt bytecode instructions and the redundant byte of a bytecode instruction stores the latest value of the instruction key; the third encryption subunit, when the j-th of the N bytecode instructions has a parameter, XOR-encrypts the j-th bytecode instruction with the latest value of the instruction key and does not update that value, where j is a positive integer less than or equal to N; and the fourth encryption subunit, when the j-th bytecode instruction has no parameter, XOR-encrypts the j-th bytecode instruction with the latest value of the instruction key and then updates that value to a random number drawn from a preset range.
Optionally, compared with storing a newly generated instruction key in the redundant byte of a bytecode instruction without XOR encryption, the code encryption device stores the newly generated instruction key in the redundant byte and then XOR-encrypts the entire bytecode instruction (including the redundant byte) with the old instruction key, which improves the security of the key information stored in the redundant byte and makes it harder for an attacker to recover the original key information.
In an optional embodiment, the encryption unit further comprises a first judgment subunit, a target key generation subunit and a fifth encryption subunit.
Optionally, the first judgment subunit judges whether the number of keys is greater than or equal to a first preset threshold, where the number of keys is the total number of instruction keys dynamically generated while XOR-encrypting the bytecode instructions; the target key generation subunit, when the number of keys is greater than or equal to the first preset threshold, generates a target key from P instruction keys, where the P instruction keys are the P earliest generated of all the instruction keys and P equals the first preset threshold; and the fifth encryption subunit symmetrically encrypts a first encryption result with the target key, where the first encryption result is obtained by XOR-encrypting the key attributes of the code object with the instruction keys in a first set, the key attributes of the code object include at least the second attribute, and the first set consists of all instruction keys other than the P instruction keys.
Optionally, the code encryption device not only directs the encryptor to XOR-encrypt the key attributes of the code object but also applies a second layer of encryption, based on the AES symmetric algorithm, to part of the XOR encryption result. XOR encryption is simple and fast but offers relatively low security; encrypting the XOR result a second time with AES enhances the confidentiality and security of the data.
In an optional embodiment, the encryption unit further comprises a second judgment subunit, a target vector generation subunit and a sixth encryption subunit.
Optionally, the second judgment subunit judges whether the number of keys is greater than or equal to a second preset threshold, where the second preset threshold is greater than the first; the target vector generation subunit, when the number of keys is greater than or equal to the second preset threshold, generates a target vector from Q instruction keys, where Q is a positive integer, the Q instruction keys are those ranked (P+1)-th to R-th by generation time among all instruction keys, P equals the first preset threshold and R equals the second preset threshold; and the sixth encryption subunit symmetrically encrypts a second encryption result with the target vector and the target key, where the second encryption result is obtained by XOR-encrypting the key attributes of the code object with the instruction keys in a second set, and the second set consists of all instruction keys other than the P instruction keys and the Q instruction keys.
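The following is an added example, not the patent's own code, that models the XOR layer of steps 3 and 4 of FIG. 5 (the second, third and fourth encryption subunits above) together with the AES tiering decision of step 5 (the first and second judgment subunits). It assumes CPython's 2-byte (opcode, arg) wordcode layout, a hypothetical constant-key update rule `next_const_key()`, a caller-supplied source of fresh instruction keys, and that the key count used for the AES decision covers only keys generated while scanning co_code; the AES pass itself is not performed, only its mode, key and IV are derived.

```python
"""Toy model of the patent's XOR layer and AES tiering rule.

Added example, not the patent's code. Assumptions the patent leaves open:
CPython 2-byte wordcode (opcode, arg); the constant-key rule next_const_key();
a caller-supplied fresh-key source; the AES key count covers only keys
generated while scanning co_code. The AES pass itself is not run here.
"""
import dis
import secrets
from typing import Callable, List, Optional, Tuple

# CPython >= 3.12 exports the exact list as dis.hasarg; older interpreters
# give only the HAVE_ARGUMENT threshold.
_HAS_ARG = set(getattr(dis, "hasarg", range(dis.HAVE_ARGUMENT, 256)))

FIRST_THRESHOLD = 16   # instruction keys needed before AES-ECB is applied
SECOND_THRESHOLD = 32  # instruction keys needed before AES-CBC is applied


def default_has_arg(opcode: int) -> bool:
    return opcode in _HAS_ARG


def next_const_key(key: int) -> int:
    """Hypothetical 'preset rule' for rolling the per-byte constant key."""
    return (key * 5 + 17) & 0xFF


def xor_constant(data: bytes, key0: int) -> Tuple[bytes, int]:
    """Step 3: XOR a string constant byte by byte with a rolling key.

    Returns the ciphertext and the key following the last one used, which
    the patent takes as the initial instruction key for co_code. XOR is its
    own inverse, so the same call on the ciphertext decrypts it.
    """
    key, out = key0, bytearray()
    for b in data:
        out.append(b ^ key)
        key = next_const_key(key)
    return bytes(out), key


def encrypt_co_code(co_code: bytes, initial_key: int,
                    new_key: Callable[[], int],
                    has_arg: Callable[[int], bool] = default_has_arg,
                    ) -> Tuple[bytes, List[int]]:
    """Step 4: XOR each (opcode, arg) pair with the current instruction key.

    A parameterless instruction has a redundant 0x00 arg byte: a fresh key is
    written there and the whole pair is XORed with the *old* key, so the
    hidden key never sits in clear. The encryptor then switches to the fresh
    key. Returns the ciphertext and the generated keys (step 5 counts them).
    """
    key, out, keys = initial_key, bytearray(), []
    for off in range(0, len(co_code), 2):
        opcode, arg = co_code[off], co_code[off + 1]
        if has_arg(opcode):
            out += bytes((opcode ^ key, arg ^ key))
        else:
            fresh = new_key()
            out += bytes((opcode ^ key, fresh ^ key))  # hide, then XOR
            keys.append(fresh)
            key = fresh
    return bytes(out), keys


def decrypt_co_code(enc: bytes, initial_key: int,
                    has_arg: Callable[[int], bool] = default_has_arg,
                    ) -> Tuple[bytes, List[int]]:
    """Inverse of encrypt_co_code: rebuild the key chain from the hidden bytes.

    Only the initial key is needed; each later key is read out of the
    instruction that hid it, and the redundant byte is restored to 0x00 so
    the stock interpreter sees an ordinary parameterless instruction.
    """
    key, out, keys = initial_key, bytearray(), []
    for off in range(0, len(enc), 2):
        opcode, arg = enc[off] ^ key, enc[off + 1] ^ key
        if has_arg(opcode):
            out += bytes((opcode, arg))
        else:
            out += bytes((opcode, 0))
            keys.append(arg)
            key = arg
    return bytes(out), keys


def aes_layer_params(keys: List[int]) -> Optional[Tuple[str, bytes, Optional[bytes], int]]:
    """Step 5: choose the second AES layer from the number of keys generated.

    None below 16 keys; otherwise (mode, aes_key, iv, k): AES-<mode> keyed
    with the first 16 keys (IV = keys 17..32 for CBC) over the bytecode that
    was XORed with keys after the k-th. Regions holding hidden keys are
    excluded from that pass, as the patent notes.
    """
    n = len(keys)
    if n < FIRST_THRESHOLD:
        return None
    aes_key = bytes(keys[:FIRST_THRESHOLD])
    if n < SECOND_THRESHOLD:
        return ("ECB", aes_key, None, FIRST_THRESHOLD)
    return ("CBC", aes_key, bytes(keys[FIRST_THRESHOLD:SECOND_THRESHOLD]), SECOND_THRESHOLD)


def random_key() -> int:
    """Fresh key from the preset range 1..255: a 0 key would leave every
    following instruction in clear, so it is excluded."""
    return secrets.randbelow(255) + 1


if __name__ == "__main__":
    cipher, k0 = xor_constant(b"secret", 0x10)          # constructed constant
    raw = bytes([100, 1, 23, 0, 100, 2, 83, 0])          # constructed co_code
    enc, keys = encrypt_co_code(raw, k0, random_key, lambda op: op >= 90)
    print(enc.hex(), keys, aes_layer_params(keys))
    assert decrypt_co_code(enc, k0, lambda op: op >= 90) == (raw, keys)
```

Decrypting with any initial key other than the one produced by the constant pass yields a different opcode stream and a wrong key chain, which is the property the patent relies on when it says modified bytecode cannot run without the key information.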
In an optional embodiment, the code encryption device further comprises a first detection unit, a decryption unit, a second detection unit and a re-encryption unit.
Optionally, after the target bytecode is loaded into the interpreter, the first detection unit detects the encryption flag of a function in the target bytecode that is about to be called, where the encryption flag of a function indicates whether the code object corresponding to the function is encrypted; when the function's encryption flag is a preset flag, the decryption unit decrypts the function's bytecode by calling the decryption function corresponding to the function, that decryption function being one generated beforehand by regular expressions and stored in the decryption extension library; the second detection unit detects the function's call count, where the call count indicates the total number of times the function still needs to execute before the target code finishes; and when the call count equals a preset number, the re-encryption unit re-encrypts the decrypted form of the function.
Optionally, the preset number may be set to 0. A call count of 0 means the function does not need to be called again in the current run of the target code; to prevent the Python source code from leaking through decrypted function bytecode left in memory, the encryptor re-encrypts the function once it is no longer used.
It can be seen from the above that the code encryption device protects Python code by encrypting the bytecode corresponding to that code. The code encryption device first compiles the Python code to be protected into a code object and then encrypts the code object into the target bytecode, obtaining an encrypted bytecode file (the target bytecode) corresponding to the Python code. Compared with the prior-art approach of converting unprotected Python code directly into its bytecode file, the bytecode-based encryption used by the code encryption device does not change the running logic of the original Python code, so encrypting the Python code through the device is low in cost and incurs no additional high-cost resource consumption.
It follows that, by encrypting the bytecode corresponding to the Python code, the code encryption device protects that code: even if an attacker modifies the intermediate file corresponding to the Python code while it is running, the attacker cannot obtain the key information, so the modified Python code cannot run normally. This improves the security of the Python code and thereby addresses the low security of Python code caused by the language's ability to be edited dynamically at run time and by the open-source nature of the Python interpreter.
According to another aspect of the embodiments of the present application, a computer-readable storage medium is also provided. The computer-readable storage medium comprises a stored computer program which, when run, controls the device on which the storage medium is located to execute any one of the code encryption methods described above.
According to another aspect of the embodiments of the present application, an electronic device is also provided, comprising a processor and a memory for storing instructions executable by the processor, where the processor is configured to execute any one of the code encryption methods described above by executing the executable instructions.
FIG. 7 is a schematic diagram of an optional electronic device according to an embodiment of the present application. As shown in FIG. 7, an embodiment of the present application provides an electronic device comprising a processor, a memory, and a program stored in the memory and executable on the processor; when the processor executes the program, any one of the code encryption methods described above is implemented.
The embodiments and examples disclosed above are not exhaustive; they illustrate only some embodiments and examples and do not specifically limit the scope of protection of the present disclosure. Where there is no contradiction, each step of any embodiment or example of the present application may be implemented as an independent example, and the steps may be combined arbitrarily: for instance, a scheme obtained by removing some steps from an embodiment or example may also be implemented as an independent example, and the order of the steps in an embodiment or example may be exchanged arbitrarily. Furthermore, the optional modes or optional examples within an embodiment or example may be combined arbitrarily, and the embodiments or examples may be combined with one another arbitrarily: for instance, some or all steps of different embodiments or examples may be combined, and an embodiment or example may be combined with the optional modes or optional examples of other embodiments or examples.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the relevant description of the other embodiments.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
在一个典型的配置中,计算设备包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。存储器可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。存储器是计算机可读介质的示例。In a typical configuration, a computing device includes one or more processors (CPU), input/output interfaces, network interfaces, and memory. The memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in the form of read-only memory (ROM) or flash RAM. The memory is an example of a computer-readable medium.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带式磁盘存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer readable media include permanent and non-permanent, removable and non-removable media that can be implemented by any method or technology to store information. Information can be computer readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include temporary computer readable media (transitory media), such as modulated data signals and carrier waves.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, commodity or device. In the absence of more restrictions, the elements defined by the sentence "comprises a ..." do not exclude the existence of other identical elements in the process, method, commodity or device including the elements.
本领域技术人员应明白,本申请的实施例可提供为方法、系统或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will appreciate that the embodiments of the present application may be provided as methods, systems or computer program products. Therefore, the present application may adopt the form of a complete hardware embodiment, a complete software embodiment or an embodiment in combination with software and hardware. Moreover, the present application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
以上仅为本申请的实施例而已,并不用于限制本申请。对于本领域技术人员来说,本申请可以有各种更改和变化。凡在本申请的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在本申请的权利要求范围之内。The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included within the scope of the claims of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410961915.2A CN118916852A (en) | 2024-07-17 | 2024-07-17 | Code encryption method, device, program product and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410961915.2A CN118916852A (en) | 2024-07-17 | 2024-07-17 | Code encryption method, device, program product and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118916852A true CN118916852A (en) | 2024-11-08 |
Family
ID=93305934
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410961915.2A Pending CN118916852A (en) | 2024-07-17 | 2024-07-17 | Code encryption method, device, program product and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118916852A (en) |
- 2024-07-17: CN CN202410961915.2A patent/CN118916852A/en, status: active, Pending
Similar Documents
Publication | Title |
---|---|
US7549147B2 (en) | Security framework for protecting rights in computer software |
Behera et al. | Different obfuscation techniques for code protection |
EP1376310A2 (en) | Secure and opaque type library providing secure data protection of variables |
CN110826031B (en) | Encryption method, device, computer equipment and storage medium |
CN101751529A (en) | Method and apparatus for the secure processing of confidential content within a virtual machine of a processor |
CN107273723B (en) | So file shell adding-based Android platform application software protection method |
CN105022936A (en) | Class file encryption and decryption method and class file encryption and decryption device |
US20120144208A1 (en) | Indexed table based code encrypting/decrypting device and method thereof |
US7970133B2 (en) | System and method for secure and flexible key schedule generation |
CN111814162B (en) | Kernel sensitive data protection method based on customized hardware security attribute |
US10331896B2 (en) | Method of protecting secret data when used in a cryptographic algorithm |
CN108134673A (en) | A kind of method and device for generating whitepack library file |
GB2576755A (en) | System and method for providing protected data storage in a data memory |
CN111475168B (en) | A code compilation method and device |
CN106209346A (en) | Whitepack cryptographic technique is interlocked look-up table |
CN108875321A (en) | A kind of generation method of instruction set, device and electronic equipment |
Lee et al. | Classification and analysis of security techniques for the user terminal area in the Internet banking service |
CN113626773B (en) | Code protection method based on intermediate language |
CN117150515B (en) | Safety protection method for EDA secondary development source code, electronic equipment and storage medium |
CN118916852A (en) | Code encryption method, device, program product and electronic equipment |
KR101999209B1 (en) | A system and method for encryption of pointers to virtual function tables |
CN104866740A (en) | Static analysis preventing method and device for files |
EP3944106A1 (en) | Obfuscating method of protecting code |
d'Amore et al. | Source Code Anti-Plagiarism: A C# Implementation Using the Routing Approach |
CN113360859B (en) | Python interpreter-based encrypted file security control method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |