Summary of the invention
For the code that prevents JAVA software and logic, by reverse and crack, the invention provides a kind of method and apparatus of the JAVA of protection executable program.At first create a local dynamic link library file; enumerate the .class file in protected JAVA software; analyze the JVM code in this .class file; randomly draw the partial code fragment in the JVM code; situ in the partial code fragment extracted replaces with to the native method (namely; calling nation method), generate derivative function in local dynamic link library, realize the function of the described partial code fragment be extracted out.By method provided by the invention, can improve the security intensity of software.
The present invention is not only applicable to the windows platform, is applicable to the operating system that other use dynamic base mechanism yet.
A kind of method of protecting the JAVA executable program, concrete steps comprise:
1. create a local dynamic link libraries file;
2. enumerate the .class file in shielded JAVA software;
3. analyze the JVM code in this .class file, choose at random code snippet;
4. the code snippet that will choose is from taking out the .class file, and original position replaces with calling the native method;
5. in the local dynamic link library in step 1, generate a derivative function, function name is corresponding with the native method in step 4, the instruction in the simulation code fragment one by one, the function of the code snippet extracted in performing step 4.
6. get back to step 2, continue to enumerate, until finish.
According to an aspect of the present invention, the local dynamic link library file title in described step 1 is random.
According to an aspect of the present invention, for ease of robotization, realize in described step 3, extract code snippet and follow single-input single-output and storehouse balance principle.Described single-input single-output and storehouse balance principle, refer to that carrying out flow process can only enter this section code from described code snippet beginning, can't be in the middle of outside described code snippet, jumping to described code snippet, and can only leave this section code from described code snippet ending, can't be from described code snippet, jumping to outside code snippet; Fundamental operation in described code snippet is complete, during the described code snippet of turnover, does not relate to the temporary variable in the JVM storehouse.These two principles can realize by static analysis JVM instruction.
According to an aspect of the present invention, in step 4, the native method name is random.
According to an aspect of the present invention, in step 5 one by one the instruction in the simulation code fragment comprise to instructions such as access classes, objects, use JNI(JAVA Native Interface JAVA this locality to call) simulation; The arithmetic sum controls metastasis is used the local code simulation.
A kind of device of protecting the JAVA executable program specifically comprises:
Enumerate module, for enumerating the .class file of shielded JAVA software, and can be from .jar .war bag, extracting the .class file;
Analysis module, for analyzing the JVM code of .class file, choose code snippet according to single-input single-output and storehouse balance principle;
Replace code module, extracts away from the .class file for the code snippet that will choose, replace with calling a native method of naming at random in the situ of the code snippet be extracted;
Generate the local code module, be used to generating a local code derivative function, realize the function of the described code snippet be extracted out.
Use in the JAVA software after the present invention protects; the logic of code is dispersed in local dynamic library file, can take precautions against preferably the decompiling static analysis of JVM aspect, and because partial logic is replaced by local code; flow process be dispersed in JVM inside and outside, increased the difficulty of analyzing and cracking.In addition, the code in local dynamic base is directly operation, and the code before replacing can not be arranged in JVM, avoids like this attack of DUMP.Therefore the present invention has protected logic and the flow process of software preferably, and code and data security during operation, and can provide the algorithm of robotization to realize, the security that has improved software.
Embodiment
For making purpose of the present invention, technical scheme and advantage clearer, referring to the accompanying drawing embodiment that develops simultaneously, the present invention is described in more detail.
According to one embodiment of present invention, as shown in Figure 2, provide a kind of method of the JAVA of protection executable program, concrete steps comprise:
1. create a local dynamic link libraries file
2. enumerate the .class file in shielded JAVA software
3. analyze the JVM code in this .class file, choose at random code snippet
4. the code snippet that will choose is from taking out the .class file, and original position replaces with calling the native method
5. in the local dynamic link library in step 1, generate a derivative function, function name is corresponding with the native method in step 4, the instruction in the simulation code fragment one by one, the function of the code snippet extracted in performing step 4.
6. get back to step 2, continue to enumerate, until finish.
According to an aspect of the present invention, the local dynamic link library file title in described step 1 can be random.
According to an aspect of the present invention, for ease of robotization, realize in described step 3, extract code snippet and follow single-input single-output and storehouse balance principle.
According to an aspect of the present invention, in step 4, the native method name can be random.
According to an aspect of the present invention, in step 5 one by one the instruction in the simulation code fragment comprise to instructions such as access classes, objects, use JNI(JAVA Native Interface JAVA this locality to call) simulation; The arithmetic sum controls metastasis is used the local code simulation.
Described single-input single-output and storehouse balance principle, namely carrying out flow process is to enter this section code from the fragment beginning, cannot in the middle of outside fragment, jumping to fragment, can only leave this section code from the fragment ending, cannot in fragment, jump to outside.And in fragment, fundamental operation is complete, during the turnover fragment, do not relate to the temporary variable in the JVM storehouse.These two principles can realize by static analysis JVM instruction.
According to one embodiment of present invention, as shown in Figure 3, provide a kind of equipment of the JAVA of protection executable program, specifically comprise:
Enumerate module, for enumerating the .class file of shielded JAVA software, and can be from .jar .war bag, extracting the .class file.
Analysis module, for analyzing the JVM code of .class file, choose code snippet according to the principle of single-input single-output and storehouse balance.
Replace code module, extract away from the .class file for the code snippet that will choose, original position replaces with calling the native method of a random name.
Generate the local code module, be used to generating a local code derivative function, realize the function of the JAVA code snippet extracted.As preferably, the equipment of the protection executable program of the present embodiment also comprises encrypting module, for the information such as function or supplemental characteristic are encrypted.As shown in Figure 3, in Fig. 3, encrypting module is encrypted for the local code generation module.According to one embodiment of present invention, concrete cipher mode includes but not limited to: Custom Encryption algorithm, or disclosed symmetry, rivest, shamir, adelman.According to one embodiment of present invention, decipher during the running software after protection.The code of deciphering and relevant key etc. are placed in the local code derivative function.
The present invention creates a local dynamic link library file; enumerate the .class file in protected JAVA software; analyze the JVM code in this .class file; randomly draw code snippet; former extraction position replaces with calling native (nation method) method; in local dynamic link library, generate derivative function, realize extracting the function of code snippet.According to one embodiment of present invention, creating local dynamic link library file can generate automatically by the software programming instrument, and create local dynamic link library and belong to the state of the art, be not emphasis of the present invention, the application is not described in detail.
Use in the JAVA software after the present invention protects; the logic of code is dispersed in local dynamic library file, can take precautions against preferably the decompiling static analysis of JVM aspect, and because partial logic is replaced by local code; flow process be dispersed in JVM inside and outside, increased the difficulty of analyzing and cracking.In addition, the code in cup end dynamic base is directly operation, and the code before replacing can not be arranged in JVM, so, avoids the attack of DUMP.Therefore the present invention has protected logic and the flow process of software preferably, and code and data security during operation, and can provide the algorithm of robotization to realize, the security that has improved software.
Embodiment 1
According to one embodiment of present invention, as shown in Figure 1, Fig. 1 comprises the code signal fragment of each several part in the present embodiment.Instantiation is as follows: the software that certain is write by JAVA, a class MyClass is arranged in source code, and wherein defined three field a, b, c and a case method Mul, the logic of the method is that the value of field b and c is multiplied each other, result is assigned to field a.
The Java source code, when compiling, can generate a .class file for each class, and the structure of this .class file defines in the JVM document, be the set of a series of attributes and value.By resolving the class title association attributes in the .class file, can learn it comes from which class in source code; The analytic method Table Properties, can obtain methodical list in class again; Resolve the Code attribute of each method, can obtain the JVM bytecode of method.
For example corresponding MyClass.class file after compilation of source code shown in Fig. 1, have the Mul method in the method table parsed, and bytecode (JVM instruction) is as follows:
(only be signal, actual JVM instruction meeting is more complicated)
Load MyClass.a // a the field of current object is loaded into to JVM operation storehouse
Load MyClass.c // c the field of current object is loaded into to JVM operation storehouse
Mul // two numbers in storehouse are ejected and multiply each other, by the operation result pop down
SetField MyClass.b // by the b field that ejects and be saved in current object of counting in storehouse
According to the JVM document, the jump instruction in bytecode all is only limited to method inside, namely can not jump in the code of additive method (it is initial that the call instruction also can only be transferred to the code of additive method), so method is " singly entering "; Again because the target location of all jump instructions is staticly (namely when compiling, just can determine, there is no register and indirect branch, comprise that abnormality processing etc. is also static), so each JVM instruction column in method can be become to a table, whether whether analyzing and mark each instruction is redirect or call instruction, and be possible redirect destination.Consideration is by some the continuous code snippets that the JVM instruction forms, if they are not redirect or call instruction (or redirect is arranged but destination in fragment) yet, neither the redirect destination (or destination but all from interval), this fragment is single-input single-output.
JVM is based on storehouse, and the execution of each instruction has regulation to the impact of storehouse in document.As load int instruction meeting, be pressed into a word in storehouse, and mul int can eject 2, then be pressed into 1, amount to and be equivalent to reduce a word, can staticly determine when these are all also compiling.To JVM instruction list in method, and with a stack pointer, record every instruction and carry out the impact on storehouse.If continuous some the JVM instructions in certain single-input single-output interval, after carrying out, stack pointer is constant, and this sub-range is the storehouse balance.Between the JVM instruction area that the above illustrates, be namely single-input single-output and storehouse balance.
After by method of the present invention, protecting, the above JVM instruction in the .class file is taken out, and replaces with calling nation method native_fun123.And in newly-increased local dynamic link library, derived the native_fun123 function, instruction simulation one by one above JVM instruction.According to the definition in the JVM document, to each JVM instruction, all finish writing in advance one section local code and simulate its function.As the access object field, simulate with JNI, the simulation of local cpu multiplying order is used in multiplying.Local code fragment assembly corresponding to all instructions in JVM instruction fragment got up, just become the code of nation method.
Can see in the software after protection, there is no the JVM instruction of Mul method, the key logic of the method is also realized by local code and JNI when operation.
This method is not only applicable to windows platform, is applicable to the operating system that other use dynamic base mechanism yet.When other operating systems were used, method step and windows platform step were basic identical, repeat no more herein.
The foregoing is only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of doing, be equal to and replace and improvement etc., within all should being included in protection scope of the present invention.