CN114357389B - LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device - Google Patents
LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device Download PDFInfo
- Publication number
- CN114357389B CN114357389B CN202111680645.0A CN202111680645A CN114357389B CN 114357389 B CN114357389 B CN 114357389B CN 202111680645 A CN202111680645 A CN 202111680645A CN 114357389 B CN114357389 B CN 114357389B
- Authority
- CN
- China
- Prior art keywords
- basic block
- instruction
- loop
- instructions
- basic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 34
- 230000006870 function Effects 0.000 claims abstract description 13
- 230000011218 segmentation Effects 0.000 claims description 18
- 230000009191 jumping Effects 0.000 claims description 16
- 238000003780 insertion Methods 0.000 claims description 9
- 230000037431 insertion Effects 0.000 claims description 9
- 238000000605 extraction Methods 0.000 claims description 7
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 230000003068 static effect Effects 0.000 abstract description 5
- 239000000284 extract Substances 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 6
- 230000001419 dependent effect Effects 0.000 description 3
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
Landscapes
- Devices For Executing Special Programs (AREA)
Abstract
The invention discloses a LLVM (logical level virtual machine) -based instruction adding and mixing method and device, wherein the method converts a source program to be mixed into an LLVM intermediate representation file, and extracts functions, original basic blocks and instruction information; all instructions in each original basic block are subjected to dependency analysis, the instructions in the original basic blocks are split into a plurality of instruction dependency sets according to the dependency relationship among the instructions, a position is randomly selected, and the original basic blocks are segmented into a first basic block and a second basic block; and inserting an overlapped jump instruction between the first basic block and the second basic block, and further inserting a false loop instruction to convert the confusing intermediate representation file into an executable file of the target platform. The method can effectively interfere the analysis of reverse personnel while fully utilizing the instruction information in the source program, and increases the difficulty of static analysis; in addition, the method is based on the LLVM intermediate representation layer, can be applied to different front-end programming languages and target machine architectures, and has universality.
Description
Technical Field
The invention relates to the technical field of computer security, in particular to a LLVM (logical level virtual machine) -based instruction flower confusion method and device.
Background
Along with the continuous popularization of the mobile internet, the use frequency of various software is greatly increased, and accordingly, the intellectual property problem of the software is seriously threatened, and huge losses are caused for enterprises and individuals. Code obfuscation techniques are one of the most effective methods of protecting software from tampering. Code obfuscation converts the code of a computer program into a form that is identical to the original function but more difficult to read and understand, not with the aim of preventing reverse engineering, but rather with the aim of increasing the difficulty of reverse. Instruction confusion is a typical code confusion manner, and can be further divided into instruction substitution, instruction addition and the like.
The purpose of instruction-adding is to add some useless information to the program that does not alter the behavior of the program, but can hide the original program in irrelevant code to interfere with the reverse engineer's analysis. The traditional instruction adding method is mainly divided into two ideas, one is to directly insert some irrelevant variables in the middle of source codes, so that the codes are more complex, a reverse engineer is forced to spend higher cost to delete useless instructions, and the other is to insert some incomplete bytes at some positions of the instructions, so that disassembly errors are caused. The two modes can simply and effectively increase the disassembly difficulty, but with the optimization of a reverse tool, the traditional instruction adding method is easily identified and restored or deleted by a disassembly device or a code optimizer, and is usually specific to a specific programming language and a machine platform, and has no universality.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention provides a LLVM (logical level virtual machine) -based instruction adding confusion method and device.
The invention provides an instruction flower confusion method based on LLVM, which comprises the following steps:
converting a source program to be confused into an LLVM intermediate representation file, and extracting functions, original basic blocks and instruction information;
Carrying out dependency analysis on all instructions in each original basic block, splitting the instructions in the original basic blocks into a plurality of instruction dependency sets according to the dependency relationship among the instructions, wherein the data dependency relationship exists among the instructions in each instruction dependency set;
Randomly selecting a position from among the instruction dependency sets, and dividing the original basic block into a first basic block and a second basic block;
inserting an overlapped jump instruction between the first basic block and the second basic block, wherein the overlapped jump instruction comprises a third basic block different from the second basic block and a jump relation between the third basic block and the first basic block and the second basic block;
And converting the confusing intermediate representation file into an executable file of the target platform.
Specifically, an overlapping jump instruction is inserted between the first basic block and the second basic block, the overlapping jump instruction includes a third basic block different from the second basic block and a jump relation between the third basic block and the first basic block and the second basic block, and the method includes:
Creating a copy by taking the segmented second basic block as a prototype to obtain a copy basic block; randomly modifying the operators and operands of the instructions in the duplicate basic blocks to obtain a third basic block; and constructing a jump relation among the first basic block, the second basic block and the third basic block by using dynamic opaque predicates, wherein the jump relation is when the condition is true jump to the second basic block, and the jump relation is when the condition is false jump to the third basic block.
Further, inserting a false loop instruction between the first basic block and the third basic block, the false loop instruction including a loop entry, a loop condition, and a loop body; wherein the loop condition is a variable randomly selected from the original basic block.
Specifically, the method further comprises jumping to a loop entry when a condition in the jumping relation is false; and jumping to the loop body when the loop condition is met until the loop condition is not met, and jumping to the third basic block.
Specifically, the number of the third basic blocks is 2 or more.
On the other hand, the invention also provides an instruction adding and confusing device based on LLVM, which comprises the following subsystems:
Extracting a related information subsystem, a dependency analysis and basic block segmentation subsystem, a garbage instruction insertion subsystem and an executable file generation subsystem; wherein the extraction related information subsystem comprises:
the intermediate code conversion module is used for converting the source program to be confused into an LLVM intermediate representation file;
The information extraction module is used for extracting functions, original basic blocks and instruction information;
the dependency analysis and basic block segmentation subsystem comprises:
the dependency analysis module is used for carrying out dependency analysis on all instructions in each original basic block, splitting the instructions in the original basic blocks into a plurality of instruction dependency sets according to the dependency relationship among the instructions, wherein the data dependency relationship exists among the instructions in each instruction dependency set;
the basic block segmentation module is used for randomly selecting a position from among the instruction dependency sets and segmenting the original basic block into a first basic block and a second basic block;
The insert garbage instruction subsystem comprises:
An insert overlapped jump instruction module for inserting an overlapped jump instruction between the first basic block and the second basic block, wherein the overlapped jump instruction comprises a third basic block different from the second basic block and a jump relation between the third basic block and the first basic block and the second basic block;
And generating an executable file subsystem for converting the confusing intermediate representation file into an executable file of the target platform.
The insert overlapped jump instruction module is specifically configured to:
Creating a copy by taking the segmented second basic block as a prototype to obtain a copy basic block; randomly modifying the operators and operands of the instructions in the duplicate basic blocks to obtain a third basic block; and constructing a jump relation among the first basic block, the second basic block and the third basic block by using dynamic opaque predicates, wherein the jump relation is when the condition is true jump to the second basic block, and the jump relation is when the condition is false jump to the third basic block.
Further, the garbage insertion instruction subsystem further comprises an insertion false loop instruction module for inserting a false loop instruction between the first basic block and the third basic block, the false loop instruction comprising a loop entry, a loop condition, and a loop body; wherein the loop condition is a variable randomly selected from the original basic block.
The false loop inserting instruction module is further used for jumping to a loop entry when the condition in the jumping relation is false; and jumping to the loop body when the loop condition is met until the loop condition is not met, and jumping to the third basic block.
The number of the third basic blocks inserted by the insert overlapped jump instruction module is 2 or more.
The invention has the beneficial effects that:
The invention provides a LLVM-based instruction adding and confusing method and device, which are characterized in that a source program is converted into an LLVM intermediate representation file, then the position of garbage instruction insertion is randomly selected by combining data dependence analysis of instructions, so that diversity and randomness of confusing results are ensured, the inserted superimposed jump instruction is similar to but different from the instructions in an original basic block in height, further, the inserted false loop instruction comprises a large number of branch instructions influencing program complexity in static analysis, loop control conditions are derived from variables in the original basic block, and the inserted garbage instruction can effectively interfere analysis of reverse personnel while fully utilizing instruction information in the source program, so that the difficulty of static analysis is increased. In addition, the method is based on the LLVM intermediate representation layer, can be suitable for any programming language and target platform architecture supported by the LLVM, and has modularity and universality.
Drawings
FIG. 1 is a block flow diagram of the obfuscation method of the present invention.
Fig. 2 is a block diagram of a system architecture provided by an embodiment of the obfuscating device of the present invention.
Fig. 3 is a schematic program control flow diagram (taking 2 third basic blocks as an example) after inserting an optional overlapped jump instruction provided by the obfuscation method of the present invention.
FIG. 4 is a schematic diagram of an alternative program control flow after inserting false loop instructions (2 third basic blocks are taken as an example) provided by the obfuscation method of the present invention.
Detailed Description
The implementation steps of the method provided by the invention comprise: the method comprises a stage of extracting relevant information of the file to be confused, a stage of dependency analysis and basic block segmentation, a stage of inserting garbage instructions and a stage of generating executable files.
The phase of extracting the relevant information of the file to be confused comprises the following steps:
Step 1, converting a source program into an LLVM intermediate representation file, namely compiling the source program to be confused into the LLVM intermediate representation file (such as a. Bc or. Ll file) by using an LLVM front-end compiler (such as Clang);
The method is based on the LLVM intermediate representation layer, can be suitable for any programming language and target platform architecture supported by the LLVM, and has modularity and universality.
Step 2, extracting information of functions, basic blocks and instructions according to the intermediate representation file obtained in the step 1, namely traversing from the program, the functions and the basic block layers to obtain the information of the functions, the basic blocks and the instructions;
the extracted basic blocks are all original basic blocks.
The dependency analysis and basic block segmentation phase comprises the steps of:
Step 3, traversing each instruction according to the instruction information obtained in the step 2, and checking whether the dependency analysis is carried out;
Step 4, starting from any instruction which is not subjected to dependency analysis in the step 3, traversing other instructions, analyzing to obtain all instructions with dependency relation with the instructions, treating the instructions as a unified instruction set, and mutually relying the instructions in the set and being inseparable;
step 5, according to the inseparable dependent instruction set obtained in the step 4, randomly selecting a position from the instruction sets to divide the basic block into two parts;
The insert garbage instruction stage comprises the following steps:
And 6, constructing a superposition jump instruction by taking the basic block obtained after the segmentation in the step 5 as a prototype. That is, a copy is first created based on the original basic block, and then the operators and operands of the instructions in the copy basic block are randomly modified, so that the copy basic block constructed is highly similar to but different from the original basic block, and can greatly interfere with the analysis of the inverse personnel. Then under the condition of guaranteeing source program semantics, constructing a proper jump relation by using dynamic opaque predicates;
In this step, an original basic block is split into two, called a first basic block and a second basic block, a copy can be created by taking the first basic block as a prototype, the operators and operands of the instructions in the copy basic block are modified randomly, and the processes of splitting, creating a copy and modifying the operators and operands of the instructions in the copy basic block can be repeated by using a constructed third basic block as the prototype, so that the constructed copy basic block can be called the third basic block. The number of the third basic blocks can be 1 or more (2 third basic blocks are obtained as shown in fig. 3), so that the basic blocks added in the whole process are connected through a skip relation constructed by opaque predicates. The opaque predicate is effectively a statement, assuming that the true first basic block jumps to the second basic block, otherwise jumps to the third basic block.
Step 7, analyzing the basic block obtained after the segmentation in the step 5 according to the thought of the step 2, extracting an operand of a program instruction as a circulation condition, constructing a false circulation instruction containing a custom circulation statement, and then inserting the false circulation instruction between the original basic block and the copy constructed in the step 6; the false loop instruction includes a loop entry, a loop condition, and a loop body.
After inserting the false loop instruction, if the assumption condition in step 6 is false, the loop entry of the false loop instruction is jumped to, the loop body is jumped to if the loop condition is satisfied, the loop body is not jumped to until the loop condition is not satisfied, and the loop body is jumped to the third basic block. In this step, the circulation conditions are derived from the variables in the original basic block, so that the analysis of the inverse personnel can be effectively disturbed.
The executable file generation stage comprises the following steps:
And 8, according to the target platform operated by the confused program, converting the confused intermediate representation file into an executable file based on a specific platform by utilizing an LLVM back-end compiler.
According to the embodiment of the invention, the source program is converted into the LLVM intermediate representation file, then the dependency analysis is combined to randomly select the insertion position of the garbage instruction, so that the diversity and the randomness of the confusion result are ensured, the inserted superimposed jump instruction is similar to but different from the instruction in the original basic block, the false loop instruction comprises a large number of branch instructions influencing the complexity of the program in static analysis, the loop control conditions are derived from the variables in the original basic block, and the two types of garbage instructions can effectively interfere the analysis of reverse personnel while fully utilizing the instruction information in the source program, so that the difficulty of the static analysis is increased. In addition, the method is based on the LLVM intermediate representation layer, can be suitable for any programming language and target platform architecture supported by the LLVM, and has modularity and universality.
By using the LLVM-based instruction adding and confusing method, the invention realizes a corresponding LLVM-based instruction adding and confusing device, which comprises the following steps: extracting a related information subsystem, a dependency analysis and basic block segmentation subsystem, a garbage instruction insertion subsystem and an executable file generation subsystem; wherein,
The related information extraction subsystem comprises an intermediate code conversion module and an information extraction module; the intermediate code conversion module mainly uses a front-end compiler (e.g., clang) of the LLVM to convert a source program written in a specific high-level programming language (e.g., C language) into an intermediate representation of the LLVM; the information extraction module extracts related information of functions, basic blocks and instructions by traversing the intermediate representation;
The dependency analysis and basic block segmentation subsystem comprises a dependency relation analysis module and a basic block segmentation module; the dependency analysis module divides the instructions into a plurality of independent instruction sets by analyzing the data dependency among the instructions in the basic block, and the instructions in the instruction sets have the interdependence; the basic block segmentation module randomly selects two independent instruction sets to segment, and segments an original basic block into two independent basic blocks;
the insert garbage instruction subsystem comprises an insert superposition jump instruction module and an insert false loop instruction module; inserting a superposition jump instruction module to copy the segmented basic blocks as prototypes to obtain copies, randomly modifying operands and operators of instructions in the basic blocks of the copies to obtain basic blocks with the height similar to that of the original basic blocks, and then controlling jump relations between the original basic blocks and the copies by using dynamic opaque predicates; inserting a false loop instruction module, extracting an operand in a basic block as a loop control condition, constructing the basic block containing a loop instruction and inserting the basic block between the original basic block and the constructed overlapped jump instruction;
the function of the executable file subsystem is to convert the obfuscated intermediate representation file into an executable file based on a specific target platform by using the LLVM back-end compiler so that it can run on a different architecture.
A detailed example is given below to illustrate the method of the invention.
FIG. 1 is a block flow diagram of the obfuscation method of the present invention. The implementation of the invention comprises four stages, and the following specific embodiments can be adopted:
step one, extracting relevant information of a file to be confused;
stage two, dependency analysis and basic block segmentation;
Step three, inserting a garbage instruction;
and step four, generating an executable file.
Wherein stage one includes the following steps:
step 1, converting a source program into an LLVM intermediate representation file, namely compiling the source program to be confused into the LLVM intermediate representation file (such as. Bc or. Ll) by using an LLVM front-end compiler (such as Clang);
further, taking the program test.c to be confused as an example, the following commands can be used for compiling and generating the bc file:
clang++-c-emit-llvm test.c-o test.bc
the following commands may also be used for compilation, generating the. Ll file:
clang++-S-emit-llvm test.c-o test.ll
Step 2, traversing the bc file generated in the step 1 to obtain functions, basic blocks and specific instruction information of the file;
The second stage comprises the following steps:
Step 3, carrying out data dependency analysis of the instruction according to the related information of the instruction in the basic block obtained in the step 2;
Further, taking instruction%3=% 1+%2 as an example, the instruction%3 involves two operands,% 1 and%2, meaning that%3 depends on%1 and%2, thus requiring an upward search to find both 1% and%2 instructions, adding them to an instruction dependency set with%3. The dependent instructions of both instructions% 1 and% 2 then continue to be analyzed until no new dependent instructions are generated. At this time, all instructions in the instruction dependency set should be regarded as a unified whole, and there are inter-dependencies inside them. Finally, the instructions in the whole basic block are divided into a plurality of independent instruction sets;
Step 4, taking fig. 3 as an example, randomly selecting a position from the instruction dependency set generated in step 3, and dividing the basic block into two parts, which are named startBB and mainBB;
wherein the third stage comprises the steps of:
Step 5, inserting an overlapped jump instruction between startBB and mainBB;
further, using mainBB as a prototype to copy, and performing some random substitution (not necessarily equivalent) on the instructions in the basic blocks to obtain bogusBB, bogusBB2 and other basic blocks which are similar to mainBB in height but are different from each other (the number of specific basic blocks is specified by a user, as shown in fig. 3, to obtain 2 basic blocks which are similar to mainBB in height but are different from each other); the dynamic opaque predicates are then used to construct the jump relationship shown in FIG. 3, i.e., set to jump to mainBB when the condition is true, jump to bogusBB1 when the condition is false, and the same applies to bogusBB1, and the process can nest multiple rounds.
Step 6, taking fig. 4 as an example, inserting a false loop instruction between startBB and bogusBB;
Further, the false loop instruction contains three basic blocks involved in the loop: entryBB, loopCondition and loopBody. Taking this code as an example, entryBB corresponds to the pre-declaration of the loop statement on line 1-2, loopCondition is the loop condition determination on line 3, which is a variable randomly selected from the original basic block, here exemplified by 10, and loopBody is the inner loop body on line 4. The jump relationship between these three basic blocks is: first entryBB jumps to loopCondition to determine if a loop body is entered. When the loop condition is met, loopCondition blocks jump to loopBody blocks, then jump back to loopCondition blocks again, and judge again. Until loopCondition is not satisfied, the loop exits and jumps to bogusBB1 constructed in step 5;
wherein the fourth stage comprises the steps of:
And 7, converting the confused intermediate representation file into an executable file based on a specific target platform by using an LLVM back-end compiler so that the executable file can run on different architectures.
Through the four-stage operation, the LLVM-based instruction adding confusion method is realized.
By using the instruction adding and confusing method based on LLVM, the invention realizes a corresponding instruction adding and confusing device based on LLVM, and FIG. 2 is a system structure block diagram provided by the embodiment of the confusing device of the invention; the instruction adding and confusing device comprises the following subsystems:
the subsystem is a subsystem for extracting related information;
the subsystem II is a dependency analysis and basic block segmentation subsystem;
a third subsystem is inserted into the garbage instruction subsystem;
generating an executable file subsystem by the subsystem IV;
the subsystem comprises the following modules:
a first module, an intermediate transcoding module, for converting a source program written in a specific high-level programming language (e.g., C language) into an intermediate representation of the LLVM using a front-end compiler (e.g., clang) of the LLVM;
the second module is used for extracting related information of the function, the basic block and the instruction by traversing the intermediate representation;
the subsystem II comprises the following modules:
The third module is a dependency analysis module, which divides the instructions into a plurality of independent instruction sets by analyzing the data dependency relationship among the instructions in the basic block, wherein the mutual dependency relationship exists among the instructions in the instruction sets;
a fourth module, a basic block segmentation module, which randomly selects two independent instruction sets for segmentation, and segments the original basic block into two independent basic blocks;
The subsystem III comprises the following modules:
inserting a superposition jump instruction module, copying the segmented basic block as a prototype to obtain a copy, randomly modifying an operand and an operator of an instruction in the basic block of the copy, and controlling a jump relation between the original basic block and the copy by using a dynamic opaque predicate;
A module six, after inserting the overlapped jump instruction, the false loop instruction inserting module extracts the operand in the basic block as a loop control condition, constructs the basic block containing the loop instruction and inserts the basic block between the original basic block and the copy constructed by the module 5;
the subsystem IV comprises the following modules:
And a module seven, which is used for generating an executable file sub-module, and converting the confused intermediate representation file into an executable file based on a specific target platform by using an LLVM back-end compiler so that the executable file can run on different architectures.
It should be noted that the purpose of the disclosed embodiments is to aid further understanding of the present invention, but those skilled in the art will appreciate that: various alternatives and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to the disclosed embodiments, but rather the scope of the invention is defined by the appended claims.
Claims (2)
1. An instruction adding and confusing method based on LLVM, which is characterized by comprising the following steps:
converting a source program to be confused into an LLVM intermediate representation file, and extracting functions, original basic blocks and instruction information;
Carrying out dependency analysis on all instructions in each original basic block, splitting the instructions in the original basic blocks into a plurality of instruction dependency sets according to the dependency relationship among the instructions, wherein the data dependency relationship exists among the instructions in each instruction dependency set;
Randomly selecting a position from among the instruction dependency sets, and dividing the original basic block into a first basic block and a second basic block;
Inserting an overlapped jump instruction between the first basic block and the second basic block, wherein the overlapped jump instruction comprises a third basic block different from the second basic block and a jump relation between the third basic block and the first basic block and the second basic block; the method specifically comprises the following steps: creating a copy by taking the segmented second basic block as a prototype to obtain a copy basic block; randomly modifying the operators and operands of the instructions in the duplicate basic blocks to obtain a third basic block; constructing a jump relation among the first basic block, the second basic block and the third basic block by using dynamic opaque predicates, wherein when the condition is true jump to the second basic block, the condition is false jump to the third basic block;
Inserting a false loop instruction between the first basic block and the third basic block, the false loop instruction including a loop entry, a loop condition, and a loop body; wherein the loop condition is a variable randomly selected from the original basic block, including jumping to a loop entry when a condition in a jumping relationship is false; when the circulation condition is met, jumping to the circulation body until the circulation condition is not met, and jumping to a third basic block; the number of the third basic blocks is 2 or more;
And converting the confusing intermediate representation file into an executable file of the target platform.
2. The LLVM-based instruction adding and confusing device is characterized by comprising the following subsystems:
Extracting a related information subsystem, a dependency analysis and basic block segmentation subsystem, a garbage instruction insertion subsystem and an executable file generation subsystem; wherein the extraction related information subsystem comprises:
the intermediate code conversion module is used for converting the source program to be confused into an LLVM intermediate representation file;
the information extraction module is used for extracting functions, original basic blocks and instruction information;
the dependency analysis and basic block segmentation subsystem comprises:
the dependency analysis module is used for carrying out dependency analysis on all instructions in each original basic block, splitting the instructions in the original basic blocks into a plurality of instruction dependency sets according to the dependency relationship among the instructions, wherein the data dependency relationship exists among the instructions in each instruction dependency set;
the basic block segmentation module is used for randomly selecting a position from among the instruction dependency sets and segmenting the original basic block into a first basic block and a second basic block;
The insert garbage instruction subsystem comprises: an insert overlapped jump instruction module for inserting an overlapped jump instruction between the first basic block and the second basic block, wherein the overlapped jump instruction comprises a third basic block different from the second basic block and a jump relation between the third basic block and the first basic block and the second basic block;
The insert overlapped jump instruction module is specifically configured to: creating a copy by taking the segmented second basic block as a prototype to obtain a copy basic block; randomly modifying the operators and operands of the instructions in the duplicate basic blocks to obtain a third basic block; constructing a jump relation among the first basic block, the second basic block and the third basic block by using dynamic opaque predicates, wherein when the condition is true jump to the second basic block, the condition is false jump to the third basic block;
The garbage insertion instruction subsystem further comprises an insertion false loop instruction module for inserting a false loop instruction between the first basic block and the third basic block, the false loop instruction comprising a loop entry, a loop condition, and a loop body; wherein the loop condition is a variable randomly selected from the original basic block;
The false loop inserting instruction module is further used for jumping to a loop entry when the condition in the jumping relation is false; when the circulation condition is met, jumping to the circulation body until the circulation condition is not met, and jumping to a third basic block;
The number of the third basic blocks inserted by the insert superposition jump instruction module is 2 or more;
And generating an executable file subsystem for converting the confusing intermediate representation file into an executable file of the target platform.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111680645.0A CN114357389B (en) | 2021-12-31 | 2021-12-31 | LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111680645.0A CN114357389B (en) | 2021-12-31 | 2021-12-31 | LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114357389A CN114357389A (en) | 2022-04-15 |
| CN114357389B true CN114357389B (en) | 2024-04-16 |
Family
ID=81105876
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111680645.0A Active CN114357389B (en) | 2021-12-31 | 2021-12-31 | LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114357389B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115438318A (en) * | 2022-07-18 | 2022-12-06 | 桂林电子科技大学 | Complex control flow confusion method based on LLVM compiling optimization stage |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104834837A (en) * | 2015-04-03 | 2015-08-12 | 西北大学 | Binary code anti-obfuscation method based on semanteme |
| KR101837337B1 (en) * | 2017-02-14 | 2018-04-19 | 한양대학교 에리카산학협력단 | Obfuscated method of preventing CFG generation from using debugging tools to transform relative address jump into indirect jump between basic block in native code and apparatus therefor |
| CN109344612A (en) * | 2018-09-25 | 2019-02-15 | 郑州昂视信息科技有限公司 | The active defense method and system inversely attacked for program code static analysis |
| CN109784010A (en) * | 2018-12-18 | 2019-05-21 | 武汉极意网络科技有限公司 | A kind of program control flow based on LLVM obscures method and device |
| CN110210190A (en) * | 2019-05-30 | 2019-09-06 | 中国科学院信息工程研究所 | A kind of Code obfuscation method based on secondary compilation |
| CN111723345A (en) * | 2020-05-09 | 2020-09-29 | 中国人民解放军战略支援部队信息工程大学 | Control flow obfuscation method and system based on callback function |
| CN112434266A (en) * | 2021-01-26 | 2021-03-02 | 成都无糖信息技术有限公司 | Shell code control flow flattening confusion method |
| WO2021244054A1 (en) * | 2020-06-02 | 2021-12-09 | 浙江大学 | Contract code obfuscation platform and obfuscation method based on smart contract bytecode features |
| WO2021248665A1 (en) * | 2020-06-08 | 2021-12-16 | 西安电子科技大学 | Sgx side channel attack defense method and system, and medium, program and application |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7065652B1 (en) * | 2000-06-21 | 2006-06-20 | Aladdin Knowledge Systems, Ltd. | System for obfuscating computer code upon disassembly |
| EP2159732A1 (en) * | 2008-08-21 | 2010-03-03 | Thomson Licensing | Method and device for code obfuscation |
-
2021
- 2021-12-31 CN CN202111680645.0A patent/CN114357389B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104834837A (en) * | 2015-04-03 | 2015-08-12 | 西北大学 | Binary code anti-obfuscation method based on semanteme |
| KR101837337B1 (en) * | 2017-02-14 | 2018-04-19 | 한양대학교 에리카산학협력단 | Obfuscated method of preventing CFG generation from using debugging tools to transform relative address jump into indirect jump between basic block in native code and apparatus therefor |
| CN109344612A (en) * | 2018-09-25 | 2019-02-15 | 郑州昂视信息科技有限公司 | The active defense method and system inversely attacked for program code static analysis |
| CN109784010A (en) * | 2018-12-18 | 2019-05-21 | 武汉极意网络科技有限公司 | A kind of program control flow based on LLVM obscures method and device |
| CN110210190A (en) * | 2019-05-30 | 2019-09-06 | 中国科学院信息工程研究所 | A kind of Code obfuscation method based on secondary compilation |
| CN111723345A (en) * | 2020-05-09 | 2020-09-29 | 中国人民解放军战略支援部队信息工程大学 | Control flow obfuscation method and system based on callback function |
| WO2021244054A1 (en) * | 2020-06-02 | 2021-12-09 | 浙江大学 | Contract code obfuscation platform and obfuscation method based on smart contract bytecode features |
| WO2021248665A1 (en) * | 2020-06-08 | 2021-12-16 | 西安电子科技大学 | Sgx side channel attack defense method and system, and medium, program and application |
| CN112434266A (en) * | 2021-01-26 | 2021-03-02 | 成都无糖信息技术有限公司 | Shell code control flow flattening confusion method |
Non-Patent Citations (1)
| Title |
|---|
| Win32平台下基于LLVM的代码混淆技术研究;张泉等;信息工程大学学报;20180815;第19卷(第04期);498-502 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114357389A (en) | 2022-04-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Denis et al. | Creusot: A foundry for the deductive verification of Rust programs | |
| US8589897B2 (en) | System and method for branch extraction obfuscation | |
| Tratt | Model transformations and tool integration | |
| JP5496772B2 (en) | Method for building code executable for component-based application, computer-readable storage medium including program for executing the method, and compiler | |
| US8429637B2 (en) | System and method for conditional expansion obfuscation | |
| Miecznikowski et al. | Decompiling Java using staged encapsulation | |
| Deering et al. | Atlas: a new way to explore software, build analysis tools | |
| WO2000045260A1 (en) | Compiler, compiling method, and storage medium stored with program therefor | |
| CN110673852B (en) | Method, system and equipment for realizing control flow flattening based on front end of compiler | |
| Fischer et al. | Abstract syntax trees-and their role in model driven software development | |
| CN114357389B (en) | LLVM (logical Low level virtual machine) -based instruction flower adding confusion method and device | |
| CN103927164A (en) | Method and system for confusing scripts | |
| Juričić | Detecting source code similarity using low-level languages | |
| Ishihara et al. | Development and implementation of an interactive parallelization assistance tool for OpenMP: iPat/OMP | |
| Marin et al. | Towards a framework for generating program dependence graphs from source code | |
| KR102524627B1 (en) | System for obfuscation of binary programs using intermediate language and method therefor | |
| CN114003868A (en) | Method for processing software code and electronic equipment | |
| Arnold et al. | Specifying and verifying sparse matrix codes | |
| Bowen | From programs to object code and back again using logic programming: Compilation and decompilation | |
| Paulweber et al. | CASM-IR: uniform ASM-based intermediate representation for model specification, execution, and transformation | |
| Oliveira et al. | From circus to jcsp | |
| Borisov et al. | On the Characteristics of Symbolic Execution in the Problem of Assessing the Quality of Obfuscating Transformations | |
| Bach et al. | Model transformations with tom | |
| Ferreira et al. | TranspileJS, an Intelligent Framework for Transpiling JavaScript to WebAssembly | |
| CN108846265B (en) | A program reinforcement method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |