CN108932407A

CN108932407A - A kind of program safety guard method and device

Info

Publication number: CN108932407A
Application number: CN201810493964.2A
Authority: CN
Inventors: 黄绍莽; 潘剑锋
Original assignee: Beijing Qihoo Technology Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Priority date: 2018-05-22
Filing date: 2018-05-22
Publication date: 2018-12-04
Anticipated expiration: 2038-05-22
Also published as: CN108932407B

Abstract

The invention discloses a kind of program safety guard methods and device, this method to include：M called function is obtained from the source files of program that user edits；The look-up table of functions comprising M called function is established, M is the integer greater than 1；The function call instruction of called function each in M called function is replaced with into table lookup operation instruction, so as to obtain new program file, the table lookup operation instruction from look-up table of functions for obtaining current called function；Generate executable program file corresponding with new program file.

Description

A program security protection method and device

技术领域technical field

本发明涉及软件开发技术领域，尤其涉及一种程序安全保护方法及装置。The invention relates to the technical field of software development, in particular to a program security protection method and device.

背景技术Background technique

高级语言编写的源程序文件经过编译变成可执行程序文件，用于机器执行，而反编译是其逆过程，可以将可执行程序文件通过反编译得到可读的源程序文件。计算机软件反向工程(Reversepengineering)也称为计算机软件还原工程，就是指通过对他人软件的可执行程序文件进行“逆向分析、研究”等工作，以推导出他人的软件产品所使用的思路、原理、结构、算法、处理过程、运行方法等设计要素，从而作为自己开发软件时的参考，或者直接用于自己的软件产品中。A source program file written in a high-level language is compiled into an executable program file for machine execution, and decompilation is the reverse process. The executable program file can be decompiled to obtain a readable source program file. Computer software reverse engineering (Reverse engineering), also known as computer software restoration engineering, refers to the work of "reverse analysis and research" on the executable program files of other people's software to deduce the ideas and principles used by other people's software products. , structure, algorithm, processing process, operation method and other design elements, so as to be used as a reference when developing software by yourself, or directly used in your own software products.

因此，用户所自主开发的软件产品很容易被竞争对手通过计算机软件反向工程，反编译而知晓该软件产品所使用的思路、原理、结构、算法、处理过程、运行方法，导致软件产品被模仿，甚至盗取。因此，目前的软件产品的安全性不高。Therefore, software products independently developed by users can easily be reverse-engineered and decompiled by competitors through computer software to know the ideas, principles, structures, algorithms, processing procedures, and operating methods used by the software products, resulting in software products being imitated. , or even steal. Therefore, the security of the current software products is not high.

发明内容Contents of the invention

本发明实施例提供一种程序安全保护方法及装置，解决了软件产品的安全性不高的技术问题。Embodiments of the present invention provide a program security protection method and device, which solve the technical problem of low security of software products.

第一方面，本发明实施例提供了一种程序安全保护方法，包括：In a first aspect, an embodiment of the present invention provides a program security protection method, including:

从用户编辑的源程序文件中获取M个被调函数；Obtain M called functions from the source program file edited by the user;

建立包含所述M个被调函数的函数查找表，M为大于1的整数；Establish a function lookup table containing the M called functions, where M is an integer greater than 1;

将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，所述查表操作指令用于从所述函数查找表中获得当前被调函数；The function call instruction of each called function in the M called functions is replaced by a table lookup operation instruction so as to obtain a new program file, and the table lookup operation instruction is used to obtain from the function lookup table the current called function;

生成与所述新的程序文件对应的可执行程序文件。An executable program file corresponding to the new program file is generated.

可选的，所述建立包含所述M个被调函数的函数查找表，包括：Optionally, the establishment of a function lookup table containing the M called functions includes:

以单个所述被调函数对应所述函数查找表的一列，建立包含M列*N行的函数查找表，N为大于1的整数；Corresponding to a column of the function lookup table with a single described called function, set up a function lookup table comprising M columns*N rows, where N is an integer greater than 1;

在所述函数查找表的每列，建立对该列所在的被调函数的索引。In each column of the function lookup table, an index of the called function where the column is located is established.

可选的，所述从用户编辑的源程序文件中获取M个被调函数，包括：Optionally, the acquisition of M called functions from the source program file edited by the user includes:

通过扫描所述源程序文件，获取所述源程序文件中存在的每个被调函数，或者满足预设条件的被调函数。By scanning the source program file, each called function existing in the source program file, or a called function meeting a preset condition is obtained.

可选的，所述在所述函数查找表的每列，建立对该列所在的被调函数的索引，包括：Optionally, in each column of the function lookup table, an index of the called function where the column is located is established, including:

对每个所述被调函数分配列索引，所述列索引用于确定所述被调函数在所述函数查找表的所在列；assigning a column index to each called function, and the column index is used to determine the column where the called function is located in the function lookup table;

在每个所述被调函数的列索引下，对所述函数查找表中当前列的被调函数建立行索引，所述行索引用于在所述函数查找表中当前列获取所述被调函数。Under each column index of the called function, a row index is established for the called function of the current column in the function lookup table, and the row index is used to obtain the called function in the current column of the function lookup table function.

可选的，所述对每个所述被调函数分配列索引，包括：Optionally, the assigning a column index to each called function includes:

随机为每个所述被调函数分配作为列索引的整数值；randomly assigning an integer value as a column index to each of said called functions;

对每个所述被调函数的列索引进行加密处理，得到每个所述被调函数的加密列索引；Encrypting the column index of each called function to obtain the encrypted column index of each called function;

构建针对每个所述加密列索引的第一解密函数，所述第一解密函数用于解密每个所述加密列索引，得到与加密列索引对应的列索引。A first decryption function for each encrypted column index is constructed, and the first decrypted function is used to decrypt each encrypted column index to obtain a column index corresponding to the encrypted column index.

可选的，所述对所述函数查找表中当前列的被调函数建立行索引，包括：Optionally, establishing a row index for the called function in the current column in the function lookup table includes:

对当前列的被调函数建立N级行索引，其中，当前行的行索引为上一行的查表结果，最后一级行索引对应的查表结果为当前列的被调函数。An N-level row index is established for the called function of the current column, wherein the row index of the current row is the table lookup result of the previous row, and the table lookup result corresponding to the row index of the last level is the called function of the current column.

可选的，所述对当前列的被调函数建立N级行索引，包括：Optionally, the establishment of an N-level row index for the called function of the current column includes:

对所述N级行索引中的一个或者多个行索引进行加密处理，得到对应的加密行索引；Encrypting one or more row indexes in the N-level row indexes to obtain corresponding encrypted row indexes;

构建针对每个所述加密行索引的第二解密函数，所述第二解密函数用于解密每个所述加密行索引，得到对应的行索引。A second decryption function for each encrypted row index is constructed, and the second decryption function is used to decrypt each encrypted row index to obtain a corresponding row index.

可选的，在所述将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令之后，还包括：Optionally, after the function call instruction of each of the M called functions is replaced with a table lookup operation instruction, it also includes:

将对应所述函数查找表中间行的查表操作指令处理为该查表操作指令中查表函数的递归调用；或者Processing the table lookup operation instruction corresponding to the middle row of the function lookup table as a recursive call of the table lookup function in the table lookup operation instruction; or

将对应所述函数查找表中间行的查表操作指令处理为多个查表操作指令中查表函数的相互递归调用。The table lookup operation instruction corresponding to the middle row of the function lookup table is processed as mutual recursive calls of the table lookup function in the multiple table lookup operation instructions.

第二方面，本发明实施例提供一种程序安全保护装置，包括：In a second aspect, an embodiment of the present invention provides a program security protection device, including:

函数获取单元，用于从用户编辑的源程序文件中获取M个被调函数；A function acquisition unit, configured to acquire M called functions from the source program file edited by the user;

查找表建立单元，用于建立包含所述M个被调函数的函数查找表，M为大于1的整数；A lookup table establishment unit, configured to establish a function lookup table containing the M called functions, where M is an integer greater than 1;

指令替换单元，用于将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，所述查表操作指令用于从所述函数查找表中获得当前被调函数；An instruction replacement unit, configured to replace the function call instruction of each of the M called functions with a table lookup operation instruction, so as to obtain a new program file, and the table lookup operation instruction is used to obtain a new program file from the Obtain the current called function from the above function lookup table;

文件生成单元，用于生成与所述新的程序文件对应的可执行程序文件。A file generating unit, configured to generate an executable program file corresponding to the new program file.

可选的，所述查找表建立单元，包括：Optionally, the look-up table establishment unit includes:

建表子单元，用于以单个所述被调函数对应所述函数查找表的一列，建立包含M列*N行的函数查找表，N为大于1的整数；The table building subunit is used to correspond to a column of the function lookup table with a single described function to be adjusted, and establish a function lookup table including M columns*N rows, where N is an integer greater than 1;

建索引子单元，用于在所述函数查找表的每列，建立对该列所在的被调函数的索引。The index building subunit is used to create an index of the called function in each column of the function lookup table.

可选的，所述函数获取单元，包括：Optionally, the function acquisition unit includes:

通过扫描所述源程序文件，获取所述源程序文件中存在的每个被调函数，或者满足预设条件的被调函数。By scanning the source program file, each called function existing in the source program file, or a called function meeting a preset condition is acquired.

可选的，所述建索引子单元，具体用于：Optionally, the index building subunit is specifically used for:

可选的，还包括查表指令处理单元，用于：Optionally, a table lookup instruction processing unit is also included for:

第三方面，本发明实施例提供一种计算机可读存储介质，其上存储有计算机程序，该程序被处理器执行时实现第一方面中任一可能的实现方式所述的步骤。In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processor, the steps described in any possible implementation manner in the first aspect are implemented.

第四方面，本发明实施例提供一种计算机设备，包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序，所述处理器执行所述程序时实现第一方面中任一可能的实现方式所述的步骤。In a fourth aspect, an embodiment of the present invention provides a computer device, including a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, any aspect of the first aspect is implemented. Steps described in a possible implementation manner.

本发明实施例中提供的一个或多个技术方案，至少具有如下技术效果或优点：One or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:

通过从用户编辑的源程序文件中获取M个被调函数；建立包含M个被调函数的函数查找表，将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，查表操作指令用于从函数查找表中获得当前被调函数；生成与新的程序文件对应的可执行程序文件。将直接的函数调用指令变成了对被调函数在函数查找表中的查表操作指令，能够将程序中的函数调用完全隐藏在表中，使得最后生成的可执行程序文件中不再是直接的函数调用，而是需要查表才能得到被调函数，以此实现了查表调用函数。而这种查表调用函数的方式，使得逆向工程师很难从反编译可执行程序文件得到程序中看出真实的调用函数，从而提高了逆向难度，进而提高了软件产品的安全性。By obtaining M called functions from the source program file edited by the user; establishing a function lookup table containing M called functions, and replacing the function call instructions of each called function in the M called functions with look-up The table operation instruction is used to obtain a new program file, and the table lookup operation instruction is used to obtain the current called function from the function lookup table; generate an executable program file corresponding to the new program file. Turn the direct function call instruction into a table lookup operation instruction for the called function in the function lookup table, which can completely hide the function call in the program in the table, so that the final executable program file is no longer directly The function call, but needs to look up the table to get the called function, so as to realize the table lookup call function. And this way of looking up the table to call the function makes it difficult for the reverse engineer to see the real calling function from the program obtained by decompiling the executable program file, thereby increasing the difficulty of reverse engineering and thus improving the security of the software product.

附图说明Description of drawings

为了更清楚地说明本发明实施例中的技术方案，下面将对实施例描述中所需要使用的附图作一简单地介绍，显而易见地，下面描述中的附图是本发明的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the following will briefly introduce the drawings that need to be used in the description of the embodiments. Obviously, the drawings in the following description are some embodiments of the present invention. For those skilled in the art, other drawings can also be obtained based on these drawings without creative effort.

图1为本发明实施例提供的程序安全保护方法的流程图；FIG. 1 is a flowchart of a program security protection method provided by an embodiment of the present invention;

图2为本发明实施例提供的程序保护装置的程序模块图；FIG. 2 is a program module diagram of a program protection device provided by an embodiment of the present invention;

图3为本发明实施例提供的计算机设备的结构框图。Fig. 3 is a structural block diagram of a computer device provided by an embodiment of the present invention.

具体实施方式Detailed ways

本发明实施例通过提供一种程序安全保护方法及装置，解决了软件产品的安全性不高的技术问题，总体思路如下：The embodiment of the present invention solves the technical problem of low security of software products by providing a program security protection method and device. The general idea is as follows:

从用户编辑的源程序文件中获取M个被调函数；建立包含M个被调函数的函数查找表，将M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，查表操作指令用于从函数查找表中获得当前被调函数；生成与新的程序文件对应的可执行程序文件。Obtain M called functions from the source program file edited by the user; establish a function lookup table containing M called functions, and replace the function call instruction of each called function in the M called functions with a table lookup operation instruction In order to obtain a new program file, the table lookup operation instruction is used to obtain the current called function from the function lookup table; generate an executable program file corresponding to the new program file.

通过上述技术方案，将直接的函数调用指令变成了对被调函数在函数查找表中的查表操作指令，能够将程序中的函数调用完全隐藏在表中，使得最后生成的可执行程序文件中不再是直接的函数调用，而是需要查表才能得到被调函数，以此实现了查表调用函数。而这种查表调用函数的方式，使得逆向工程师很难从反编译可执行程序文件得到程序中看出真实的调用函数，从而提高了逆向难度，进而提高了软件产品的安全性。Through the above technical solution, the direct function call instruction is changed into a table lookup operation instruction for the called function in the function lookup table, and the function call in the program can be completely hidden in the table, so that the final generated executable program file It is no longer a direct function call, but needs to look up the table to get the called function, so as to realize the table lookup call function. And this way of looking up the table to call the function makes it difficult for the reverse engineer to see the real calling function from the program obtained by decompiling the executable program file, thereby increasing the difficulty of reverse engineering and thus improving the security of the software product.

下面将参照附图更详细地描述本发明的示例性实施例。虽然附图中显示了本发明的示例性实施例，然而应当理解，可以以各种形式实现本发明而不应被这里阐述的实施例所限制。相反，提供这些实施例是为了能够更透彻地理解本发明，并且能够将本发明的范围完整的传达给本领域的技术人员。需要说明的是，在不冲突的前提，本发明实施例提供的各个实施例可以相互结合。Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present invention are shown in the drawings, it should be understood that the invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present invention and to fully convey the scope of the present invention to those skilled in the art. It should be noted that, on the premise of no conflict, various embodiments provided in the embodiments of the present invention may be combined with each other.

用户编辑的源程序文件经过编译步骤和链接步骤生成可执行程序文件。需要说明的是，本发明实施例提供的步骤S101～S104正是应用于对源程序文件进行的编译步骤中，因此，在对源程序文件所进行的编译步骤中，除了本发明所给出的步骤，所需要进行的其他处理细节均可以参考现有技术，为了说明书的简洁，本文不进行赘述。The source program file edited by the user is compiled and linked to generate an executable program file. It should be noted that the steps S101-S104 provided by the embodiment of the present invention are just applied to the compiling step of the source program file, therefore, in the compiling step of the source program file, in addition to the The steps and other processing details that need to be performed can refer to the prior art, and for the sake of brevity of the description, details are not described herein.

参考图1所示，本发明实施例提供的程序安全保护方法，包括如下步骤：Referring to Figure 1, the program security protection method provided by the embodiment of the present invention includes the following steps:

步骤S101：从用户编辑的源程序文件中获取M个被调函数。Step S101: Obtain M called functions from the source program file edited by the user.

具体的，通过扫描源程序文件获取该源程序文件中的M个被调函数。获取该源程序文件中的M个被调函数，可以是：获取源程序文件中存在的每个被调函数或者满足预设条件的被调函数。Specifically, M called functions in the source program file are obtained by scanning the source program file. Obtaining the M called functions in the source program file may be: acquiring each called function existing in the source program file or a called function satisfying a preset condition.

就满足预设条件的被调函数而言，可以是获取源程序文件中用户自定义的被调函数，或者，获取源程序文件中属于库函数的被调函数，或者属于预设名单的被调函数。As far as the called function meeting the preset condition is concerned, it can be to obtain the user-defined called function in the source program file, or to get the called function belonging to the library function in the source program file, or to get the called function belonging to the preset list function.

步骤S102、建立包含所述M个被调函数的函数查找表，M为大于1的整数。Step S102, establishing a function lookup table including the M called functions, where M is an integer greater than 1.

在具体实施过程中，可以是将用户编辑的源程序导入程序加固工具中，由程序加固工具建立函数查找表。In the specific implementation process, the source program edited by the user may be imported into the program hardening tool, and the function lookup table is established by the program hardening tool.

函数查找表具体为M列*N行的函数查找表，N为大于1的整数。The function lookup table is specifically a function lookup table with M columns*N rows, where N is an integer greater than 1.

需要说明的是，函数查找表的列数根据从源程序文件中所获取的被调函数的数量确定，而函数查找表的行数至少为两行，因为在函数查找表的行数高度超过1时，分析出每一个真实调用的目标函数难度更高。It should be noted that the number of columns in the function lookup table is determined according to the number of called functions obtained from the source program file, and the number of rows in the function lookup table is at least two, because the height of the number of rows in the function lookup table exceeds 1 When , it is more difficult to analyze the target function of each real call.

在具体实施过程中，步骤S102的实现过程为：以单个所述被调函数对应所述函数查找表的一列，建立包含M列*N行的函数查找表，N为大于1的整数；在所述函数查找表的每列，建立对该列所在的被调函数的索引。In the specific implementation process, the implementation process of step S102 is: a column of the function look-up table corresponding to a single described function to be called, and a function look-up table including M columns*N rows is established, where N is an integer greater than 1; For each column of the above-mentioned function lookup table, an index of the called function where the column is located is established.

具体来讲，将每一个被调函数对应存放在函数查找表的一列，从而，函数查找表的每一列对应用于：一个主调函数对一个被调函数进行调用的被调函数查找。举例来讲，从源程序文件中获取2个被调函数，则建立的函数查找表为2列，比如，main()函数依次调用for()函数和bar()函数，则函数查找表为两列，一列针对for()函数的调用，另一列针对bar()函数的调用。Specifically, each called function is correspondingly stored in a column of the function lookup table, so that each column of the function lookup table is correspondingly used for: a called function lookup in which a calling function calls a called function. For example, if two called functions are obtained from the source program file, the function lookup table to be established has two columns. For example, the main() function calls the for() function and the bar() function in turn, and the function lookup table has two columns. Columns, one for the call to the for() function and the other for the call to the bar() function.

在具体实施过程中，建立对该列所在的被调函数的索引，可以有多种实施方式：In the specific implementation process, there are many ways to establish the index of the called function where the column is located:

可以是：直接为每个被调函数随机分配一个索引值，形成被调函数与索引值之间的一对一的直接索引关系，基于索引值直接查找到被调函数。而索引值可以为int值，比如，索引值为随机数1，对应被调函数A；索引值为随机数2，对应被调函数B。但是，这种方式被逆向的难度较低，为了提高逆向难度，可以基于如下流程实现：It may be: directly randomly assigning an index value to each called function, forming a one-to-one direct index relationship between the called function and the index value, and directly finding the called function based on the index value. The index value can be an int value, for example, the index value is a random number 1, which corresponds to the called function A; the index value is a random number 2, which corresponds to the called function B. However, this method is less difficult to be reversed. In order to increase the difficulty of reverse, it can be realized based on the following process:

步骤1：对每个所述被调函数分配列索引，所述列索引用于确定所述被调函数在函数查找表的所在列。Step 1: Assign a column index to each called function, and the column index is used to determine the column of the called function in the function lookup table.

具体来讲，在步骤1中，随机为每个被调函数分配作为列索引的整数值int。对每个被调函数的列索引进行加密处理，得到每个被调函数的加密列索引；构建针对每个所述加密列索引的第一解密函数，所述第一解密函数用于解密每个所述加密列索引，得到与所述加密列索引对应的作为列索引的整数值。Specifically, in step 1, each called function is randomly assigned an integer value int as a column index. Encrypt the column index of each called function to obtain the encrypted column index of each called function; construct a first decryption function for each encrypted column index, and the first decryption function is used to decrypt each The encrypted column index obtains an integer value corresponding to the encrypted column index as a column index.

具体的，可以是基于任何一种哈希加密算法对列索引进行加密处理，而第一解密函数是基于对应的哈希解密算法实现。Specifically, the column index may be encrypted based on any hash encryption algorithm, and the first decryption function is implemented based on the corresponding hash decryption algorithm.

在步骤1之后，接着执行步骤2：在每个所述被调函数的列索引下，对所述函数查找表中当前列的被调函数建立行索引，所述行索引用于在所述函数查找表中当前列获取所述被调函数。After step 1, then perform step 2: under each column index of the called function, set up a row index for the called function of the current column in the function lookup table, and the row index is used for the function in the function The called function is obtained by looking up the current column in the table.

在步骤2中，对所述函数查找表中当前列的被调函数建立行索引，具体可以是：对当前列的被调函数建立N级行索引，其中，当前行的行索引为上一行的查表结果，最后一级行索引对应的查表结果为当前列的被调函数。行索引的级数与函数查找表的行数相同。In step 2, a row index is established for the called function of the current column in the function lookup table, which may be specifically: an N-level row index is established for the called function of the current column, wherein the row index of the current row is the row index of the previous row The table lookup result, the table lookup result corresponding to the last row index is the called function of the current column. The number of levels of the row index is the same as the number of rows of the function lookup table.

需要说明的是，根据列索引对应的查表结果为第一级行索引，根据第一级行索引的查表结果为第二级级索引，基于第二级行索引进行查找，得到再下一行的行索引，依次进行，直到得到最后一行的查表结果，即：得到隐藏在最后一行的被调函数。It should be noted that the table lookup result corresponding to the column index is the first-level row index, and the table lookup result based on the first-level row index is the second-level index, and the next row is obtained by searching based on the second-level row index row index, and proceed in turn until the table lookup result of the last row is obtained, that is, the called function hidden in the last row is obtained.

在具体实施过程中，为了提高逆向难度，对所述N级行索引中的一个或者多个行索引进行加密处理，得到对应的加密行索引；构建针对每个所述加密行索引的第二解密函数，所述第二解密函数用于解密每个所述加密行索引，得到对应的行索引。In the specific implementation process, in order to improve the reverse difficulty, one or more row indexes in the N-level row indexes are encrypted to obtain the corresponding encrypted row indexes; the second decryption for each of the encrypted row indexes is constructed function, the second decryption function is used to decrypt each encrypted row index to obtain a corresponding row index.

通过上述步骤1～2，每一次通过查表函数table()的查表操作能够查到被调函数处于函数查找表的对应列、以及下一行的行索引，直到查找到函数查找表当前列的最后一行，而真正的被调函数正是隐藏在函数查找表的最后一行。Through the above steps 1 to 2, every time the table lookup operation of the table lookup function table() can find the corresponding column of the function lookup table and the row index of the next row of the called function, until the current column of the function lookup table is found The last line, and the real called function is hidden in the last line of the function lookup table.

具体的，可以是基于任何一种哈希加密算法对行索引进行加密处理，而第二解密函数是基于对应的哈希解密算法实现。Specifically, the row index may be encrypted based on any hash encryption algorithm, and the second decryption function is implemented based on the corresponding hash decryption algorithm.

通过对行索引的加解密，基于列索引并不能直接得到下一行的行索引，而需要基于对应的哈希解密算法才能得到下一行的行索引，进而才能得到最后一行的行索引，进而才能得到被调函数，实现查表调用函数。Through the encryption and decryption of the row index, the row index of the next row cannot be directly obtained based on the column index, but the row index of the next row can be obtained based on the corresponding hash decryption algorithm, and then the row index of the last row can be obtained, and then the row index of the last row can be obtained. The called function implements the lookup table calling function.

在步骤S102之后，接着执行步骤S103：将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，获得新的程序文件，所述查表操作指令用于从所述函数查找表中获得当前被调函数。After step S102, step S103 is then performed: the function call instruction of each called function in the M called functions is replaced with a table lookup operation instruction to obtain a new program file, and the table lookup operation instruction is used for The current called function is obtained from the function lookup table.

需要说明的是，查表操作指令为利用查表函数table()的指令。具体的，查表操作指令所用的查表函数table()，由于步骤S102进行了至少一次的索引加密/解密处理，使得查表操作指令所用的查表函数table()并不是直接通过索引值对应每一个函数调用，以增加了查表函数本身的逆向难度。It should be noted that the table lookup operation instruction is an instruction using the table lookup function table( ). Specifically, the table lookup function table() used in the table lookup operation instruction, because the index encryption/decryption process has been performed at least once in step S102, the table lookup function table() used in the table lookup operation instruction does not directly correspond to the index value Each function call increases the reverse difficulty of the table lookup function itself.

为了进一步增加逆向难度，除函数查找表的第一行与最后一行之外，中间行的查表操作指令处理为查表函数本身的递归调用，或者多个查表函数之间的相互递归调用。实现过程具体为:将对应所述函数查找表中间行的查表操作指令处理为该查表操作指令中查表函数的递归调用；或者将对应所述函数查找表中间行的查表操作指令处理为多个查表操作指令中查表函数的相互递归调用。In order to further increase the difficulty of reverse engineering, except for the first row and the last row of the function lookup table, the table lookup operation instructions in the middle row are processed as recursive calls of the table lookup function itself, or mutual recursive calls between multiple table lookup functions. The implementation process is specifically: processing the table lookup operation instruction corresponding to the middle row of the function lookup table as a recursive call of the table lookup function in the table lookup operation instruction; or processing the table lookup operation instruction corresponding to the middle row of the function lookup table It is the mutual recursive calling of the table lookup function in multiple table lookup operation instructions.

下面，以源程序文件中包括如下函数调用为例：main(){foo()；bar()；}，对步骤S101～S103的实现过程进行举例说明，建立的函数查找表包括两列，一列为对foo()函数的索引，另一列为对bar()函数的索引。Next, take the following function call included in the source program file as an example: main(){foo(); bar();}, to illustrate the implementation process of steps S101-S103, the established function lookup table includes two columns, one column is the index to the foo() function, and the other column is the index to the bar() function.

为foo()函数分配随机int值并加密该随机int值，得到加密列索引为encode_rand_1，为foo()函数分配随机int值并加密该随机int值，得到加密列索引为encode_rand_2。在需要调用foo()函数时，基于列索引encode_rand_1能够索引到foo()函数所在列为函数查找表的第一列，在需要调用bar()函数时，基于列索引encode_rand_2能够索引到bar()函数所在列为函数查找表的第二列。以及建立foo()函数和bar()函数的行索引。Assign a random int value to the foo() function and encrypt the random int value to obtain the encrypted column index as encode_rand_1, assign a random int value to the foo() function and encrypt the random int value, and obtain the encrypted column index as encode_rand_2. When the foo() function needs to be called, the column index encode_rand_1 can index to the column where the foo() function is located as the first column of the function lookup table. When the bar() function needs to be called, the column index encode_rand_2 can index to bar() The column where the function is located is the second column of the function lookup table. And establish the row index of foo() function and bar() function.

将原始的函数调用指令{foo()；bar()；}替换用于在函数查找表查找的查表操作指令，具体为：{table(encode_rand_1)；table(encode_rand_2)；}Replace the original function call instruction {foo(); bar();} with the table lookup operation instruction for searching in the function lookup table, specifically: {table(encode_rand_1);table(encode_rand_2);}

将对应所述函数查找表中间行的查表操作指令处理为该查表操作指令中查表函数的递归调用；或者将对应所述函数查找表中间行的查表操作指令处理为多个查表操作指令中查表函数的相互递归调用。Processing the table lookup operation instruction corresponding to the middle row of the function lookup table as a recursive call of the table lookup function in the table lookup operation instruction; or processing the table lookup operation instruction corresponding to the middle row of the function lookup table as multiple lookup tables Mutual recursive calls of lookup table functions in operation instructions.

基于上述实现过程，最后得到新的程序如下：Based on the above implementation process, the new program is finally obtained as follows:

而建立的函数查找表如下：The established function lookup table is as follows:

index_1_1—>encoded_index_2_1index_1_1—>encoded_index_2_1 index_1_2—>encoded_index_2_2index_1_2—>encoded_index_2_2 index_2_1—>foo()index_2_1—>foo() index_2_2—>bar()index_2_2—>bar()

在步骤S103之后，接着执行步骤S104、生成所述新的程序文件对应的可执行程序文件。After step S103, step S104 is executed to generate an executable program file corresponding to the new program file.

具体来讲，通过链接步骤生成与所述新的程序对应的可执行程序文件。Specifically, an executable program file corresponding to the new program is generated through the linking step.

需要说明的是，本发明实施例提供的技术方案，可以应用于白盒加固工具对程序进行加固的场景下，白盒加固工具为相对于黑盒加固工具而言的一种对程序进行测试、加固的工具，白盒加固工具具体是在将用户编辑的源程序处理为可执行程序文件过程中进行的，这里的可执行程序文件即二进制文件(Binary)。而黑盒是对已经形成的可执行程序文件在此处理为可执行程序文件的过程中所进行的程序测试、加固过程。It should be noted that the technical solution provided by the embodiment of the present invention can be applied to the scenario where the white box hardening tool is used to harden the program. The white box hardening tool is a kind of program testing, The hardening tool, the white box hardening tool is specifically performed in the process of processing the source program edited by the user into an executable program file, where the executable program file is a binary file (Binary). The black box is a process of program testing and reinforcement performed during the process of processing the formed executable program files into executable program files.

还需要说明的是，本发明实施例提供的如上技术方案，可以应用于多种平台下软件产品(可执行程序文件)的生成：基于安卓操作系统的ELF文件，基于苹果手机操作系统的应用程序，苹果电脑操作系统的应用程序，基于Linux系统的软件和加载的库文件，Windows操作系统的可执行程序和DLL(Dynamic Link Library，动态链接库)文件。需要说明的是，本发明实施例提供的如上技术方案，可基于如下执行集类型：X86、X86_64、ARM、ARM64。It should also be noted that the above technical solutions provided by the embodiments of the present invention can be applied to the generation of software products (executable program files) under various platforms: ELF files based on the Android operating system, application programs based on the Apple mobile phone operating system , the application program of the Apple computer operating system, the software based on the Linux system and the loaded library file, the executable program and the DLL (Dynamic Link Library, dynamic link library) file of the Windows operating system. It should be noted that the above technical solutions provided by the embodiments of the present invention may be based on the following execution set types: X86, X86_64, ARM, ARM64.

进一步的，为了进一步增加逆向难度，从而增加程序安全性，本发明实施例在前述实施过程的前提下，在获得新的程序之前，包括如下步骤：Furthermore, in order to further increase the reverse difficulty and thereby increase the security of the program, the embodiment of the present invention includes the following steps before obtaining the new program on the premise of the aforementioned implementation process:

首先，执行步骤A1：从用户编辑的源程序文件中确定N个目标函数，所述源程序文件至少由N个函数组成，N为大于1的整数。First, perform step A1: determine N target functions from the source program file edited by the user, the source program file is composed of at least N functions, and N is an integer greater than 1.

需要说明的是，用户编辑的源程序文件具体指用户按照一定的程序设计语言规范书写的最原始程序的未经编译的代码，源程序文件为可读的文本文件。通常由高级语言编写，比如：C语言、C++语言、Java语言等，源程序文件可以是以书籍或者磁带或者其他载体的形式出现，但最为常用的格式是文本文件。并且，源程序文件中的函数是一个自我包含的完成一定相关功能的一系列指令。It should be noted that the source program file edited by the user specifically refers to the uncompiled code of the most original program written by the user according to a certain programming language specification, and the source program file is a readable text file. It is usually written in a high-level language, such as: C language, C++ language, Java language, etc. The source program file can appear in the form of a book or tape or other carriers, but the most commonly used format is a text file. Moreover, the function in the source program file is a self-contained series of instructions to complete certain related functions.

具体的，用户编辑的源程序文件由多个函数组成，可以包括函数库中的函数、还可以包括用户自定义的函数。源程序文件包括主函数以及各个子函数，无论是主函数还是子函数，每个函数具有各自的函数名。Specifically, the source program file edited by the user is composed of multiple functions, which may include functions in the function library, and may also include user-defined functions. The source program file includes a main function and various sub-functions, no matter the main function or the sub-functions, each function has its own function name.

具体的，步骤A1具体为：对用户编辑的源程序文件进行扫描，得到源程中存在的全部函数，则通过扫描源程序文件中的全部函数，均确定为目标函数。Specifically, step A1 is as follows: scan the source program file edited by the user to obtain all the functions existing in the source program, and determine all functions in the source program file as target functions by scanning all the functions in the source program file.

步骤A1具体为：确定源程序文件中的全部函数，从源程序文件的全部函数中筛选出一个或者多个函数，确定为目标函数。在具体实施过程中，可以有多种筛选规则，进行举例说明：Step A1 specifically includes: determining all the functions in the source program file, screening out one or more functions from all the functions in the source program file, and determining it as the target function. In the specific implementation process, there can be a variety of screening rules, for example:

筛选规则一：预先建立一个函数名单，函数名单中写有可以确定为目标函数的函数名。步骤A1具体为：对源程序文件进行扫描，得到源程中存在的全部函数的函数名，判断源程中存在的每个函数的函数名是否在函数名单中，如果存在于函数名单中，则确定为目标函数，否则不是目标函数。Screening rule 1: establish a function list in advance, and the function name that can be determined as the target function is written in the function list. Step A1 is specifically: scan the source program file to obtain the function names of all functions existing in the source program, and determine whether the function name of each function existing in the source program is in the function list, and if it exists in the function list, then Determined to be the objective function, otherwise it is not the objective function.

具体的，在函数名单为一些完成特定功能的函数的函数名，从而能够更有针对性进行函数调用混淆。Specifically, the function list is the function name of some functions that complete specific functions, so that function call confusion can be performed more specifically.

筛选规则二：随机从源程序文件的全部函数中筛选出多个函数，各自确定为目标函数。Screening rule 2: multiple functions are randomly selected from all functions in the source program file, and each is determined as the target function.

筛选规则三：确定源程序文件中的全部函数，从源程序文件的全部函数中筛选出有函数调用的函数，确定为目标函数。Screening rule three: determine all the functions in the source program file, filter out the functions with function calls from all the functions in the source program file, and determine them as target functions.

在步骤A1之后，接着执行步骤A2：在所述N个目标函数的每个目标函数内创建不可达分支。After step A1, step A2 is then performed: creating an unreachable branch within each of the N objective functions.

需要说明的是，不可达分支是不能通过输入来执行的路径，因此，不可达中的程序在执行时不会被执行到。相对于不可达分支的是可达分支，可达分支是在某一输入下可被执行到的路径，因此，可达分支中的程序在实际执行时会在某一输入下被执行到。It should be noted that an unreachable branch is a path that cannot be executed through input, therefore, the unreachable program will not be executed during execution. Relative to the unreachable branch is the reachable branch, which is a path that can be executed under a certain input. Therefore, the program in the reachable branch will be executed under a certain input during actual execution.

具体的，在所述N个目标函数的每个目标函数内创建不可达分支，实施方式如下：Specifically, an unreachable branch is created in each of the N objective functions, and the implementation manner is as follows:

在每个所述目标函数内创建条件调用语句，其中，每个所述目标函数内的条件调用语句包括可达分支和所述不可达分支；在每个所述目标函数的条件调用语句的可达分支中，写入该目标函数的真实函数调用。Create a conditional call statement in each of the target functions, wherein the conditional call statement in each of the target functions includes a reachable branch and the unreachable branch; In the reach branch, write the real function call of the target function.

在具体实施过程中，每个目标函数中的真实函数调用可能存在一个或者多个。需要说明的是，目标函数的真实函数调用，就是指：在源程序文件没有经过程序加固之前就已经存在的，该目标函数的函数调用，即：该目标函数调用了哪个函数或者哪些函数。具体而言，如果该目标函数中存在一个真实函数调用，将该目标函数函数调用指令处创建一个条件调用语句，而将用于实现该目标函数的真实函数调用的函数调用指令移动至该条件调用语句的可达分支中。In a specific implementation process, there may be one or more real function calls in each target function. It should be noted that the real function call of the target function refers to the function call of the target function that existed before the source program file was hardened, that is, which function or functions are called by the target function. Specifically, if there is a real function call in the target function, create a conditional call statement at the function call instruction of the target function, and move the function call instruction for realizing the real function call of the target function to the conditional call In the reachable branch of the statement.

在具体实施过程中，在每个目标函数内创建条件调用语句，可以是：将用于实现该目标函数的真实函数调用的函数调用指令进行变换，得到针对该目标函数的条件调用语句。In the specific implementation process, creating a conditional call statement in each target function may be: transforming a function call instruction for realizing the real function call of the target function to obtain a conditional call statement for the target function.

因此，如果该目标函数内具有多个连续的真实函数调用，在该目标函数内可以创建一个条件调用语句，在目标函数内的一个条件调用语句的可达分支中写入该多个连续的真实函数调用。也可以创建多个条件调用语句，在各个条件调用语句中，一对一写入一个真实函数调用。Therefore, if there are multiple consecutive real function calls in the target function, a conditional call statement can be created in the target function, and the multiple continuous real function calls can be written in the reachable branch of a conditional call statement in the target function. function call. It is also possible to create multiple conditional call statements, and in each conditional call statement, a real function call is written one-to-one.

具体的，每个目标函数内的条件调用语句可以是：基于具有唯一结果的数学表达式设置，在得到该数学表达式的唯一结果时，执行该条件调用语句的可达分支中的指令，即执行：用于实现该目标函数的真实函数调用的函数调用指令，而条件调用语句的不可达分支中的指令在实际执行时不会被执行到。因此，形成了具有可达分支和不可达分支的条件调用语句。Specifically, the conditional call statement in each target function can be: based on the setting of a mathematical expression with a unique result, when the unique result of the mathematical expression is obtained, execute the instruction in the reachable branch of the conditional call statement, that is Execution: the function call instruction used to implement the real function call of the target function, and the instructions in the unreachable branch of the conditional call statement will not be executed during actual execution. Thus, a conditional call statement with reachable and unreachable branches is formed.

具体的，在N个目标函数的不同目标函数中，所使用的具有唯一结果的数学表达式可以相同，也可以有多种数学表达式，在针对当前的目标函数时从中随机确定一种数学表达式。Specifically, among the different objective functions of the N objective functions, the mathematical expression with the unique result used may be the same, or there may be multiple mathematical expressions, and a mathematical expression is randomly determined for the current objective function Mode.

在具体实施过程中，所用的数学表达式具体为比较复杂的数学表达式，提高逆向难度。In the specific implementation process, the mathematical expression used is specifically a relatively complex mathematical expression, which increases the difficulty of reverse engineering.

在一具体实施方式中，条件调用语句可以是if语句，具体为：if(一个具有唯一结果的数学表达式){程序块A}else{程序块B}。具体的，该数学表达式为具有唯一结果的布尔型变量，该if语句的可达分支为执行程序块A，不可达分支为执行程序块B，程序块A为用于该目标函数的真实函数调用的函数调用指令。获得唯一结果时，执行条件调用语句的可达分支中的指令。程序块B为所添加的该目标函数对其他函数的调用，是源程序文件中该目标函数不存在的函数调用关系，用于混淆该目标函数真实的函数调用关系。In a specific implementation manner, the conditional call statement may be an if statement, specifically: if (a mathematical expression with a unique result) {block A} else{block B}. Specifically, the mathematical expression is a Boolean variable with a unique result, the reachable branch of the if statement is to execute program block A, the unreachable branch is to execute program block B, and program block A is the real function used for the target function Called function call instruction. When the only result is obtained, the instructions in the reachable branch of the conditional call statement are executed. Program block B is the added call of the target function to other functions, which is a function call relationship that does not exist in the target function in the source program file, and is used to confuse the real function call relationship of the target function.

在具体实施过程中，可以是针对目标函数的每个真实函数调用，分别创建条件调用语句，也可以是，针对目标函数的多个连续的真实函数调用，创建一个条件调用语句。In the specific implementation process, a conditional call statement may be created for each real function call of the target function, or a conditional call statement may be created for multiple continuous real function calls of the target function.

以源程序文件中存在函数A的实函数调用关系为：函数A→调用函数B1，调用函数B2，进行举例来讲：Taking the real function call relationship of function A in the source program file as follows: function A → call function B1, call function B2, for example:

可以是如下方式：Can be as follows:

int A()int A()

{if(具有唯一结果的数学表达式){对函数B1的调用}else{对其他函数的调用}；{if(mathematical expression with unique result){call to function B1}else{call to other function};

if(具有唯一结果的数学表达式){对函数B2的调用}else{对其他函数调用}；if (mathematical expression with unique result) {call to function B2} else{call to other function};

也可以是如下方式：int A(){if(具有唯一结果的数学表达式){对函数B1的调用，对函数B2的调用}else{对其他函数的调用}；It can also be as follows: int A() {if (mathematical expression with unique result) {call to function B1, call to function B2}else{call to other functions};

当然，在具体实施过程中，条件调用语句也可以为其他形式，源程序文件的编程语言不同，则使用的条件调用语句也可以不同。Of course, in the specific implementation process, the conditional call statement can also be in other forms, and the programming language of the source program file is different, so the conditional call statement used can also be different.

在步骤A2之后，接着执行步骤A3：在每个所述目标函数的不可达分支中添加该目标函数对其他函数的调用，得到新的程序，所述其他函数属于所述源程序文件。After step A2, step A3 is then performed: adding calls of the target function to other functions in each unreachable branch of the target function to obtain a new program, and the other functions belong to the source program file.

需要说明的是，其他函数是针对该目标函数而言，其他函数具体是与该目标函数的条件调用语句的可达分支中所调用的函数不同的函数，针对该目标函数的其他函数可以包括该目标函数，即调用该目标函数自身。It should be noted that the other functions are for the target function, specifically the functions that are different from the functions called in the reachable branch of the conditional call statement of the target function, and the other functions for the target function may include the The objective function is to call the objective function itself.

举例来讲，源程序文件包括函数A、函数A调用函数B和函数C，函数B调用函数D、函数D调用函数E，在目标函数A的条件调用语句的可达分支中存在真实函数调用为：调用函数B和函数C，将对函数B、C的调用移动至该目标函数A的条件调用语句的可达分支中。在该目标函数A的条件调用语句的不可达分支中，可以添加对函数D、函数E中的一个或者多个的调用。For example, the source program file includes function A, function A calls function B and function C, function B calls function D, function D calls function E, there is a real function call in the reachable branch of the conditional call statement of target function A as : call function B and function C, and move the calls to function B and C to the reachable branch of the conditional call statement of the target function A. In the unreachable branch of the conditional call statement of the target function A, calls to one or more of function D and function E may be added.

具体的，在步骤A3中，在每个所述目标函数的不可达分支中添加所述目标函数对其他函数的调用，可以有多种实施方式，下面进行分别描述：Specifically, in step A3, adding calls from the target function to other functions in each unreachable branch of the target function can have multiple implementations, which are described separately below:

实施方式一：Implementation mode one:

对每个所述目标函数分别执行如下步骤：在所述目标函数的条件调用语句的不可达分支中，添加所述目标函数对其他函数的随机调用。For each of the target functions, the following steps are respectively performed: in the unreachable branch of the conditional call statement of the target function, adding random calls of other functions by the target function.

具体而言，在该目标函数的条件调用语句的可达分支中，添加该目标函数对该可达分支中所调用函数不同的各个函数的随机调用。Specifically, in the reachable branch of the conditional call statement of the target function, random calls of functions different from the functions called in the reachable branch by the target function are added.

举例来讲，源程序文件包括函数1，函数1调用函数2、3、4，函数3调用函数2、5，函数4调用函数6、7。For example, the source program file includes function 1, function 1 calls functions 2, 3, and 4, function 3 calls functions 2, 5, and function 4 calls functions 6, 7.

目标函数1(即在函数1)中创建条件调用语句1，在该条件调用语句1的可达分支中写入有函数1调用函数2、3、4，在该条件调用语句1的不可达分支中添加函数1对函数1、5、6、7的随机调用，在目标函数3(即在函数3中)中创建条件调用语句2，在该条件调用语句2的可达分支中写入有函数3调用函数2、5，在该条件调用语句2的不可达分支中添加函数3对函数1、3、4、6、7的随机调用。在目标函数4(即在函数1)中创建条件调用语句3，在该条件调用语句3的可达分支中写入有函数4调用函数6、7，在该条件调用语句3的不可达分支中写入函数4对函数1、2、3、4、5的随机调用。Create a conditional call statement 1 in the target function 1 (that is, in function 1). In the reachable branch of the conditional call statement 1, function 1 calls functions 2, 3, and 4. In the unreachable branch of the conditional call statement 1 Add random calls of function 1 to functions 1, 5, 6, and 7 in function 1, create conditional call statement 2 in target function 3 (that is, in function 3), and write a function in the reachable branch of conditional call statement 2 3 calls functions 2 and 5, and adds function 3 random calls to functions 1, 3, 4, 6, and 7 in the unreachable branch of the conditional call statement 2. Create a conditional call statement 3 in the target function 4 (that is, in function 1), in the reachable branch of the conditional call statement 3, function 4 calls functions 6 and 7, and in the unreachable branch of the conditional call statement 3 Write function 4 with random calls to functions 1, 2, 3, 4, 5.

更具体来讲，随机调用是从与该目标函数的条件调用语句的可达分支中所调用的函数不同的各个函数中随机选择出一个或者多个，接着，在不可达分支中写入对随机选择出的一个或者多个函数的调用。More specifically, the random call is to randomly select one or more functions that are different from the functions called in the reachable branch of the conditional call statement of the target function, and then write the random call in the unreachable branch The call of one or more selected functions.

通过实施方式一，能够在每个目标函数中都写入混淆该目标函数内真实函数调用逻辑的不可执行的函数调用关系。Through the first embodiment, an unexecutable function call relationship that confuses the real function call logic in the target function can be written in each target function.

由于用户编辑的源程序文件中可能包含的函数可能较多，在这种情况下，则实施方式一会大大增加生成可执行程序文件的代码量，增加了软件产品的尺寸，对此，给出如下实施方式二：Since the source program file edited by the user may contain many functions, in this case, the first embodiment will greatly increase the amount of code to generate the executable program file and increase the size of the software product. For this, the following is given The second implementation mode is as follows:

对每个所述目标函数执行如下步骤：扫描所述源程序文件，确定所述源程序文件中函数个数；判断所述源程序文件中函数个数是否大于预设数值；如果是，在所述目标函数的条件调用语句的不可达分支中，添加所述目标函数对其他函数的随机调用；否则，在所述目标函数的条件调用语句的不可达分支中，添加所述目标函数对其他函数的一对一调用。Perform the following steps for each of the target functions: scan the source program file to determine the number of functions in the source program file; judge whether the number of functions in the source program file is greater than a preset value; In the unreachable branch of the conditional call statement of the target function, add the random call of the target function to other functions; otherwise, in the unreachable branch of the conditional call statement of the target function, add the random call of the target function to other functions A one-to-one call.

通过实施方式二，能够兼顾最后生成的可执行程序文件的代码量与逆向难度。Through the second embodiment, it is possible to balance the code size and reverse difficulty of the final generated executable program file.

在上述实施方式一、二中，该目标函数对其他函数的随机调用，实现过程均可以如下：In the first and second embodiments above, the random call of the objective function to other functions can be implemented as follows:

从所述源程序文件的全部函数中确定一个以上候选被调函数；在所述目标函数的条件调用语句的不可达分支中，添加所述目标函数对所述一个以上候选被调函数的一对一调用。Determine one or more candidate called functions from all the functions in the source program file; in the unreachable branch of the conditional call statement of the target function, add a pair of the target function to the one or more candidate called functions one call.

进一步的，所述候选被调函数与该目标函数的条件调用语句的可达分支中所调用的函数不同。Further, the candidate called function is different from the function called in the reachable branch of the conditional call statement of the target function.

需要说明的是，针对该目标函数的候选被调函数只要与该目标函数的条件调用语句的可达分支中所调用的函数不同，但是可以与其他函数(包括N个目标函数中其他的目标函数)中所调用的函数相同。It should be noted that, as long as the candidate called function for the target function is different from the function called in the reachable branch of the conditional call statement of the target function, it can be different from other functions (including other target functions in the N target functions) ) in the same function called.

从所述源程序文件的全部函数中确定一个以上候选被调函数，可以有多种方式，下面分别进行说明：There are many ways to determine more than one candidate called function from all the functions in the source program file, which will be explained separately below:

方式一、随机从所述源程序文件的全部函数中，选择与该目标函数的条件调用语句的可达分支中所调用函数不同的函数，确定为所述候选被调函数。Method 1: Randomly select a function different from the function called in the reachable branch of the conditional call statement of the target function from all the functions in the source program file, and determine it as the candidate called function.

方式二：从所述源程序文件的全部函数中，筛选出满足预设函数条件的函数，确定为所述候选被调函数。比如，可以从所述源程序文件的全部函数中筛选出用户自定义函数为候选被调函数，从而，候选被调函数不会是库函数，由此增加被逆向工程师解读的难度。Method 2: From all the functions in the source program file, select a function that satisfies a preset function condition, and determine it as the candidate called function. For example, user-defined functions may be selected from all functions of the source program file as candidate called functions, so that the candidate called functions will not be library functions, thereby increasing the difficulty of being interpreted by reverse engineers.

在具体实施过程，为了在该目标函数的条件调用语句的不可达分支中，添加该目标函数对所述一个以上候选被调函数的一对一调用。In the specific implementation process, in order to add a one-to-one call of the target function to the one or more candidate called functions in the unreachable branch of the conditional call statement of the target function.

添加该目标函数对所述候选被调函数的调用，具体实现方式如下：Adding the call of the target function to the candidate called function, the specific implementation is as follows:

首先，通过扫描用户编辑的源程序文件，获取所述源程序文件中全部函数的函数名，记录所述源程序文件中全部函数的函数名；在所述目标函数的条件调用语句的不可达分支中添加函数调用指令；从所述源程序文件中全部函数的函数名中，获取所述候选被调函数的函数名；在所述函数调用指令中写入所述候选被调函数的函数名。First, by scanning the source program file edited by the user, the function names of all functions in the source program file are obtained, and the function names of all functions in the source program file are recorded; Adding a function call instruction in the source program file; obtaining the function name of the candidate called function from the function names of all functions in the source program file; writing the function name of the candidate called function in the function call instruction.

进一步的，所述候选被调函数可以为有参函数，也可以为无参函数，如果所述候选被调函数是有参函数，在所述函数调用指令中写入所述候选被调函数的函数名之后，还包括如下步骤：针对所述候选被调函数生成随机的传递参数；将所述随机的传递参数写入在所述函数调用指令中。Further, the candidate called function may be a parameterized function or a parameterless function, if the candidate called function is a parameterized function, write the name of the candidate called function in the function call instruction After the function name, the following steps are further included: generating a random transfer parameter for the candidate called function; writing the random transfer parameter into the function calling instruction.

比如，将所述随机的传递参数写入在所述函数调用指令之后，可以表示如下：For example, writing the random transfer parameter after the function call instruction may be expressed as follows:

int_stdcall function(随机的传递参数x,随机的传递参数y)。int_stdcall function (random pass parameter x, random pass parameter y).

因为不可达分支中的指令并不会被执行到，因此，在不可达分支中写入的针对所述候选被调函数的传递参数可以随机生成，而不影响程序本身的功能。Because the instructions in the unreachable branch will not be executed, the transfer parameters for the candidate called function written in the unreachable branch can be randomly generated without affecting the function of the program itself.

基于同一发明构思，本发明实施例提供了一种程序安全保护装置，参考图2所示，包括：Based on the same inventive concept, an embodiment of the present invention provides a program security protection device, as shown in FIG. 2 , including:

函数获取单元201，用于从用户编辑的源程序文件中获取M个被调函数；A function acquisition unit 201, configured to acquire M called functions from the source program file edited by the user;

查找表建立单元202，用于建立包含所述M个被调函数的函数查找表，M为大于1的整数；A lookup table establishment unit 202, configured to establish a function lookup table comprising the M called functions, where M is an integer greater than 1;

指令替换单元203，用于将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，所述查表操作指令用于从所述函数查找表中获得当前被调函数；The instruction replacement unit 203 is used to replace the function call instruction of each called function in the M called functions with a table lookup operation instruction so as to obtain a new program file, and the table lookup operation instruction is used to obtain a new program file from Obtain the current called function in the function lookup table;

文件生成单元204，用于生成与所述新的程序文件对应的可执行程序文件。The file generation unit 204 is configured to generate an executable program file corresponding to the new program file.

在一具体的实施方式中，所述查找表建立单元202，包括：In a specific implementation manner, the lookup table establishment unit 202 includes:

在一具体的实施方式中，所述函数获取单元201，包括：In a specific implementation manner, the function acquiring unit 201 includes:

在一具体的实施方式中，所述建索引子单元，具体用于：In a specific implementation manner, the indexing subunit is specifically used for:

在一具体的实施方式中，还包括查表指令处理单元，用于：In a specific embodiment, it also includes a table look-up instruction processing unit for:

基于同一发明构思，作为对上述方法的实现，本发明实施例提供一种计算机设备30，图3为本发明实施例中的计算机设备30的结构示意图，参见图3所示，该计算机设备30包括：存储器301、处理器302以及存储在存储器301上并可在处理器302上运行的计算机程序303，处理器执行程序303时实现前述程序保护方法实施例中的任一实施方式所述的步骤。Based on the same inventive concept, as an implementation of the above method, the embodiment of the present invention provides a computer device 30. FIG. 3 is a schematic structural diagram of the computer device 30 in the embodiment of the present invention. Referring to FIG. A memory 301, a processor 302, and a computer program 303 stored in the memory 301 and operable on the processor 302. When the processor executes the program 303, the steps described in any one of the foregoing program protection method embodiments are implemented.

基于同一发明构思，本发明实施例提供一种计算机存储介质，其上存储有计算机程序，上述指令可由图3所示的该计算机设备30的处理器302执行以完成上述方法。所述计算机存储介质具体为非临时性计算机可读存储介质，具体可以是ROM、随机存取存储器(RAM)、CD-ROM、磁带、软盘和光数据存储设备等。Based on the same inventive concept, an embodiment of the present invention provides a computer storage medium on which a computer program is stored, and the above instructions can be executed by the processor 302 of the computer device 30 shown in FIG. 3 to complete the above method. The computer storage medium is specifically a non-transitory computer-readable storage medium, specifically ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, and optical data storage device.

上述本发明实施例中的技术方案，至少具有如下的技术效果或优点：The above-mentioned technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:

通过从用户编辑的源程序文件中获取M个被调函数；建立包含M个被调函数的函数查找表，将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令，以使获得新的程序文件，查表操作指令用于从函数查找表中获得当前被调函数；生成与新的程序文件对应的可执行程序文件。将直接的函数调用指令变成了对被调函数的查表操作指令，能够将程序中的函数调用关系完全隐藏在表中，逆向工程师很难根据反编译的程序中看出真实的函数调用，从而提高了逆向每一个真实的调用函数的难度，进而提高了软件产品的安全性。By obtaining M called functions from the source program file edited by the user; establishing a function lookup table containing M called functions, and replacing the function call instructions of each called function in the M called functions with look-up The table operation instruction is used to obtain a new program file, and the table lookup operation instruction is used to obtain the current called function from the function lookup table; generate an executable program file corresponding to the new program file. Turn the direct function call instruction into a table lookup operation instruction for the called function, which can completely hide the function call relationship in the program in the table. It is difficult for reverse engineers to see the real function call from the decompiled program. Therefore, the difficulty of reversing each real calling function is increased, thereby improving the security of the software product.

本领域内的技术人员应明白，本发明的实施例可提供为方法、系统、或计算机程序产品。因此，本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且，本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器，使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中，使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品，该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上，使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理，从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

尽管已描述了本发明的优选实施例，但本领域内的技术人员一旦得知了基本创造性概念，则可对这些实施例作出另外的变更和修改。所以，所附权利要求意欲解释为包括优选实施例以及落入本发明范围的所有变更和修改。While preferred embodiments of the invention have been described, additional changes and modifications to these embodiments can be made by those skilled in the art once the basic inventive concept is appreciated. Therefore, it is intended that the appended claims be construed to cover the preferred embodiment as well as all changes and modifications which fall within the scope of the invention.

显然，本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样，倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内，则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

本发明公开了一种A1、一种程序安全保护方法，包括：The invention discloses A1, a program security protection method, including:

A2、如A1所述的程序安全保护方法，所述建立包含所述M个被调函数的函数查找表，包括：A2, the method for program security protection as described in A1, the establishment of a function lookup table comprising the M called functions includes:

A3、如A2所述的程序安全保护方法，所述从用户编辑的源程序文件中获取M个被调函数，包括：A3, the method for program security protection as described in A2, described to obtain M called functions from the source program file edited by the user, including:

A4、如A2或A3所述的程序安全保护方法，所述在所述函数查找表的每列，建立对该列所在的被调函数的索引，包括：A4, the method for program security protection as described in A2 or A3, described in each column of the function lookup table, establishes the index of the called function where the column is located, including:

A5、如A4所述的程序安全保护方法，所述对每个所述被调函数分配列索引，包括：A5, the method for program security protection as described in A4, said assigning a column index to each said called function, comprising:

A6、如A4所述的程序安全保护方法，所述对所述函数查找表中当前列的被调函数建立行索引，包括：A6, the method for program security protection as described in A4, said setting up a row index to the called function of the current column in the function lookup table, comprising:

A7、如A6所述的程序安全保护方法，所述对当前列的被调函数建立N级行索引，包括：A7, the method for program security protection as described in A6, said setting up an N-level row index to the called function of the current column, including:

A8、如A2或A3所述的程序安全保护方法，在所述将所述M个被调函数中每个被调函数的函数调用指令均替换为查表操作指令之后，还包括：A8. The program security protection method as described in A2 or A3, after the function call instruction of each called function in the M called functions is replaced with a table lookup operation instruction, it also includes:

本发明还公开一种B9、一种程序安全保护装置，包括：The present invention also discloses a B9, a program security protection device, including:

B10、如B9所述的程序安全保护装置，所述查找表建立单元，包括：B10. The program security protection device as described in B9, the look-up table establishment unit includes:

B11、如A10所述的程序安全保护装置，所述函数获取单元，包括：B11. The program security protection device as described in A10, the function acquisition unit includes:

B12、如B10或B11所述的程序安全保护装置，所述建索引子单元，具体用于：B12. The program security protection device as described in B10 or B11, the indexing subunit is specifically used for:

B13、如B12所述的程序安全保护装置，所述建索引子单元，具体用于：B13. The program security protection device as described in B12, the index building subunit is specifically used for:

B 14、如B 12所述的程序安全保护装置，所述建索引子单元，具体用于：B14. The program security protection device as described in B12, the index building subunit is specifically used for:

B 15、如B 14所述的程序安全保护装置，所述建索引子单元，具体用于：B15. The program security protection device as described in B14, the index building subunit is specifically used for:

B16、如B10或B11所述的程序安全保护装置，还包括查表指令处理单元，用于：B16. The program security protection device as described in B10 or B11, further comprising a table lookup instruction processing unit, for:

本发明还公开了C17、一种计算机可读存储介质，其上存储有计算机程序，该程序被处理器执行时实现A1-A8中任一项所述的步骤。The present invention also discloses C17, a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processor, the steps described in any one of A1-A8 are realized.

本发明还公开了D18、一种计算机设备，包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序，所述处理器执行所述程序时实现A1-A8中任一项所述的步骤。The present invention also discloses D18, a computer device, including a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, any one of A1-A8 is realized. described steps.

Claims

1. a kind of program safety guard method, which is characterized in that including：

M called function is obtained from the source files of program that user edits；

The look-up table of functions comprising the M called function is established, M is the integer greater than 1；

The function call instruction of each called function in the M called function is replaced with into table lookup operation instruction, so as to obtain Program file newly is obtained, the table lookup operation instruction from the look-up table of functions for obtaining current called function；

Generate executable program file corresponding with the new program file.

2. program safety guard method as described in claim 1, which is characterized in that described to establish comprising the M by letter of transfer Several look-up table of functions, including：

The column that the look-up table of functions is corresponded to the single called function, establish the look-up table of functions comprising M column * N row, N For the integer greater than 1；

In each column of the look-up table of functions, the index to the called function where the column is established.

3. program safety guard method as claimed in claim 2, which is characterized in that the source files of program edited from user Middle M called function of acquisition, including：

By scanning the source files of program, each called function present in the source files of program is obtained, or meet pre- If the called function of condition.

4. program safety guard method as claimed in claim 2 or claim 3, which is characterized in that described in the look-up table of functions Each column establishes the index to the called function where the column, including：

Column index is distributed to each called function, the column index is for determining the called function in the function lookup The column of table；

Under the column index of each called function, in the look-up table of functions when the called function in forefront establishes row rope Draw, the line index is used in the look-up table of functions obtain the called function when forefront.

5. program safety guard method as claimed in claim 4, which is characterized in that described to distribute each called function Column index, including：

The integer value as column index is distributed for each called function at random；

The column index of each called function is encrypted, the encryption column index of each called function is obtained；

For the first decryption function of each encryption column index, first decryption function is used to decrypt each described for building Column index is encrypted, column index corresponding with encryption column index is obtained.

6. program safety guard method as claimed in claim 4, which is characterized in that described to current in the look-up table of functions The called function of column establishes line index, including：

N grades of line index are established to the called function when forefront, wherein the line index of current line is the checking result of lastrow, most The corresponding checking result of rear stage line index is the called function when forefront.

7. program safety guard method as claimed in claim 6, which is characterized in that described pair is established when the called function in forefront N grades of line index, including：

One or more line index in the N grades of line index is encrypted, corresponding encryption line index is obtained；

For the second decryption function of each encryption line index, second decryption function is used to decrypt each described for building Line index is encrypted, corresponding line index is obtained.

8. a kind of program safety protective device, which is characterized in that including：

Function acquiring unit, for obtaining M called function from the source files of program that user edits；

Look-up table establishes unit, and for establishing the look-up table of functions comprising the M called function, M is the integer greater than 1；

Replacement unit is instructed, is looked into for replacing with the function call instruction of each called function in the M called function Table handling instruction, so as to obtain new program file, the table lookup operation instruction from the look-up table of functions for being worked as Preceding called function；

File generating unit, for generating executable program file corresponding with the new program file.

9. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is held by processor Step of any of claims 1-7 is realized when row.

10. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor Calculation machine program, which is characterized in that the processor realizes step of any of claims 1-7 when executing described program Suddenly.