Permutation of opcode values for application program obfuscation

US 20050071655A1
Filed: 09/25/2003
Published: 03/31/2005
Est. Priority Date: 09/25/2003
Status: Active Grant

First Claim

Patent Images

1. A method for executing an obfuscated application program, the method comprising:

receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes;

determining a dispatch table associated with said application program, said dispatch table corresponding to said one of a plurality of instruction set opcode value encoding schemes; and

executing said application program using said associated dispatch table.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Obfuscating an application program comprises reading an application program comprising code, transforming the application program code into transformed application program code that uses one of multiple opcode value encoding schemes of a dispatch table associated with the application program, and sending the transformed application program code. Executing an obfuscated application program comprises receiving an obfuscated application program comprising at least one instruction opcode value encoded using one of multiple instruction set opcode value encoding schemes, determining a dispatch table associated with the application program, and executing the application program using the associated dispatch table. The dispatch table corresponds to the one of multiple instruction set opcode value encoding schemes.

111 Citations

View as Search Results

63 Claims

1. A method for executing an obfuscated application program, the method comprising:
- receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes;
  
  determining a dispatch table associated with said application program, said dispatch table corresponding to said one of a plurality of instruction set opcode value encoding schemes; and
  
  executing said application program using said associated dispatch table.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 wherein said determining comprises generating said dispatch table in response to said receiving.
  - 3. The method of claim 1 wherein said determining comprises selecting a dispatch table from a plurality of dispatch tables in response to said receiving, said plurality of dispatch tables stored in a memory.

4. A method for executing an obfuscated application program, the method comprising:
- receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of non-standard instruction set opcode value encoding schemes;
  
  determining an instruction set opcode value encoding scheme associated with said obfuscated application program;
  
  rewriting said application program using a standard opcode value encoding scheme if said received application program is not encoded using said standard opcode value encoding scheme; and
  
  executing said application program using a dispatch table associated with said standard opcode value encoding scheme.

5. A method for application program obfuscation, the method comprising:
- reading an application program comprising code;
  
  transforming said application program code into transformed application program code that uses one of a plurality of opcode value encoding schemes of a dispatch table associated with said application program; and
  
  sending said transformed application program code.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, further comprising receiving an application program request from a user device, said transforming occurring in response to said receiving.
  - 7. The method of claim 5 wherein said method further comprises, after said creating, applying a cryptographic process to said obfuscated application program together with a cryptographic key to create an encrypted obfuscated application program;
    - and said sending comprises sending said encrypted obfuscated application program.

8. A method for creating an opcode value encoding scheme for an instruction set, the method comprising:
- creating a series of numbers using a randomized process;
  
  filtering said series to remove duplicate numbers; and
  
  creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.

9. A method for creating an opcode value encoding scheme for an instruction set, the method comprising:
- selecting a seed and a cryptographic key;
  
  creating a series of numbers based at least in part on said seed and said cryptographic key, said seed having a size that is less than the size of said series;
  
  filtering said series to remove duplicate numbers; and
  
  creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 wherein said creating comprises using a loop back hash function to create said series.
  - 11. The method of claim 10 wherein said loop back hash function comprises the MD4 algorithm.
  - 12. The method of claim 10 wherein said loop back hash function comprises the MD5 algorithm.
  - 13. The method of claim 10 wherein said loop back hash function comprises the SHA-1 algorithm.
  - 14. The method of claim 10 wherein said key is based at least in part on a target ID.
  - 15. The method of claim 14 wherein said target ID comprises a VM ID.

16. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for executing an obfuscated application program, the method comprising:
- receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes;
  
  determining a dispatch table associated with said application program, said dispatch table corresponding to said one of a plurality of instruction set opcode value encoding schemes; and
  
  executing said application program using said associated dispatch table.
- View Dependent Claims (17, 18)
- - 17. The program storage device of claim 16 wherein said determining comprises generating said dispatch table in response to said receiving.
  - 18. The program storage device of claim 16 wherein said determining comprises selecting a dispatch table from a plurality of dispatch tables in response to said receiving, said plurality of dispatch tables stored in a memory.

19. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for executing an obfuscated application program, the method comprising:
- receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of non-standard instruction set opcode value encoding schemes;
  
  determining an instruction set opcode value encoding scheme associated with said obfuscated application program;
  
  rewriting said application program using a standard opcode value encoding scheme if said received application program is not encoded using said standard opcode value encoding scheme; and
  
  executing said application program using a dispatch table associated with said standard opcode value encoding scheme.

20. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for application program obfuscation, the method comprising:
- reading an application program comprising code;
  
  transforming said application program code into transformed application program code that uses one of a plurality of opcode value encoding schemes of a dispatch table associated with said application program; and
  
  sending said transformed application program code.
- View Dependent Claims (21, 22)
- - 21. The program storage device of claim 20, the method further comprising receiving an application program request from a user device, said transforming occurring in response to said receiving.
  - 22. The program storage device of claim 20 wherein said method further comprises, after said creating, applying a cryptographic process to said obfuscated application program together with a cryptographic key to create an encrypted obfuscated application program;
    - and said sending comprises sending said encrypted obfuscated application program.

23. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for creating an opcode value encoding scheme for an instruction set, the method comprising:
- creating a series of numbers using a randomized process;
  
  filtering said series to remove duplicate numbers; and
  
  creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.

24. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for creating an opcode value encoding scheme for an instruction set, the method comprising:
- selecting a seed and a cryptographic key;
  
  creating a series of numbers based at least in part on said seed and said cryptographic key, said seed having a size that is less than the size of said series;
  
  filtering said series to remove duplicate numbers; and
  
  creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The program storage device of claim 24 wherein said creating comprises using a loop back hash function to create said series.
  - 26. The program storage device of claim 25 wherein said loop back hash function comprises the MD4 algorithm.
  - 27. The program storage device of claim 25 wherein said loop back hash function comprises the MD5 algorithm.
  - 28. The program storage device of claim 25 wherein said loop back hash function comprises the SHA-1 algorithm.
  - 29. The program storage device of claim 25 wherein said key is based at least in part on a target ID.
  - 30. The program storage device of claim 29 wherein said target ID comprises a VM ID.

31. An apparatus for executing an obfuscated application program, the apparatus comprising:
- means for receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes;
  
  means for determining a dispatch table associated with said application program, said dispatch table corresponding to said one of a plurality of instruction set opcode value encoding schemes; and
  
  means for executing said application program using said associated dispatch table.
- View Dependent Claims (32, 33)
- - 32. The apparatus of claim 31 wherein said means for determining comprises means for generating said dispatch table in response to said receiving.
  - 33. The apparatus of claim 31 wherein said means for determining comprises means for selecting a dispatch table from a plurality of dispatch tables in response to said receiving, said plurality of dispatch tables stored in a memory.

34. An apparatus for executing an obfuscated application program, the apparatus comprising:
- means for receiving an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of non-standard instruction set opcode value encoding schemes;
  
  means for determining an instruction set opcode value encoding scheme associated with said obfuscated application program;
  
  means for rewriting said application program using a standard opcode value encoding scheme if said received application program is not encoded using said standard opcode value encoding scheme; and
  
  means for executing said application program using a dispatch table associated with said standard opcode value encoding scheme.

35. An apparatus for application program obfuscation, the apparatus comprising:
- means for reading an application program comprising code;
  
  means for transforming said application program code into transformed application program code that uses one of a plurality of opcode value encoding schemes of a dispatch table associated with said application program; and
  
  means for sending said transformed application program code.
- View Dependent Claims (36, 37)
- - 36. The apparatus of claim 35, further comprising means for receiving an application program request from a user device, said transforming occurring in response to said receiving.
  - 37. The apparatus of claim 35 wherein said apparatus further comprises means for applying a cryptographic process to said obfuscated application program together with a cryptographic key to create an encrypted obfuscated application program after said creating;
    - and said means for sending comprises means for sending said encrypted obfuscated application program.

38. An apparatus for creating an opcode value encoding scheme for an instruction set, the apparatus comprising:
- means for creating a series of numbers using a randomized process;
  
  means for filtering said series to remove duplicate numbers; and
  
  means for creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.

39. An apparatus for creating an opcode value encoding scheme for an instruction set, the apparatus comprising:
- means for selecting a seed and a cryptographic key;
  
  means for creating a series of numbers based at least in part on said seed and said cryptographic key, said seed having a size that is less than the size of said series;
  
  means for filtering said series to remove duplicate numbers; and
  
  means for creating a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.
- View Dependent Claims (40, 41, 42, 43, 44, 45)
- - 40. The apparatus of claim 39 wherein said means for creating comprises means for using a loop back hash function to create said series.
  - 41. The apparatus of claim 40 wherein said loop back hash function comprises the MD4 algorithm.
  - 42. The apparatus of claim 40 wherein said loop back hash function comprises the MD5 algorithm.
  - 43. The apparatus of claim 40 wherein said loop back hash function comprises the SHA-1 algorithm.
  - 44. The apparatus of claim 40 wherein said key is based at least in part on a target ID.
  - 45. The apparatus of claim 44 wherein said target ID comprises a VM ID.

46. An apparatus for executing an obfuscated application program, the apparatus comprising a user device configured to:
- receive an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes;
  
  determine a dispatch table associated with said application program, said dispatch table corresponding to said one of a plurality of instruction set opcode value encoding schemes; and
  
  execute said application program using said associated dispatch table.
- View Dependent Claims (47, 48)
- - 47. The apparatus of claim 46 wherein said user device is further configured to generate said dispatch table in response to said receiving.
  - 48. The apparatus of claim 46 wherein user device is further configured to select a dispatch table from a plurality of dispatch tables in response to said receiving, said plurality of dispatch tables stored in a memory.

49. An apparatus for executing an obfuscated application program, the apparatus comprising a user device configured to:
- receive an obfuscated application program, said obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of non-standard instruction set opcode value encoding schemes;
  
  determine an instruction set opcode value encoding scheme associated with said obfuscated application program;
  
  rewrite said application program using a standard opcode value encoding scheme if said received application program is not encoded using said standard opcode value encoding scheme; and
  
  execute said application program using a dispatch table associated with said standard opcode value encoding scheme.

50. An apparatus for application program obfuscation, the apparatus comprising an application program provider configured to:
- read an application program comprising code;
  
  transform said application program code into transformed application program code that uses one of a plurality of opcode value encoding schemes of a dispatch table associated with said application program; and
  
  send said transformed application program code.
- View Dependent Claims (51, 52)
- - 51. The apparatus of claim 50, said application program provider further configured to receive an application program request from a user device, said transforming responsive to said receiving.
  - 52. The apparatus of claim 50 wherein said application program provider is further configured to apply a cryptographic process to said obfuscated application program together with a cryptographic key to create an encrypted obfuscated application program after said creating;
    - and said application program provider is further configured to send said encrypted obfuscated application program.

53. An apparatus for creating an opcode value encoding scheme for an instruction set, the apparatus comprising an application program provider configured to:
- create a series of numbers using a randomized process;
  
  filter said series to remove duplicate numbers; and
  
  create a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.

54. An apparatus for creating an opcode value encoding scheme for an instruction set, the apparatus comprising an application program provider configured to:
- select a seed and a cryptographic key;
  
  create a series of numbers based at least in part on said seed and said cryptographic key, said seed having a size that is less than the size of said series;
  
  filter said series to remove duplicate numbers; and
  
  create a one-to-one mapping between instruction implementation methods in an instruction set and said numbers.
- View Dependent Claims (55, 56, 57, 58, 59, 60)
- - 55. The apparatus of claim 54 wherein said application program provider is configured to use a loop back hash function to create said series.
  - 56. The apparatus of claim 55 wherein said loop back hash function comprises the MD4 algorithm.
  - 57. The apparatus of claim 55 wherein said loop back hash function comprises the MD5 algorithm.
  - 58. The apparatus of claim 55 wherein said loop back hash function comprises the SHA-1 algorithm.
  - 59. The apparatus of claim 55 wherein said key is based at least in part on a target ID.
  - 60. The apparatus of claim 59 wherein said target ID comprises a VM ID.

61. A memory for storing data for access by an application program being executed on a data processing system, comprising:
- a data structure stored in said memory, said data structure including information used by said application program execute an obfuscated application program, said data structure an obfuscated application program comprising at least one instruction opcode value encoded using one of a plurality of instruction set opcode value encoding schemes.
- View Dependent Claims (62, 63)
- - 62. The memory of claim 61 wherein said data structure further comprises a cryptographic key and protected data, said protected data encrypted using said cryptographic key.
  - 63. The memory of claim 61 wherein said data structure further comprises an obfuscation descriptor that indicates an obfuscation method used to create said obfuscated application program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
de Jong, Eduard K.

Granted Patent

US 7,415,618 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/190
CPC Class Codes

G06F 21/125   by manipulating the program...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/60   Digital content management,...

H04L 9/002   Countermeasures against att...

H04L 9/34   Bits, or blocks of bits, of...

Y10S 707/99942   Manipulating data structure...

Permutation of opcode values for application program obfuscation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

63 Claims

Specification

Solutions

Use Cases

Quick Links

Permutation of opcode values for application program obfuscation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

63 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links