Code Obfuscation By Reference Linking
First Claim
1. A method for obfuscating executable computer code which derives from assembler source instructions, the method comprising:
- breaking the assembler source instructions into a plurality of fragments, and entering each fragment of said plurality of fragments into a fragment database;
- examining each of said plurality of fragments and excluding a fragment from said fragment database if at least one of the following conditions occurs:
  - said fragment has a fragment size smaller than a predetermined minimum fragment size;
  - said fragment contains stack-pointer modification instructions;
  - said fragment contains a branching instruction to a relative address outside the fragment;
  - assembler source instructions contain a branching instruction into said fragment from outside said fragment;
- for each fragment remaining in said fragment database:
  - making a copy of said fragment in an area of program space of the assembler source instructions and appending a return instruction thereto;
  - replacing the fragment in the assembler source instructions with a call to said copy, followed by a jump; and
- assembling the assembler source instructions into obfuscated executable code.
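The exclusion tests and the call-plus-jump rewrite of claim 1, applied to a toy listing, as an added example that is not taken from the patent. The listing, the fixed fragment boundaries, the mnemonic sets, the minimum size of 3 and the jump landing directly after the replaced fragment are all assumptions, since the claim leaves them open.

```python
# Added illustration, not the patent's code. All data below is constructed.
BRANCHES = {"jmp", "je", "jne", "jz", "jnz", "jl", "jg", "loop"}   # assumed set
STACK_OPS = {"push", "pop", "call", "ret", "enter", "leave"}       # assumed set
SP_REGS = {"sp", "esp", "rsp"}
MIN_SIZE = 3  # assumed "predetermined minimum fragment size", in instructions

# Toy listing as (label, mnemonic, operands); ("name", "", "") is a bare label.
LISTING = [
    (None, "mov", "eax, 1"), (None, "add", "eax, ebx"), (None, "xor", "ecx, ecx"),
    (None, "push", "eax"), (None, "mov", "edx, 2"), (None, "pop", "eax"),
    (None, "inc", "ecx"), (None, "cmp", "ecx, 4"), (None, "jne", "mid"),
    (None, "mov", "esi, edi"), ("mid", "add", "esi, 1"), (None, "sub", "edi, 1"),
    (None, "nop", ""), (None, "nop", ""),
]
FRAGMENTS = [(0, 3), (3, 6), (6, 9), (9, 12), (12, 14)]  # assumed boundaries

def exclusion_reasons(listing, start, end):
    """Return which of the claim's four exclusion conditions a fragment meets."""
    frag = listing[start:end]
    inside = {lbl for lbl, _, _ in frag if lbl}
    outside = listing[:start] + listing[end:]
    reasons = []
    if len(frag) < MIN_SIZE:
        reasons.append("too_small")
    # Conservative: any instruction whose first operand is the stack pointer counts.
    if any(m in STACK_OPS or ops.split(",")[0].strip() in SP_REGS for _, m, ops in frag):
        reasons.append("stack")
    # A branch whose target is not a label inside the fragment leaves it.
    if any(m in BRANCHES and ops not in inside for _, m, ops in frag):
        reasons.append("branch_out")
    if any(m in BRANCHES and ops in inside for _, m, ops in outside):
        reasons.append("branch_in")
    return reasons

def obfuscate(listing, fragments):
    """Return (in-line code, relocated copies) after the call-plus-jump rewrite."""
    inline, relocated = [], []
    for n, (start, end) in enumerate(fragments):
        frag = listing[start:end]
        if exclusion_reasons(listing, start, end):
            inline += frag  # excluded fragments stay in line, unchanged
            continue
        # Copy the fragment elsewhere and append a return to it.
        relocated += [(f"frag_{n}", "", "")] + frag + [(None, "ret", "")]
        # Replace the original with a call to the copy, followed by a jump.
        inline += [(None, "call", f"frag_{n}"), (None, "jmp", f"after_{n}"),
                   (f"after_{n}", "", "")]
    return inline, relocated
```

Only the first fragment survives all four tests here; each of the others trips exactly one condition.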
Abstract
A method of obfuscating executable computer code to impede reverse-engineering, by interrupting the software's execution flow and replacing in-line code with calls to subroutines that do not represent logical program blocks. Embodiments of the present invention introduce decoy code to confuse attackers, and computed branching to relocated code so that actual program flow cannot be inferred from disassembled source representations.
10 Claims
Specification