Obfuscation techniques for enhancing software security
DCFirst Claim
1. A computer implemented method for obfuscating code, comprising:
- identifying one or more source code input files corresponding to source code for the code of an application to be processed;
selecting a required level of obfuscation (the potency);
selecting a maximum execution time or space penalty (the cost);
reading and parsing the input files;
providing information identifying data types, data structures, and control structures used by the application to be processed;
selecting and applying obfuscating transformations to source code objects until the required potency has been achieved or the maximum cost has been exceeded; and
outputting the transformed code of the application, wherein the transformed code provides weak equivalence to the untransformed code.
7 Assignments
Litigations
0 Petitions
Accused Products
Abstract
The present invention provides obfuscation techniques for enhancing software security. In one embodiment, a method for obfuscation techniques for enhancing software security includes selecting a subset of code (e.g., compiled source code of an application) to obfuscate, and obfuscating the selected subset of the code. The obfuscating includes applying an obfuscating transformation to the selected subset of the code. The transformed code can be weakly equivalent to the untransformed code. The applied transformation can be selected based on a desired level of security (e.g., resistance to reverse engineering). The applied transformation can include a control transformation that can be creating using opaque constructs, which can be constructed using aliasing and concurrency techniques. Accordingly, the code can be obfuscated for enhanced software security based on a desired level of obfuscation (e.g., based on a desired potency, resilience, and cost).
781 Citations
171 Claims
-
1. A computer implemented method for obfuscating code, comprising:
-
identifying one or more source code input files corresponding to source code for the code of an application to be processed;
selecting a required level of obfuscation (the potency);
selecting a maximum execution time or space penalty (the cost);
reading and parsing the input files;
providing information identifying data types, data structures, and control structures used by the application to be processed;
selecting and applying obfuscating transformations to source code objects until the required potency has been achieved or the maximum cost has been exceeded; and
outputting the transformed code of the application, wherein the transformed code provides weak equivalence to the untransformed code. - View Dependent Claims (2, 3, 4, 5)
outputting information about obfuscating transformations applied to the obfuscated code and information relating obfuscated code of a transformed application to source code of the application.
-
-
4. The method of claim 1, wherein at least one transformation is selected to preserve the observable behavior of the code of an application.
-
5. The method of claim 1, further comprising:
deobfuscating the code, the deobfuscating the code comprising removing any obfuscations from the obfuscated code of an application by use of slicing, partial evaluation, dataflow analysis, or statistical analysis.
-
6. A computer program embodied on a computer-readable medium for obfuscating code, comprising:
-
logic that identifies one or more source code input files corresponding to source code for the code of an application to be processed;
logic that selects a required level of obfuscation (the potency);
logic that selects a maximum execution time or space penalty (the cost);
logic that reads and parses the input files;
logic that provides information identifying data types, data structures, and control structures used by the application to be processed;
logic that selects and applies obfuscating transformations to source code objects until the required potency has been achieved or the maximum cost has been exceeded; and
logic that outputs the transformed code of the application, wherein the transformed code provides weak equivalence to the untransformed code. - View Dependent Claims (7, 8, 9, 10)
logic that outputs information about obfuscating transformations applied to the obfuscated code and information relating obfuscated code of a transformed application to source code of the application.
-
-
9. The computer program of claim 6, wherein at least one transformation is selected to preserve the observable behavior of the code of an application.
-
10. The computer program of claim 6, further comprising:
logic that deobfuscates the code, the deobfuscating the code comprising removing any obfuscations from the obfuscated code of an application by use of slicing, partial evaluation, dataflow analysis, or statistical analysis.
-
11. An apparatus for obfuscating code, comprising:
-
means for identifying one or more source code input files corresponding to source code for the code of an application to be processed;
means for selecting a required level of obfuscation (the potency);
means for selecting a maximum execution time or space penalty (the cost);
means for reading and parsing the input files;
means for providing information identifying data types, data structures, and control structures used by the application to be processed;
means for selecting and applying obfuscating transformations to source code objects until the required potency has been achieved or the maximum cost has been exceeded; and
means for outputting the transformed code of the application, wherein the transformed code provides weak equivalence to the untransformed code. - View Dependent Claims (12, 13, 14, 15, 16, 17)
means for outputting information about obfuscating transformations applied to the obfuscated code and information relating obfuscated code of a transformed application to source code of the application.
-
-
14. The apparatus of claim 11, wherein at least one transformation is selected to preserve the observable behavior of the code of an application.
-
15. The apparatus of claim 11, further comprising:
means for deobfuscating the code, the deobfuscating the code comprising removing any obfuscations from the obfuscated code of an application by use of slicing, partial evaluation, dataflow analysis, or statistical analysis.
-
16. The apparatus of claim 11, wherein the code comprises Java™
- bytecode.
-
17. The apparatus of claim 11, wherein at least one transformation provides a data obfuscation, a control obfuscation, or a preventive obfuscation.
-
18. A computer-implemented method for obfuscating computer code, the method including:
-
loading the computer code that is to be obfuscated into a memory unit;
selecting one or more obfuscation transformations to apply to the computer code, wherein at least one obfuscation transformation is one of;
a transformation that includes converting at least one reducible control flow graph to a non-reducible control flow graph;
a transformation that includes splitting at least one loop;
a transformation that includes identifying a programming idiom that is used in the computer code, and replacing at least one programming construct that exemplifies the programming idiom with an equivalent programming construct that does not exemplify the programming idiom;
a transformation that includes promoting at least one variable to a more general type;
a transformation that includes merging two variables into a single variable;
a transformation that includes splitting a variable into at least two variables; and
a transformation that includes replacing at least one string with a call to a procedure that produces the string; and
generating obfuscated computer code by applying the one or more obfuscation transformations to the computer code, wherein the obfuscated computer code is more resistant to reverse engineering, decompilation, or attack than the computer code. - View Dependent Claims (19, 20, 21)
evaluating the obfuscated computer code to obtain a metric indicative of a level of obfuscation associated with the obfuscated computer code; and
applying additional obfuscation transformations to the obfuscated computer code if the metric is less than a predefined level.
-
-
20. A method as in claim 18, further including:
-
performing a preprocessing pass on the computer code, wherein the preprocessing pass serves to gather information about the computer code, and wherein performing the preprocessing pass includes performing at least one of (a) data flow analysis, and (b) data dependence analysis on the computer code; and
using the information gathered in the preprocessing pass in selecting the one or more obfuscation transformations to apply to the computer code.
-
-
21. A method as in claim 18, in which the computer code that is to be obfuscated is characterized by an absence of annotations pre-inserted for the purpose of facilitating a subsequent application of obfuscation transformations to the computer code.
-
22. A computer-implemented method for obfuscating computer code, the method including:
-
loading the computer code that is to be obfuscated into a memory module;
performing a preprocessing pass on the computer code, the preprocessing pass serving to gather information about the computer code for use in selecting and applying one or more obfuscation transformations to the computer code;
selecting one or more obfuscation transformations to apply to the computer code;
generating obfuscated computer code by applying the one or more obfuscation transformations to the computer code;
evaluating the obfuscated computer code to obtain an obfuscation level associated with the computer code; and
applying additional obfuscation transformations to the obfuscated computer code if the obfuscation level is less than a predefined amount;
wherein the obfuscated computer code is rendered more resistant to reverse engineering, decompilation, or attack than the computer code. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
constructing one or more control flow graphs for one or more routines contained in the computer code.
-
-
24. A method as in claim 22, in which performing a preprocessing pass on the computer code includes constructing an inheritance graph for a plurality of classes contained in the computer code.
-
25. A method as in claim 22, in which selecting one or more obfuscation transformations includes:
-
obtaining an obfuscation metric for each of a plurality of obfuscation transformations;
obtaining a cost metric for each of the plurality of obfuscation transformations; and
choosing one or more obfuscation transformations for which the obfuscation metric is maximized and the cost metric is minimized.
-
-
26. A method as in claim 25, in which the obfuscation metric for a given obfuscation transformation is based, at least in part, on a measure of potency and a measure of resilience of the given obfuscation transformation.
-
27. A method as in claim 25, in which the cost metric of a given obfuscation transformation is based, at least in part, on an execution time penalty and a space penalty associated with the given obfuscation transformation.
-
28. A method as in claim 22, in which selecting one or more obfuscation transformations to apply to the computer code includes:
-
evaluating an appropriateness metric for one or more obfuscation transformations; and
selecting one or more obfuscation transformations for which the appropriateness metric is higher than the appropriateness metric for one or more other obfuscation transformations.
-
-
29. A method as in claim 28, in which evaluating an appropriateness metric for a given obfuscation transformation includes:
-
comparing one or more programming constructs used by the given obfuscation transformation to one or more programming constructs used by at least a portion of the computer code; and
assigning a value to the appropriateness metric based on a degree of similarity between the programming constructs used by the given obfuscation transformation and the programming constructs used by the portion of the computer code.
-
-
30. A method as in claim 22, in which the computer code includes one or more object code files and one or more library code files referenced by the one or more object code files.
-
31. A method as in claim 22, further including:
receiving obfuscation control information as input.
-
32. A method as in claim 31, in which the obfuscation control information includes one or more parameters relating to an acceptable obfuscation cost and/or a desired level of obfuscation.
-
33. A method as in claim 31, in which the obfuscation control information includes one or more parameters relating to a maximum acceptable execution time penalty and a maximum acceptable space penalty associated with the computer code after obfuscation.
-
34. A method as in claim 31, in which the obfuscation control information includes one or more parameters indicative of a desired level of obfuscation potency and/or resilience.
-
35. A method as in claim 22, further including:
receiving as input an obfuscation priority, the obfuscation priority being associated with at least a portion of the computer code, wherein the obfuscation priority comprises a metric of the importance of obfuscating the portion of the computer code with which it is associated.
-
36. A method as in claim 22, in which the computer code includes a plurality of routines, the method further including:
-
assigning an execution time rank to one or more routines; and
associating an obfuscation priority with each of the one or more routines, wherein the obfuscation priority associated with a given routine is inversely proportional to the execution time rank of the given routine.
-
-
37. A method as in claim 22, further including:
-
receiving profiling data as input, the profiling data providing some assistance in identifying relatively frequently-executed portions of the computer code; and
using the profiling data to control, at least in part, application of obfuscation transformations to the computer code.
-
-
38. A method as in claim 22, further including:
generating a file of annotated computer code, the file of annotated computer code providing an indication of how the one or more obfuscation transformations were applied to the computer code.
-
39. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes converting at least one reducible control flow graph to an irreducible control flow graph.
-
40. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes removing at least one programming idiom from the computer code.
-
41. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes splitting an array into at least two arrays.
-
42. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes merging two arrays into a single array.
-
43. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes restructuring an array so that it has a different number of dimensions.
-
44. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes adding at least one opaque programming construct to the computer code.
-
45. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes interleaving programming statements from at least two different subroutines.
-
46. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes:
-
selecting a subroutine in the computer code;
adding an obfuscated version of the subroutine to the computer code; and
replacing a call to the subroutine with a call to the obfuscated version of the subroutine;
wherein the computer code, after application of the one or more obfuscation transformations, includes;
the subroutine;
at least one call to the subroutine;
the obfuscated version of the subroutine; and
at least one call to the obfuscated version of the subroutine.
-
-
47. A method as in claim 46, in which the subroutine comprises a method, procedure, function, or routine.
-
48. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes unrolling at least one loop contained in the computer code.
-
49. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes splitting at least one loop contained in the computer code.
-
50. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes promoting at least one variable to a more general type.
-
51. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes merging two variables into a single variable.
-
52. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes splitting a variable into at least two variables.
-
53. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes inserting a bogus class.
-
54. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes replacing at least one string with a call to a procedure that produces the string.
-
55. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes scrambling at least one identifier.
-
56. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes inserting dead or irrelevant code.
-
57. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes inlining at least one method, procedure, or function call.
-
58. A method as in claim 22, in which the one or more obfuscation transformations include a transformation that includes outlining computer code into at least one method, procedure, or function.
-
59. A computer program product for obfuscating a computer program or a computer program module, the computer program product including:
-
computer code for gathering information about the computer program or module by performing a preprocessing pass on the computer program or module;
computer code for performing a plurality of obfuscation transformations;
computer code for selecting an obfuscation transformation to apply to the computer program or module, wherein the selecting is based, at least in part, on the information gathered about the computer program or module during the preprocessing pass;
computer code for applying one or more obfuscation transformations to the computer program or module;
computer code for calculating a metric indicative of the degree to which the computer program or module is obfuscated;
computer code for comparing the metric to a threshold;
computer code for applying additional obfuscation transformations to the computer program or module if the metric is less than the threshold; and
a computer readable medium that stores the computer codes. - View Dependent Claims (60, 61, 62, 63)
computer code for receiving user-input regarding a desired level of obfuscation; and
computer code for using, at least in part, the desired level of obfuscation to set the threshold.
-
-
61. A computer program product as in claim 59, in which the computer code for gathering information about the computer program or module includes:
computer code for performing data dependency analysis on the computer program or module.
-
62. A computer program product as in claim 59, in which the computer code for performing a plurality of obfuscation transformations includes computer code for implementing at least one opaque construct.
-
63. A computer program product as in claim 62, in which the at least one opaque construct is generated using at least one of (a) aliasing, or (b) concurrency techniques.
-
64. A computer-implemented method for obfuscating computer code, the method including:
-
loading the computer code that is to be obfuscated into a memory module;
performing a preprocessing pass on the computer code, wherein the preprocessing pass serves to gather information about the computer code, and wherein performing the preprocessing pass includes performing at least one of (a) data flow analysis, or (b) data dependence analysis on the computer code;
selecting one or more obfuscation transformations to apply to the computer code, the one or more obfuscation transformations being selected, at least in part, using the information gathered in the preprocessing pass; and
generating obfuscated computer code by applying the one or more obfuscation transformations to the computer code. - View Dependent Claims (65, 66, 67)
constructing one or more control flow graphs for one or more routines contained in the computer code that is to be obfuscated; and
constructing an inheritance graph for a plurality of classes included in the computer code.
-
-
66. A method as in claim 64, in which selecting one or more obfuscation transformations to apply to the computer code includes:
-
calculating an appropriateness metric for one or more obfuscation transformations, wherein calculating the appropriateness metric for a given obfuscation transformation includes;
comparing one or more programming constructs used by the given obfuscation transformation to one or more programming constructs used by at least a portion of the computer code; and
assigning a value to the appropriateness metric based on a degree of similarity between the one or more programming constructs used by the given obfuscation transformation and the one or more programming constructs used by the portion of the computer code;
selecting one or more obfuscation transformations for which the appropriateness metric is higher than the appropriateness metric for one or more other obfuscation transformations.
-
-
67. A method as in claim 64, in which the computer code that is to be obfuscated is characterized by an absence of annotations pre-inserted for the purpose of facilitating a subsequent application of obfuscation transformations to the computer code.
-
68. A computer-implemented method for obfuscating computer code, the method including:
-
loading the computer code that is to be obfuscated into a memory module;
selecting one or more obfuscation transformations to apply to the computer code;
generating obfuscated computer code by applying the one or more obfuscation transformations to the computer code;
evaluating the obfuscated computer code to obtain an obfuscation level associated therewith; and
applying additional obfuscation transformations to the obfuscated computer code if the obfuscation level is less than a predefined level, wherein the obfuscated computer code is more resistant to reverse engineering, decompilation, or attack than the computer code. - View Dependent Claims (69)
performing a preprocessing pass on the computer code that is to be obfuscated, wherein the preprocessing pass serves to gather information about the computer code; and
using the information gathered in the preprocessing pass in selecting the one or more obfuscation transformations to apply to the computer code.
-
-
70. A method of obfuscating a computer program or computer program module, the computer program or module containing a first variable of a first type, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a second variable and a third variable;
replacing a reference to the first variable with a programming construct, wherein the programming construct is designed to use the second variable and the third variable to replicate the reference to the first variable. - View Dependent Claims (71, 72, 73, 74, 75, 76, 77)
a first operation which sets a value for the second variable; and
a second operation which sets a value for the third variable.
-
-
76. A method as in claim 70, in which the programming construct further includes a look-up table, and in which values for the second variable and the third variable can be used to determine a boolean value from the look-up table.
-
77. A method as in claim 76, in which the look-up table is constructed at run-time by an algorithm incorporated into the programming construct.
-
78. A method of obfuscating a computer program or module, the computer program or module including a first procedure containing a first local variable of a first type and a second procedure containing a second local variable of a second type, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
creating a global variable;
replacing at least one reference to the first local variable with a reference to the global variable; and
replacing at least one reference to the second local variable with a reference to the global variable. - View Dependent Claims (79, 80, 81)
-
-
82. A method of obfuscating a computer program or module, the computer program or module including at least one reference to a first instance of an indexed data type, the first instance of the indexed data type including at least two elements, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a second instance of the indexed data type and a third instance of the indexed data type;
storing at least a first element from the first instance of the indexed data type in the second instance of the indexed data type;
storing at least a second element from the first instance of the indexed data type in the third instance of the indexed data type, the second element being different from the first element;
replacing a first reference to the first instance of the indexed data type with a reference to the second instance of the indexed data type; and
replacing a second reference to the first instance of the indexed data type with a reference to the third instance of the indexed data type;
wherein the reference to the second instance of the indexed data type and the reference to the third instance of the indexed data type are designed to retrieve the first element and the second element, respectively.
-
-
83. A method of obfuscating a computer program or module, the computer program or module including at least one reference to a first instance of an indexed data type and at least one reference to a second instance of the indexed data type, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a third instance of the indexed data type;
storing data from the first instance of the indexed data type and data from the second instance of the indexed data type in the third instance of the indexed data type;
replacing a reference to the first instance of the indexed data type with a reference to the third instance of the indexed data type; and
replacing a reference to the second instance of the indexed data type with a reference to the third instance of the indexed data type. - View Dependent Claims (84, 85, 86, 87, 88, 89)
inserting into the computer program or module a first programming construct used to refer to a location within the third instance of the indexed data type corresponding to the particular location within the first-instance of the indexed data type.
-
-
86. A method as in claim 85, in which the reference to the second instance of the indexed data type is designed to refer to a particular location within the second instance of the indexed data type, and in which replacing the reference to the second instance of the indexed data type further includes:
inserting into the computer program or module a second programming construct used to refer to a location within the third instance of the indexed data type corresponding to the particular location within the second instance of the indexed data type.
-
87. A method as in claim 86, in which:
-
the first programming construct uses at least a first variable; and
the second programming construct uses at least a second variable.
-
-
88. A method as in claim 87, in which:
the first variable and the second variable are different, and in which the first programming construct and the second programming construct are otherwise the same.
-
89. A method as in claim 83, in which the first instance of the indexed data type comprises a string of characters and the second instance of the indexed data type comprises a string of characters.
-
90. A method of obfuscating a computer program or module, the computer program or module including a first instance of an indexed data type, the first instance having n dimensions, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a second instance of the indexed data type, the second instance having m dimensions, m being different from n;
storing data from the first instance of the indexed data type into the second instance of the indexed data type; and
replacing a reference to the first instance of the indexed data type with a reference to the second instance of the indexed data type, the reference to the second instance of the indexed data type being designed to retrieve a data element from the second instance of the indexed data type that corresponds to a data element in the first instance of the indexed data type to which the reference to the first instance of the indexed data type refers. - View Dependent Claims (91)
-
-
92. A method of obfuscating a computer program or module, the computer program or module being designed to carry out one or more specified tasks and including a first thread, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a second thread;
inserting one or more programming statements into the computer program or module, the programming statements carrying out no function which contributes to the one or more specified tasks, wherein at least one or more of the programming statements are designed to run in the second thread. - View Dependent Claims (93, 94, 95, 96)
-
-
97. A method of obfuscating a computer program or module, the computer program or module being designed to carry out one or more specified tasks, the computer program or module containing at least one variable used in at least one process, the variable being set to an initial value, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation without materially affecting accomplishment of the one or more specified tasks, the alteration including;
altering the initial value of the variable to yield an altered initial value; and
altering the process to take into account the altered initial value. - View Dependent Claims (98)
incrementing or decrementing the variable for each iteration through the process; and
continuing iteration until the variable reaches a predefined ending value;
wherein altering the process to take into account the altered initial value includes altering the predefined ending value.
-
-
99. A method of obfuscating a computer program or module, the computer program or module containing a variable of a first type, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
creating a variable of a second type, the second type being more general than the first type; and
replacing at least one reference in the computer program or module to the variable of the first type with a reference to the variable of the second type. - View Dependent Claims (100)
-
-
101. A method of obfuscating a computer program or module, the computer program or module including a first character string, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a programming construct designed to dynamically produce the first character string; and
replacing at least one instance of the first character string with the programming construct or a call to the programming construct. - View Dependent Claims (102, 103)
the computer program or module further includes a second character string;
and in which the programming construct accepts a variable value as an input, and produces the first character string or the second character string depending, at least in part, on the variable value.
-
-
103. A method as in claim 102, in which the programming construct comprises a computational function, computational method, procedure, subroutine, or routine.
-
104. A method of obfuscating a computer program or module, the computer program or module including a first variable and a second variable, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
specifying a third variable;
replacing a reference to the first variable with a programming construct, the programming construct including at least one programming statement designed to use a value of the third variable to determine a value of the first variable;
replacing a reference to the second variable with the programming construct, the programming construct including at least one programming statement designed to use the value of the third variable to determine a value of the second variable. - View Dependent Claims (105, 106, 107, 108, 109, 110)
incorporating into the computer program or module an operation performed on the third variable, the operation performing no function necessary for correct execution of the computer program or module.
-
-
108. A method as in claim 107, in which the operation is incorporated into the computer program or module in such a manner that the operation is not performed during normal execution of the computer program or module.
-
109. A method as in claim 107, in which execution of the operation is conditioned on a second operation, the second operation including evaluation of an opaque predicate, the opaque predicate being designed to evaluate in such a manner that the operation is not executed during normal execution of the computer program or module.
-
110. A method as in claim 109, in which the operation includes a rotate operation performed on the third variable.
-
111. A method of obfuscating a computer program or module, the computer program or module including a first variable, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
specifying an instance of an indexed data type, the instance containing at least two elements; and
replacing at least one reference to the first variable with a first programming construct, the first programming construct including one or more programming statements which use, at least in part, one or more values stored in at least one of the elements of the instance of the indexed data type. - View Dependent Claims (112, 113, 114, 115)
the computer program or module includes a second variable; and
the alteration further includes;
replacing at least one reference to the second variable with a second programming construct, the second programming construct including one or more programming statements which use, at least in part, one or more values stored in at least one of the elements of the instance of the indexed data type.
-
-
115. A method as in claim 114, in which the first programming construct and the second programming construct include retrieval of an element from the instance of the indexed data type.
-
116. A method of obfuscating a computer program or module, the computer program or module including a first variable value used in a first indexing operation on an instance of an indexed data type, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
creating a first opaque encoding function, the first opaque encoding function using the first variable value to compute a second variable value for use in indexing the instance of the indexed data type; and
replacing the first indexing operation with a second indexing operation, the second indexing operation using the second variable value to index the instance of the indexed data type. - View Dependent Claims (117)
-
-
118. A method of obfuscating a computer program or module, the computer program or module including a loop, the method including:
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including reversing the direction of the loop. - View Dependent Claims (119)
-
120. A method of obfuscating a computer program or module, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
incorporating an opaque computational function into the computer program or module, wherein evaluation of the opaque computational function depends, at least in part, on a value of a predefined variable;
including a first parallel process and a second parallel process in the computer program or module, the first parallel process and the second parallel process determining, at least in part, the value of the predefined variable; and
modifying the computer program or module so that at least one operation depends upon the opaque computational function evaluating to a predefined value. - View Dependent Claims (121, 122, 123, 124)
the first parallel process includes a first thread, and the second parallel process includes a second thread.
-
-
122. A method as in claim 121, in which the first and second threads execute concurrently.
-
123. A method as in claim 122, in which the first thread includes one or more programming statements that cause execution of the first thread to pause and to later resume.
-
124. A method as in claim 120, in which the opaque computational function comprises an opaque predicate.
-
125. A method of obfuscating a computer program or module, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
incorporating an opaque computational function into the computer program or module, including;
generating a first data structure containing first data structure elements, each first data structure element including a first field capable of pointing to at least one other first data structure element;
generating a first pointer pointing to a particular first data structure element; and
calculating a value of the opaque computational function by using, at least in part, a value of the first pointer;
altering the computer program or module so that at least one operation depend s upon the opaque computational f unction evaluating to a predefined value. - View Dependent Claims (126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137)
each first data structure element further includes an additional field; and
in which the alteration further includes;
adding to the computer program or module a first operation that is dependent on a value of the additional field of the particular first data structure element pointed to by the first pointer.
-
-
127. A method as in claim 126, in which the additional field comprises a boolean field.
-
128. A method as in claim 126, in which incorporating an opaque computational function into the computer program or module further includes:
adding a programming construct to the computer program or module which alters the value of the first pointer, the programming construct causing the first pointer to point to another first data structure element reachable from the particular first data structure element previously pointed to by the first pointer.
-
129. A method as in claim 128, in which incorporating an opaque computational function into the computer program or module further includes adding at least one programming statement which adds a new first data structure element to the first data structure.
-
130. A method as in claim 129, in which incorporating an opaque computational function into the computer program or module further includes:
-
generating a second data structure containing second data structure elements, each second data structure element including a first field capable of pointing to at least one other second data structure element;
generating a second pointer pointing to a particular second data structure data element; and
calculating a value of the opaque computational function by using, at least in part, a value of the second pointer.
-
-
131. A method as in claim 130, in which generating a second data structure is performed at runtime, and in which generating a second pointer is performed at runtime.
-
132. A method as in claim 130, in which:
-
none of the first data structure elements point to a second data structure element; and
none of the second data structure elements point to a first data structure element.
-
-
133. A method as in claim 132, in which the opaque computational function is calculated, at least in part, by an operation which results in a first state if the value of the first pointer is equal to the value of the second pointer, and a second state if the value of the first pointer is not equal to the value of the second pointer;
- whereby the operation always results in the second state.
-
134. A method as in claim 133, in which incorporating an opaque computational function into the computer program or module further includes:
adding a second programming construct which alters the value of the second pointer, the second programming construct causing the second pointer to point to another second data structure element reachable from the particular second data structure element previously pointed to by the second pointer.
-
135. A method as in claim 132, in which the opaque computational function is calculated, at least in part, by an operation which results in a first state if a value associated with the first data structure element pointed to by the first pointer is equal to a value associated with the second data structure element pointed to by the second pointer, and results in a second state if the value associated with the first data structure element pointed to by the first pointer is not equal to the value associated with the second data structure element pointed to by the second pointer.
-
136. A method as in claim 135, in which the value associated with the first data structure element and the value associated with the second data structure element include pointers to other data elements stored in the first and second data structures.
-
137. A method as in claim 130, in which incorporating an opaque computational function into the computer program or module further includes generating a third pointer, the third pointer pointing to one of the first data structure elements;
- whereby the opaque computational function is calculated, at least in part, by an operation which results in a first state if the value of the first pointer is equal to a value of the third pointer, and results in a second state if the value of the first pointer is not equal to the value of the third pointer, whereby the operation may result in the first state or the second state.
-
138. A method of obfuscating a computer program or module, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
incorporating a first opaque computational function into the computer program or module; and
including a first programming construct in the computer program or module, the first programming construct operable to execute a first group of one or more programming statements if the opaque computational function computes to a first value, and to execute a second group of one or more programming statements if the opaque computational function computes to a second value. - View Dependent Claims (139, 140, 141)
-
-
142. A method of obfuscating a computer program or module, the computer program or module including programming statements written in a first language, the method including:
-
performing an alteration on at least a portion of the computer program or module to form an altered computer program or module, the alteration being designed to render the altered computer program or module at least somewhat more resistant to reverse engineering or decompilation than the computer program or module, the alteration including;
translating at least some of the programming statements from the first language to a second language;
incorporating into the altered computer program or module at least one programming construct in the second language which lacks a direct correspondence with any programming construct in the first language. - View Dependent Claims (143, 144, 145, 146)
-
-
147. A process for obfuscating a computer program or module, the computer program or module including at least one call to a method in a first library class, the process including:
-
creating a second library class, the second library class containing a second set of one or more methods designed to perform one or more of the same operations as a first set of one or more methods contained in the first library class, wherein the second library class is designed to obscure, at least in part, similarity to the first library class; and
replacing in the computer program or module at least one call to a method in the first library class with a call to a method in the second library class;
whereby the computer program or module is rendered least somewhat more resistant to reverse engineering or decompilation. - View Dependent Claims (148, 149)
the second library class comprises a standard Java library class; and
the computer program or module is written in Java.
-
-
150. A method of obfuscating a computer program or module, the method including:
-
reviewing the computer program or module to identify at least one programming idiom; and
replacing at least one occurrence of the programming idiom with one or more alternative programming constructs designed to render the computer program or module more difficult to reverse engineer or decompile. - View Dependent Claims (151, 152)
-
-
153. A method of obfuscating a computer program or module, the computer program or module including a call to a particular procedure, the particular procedure being one of a group of procedures, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
replacing a call to the particular procedure with the group of procedures itself, each procedure in the group of procedures being located at a different address; and
incorporating a programming construct designed to jump to the address of the particular procedure. - View Dependent Claims (154)
-
-
155. A method of obfuscating a computer program or module, the computer program or module including a first procedure and a second procedure, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a third procedure, the third procedure including;
at least a portion of the first procedure;
at least a portion of the second procedure;
a parameter list for the first procedure;
a parameter list for the second procedure; and
a programming construct designed to allow a call to the third procedure to specify execution of the first procedure or the second procedure;
replacing at least one call to the first procedure with a call to the third procedure, the call to the third procedure including information used by the programming construct to cause the third procedure to execute at least a portion of the first procedure. - View Dependent Claims (156, 157, 158)
the computer program or module is written in Java, and the first and second procedures comprise Java methods.
-
-
157. A method as in claim 155, in which the programming construct includes an opaque variable.
-
158. A method as in claim 155, in which the programming construct includes an opaque predicate.
-
159. A method of obfuscating a computer program or module, the computer program or module including a loop, the loop including a body containing at least a first programming statement and a second programming statement, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
unrolling tho loop to form an unrolled loop, the unrolling including replicating the body of the loop one or more times;
splitting the unrolled loop into at least a first programming sequence and a second programming sequence, the first programming sequence including the first programming statement; and
the second programming sequence including the second programming statement;
whereby the first programming statement and the second programming statement are performed an equivalent number of times as in the unrolled loop.
-
-
160. A method of obfuscating a computer program or computer program module, the computer program or module including at least a first class, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
generating a second class and a third class, the third class inheriting directly from the second class, and the second class and the third class being designed to replace the first class;
incorporating the second class and the third class into the computer program or module; and
removing the first class from the computer program or module.
-
-
161. A method of deobfuscating an obfuscated computer program or computer program module, the method including:
-
loading the obfuscated computer program or module into a memory unit;
identifying one or more opaque programming constructs included in the obfuscated computer program or module, wherein identifying the one or more opaque programming constructs includes at least one of;
(a) performing pattern matching on the obfuscated computer program or module, wherein the pattern matching includes comparing one or more known opaque programming constructs to one or more programming constructs contained in the obfuscated computer program or module;
(b) performing program slicing on the obfuscated computer program or module; and
/or(c) performing statistical analysis on the computer program or module, wherein the statistical analysis includes (i) analyzing runtime characteristics of one or more predicates contained in the computer program or module, and (ii) determining that at least one predicate evaluates to a given value at least a predefined percentage of the time the computer program or module is run;
evaluating the one or more opaque programming constructs; and
producing a deobfuscated computer program or module by replacing at least one of the one or more opaque programming constructs with equivalent, non-opaque programming constructs;
whereby the deobfuscated computer program or module is rendered easier to understand, reverse engineer, or decompile than the obfuscated computer program or module.
-
-
162. A method of deobfuscating an obfuscated computer program or computer program module, the method including:
-
loading the obfuscated computer program or module into a memory unit;
determining that an obfuscation transformation has been applied to the obfuscated computer program or module;
selecting one or more deobfuscation transformations to apply to the obfuscated computer program or module, the one or more deobfuscation transformations being operable to counteract at least some effects of the obfuscation transformation; and
applying the one or more deobfuscation transformations to the obfuscated computer program or module, whereby the obfuscated computer program or module is rendered more amenable to reverse engineering, decompilation, or attack. - View Dependent Claims (163, 164, 165, 166, 167, 168)
performing a preprocessing pass on the obfuscated computer program or module, the preprocessing pass serving to collect information about the obfuscated computer program or module;
using the information gathered in the preprocessing pass in selecting the one or more deobfuscation transformation to apply to the computer code.
-
-
164. A method as in claim 163, in which performing the preprocessing pass includes performing data flow analysis on the obfuscated computer program or module.
-
165. A method as in claim 163, in which performing the preprocessing pass includes performing an aliasing analysis on the obfuscated computer program or module.
-
166. A method as in claim 163, in which performing the preprocessing pass includes performing one or more of the following:
-
building an inheritance tree;
building a symbol table;
constructing at least one control flow graph;
and performing theorem proving.
-
-
167. A method as in claim 162, in which determining that an obfuscation transformation has been applied to the obfuscated computer program or module includes at least one of:
-
(a) performing pattern matching on the obfuscated computer program or module, wherein the pattern matching includes comparing one or more known opaque programming constructs to one or more programming constructs contained in the obfuscated computer program or module;
(b) performing program slicing on the obfuscated computer program or module; and
(c) performing statistical analysis on the computer program or module, wherein the statistical analysis includes (i) analyzing runtime characteristics of one or more predicates contained in the computer program or module, and (ii) determining that at least one predicate evaluates to a given value at least a predefined percentage of the time the computer program or module is run.
-
-
168. A method as in claim 162, in which the deobfuscation transformation includes:
-
evaluating one or more opaque programming constructs contained in the computer program or module; and
replacing the one or more opaque programming constructs with equivalent, non-opaque programming constructs.
-
-
169. A method of obfuscating a computer program or computer program module, the computer program or module being designed to carry out one or more specified tasks, the method including:
-
performing an alteration on at least a portion of the computer program or module, the alteration being designed to render the computer program or module at least somewhat more resistant to reverse engineering or decompilation, the alteration including;
inserting one or more unnecessary program statements into the computer program or module, the one or more unnecessary program statements carrying out no function which contributes to the one or more specified tasks;
and wherein the unnecessary program statements are designed to render program slicing at least somewhat more difficult or expensive to employ. - View Dependent Claims (170, 171)
-
Specification