To Prevent Reverse-Enginnering Tools by Shuffling the Stack Status with Hook Mechanism


Kazumasa Fukuda (Kyoto Sangyo University, Kyoto, Japan) and Haruaki Tamada (Kyoto Sangyo University, Kyoto, Japan)
Copyright: © 2015 | Pages: 12
DOI: 10.4018/IJSI.2015070102

Abstract

In this paper, we propose an obfuscation method that shuffles the stack status to prevent illegal analysis by crackers. Generally, crackers try to build a call flow graph of a program to clarify its behavior. The call flow graph represents the relations among methods and helps in comprehending a program. In object-oriented languages, meanwhile, a callee is determined by a method name and the stack status. Changing the stack status therefore changes the callee when the callee is overloaded. We thus focus on a hook mechanism that changes a callee at runtime by changing the stack status. A program to which our method has been applied causes reverse-engineering tools to produce a fake call flow graph (CFG), and the fake CFG leads to misunderstanding of the program. We conducted two experiments to evaluate the proposed method. The first evaluates the tolerance against existing reverse-engineering tools: Soot, Jad, Procyon, and Krakatau. Only Procyon succeeded in decompilation; the others crashed. The second evaluates the understandability of a program obfuscated by our method. Only one of the nine subjects answered with the correct value. The experiments show that the proposed method leads to misunderstanding even if the target program is tiny and simple.
Article Preview

2. Proposed Method

2.1. Program Obfuscation Method

Before describing our method, we describe what a program obfuscation method is. A program obfuscation method transforms a program to make it harder to understand. Collberg et al. give a definition of the program obfuscation method (Collberg & Nagra, 2009). We restate the definition as follows.

  • Definition 1 (Program Obfuscation Method): Let p be a given program, I be an input set for p, and r(p, I) be an output of p with I. Let X be a set of information in p, and c(p, X) be a cost for extracting X from p. Then, the obfuscation of p with respect to X is to transform p into p′ with a certain method f (p′ = f(p)), such that
      Condition 1: r(p, I) = r(p′, I), and
      Condition 2: c(p, X) < c(p′, X).

Condition 1 requires that the input/output mapping be the same before and after the obfuscation. This means that the obfuscation must preserve the external specification of the target program. Condition 2 means that understanding p′ is significantly more difficult than understanding p for extracting X.
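The following added example (not code from the paper) models the idea in the abstract together with Definition 1: on a toy stack machine, the obfuscated program keeps the same output (Condition 1) while a static view of it names the wrong overloaded callee. The stack machine, the method name `m`, its two overloads, and the hook's behaviour of swapping the top two operands are all assumptions made for illustration.

```python
# Toy stack machine (constructed model, not JVM bytecode). An overloaded
# callee is selected by method name plus the types of the top two operands.
OVERLOADS = {
    ("m", (int, str)): (lambda n, s: s * n, str),       # callee the program needs
    ("m", (str, int)): (lambda s, n: len(s) + n, int),  # decoy overload
}

def run(program):
    """Execute the program; return (result, callees actually invoked)."""
    stack, calls = [], []
    for op, arg in program:
        if op == "push":
            stack.append(arg)
        elif op == "hook":
            # Assumed hook behaviour: swap the top two operands at runtime.
            stack[-2:] = stack[-2:][::-1]
        elif op == "invoke":
            key = (arg, tuple(type(v) for v in stack[-2:]))
            calls.append(key)
            b, a = stack.pop(), stack.pop()
            stack.append(OVERLOADS[key][0](a, b))
    return stack[-1], calls

def static_calls(program):
    """Callees a static tool recovers: it tracks operand types only and
    models the hook as a call with no effect on the stack."""
    types, calls = [], []
    for op, arg in program:
        if op == "push":
            types.append(type(arg))
        elif op == "invoke":
            key = (arg, tuple(types[-2:]))
            calls.append(key)
            types[-2:] = [OVERLOADS[key][1]]  # replace args with return type
    return calls

P = [("push", 2), ("push", "ab"), ("invoke", "m")]                      # p
P_OBF = [("push", "ab"), ("push", 2), ("hook", None), ("invoke", "m")]  # p' (obfuscated)

def check(p, p_obf):
    """Compare outputs (Condition 1) and static vs. runtime callees."""
    (out_p, real_p), (out_o, real_o) = run(p), run(p_obf)
    return {
        "condition1_same_output": out_p == out_o,
        "static_graph_correct_for_p": static_calls(p) == real_p,
        "static_graph_correct_for_p_obf": static_calls(p_obf) == real_o,
    }

if __name__ == "__main__":
    print(check(P, P_OBF))
```

With X taken as the call graph, an analyst who trusts the static view of p′ follows the decoy overload and predicts a different value than the program actually produces.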
