In some cases, it is desirable to hide the workings of a computer program. Many programs that are designed to perform legitimate functions could easily be modified to serve a malevolent purpose if a hacker could analyze the program and understand its workings. For example, if a program is designed to protect encrypted copyright material by decrypting the material only under conditions permitted by the copyright owner, a hacker could analyze this program and modify it to decrypt the material without restriction. One technique to protect software from this type of attack is to obscure or hide the operation of the software in order to complicate a hacker's attempt to analyze it; this technique is generically referred to as “code obfuscation.”
Since machine code completely and deterministically defines what a computer will do, a person with sufficient time and motivation can disassemble the code and discover what the code does and how it works. Code obfuscation is based on the premise that, by making the code more convoluted, less straightforward, or less readable, the time and energy needed to analyze the code will be increased, thereby frustrating a hacker. There are a number of ways to accomplish this goal. For example, a simple algorithm may be buried within thousands of lines of “diversionary” code—i.e., code that hides the “real” algorithm by performing many computations that ultimately produce no useful result. As another example, code may be scrambled or encrypted, and then triggers may be inserted into the code that cause the code to be unscrambled or decrypted just before it is executed. Various other obfuscation techniques are known.
Existing obfuscation techniques, however, have various drawbacks. Some obfuscation techniques—most notably, encryption or scrambling of code—telegraph to a potential hacker that the code has been obfuscated: since a disassembler would completely fail to recognize encrypted or scrambled code, the hacker would quickly be able to recognize that the code had been encrypted or scrambled, and could thus focus his attention on looking for the decryption or descrambling trigger. In many cases, it is best to hide the code “in plain sight” by making it look like “real” code. However, existing tools that employ this “plain sight” technique often rely on platform-specific code markers, and thus may be difficult to port from one processor to another.
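The point that encrypted or scrambled regions stand out can be shown with a short analysis script. This is an added example, not part of the original text; it uses per-window Shannon entropy as the signal rather than disassembler failure, and the function names, the 7.0 bits/byte threshold and the sample bytes are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_high_entropy_windows(blob: bytes, window: int = 1024,
                              threshold: float = 7.0):
    """Return [(offset, entropy)] for non-overlapping windows above threshold.

    The threshold is an assumption; tune it against known-good binaries.
    """
    flagged = []
    for off in range(0, len(blob) - window + 1, window):
        h = shannon_entropy(blob[off:off + window])
        if h > threshold:
            flagged.append((off, h))
    return flagged

def constructed_code(n: int) -> bytes:
    """Constructed stand-in for ordinary machine code: a short, repeated
    x86-64-style byte sequence, so few distinct byte values occur."""
    pattern = bytes.fromhex("554889e54883ec10897dfc8b45fc83c001c9c3")
    return (pattern * (n // len(pattern) + 1))[:n]

def constructed_ciphertext(n: int) -> bytes:
    """Constructed stand-in for an encrypted region: deterministic
    pseudo-random bytes from SHA-256 over a counter."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def build_sample() -> bytes:
    """4096 bytes of 'code', 2048 bytes of 'ciphertext', 2048 bytes of 'code'."""
    return constructed_code(4096) + constructed_ciphertext(2048) + constructed_code(2048)

if __name__ == "__main__":
    for offset, h in flag_high_entropy_windows(build_sample()):
        print(f"offset {offset:#06x}: {h:.2f} bits/byte, likely encrypted or packed")
```

Code hidden “in plain sight” keeps the byte statistics of ordinary instructions, so a scan of this kind would not single it out.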
In view of the foregoing, there is a need for an obfuscation technique that overcomes the drawbacks of the prior art.