• KIPS Transactions on Computer and Communication Systems
• /
• v.4 no.1
• /
• pp.23-30
• /
• 2015

Reflection is a feature of the Java programming language that can examine and manipulate components of program itself. If you use the reflection, you can get an obfuscation effect of Java source because it converts sources into complicated structures. However, when using it, strings of components name of program are exposed. Therefore, it cannot prevent static analysis. In this paper, we presents a method and a tool of interfere with static analysis using reflection. And in this case, exposed strings are encoded using Vigen$\acute{e}$re cipher. Experimental results show that this tool is effective in increasing the overall complexity of the source code. Also the tool provides two types decryption method based on server and local. It can be selected based on the importance of the API because it affects the execution speed of the application.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2017.01a
• /
• pp.179-180
• /
• 2017

현재 국내 모바일 게임 시장 규모와 사용자들이 지속적으로 증가되고 있으며, 스마트폰을 이용하여 게임을 즐기는 시간도 계속 늘어나고 있다. 이런 시장 현황의 이면에는 모바일 게임 시장이 사이버 범죄의 진원지로 급부상하고 있다. 본 논문에서는 모바일 게임을 개발하는데 있어서 게임 내부에서 사용하고 있는 데이터들의 난독화 기술과 관련한 프로그램을 제안하여 게임의 원본 소스 데이터를 해킹으로부터 보호할 수 있는 게임 보안 기술을 제안한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.501-511
• /
• 2022

In 2021, ransomware attacks became popular, and the number is rapidly increasing every year. Since PowerShell is used as the primary ransomware technique, the need for PowerShell-based malware detection is ever increasing. However, the existing detection techniques have limits in that they cannot detect obfuscated scripts or require a long processing time for deobfuscation. This paper proposes a simple and fast deobfuscation method and a deep learning-based classification model that can detect PowerShell-based malware. Our technique is composed of Word2Vec and a convolutional neural network to learn the meaning of a script extracting important features. We tested the proposed model using 1400 malicious codes and 8600 normal scripts provided by the AI-based PowerShell malicious script detection track of the 2021 Cybersecurity AI/Big Data Utilization Contest. Our method achieved 5.04 times faster deobfuscation than the existing methods with a perfect success rate and high detection performance with FPR of 0.01 and TPR of 0.965.

• Journal of Korea Game Society
• /
• v.19 no.6
• /
• pp.71-82
• /
• 2019

This paper analyzes performance difference between Unreal Engine's built-in network solution and IOCP server. To do this, we developed IOCP server and 3D game with Unreal Engine 4. Also we considered the game variable obfuscation program to prevent the modification of the memory of the code-modulated game hacking program. This paper used SCUE4 Anti-Cheat Solution, which is Unreal Engine's solution, to study preventing memory modification and to analyze performance trade-offs.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2012.04a
• /
• pp.730-733
• /
• 2012

소프트웨어는 대부분 바이너리 형태로 배포되기 때문에 역공학 분석이 쉽지 않다. 그러나 안드로이드는 자바를 기반으로 한다. 즉, 자바 언어로 프로그래밍하고 생성된 클래스 파일을 dx라는 도구를 사용하여 안드로이드용 달빅(Dalvik) 코드로 변환한다. 따라서 안드로이드 역시 자바의 취약점을 가지고 있고, 자바용으로 개발된 역공학 도구에 의해서 쉽게 분석될 수 있다. 한편으로 자바 프로그램의 저작권을 보호하고 핵심 알고리즘이 노출되지 않도록 다양한 난독화 도구들이 개발되었다. 그 중에서 안드로이드 SDK에 포함되어 함께 배포되고 있기 때문에 널리 사용되고 있는 프로가드(Proguard)에 대해서 대표적인 기능 및 사용법, 프로가드로 난독화된 코드가 원본과 비교하여 어떻게 변경되었는지 평가한다. 그리고 프로가드가 가지고 있는 한계를 알아보고, 이것을 극복할 수 있는 방법을 모색한다.

• Journal of IKEEE
• /
• v.27 no.1
• /
• pp.93-102
• /
• 2023

As one of the techniques for analyzing malicious code, techniques creating a sequence or a graph of function call relationships in an executable program and then analyzing the result are proposed. Such methods generally study function calling in the executable program code through static analysis and organize function call relationships into a sequence or a graph. However, in the case of an obfuscated executable program, it is difficult to analyze the function call relationship only with static analysis because the structure/content of the executable program file is different from the standard structure/content. In this paper, we propose a dynamic analysis method to analyze the function call relationship of an obfuscated execution program. We suggest constructing a function call relationship as a graph using the proposed technique.

• KIPS Transactions on Computer and Communication Systems
• /
• v.8 no.9
• /
• pp.217-224
• /
• 2019

Recently, sensor networks are built and used on many kinds of fields such as home, traffic, medical treatment and power grid. Sensing data manipulation on these fields could be a serious threat on property and safety. Thus, a proper way to block sensing data manipulation is necessary. In this paper, we propose IoT(Internet of Things) sensing data validation mechanism based on data obfuscation and variance analysis to remove manipulated sensing data effectively. IoT sensor device modulates sensing data with obfuscation function and sends it to a user. The user demodulates received data to use it. Fake data which are not modulated with proper obfuscation function show different variance aspect with valid data. Our proposed mechanism thus can detect fake data by analyzing data variance. Finally, we measured data validation time for performance analysis. As a result, block rate for false data was improved by up to 1.45 times compared with the existing technique and false alarm rate was 0.1~2.0%. In addition, the validation time on the low-power, low-performance IoT sensor device was measured. Compared to the RSA encryption method, which increased to 2.5969 seconds according to the increase of the data amount, the proposed method showed high validation efficiency as 0.0003 seconds.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2007.05a
• /
• pp.1457-1458
• /
• 2007

자바 언어의 중요한 특징 중의 하나는 어떤 기계에서든지 실행될 수 있다는 점이다. 이러한 플랫폼에 대한 독립성은 자바 프로그램이 바이트 코드 형태로 배포되기 때문에 가능한 일이다. 바이트 코드는 특정 기계에 종속되지 않고 자바 가상 머신(Java Virtual Machine:JVM)를 지원하는 곳이면 어디에서든지 실행 가능하다. 그런데 바이트 코드로 번역된 코드에는 자바 소스 코드의 정보가 그대로 포함되어 있는데, 이로 인해서 바이트 코드에서 자바 소스코드로의 역컴파일(Decompilation)이 쉽게 이루어진다는 취약점이 있다. 본 논문에서는 자바 바이트 코드의 난독화 기법을 살펴보고, Code Encryption Algorithm을 이용해서 역컴파일 하기 어려운 형태로 만드는 기술인 코드 난독처리(Code Obfuscation) 기법을 제안하였다.

• Communications of the Korean Institute of Information Scientists and Engineers
• /
• v.36 no.3
• /
• pp.26-31
• /
• 2018

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1375-1382
• /
• 2019

The latest version of commercial protector, Themida, has been updated, it is impossible to apply a normalized unpacking mechanism from previous studies by disable the use of a virtual memory allocation that provides initial data to be tracked. In addition, compared to the previous version, which had many values that determined during execution and easy to track dynamically, it is difficult to track dynamically due to values determined at the time of applying the protector. We will look at how the latest version of Themida make it difficult to normalize the API wrapping process by adopted techniques and examine the possibilities of applying the unpacking techniques to further develop an automated unpacking system.