Preventing decompilation
-
Do most people that distribute byte code use an obfuscator? If you were going to distribute an application that was compiled into byte code would you use an obfuscator?
The only way to distribute a .NET application is as "byte code" (IL, to be exact). An assembly, either an EXE or DLL, contains IL. Decompilers turn IL into equivalent code in a higher-level language (ex. IL -> C#). If you obfuscate the IL, it's extremely difficult to make sense out of the decompiled C#. :josh: My WPF Blog[^]
-
So yesterday a colleague of mine was telling me how easy it is to decompile .Net and Java compiled code. So this made me a little uneasy and I did a quick Google search to find out that this was something that could be done easily. I know a lot of people here write .Net code and some of use write java code. What do you do to prevent people from decompiling your compiled code? Is there any secure way to prevent this?
-
Duncan Edwards Jones wrote:
It is better to put a "no reverse engineering/decompilation" clause in your license document...
Duncan Edwards Jones wrote:
(*) Wrecks any code that uses reflection (*) Makes stack traces useless
Excellent points.
Not really, if it's important to obfuscate and encrypt it then it should be done. It's trivial to set the obfuscator to not obfuscate the method names for the reflected methods anyway. We do it all the time. As for stack traces being useless it's not entirely true either, sure some of the method names etc will be obfuscated but it's pretty easy to follow the stack trace if you wrote the software in the first place. We use an Encryptor and obfuscator so it's not an issue in any case.
-
Most code is not that important taken individually. Unless you have a trade-secret algorithm (which is patentable BTW? (idk) there is nothing that can be gained. "Until the day of his death, no man can be sure of his courage" -- Jean Anouilh
Right, and I have a bridge in Brooklyn you might want to buy. :rolleyes: Unless you are specifically excluding commercial software in your comment then I couldn't possibly disagree with you more. We have built and sold commercial software via the internet for over 10 years now and I could write a good sized novel on all the nefarious stuff I've seen people do when they have any kind of access to your code and the motivation to do so. Not obfuscating commercial software is negligent at best.
-
This is not a problem to which a technical solution (obfuscation) is the best approach. It is better to put a "no reverse engineering/decompilation" clause in your license document... Bear in mind that obfuscation: (*) Wrecks any code that uses reflection (*) Makes stack traces useless '--8<------------------------ Ex Datis: Duncan Jones Merrion Computing Ltd
That clause is a given, but useless in practical terms. Licensed customers are not interested in pirating your software, they already paid. When you see requests for hacks and cracks of the software you spent years of your life working on posted on the internet and then people trying to fulfil them you will have a slightly different opinion about this subject. Not to mention it's very minor to exclude reflected methods from obfuscation and relatively inexpensive to buy an obfuscator / encryptor than a simple encryptor. And it's trivially easy to read your own software's stack trace even with the method names obfuscated. -- modified at 11:58 Thursday 6th July, 2006
-
Is this something that you do when you are writing java or .net applications? I am just wondering if this is something that I should do when distributing applications to clients. Is there draw backs or any other issues you have seen when using obfuscators?
I do it for anything I release to be used. Whether it's a demo or just what. I do it because I've spent 1000's of hours on some Java code I was paid to write. If that code gets decompiled and used by anyone it's my fault and a disservice to my clients. I obfuscate *everything* to the degree that it would take some real effort to get at the code.
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog [ ^ ] now.People who don't understand how awesome Firefox is have never used CPhog[^]CPhog. The act of using CPhog (Firefox)[^] alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox)[^] and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
I do it for anything I release to be used. Whether it's a demo or just what. I do it because I've spent 1000's of hours on some Java code I was paid to write. If that code gets decompiled and used by anyone it's my fault and a disservice to my clients. I obfuscate *everything* to the degree that it would take some real effort to get at the code.
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog [ ^ ] now.People who don't understand how awesome Firefox is have never used CPhog[^]CPhog. The act of using CPhog (Firefox)[^] alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox)[^] and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
Not really, if it's important to obfuscate and encrypt it then it should be done. It's trivial to set the obfuscator to not obfuscate the method names for the reflected methods anyway. We do it all the time. As for stack traces being useless it's not entirely true either, sure some of the method names etc will be obfuscated but it's pretty easy to follow the stack trace if you wrote the software in the first place. We use an Encryptor and obfuscator so it's not an issue in any case.
-
That clause is a given, but useless in practical terms. Licensed customers are not interested in pirating your software, they already paid. When you see requests for hacks and cracks of the software you spent years of your life working on posted on the internet and then people trying to fulfil them you will have a slightly different opinion about this subject. Not to mention it's very minor to exclude reflected methods from obfuscation and relatively inexpensive to buy an obfuscator / encryptor than a simple encryptor. And it's trivially easy to read your own software's stack trace even with the method names obfuscated. -- modified at 11:58 Thursday 6th July, 2006
-
So yesterday a colleague of mine was telling me how easy it is to decompile .Net and Java compiled code. So this made me a little uneasy and I did a quick Google search to find out that this was something that could be done easily. I know a lot of people here write .Net code and some of use write java code. What do you do to prevent people from decompiling your compiled code? Is there any secure way to prevent this?
BrockVnm wrote:
What do you do to prevent people from decompiling your compiled code?
I don't. Anyone determined enough can get around such schemes. Instead, i write really lousy code, figuring anyone smart enough and determined enough to decompile it and then fix it is likely to have the time and ability to re-implement it all from scratch. (i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
-
BrockVnm wrote:
What do you do to prevent people from decompiling your compiled code?
I don't. Anyone determined enough can get around such schemes. Instead, i write really lousy code, figuring anyone smart enough and determined enough to decompile it and then fix it is likely to have the time and ability to re-implement it all from scratch. (i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
Shog9 wrote:
i write really lousy code
You do? I thought the code for CPhog was very good :-D
-
I saw some comments about it being tough to use stack traces. I see that John does not seem to find it an issue, do you feel the same way? Do you also use an encrypter? If so do you have a link for a good java encrypter?
I want to make it hard for the average and above average users to do. If you have a fully trained computer scientiest attempting to take apart your software they can and they will. But that's going to cost a lot of money. I just use Zelix and if they want past Zelix bad enough they'll do it regardless. I mean there are definitely ways to get around things and there are some sophisticated ways to reassemble almost anything. Do I have the time/money/tools to do it? No and aside from hackers in Germany/Russia/Etc and the NSA I don't think most others do either. You might find a computer lab somewhere in some university doing it but you cannot keep professionals out without it becoming time or cost prohibitive and even then I don't believe you can *keep* them out. Zelix is enough for me. John has some good points and if I had enough money I'm sure I'd own and use more tools. Truth is that I obfuscate as much as the client is willing to pay and I leave it at that but I strongly encourage making it as hard as possible to the degree they want to spend money protecting their code.
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog [ ^ ] now.People who don't understand how awesome Firefox is have never used CPhog[^]CPhog. The act of using CPhog (Firefox)[^] alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox)[^] and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
Shog9 wrote:
i write really lousy code
You do? I thought the code for CPhog was very good :-D
Didn't you know? I thought everyone knew... Shog got *that* code from Rent-A-Coder.:laugh:
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog [ ^ ] now.People who don't understand how awesome Firefox is have never used CPhog[^]CPhog. The act of using CPhog (Firefox)[^] alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox)[^] and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
BrockVnm wrote:
What do you do to prevent people from decompiling your compiled code?
I don't. Anyone determined enough can get around such schemes. Instead, i write really lousy code, figuring anyone smart enough and determined enough to decompile it and then fix it is likely to have the time and ability to re-implement it all from scratch. (i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
Shog9 wrote:
i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
When you say "to lazy to split out and protect properly", what do you mean? Is there a way to split out your code and protect it without using obfuscation?
Last modified: Thursday, July 06, 2006 1:30:22 PM --
-
I want to make it hard for the average and above average users to do. If you have a fully trained computer scientiest attempting to take apart your software they can and they will. But that's going to cost a lot of money. I just use Zelix and if they want past Zelix bad enough they'll do it regardless. I mean there are definitely ways to get around things and there are some sophisticated ways to reassemble almost anything. Do I have the time/money/tools to do it? No and aside from hackers in Germany/Russia/Etc and the NSA I don't think most others do either. You might find a computer lab somewhere in some university doing it but you cannot keep professionals out without it becoming time or cost prohibitive and even then I don't believe you can *keep* them out. Zelix is enough for me. John has some good points and if I had enough money I'm sure I'd own and use more tools. Truth is that I obfuscate as much as the client is willing to pay and I leave it at that but I strongly encourage making it as hard as possible to the degree they want to spend money protecting their code.
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog [ ^ ] now.People who don't understand how awesome Firefox is have never used CPhog[^]CPhog. The act of using CPhog (Firefox)[^] alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox)[^] and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
Shog9 wrote:
i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
When you say "to lazy to split out and protect properly", what do you mean? Is there a way to split out your code and protect it without using obfuscation?
Last modified: Thursday, July 06, 2006 1:30:22 PM --
BrockVnm wrote:
Is there a way to split out your code and protect it without using obfuscation?
Well, at very least, you can then obfuscate just the important code without needing to do so for your entire app. But depending on your needs, there may be even better ways - such as running it on your server and communicating with it via a web service or etc., thus removing the need to allow such sensitive code on the end-users' machines at all. But, i'm speaking from the perspective of a company whose interest is in protecting key algorithms and (especially) data - i've no interest in schemes to protect a program from being run. Looking at it from the other angle, you get John's perspective, where there are scores of people with full access to your (compiled) code, just looking to break copy protection schemes. In that case, your only real option is to just throw as many roadblocks as possible in the path of the would-be cracker - it's not really possible to effectively secure the program, but if you can discourage all but the most hard-core then you'll probably be ok.
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
-
Shog9 wrote:
i write really lousy code
You do? I thought the code for CPhog was very good :-D
Heh, thanks. :)
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
-
BrockVnm wrote:
Is there a way to split out your code and protect it without using obfuscation?
Well, at very least, you can then obfuscate just the important code without needing to do so for your entire app. But depending on your needs, there may be even better ways - such as running it on your server and communicating with it via a web service or etc., thus removing the need to allow such sensitive code on the end-users' machines at all. But, i'm speaking from the perspective of a company whose interest is in protecting key algorithms and (especially) data - i've no interest in schemes to protect a program from being run. Looking at it from the other angle, you get John's perspective, where there are scores of people with full access to your (compiled) code, just looking to break copy protection schemes. In that case, your only real option is to just throw as many roadblocks as possible in the path of the would-be cracker - it's not really possible to effectively secure the program, but if you can discourage all but the most hard-core then you'll probably be ok.
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
-
Right, and I have a bridge in Brooklyn you might want to buy. :rolleyes: Unless you are specifically excluding commercial software in your comment then I couldn't possibly disagree with you more. We have built and sold commercial software via the internet for over 10 years now and I could write a good sized novel on all the nefarious stuff I've seen people do when they have any kind of access to your code and the motivation to do so. Not obfuscating commercial software is negligent at best.
If someone can penetrate your security with your code then they can penetrate it without. Who was it that said, "Security through obscurity isn't?" Also, I would hope that the use of strongly named assemblies would mitigate the risk of someone stealing code, altering, and then pawning it off as yours. "Until the day of his death, no man can be sure of his courage" -- Jean Anouilh
-
If someone can penetrate your security with your code then they can penetrate it without. Who was it that said, "Security through obscurity isn't?" Also, I would hope that the use of strongly named assemblies would mitigate the risk of someone stealing code, altering, and then pawning it off as yours. "Until the day of his death, no man can be sure of his courage" -- Jean Anouilh