Preventing decompilation
-
BrockVnm wrote:
What do you do to prevent people from decompiling your compiled code?
I don't. Anyone determined enough can get around such schemes. Instead, i write really lousy code, figuring anyone smart enough and determined enough to decompile it and then fix it is likely to have the time and ability to re-implement it all from scratch. (i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
---- Scripts i’ve known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve Print forum 0.1.2 - printer-friendly forums Expand all 1.0 - Expand all messages In-place Delete 1.0 - AJAX-style post delete Syntax 0.1 - Syntax highlighting for code blocks in the forums
Shog9 wrote:
i write really lousy code
You do? I thought the code for CPhog was very good :-D
-
I saw some comments about it being tough to use stack traces. I see that John does not seem to find it an issue, do you feel the same way? Do you also use an encrypter? If so do you have a link for a good java encrypter?
I want to make it hard for the average and above average users to do. If you have a fully trained computer scientist attempting to take apart your software they can and they will. But that's going to cost a lot of money. I just use Zelix and if they want past Zelix bad enough they'll do it regardless. I mean there are definitely ways to get around things and there are some sophisticated ways to reassemble almost anything. Do I have the time/money/tools to do it? No and aside from hackers in Germany/Russia/Etc and the NSA I don't think most others do either. You might find a computer lab somewhere in some university doing it but you cannot keep professionals out without it becoming time or cost prohibitive and even then I don't believe you can *keep* them out. Zelix is enough for me. John has some good points and if I had enough money I'm sure I'd own and use more tools. Truth is that I obfuscate as much as the client is willing to pay and I leave it at that but I strongly encourage making it as hard as possible to the degree they want to spend money protecting their code.
"You have an arrow in your butt!" - Fiona:cool:
Welcome to CP in your language. Post the unicode version in My CP Blog now. People who don't understand how awesome Firefox is have never used CPhog. The act of using CPhog (Firefox) alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox) and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
Didn't you know? I thought everyone knew... Shog got *that* code from Rent-A-Coder.:laugh:
-
Shog9 wrote:
i'm joking - obfuscation as a way of preventing plagiarism always makes me laugh. Yeah, you're gonna intentionally mangle your whole app to protect 512 bytes of code and data that you were too lazy to split out and protect properly... :rolleyes: )
When you say "too lazy to split out and protect properly", what do you mean? Is there a way to split out your code and protect it without using obfuscation?
Last modified: Thursday, July 06, 2006 1:30:22 PM --
-
BrockVnm wrote:
Is there a way to split out your code and protect it without using obfuscation?
Well, at very least, you can then obfuscate just the important code without needing to do so for your entire app. But depending on your needs, there may be even better ways - such as running it on your server and communicating with it via a web service or etc., thus removing the need to allow such sensitive code on the end-users' machines at all. But, i'm speaking from the perspective of a company whose interest is in protecting key algorithms and (especially) data - i've no interest in schemes to protect a program from being run. Looking at it from the other angle, you get John's perspective, where there are scores of people with full access to your (compiled) code, just looking to break copy protection schemes. In that case, your only real option is to just throw as many roadblocks as possible in the path of the would-be cracker - it's not really possible to effectively secure the program, but if you can discourage all but the most hard-core then you'll probably be ok.
-
Heh, thanks. :)
-
Right, and I have a bridge in Brooklyn you might want to buy. :rolleyes: Unless you are specifically excluding commercial software in your comment then I couldn't possibly disagree with you more. We have built and sold commercial software via the internet for over 10 years now and I could write a good sized novel on all the nefarious stuff I've seen people do when they have any kind of access to your code and the motivation to do so. Not obfuscating commercial software is negligent at best.
If someone can penetrate your security with your code then they can penetrate it without. Who was it that said, "Security through obscurity isn't?" Also, I would hope that the use of strongly named assemblies would mitigate the risk of someone stealing code, altering, and then pawning it off as yours. "Until the day of his death, no man can be sure of his courage" -- Jean Anouilh
-
Ennis Ray Lynch, Jr. wrote:
Who was it that said, "Security through obscurity isn't?"
Whoever said that was incorrect. Probably what they should have said is "Security through obscurity isn't perfect". Strongly named assemblies are useless if you can easily create source code from the assembly, you simply re-sign it with your own key and away you go. The real problem isn't people pawning off our software as their own, it's breaking our license key system then posting a free version on a warez site. If we make no effort at all to prevent it then we're negligent. If people are capable of breaking the encryption on top of our obfuscation then I have someone to go to who built it and is responsible to fix it but so far it's not happened. We use signed xml license documents, strongly named assemblies that are obfuscated and then encrypted with an IL loader system. Can it be hacked? I'm sure it can, anything can. Is it worth it for the casual cracker to take on? Doubtful they would put in the effort. The worst we've seen in the past is requests for cracks for our software and ultimately they didn't crack it, they used a stolen credit card from a nice older couple in Arizona (who didn't even own a computer) to purchase a license via an email account created on a hacked network at (ironically) a computer networking company in another part of the U.S., posted the license key on a China based warez site and we found out about it when we suddenly had over a thousand downloads of our software in the space of what would normally be 20 and immediately re-released our software with a special exception for the stolen license. That's the reality of what software developers face, of course it's bloody worth it. We're talking about thousands of hours of my sweat and gray hairs to make something worth selling. My livelihood. It's not a casual academic discussion to me and in the real world you do whatever you have to to protect your livelihood. We've since added things to prevent the above scenario, and knock on wood nothing serious since. 
The bottom line is that it's worth a certain amount of effort because it prevents nearly all the casual piracy that goes on all the time with less protected software.
-
Are a combined security effort with your domain and local machine. I am quite sure a machine set to only run strongly named assemblies from a list of trusted authors would not run the affected code.
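The two positions in the posts above (a re-signed assembly still carries a valid signature, while a machine that only trusts listed publishers would refuse it) can be modeled in a few lines. This is an added example, not code from any poster: it uses textbook RSA with constructed throwaway keys as a stand-in for strong-name signing, and every name in it is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy RSA key from two known primes. Constructed for the demo, NOT secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):
    """Model of a signed assembly: image bytes, signer's public modulus, signature."""
    n = key["n"]
    return {"image": image, "n": n, "sig": pow(_digest(image, n), key["d"], n)}

def signature_valid(asm):
    """True if the signature matches the image under the key the file itself carries."""
    return pow(asm["sig"], E, asm["n"]) == _digest(asm["image"], asm["n"])

def key_token(n):
    """Short hash of the public key (assumption: stands in for a public key token)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha1(raw).hexdigest()[-16:]

def load_decision(asm, trusted_tokens):
    """Policy from the thread: valid signature AND signer on the trusted list."""
    if not signature_valid(asm):
        return "reject: bad signature"
    if key_token(asm["n"]) not in trusted_tokens:
        return "reject: untrusted signer"
    return "load"

# Constructed keys (Mersenne primes, trivially factorable; demo only).
VENDOR_KEY = make_key(2**107 - 1, 2**127 - 1)
OTHER_KEY = make_key(2**61 - 1, 2**89 - 1)
TRUSTED = {key_token(VENDOR_KEY["n"])}

def demo():
    original = sign(b"vendor build 1.0", VENDOR_KEY)
    # Same signature, different bytes: the signature no longer matches.
    patched = dict(original, image=b"vendor build 1.0 (modified)")
    # Modified bytes signed again with a different key: the signature matches,
    # but the signer is not the vendor.
    resigned = sign(patched["image"], OTHER_KEY)
    return {
        "original": load_decision(original, TRUSTED),
        "patched": load_decision(patched, TRUSTED),
        "resigned_signature_valid": signature_valid(resigned),
        "resigned": load_decision(resigned, TRUSTED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A check that stops at `signature_valid` accepts the re-signed file; only the comparison against the trusted signer list rejects it.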
-
How many casual pirates purchase your software because of the "security" you put in place? I think you are confusing the concept of security with the concept of protecting intellectual property. I have no qualms with protecting IP but to say a hacker is a pirate and claim security is the issue is a literary device I cannot come to terms with.
-
IP is not really a concern when it comes down to it for most of the software on the planet. Let's face facts here, how much real breakthrough technology is hidden inside most software? Not much. What is at issue for most who are concerned with protecting their software is cracking of licensing schemes. A hacker or more appropriately a 'cracker' trying to bypass the licensing of software is in fact probably the most common and important security issue to most software publishers. Perhaps the poster's original question was concerned with protecting some kind of patentable intellectual property, that's not what I'm talking about. If you think I'm talking about people breaking into online software to steal information or disrupt service I apologize for the confusion. If you are just plain disagreeing with the idea that there is any merit to trying to protect software from theft and piracy then we'll just have to disagree on that one.
-
I was just qualifying my who cares statement. However, licensing is not security imho.
-
:-D That depends on whether you wrote the software or are using the software that someone else wrote. As a developer *and* publisher security encompasses a lot more than it does to an end user.
To see how many pirates would buy the software if it could not be pirated and then compare that revenue with the cost of implementing some of the more lame anti-piracy schemes out there.
-
Simple, buy two dozen donuts, put half on a table in your office with a FREE DONUTS sign, set up another table beside it with the other dozen, put a price sign up, set up a cash register and stand behind it and charge people who want one and see which donuts are gone first. There is no study required, that's ludicrous.
-
If you take away the free donuts how many people that would have taken a free donut will not partake of the paid donut? Try the following experiment: Buy 1 dozen donuts 5 days a week and go to a large office and set up shop in the break-room. Sell the donuts for a profit (count your overhead and the office overhead, Fuel, etc.). Next go to a different but equally sized office and repeat only giving away the donuts. Repeat for several weeks. Then come back with data.
-
Most code is not that important taken individually. Unless you have a trade-secret algorithm (which is patentable BTW? (idk)) there is nothing that can be gained.
You can't patent algorithms. You have to patent the system/process around it. regards, Paul Watson Ireland FeedHenry needs you
eh, stop bugging me about it, give it a couple of days, see what happens.