• Welcome to Valhalla Legends Archive.
 

Code Obfuscation

Started by Yegg, December 30, 2006, 08:12 PM

Previous topic - Next topic

Yegg

I'm working on a large project (language for the job is C/++) and I had the idea to use an obfuscator on the source code in order that if someone were to make an attempt to reverse engineer the software, their job would be much more difficult than if the software's code hadn't been obfuscated.

I'm not 100% on how this obfuscation quite works. Is the performance of your code affected at all? Do obfuscator's generally compile your code as well, or do they just obfuscate the source? In the end, the assembly produced by whatever compiler is used, how is that affected? Will it be much different than if obfuscation hadn't occured? Or, would the assembly be just as obfuscated as your original source?

And most important of all, is obfuscation even worth it?

l)ragon

Quote from: Yegg on December 30, 2006, 08:12 PM
I'm working on a large project (language for the job is C/++) and I had the idea to use an obfuscator on the source code in order that if someone were to make an attempt to reverse engineer the software, their job would be much more difficult than if the software's code hadn't been obfuscated.

I'm not 100% on how this obfuscation quite works. Is the performance of your code affected at all? Do obfuscator's generally compile your code as well, or do they just obfuscate the source? In the end, the assembly produced by whatever compiler is used, how is that affected? Will it be much different than if obfuscation hadn't occured? Or, would the assembly be just as obfuscated as your original source?

And most important of all, is obfuscation even worth it?
Don't use managed code?
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

Skywing

You would probably just want to obfuscate the output binary and not your C++ source code, assuming you aren't distributing source code for your program.  There are lots of pre-made tools to do that, but by using a shrink-wrapped pre-made obfuscation scheme, you are opening yourself to the possibility that someone will have hacked the obfuscation/protection scheme already (possibly for a different program), thus giving them a leg up on figuring your program.

Whether obfuscation techniques are really worth it is certainly a valid question.  In most cases, I would say they're not; in general, any clever and determined person will virtually always be able to hack even elaborate obfuscation schemes in a reasonable amount of time; more so unless you are very careful with how you build your obfuscation system to eliminate patterns that could be used to automate the deobfuscation process.

In other words, creating an obfuscation scheme that will end up being more than a trivial road-bump for a competent reverse engineer involves a great deal of work and planning on your end, all towards a goal that doesn't really improve your program in any way (in other words, a bad investment of time).  Furthermore, most obfuscation schemes make it significantly more difficult to diagnose and debug problems, such as crashes, that are reported by end-users running the obfuscated version of your program.

In most cases, if you really do have some sort of critical business logic that really is so important that you think some sort of elaborate protection scheme is warranted, it is much better to place said logic on centralized servers only controlled by you, such that you can then authenticate and allow or deny access to the critical logic based on requests by remote users.  This also has the benefit of making it so that whatever interesting bit of code that you are trying to protect doesn't even run on an end-user's computer, which makes it all the more difficult to successfully reverse engineer.

Yegg

#3
Thank you very much, Skywing, your post helped me out a lot.