[Study & Further Education] obfuscate for c

1#
Posted 2-5-2013 11:00:41

Good morning,

I am looking for a good obfuscator for the C language. Note: not C#.

I found this one. Here is the URL.
http://sourceforge.net/projects/cshroud/?source=dlp

But it is compiled for 16-bit MS-DOS under a very old compiler.

Do you know any open source obfuscator for C?

The reason for that is that Hex-Rays has a decompiler for ARM which does a good job of decompiling binary code. My boss told me that the project I am working on is top secret for the company and I have to use the best method possible. I already do the job on the server to hide the business logic. I just want to add an extra layer to make it harder for people to read my code if they decompile it.

TIA

[ Last edited by DDD888 on 2-5-2013 10:02 ]

2#
Posted 2-5-2013 11:10:44
You need an encryption shell (a packer). I recommend having a look around the Kanxue (看雪) forum.

3#
Original poster | Posted 2-5-2013 14:43:21

I guess an encryption shell is useless, as the code will run on the local machine, which will have the key to decrypt it.

I had a look at the following URL. It seems that I can write the same function without much trouble using my C# skills for C obfuscation, with no need to buy the software.

http://www.stunnix.com/prod/cxxo/overview.shtml

4#
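Posted 2-5-2013 16:12:51
I think it depends on the architecture? I haven't heard anyone complain about this on the Intel platform, because once the compiler optimizes, with out-of-order execution and so on, you can't make out anything.

If you don't want people to know, the only reasonably good solution is to move the code that handles the logic onto the server. Is there anything standalone that can't be cracked? At worst, people just read the assembly, don't they?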

5#
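Original poster | Posted 2-5-2013 17:07:15
Originally posted by tristone on 2-5-2013 15:12:
the only reasonably good solution is to move the code that handles the logic onto the server. Is there anything standalone that can't be cracked ...

How do I handle the API to the server, i.e. the JSON call to the server?

The client application implements the API call to the server. How do I hide the interface on the client?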

6#
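Original poster | Posted 2-5-2013 17:12:06
Originally posted by tristone on 2-5-2013 15:12:
I think it depends on the architecture? I haven't heard anyone complain about this on the Intel platform, because once the compiler optimizes, with out-of-order execution and so on, you can't make out anything.

I think the Hex-Rays decompiler does a good job of getting some useful code from the binary on the Intel x86 platform.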

7#
Original poster | Posted 2-5-2013 17:14:56
I was looking at the disassembly of my compiled ARM C code and found I can guess the AES key. Maybe the best thing for me is to introduce string obfuscation into the C code.
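The string obfuscation mentioned in post 7, as an added example that is not part of the thread: a constant is stored masked at build time and decoded into a short-lived buffer at run time. The names `MASK`, `OB`, `secret_decode`, `secret_wipe` and `longest_printable_run` and the sample value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MASK(i) is a constant expression, so OB(i, c) is folded at build time and
 * only the masked bytes are stored in the binary's data section. */
#define MASK(i)  ((unsigned char)(0x5Au + 37u * (unsigned)(i)))
#define OB(i, c) ((unsigned char)((unsigned char)(c) ^ MASK(i)))

/* Constructed sample "DEMO-KEY-0123456"; volatile stops the optimizer from
 * folding the decode loop back into plaintext constants. */
static const volatile unsigned char blob[] = {
    OB(0,'D'),  OB(1,'E'),  OB(2,'M'),  OB(3,'O'),  OB(4,'-'),  OB(5,'K'),
    OB(6,'E'),  OB(7,'Y'),  OB(8,'-'),  OB(9,'0'),  OB(10,'1'), OB(11,'2'),
    OB(12,'3'), OB(13,'4'), OB(14,'5'), OB(15,'6')
};
#define SECRET_LEN (sizeof blob)

/* Decode into a caller buffer (ideally a short-lived stack buffer). */
size_t secret_decode(unsigned char *out, size_t cap) {
    if (out == NULL || cap < SECRET_LEN) return 0;
    for (size_t i = 0; i < SECRET_LEN; i++) out[i] = blob[i] ^ MASK(i);
    return SECRET_LEN;
}

/* Wipe through a volatile pointer so the stores are not optimized away. */
void secret_wipe(unsigned char *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Longest run of printable ASCII: what a strings-style scan would report. */
size_t longest_printable_run(const volatile unsigned char *p, size_t n) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (p[i] >= 0x20 && p[i] < 0x7F) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

int main(void) {
    unsigned char key[SECRET_LEN];
    size_t n = secret_decode(key, sizeof key);
    printf("printable run: stored=%zu decoded=%zu\n",
           longest_printable_run(blob, SECRET_LEN), longest_printable_run(key, n));
    secret_wipe(key, sizeof key); /* plaintext lives only between decode and wipe */
    return 0;
}
```

The decoded value is still present in process memory between `secret_decode` and `secret_wipe`, which is the same limitation post 3 raises for encryption shells.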

8#
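Posted 2-5-2013 17:29:47
Originally posted by DDD888 on 2-5-2013 16:12:


I think the Hex-Rays decompiler does a good job of getting some useful code from the binary on the Intel x86 platform.


I watched the video introduction; it doesn't say much. I don't know whether optimized code can still be decompiled.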

9#
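Posted 2-5-2013 17:33:06
Originally posted by DDD888 on 2-5-2013 16:07:


How do I handle the API to the server, i.e. the JSON call to the server?

The client application implements the API call to the server. How do I hide the interface on the client?


Anything installed on the client machine, don't expect to keep it secret. So what if the API is known? The API only has inputs and outputs, right? The logic isn't in it. Of course others can try to analyze the logic from the inputs and outputs alone, but that is very, very hard. It's like an optimized binary: you can see the assembly and even partially recover C, but a lot of it doesn't make sense. Of course, for an experienced hacker, what can't be done? Microsoft's NTLM protocol used to be secret, and didn't someone reverse-engineer it anyway?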

10#
Original poster | Posted 2-5-2013 17:57:25
Originally posted by tristone on 2-5-2013 16:29:


I watched the video introduction; it doesn't say much. I don't know whether optimized code can still be decompiled.


Yes, it is readable for Windows application binaries.

The main issue for Windows applications is that all the code does is call the Windows API. And the Windows API has tons of documentation. So it is very easy for cross-referencing. I have not decompiled a Linux binary, so I don't know about that.

11#
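Posted 2-5-2013 18:01:31
Originally posted by DDD888 on 2-5-2013 16:57:


Yes, it is readable for Windows application binaries.

The main issue for Windows applications is that all the code does is call the Windows API. And the Windows API has tons of documentation. So it is very easy for ...


Isn't Linux even easier? Everything is open source. I still doubt whether optimized code can really be decompiled. I mean being able to basically recover the original logic; merely seeing some "code" is no use. Decompiling C/C++ has always been regarded as basically impossible, especially after the code has been optimized, because information is often discarded during optimization. Pseudo-compiled Java/C#, on the other hand, has never been hard.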

12#
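Original poster | Posted 2-5-2013 18:01:40
Originally posted by tristone on 2-5-2013 16:33:


Anything installed on the client machine, don't expect to keep it secret. So what if the API is known? The API only has inputs and outputs, right? The logic isn't in it. Of course others can try to analyze the logic from the inputs and outputs alone, but that is very, very hard. It's like an optimized binary: you can see the assembly and even ...


The data behind the API is critically important. By understanding the API, it is very easy to extract the data, i.e. if you know how Quickflix Silverlight gets video data from their own server, you might develop an application as a DVR to download all the movies you watched.

[ Last edited by DDD888 on 2-5-2013 17:03 ]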

13#
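Posted 2-5-2013 18:05:56
Originally posted by DDD888 on 2-5-2013 17:01:


The data behind the API is critically important. By understanding the API, it is very easy to extract the data, i.e. if you know how Quickflix gets video data, you might develop an application as a DVR  ...


Then your business logic is actually worthless. A simple example: I give you an array of strings and then a set of corresponding MD5 hashes as output. Assuming you had never heard of MD5, do you think you could successfully reverse it? What if the output just reversed each string, or applied ROT13?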

14#
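Posted 2-5-2013 18:15:34
Originally posted by DDD888 on 2-5-2013 17:01:


The data behind the API is critically important. By understanding the API, it is very easy to extract the data, i.e. if you know how Quickflix Silverlight gets video data from their own server, yo ...


I think the situation you describe is not very likely to happen. User management for a VOD site is all on the back end; you can only download video after logging in successfully (public content excepted). Unless the user authentication is cracked, what use is it just to know the API?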

15#
Original poster | Posted 2-5-2013 20:10:55

Reply to tristone's post #14

Quickflix does not allow their customers to save the video. If a customer reads Quickflix's Silverlight source code running on the client's PC, the customer can use his login to save the video; obviously Quickflix does not want their customers to do that. Don't you agree?

16#
Original poster | Posted 2-5-2013 20:22:54
Originally posted by tristone on 2-5-2013 17:05:


Then your business logic is actually worthless. A simple example: I give you an array of strings and then a set of corresponding MD5 hashes as output. Assuming you had never heard of MD5, do you think you could successfully reverse it? What if the output just reversed each string, or ...

I don't understand what you are trying to say. If your website is selling MD5 results, and your competition is also developing a website to sell these MD5 results, the guy doesn't need to figure out your website's logic; all he needs is to figure out your website's API. Given input a, the website will return MD5 result b. He can write a program to generate all the input data, record all the results and save them in a database. Then he just feeds his own website with the recorded data. Without much work, you have got competition selling your MD5 results.

17#
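Posted 2-5-2013 23:53:58
OP, could you briefly describe what it is in your program, and in the whole system, that most needs protecting?
That would make it easier to give you advice.
Last time you said your API is public and can be used without logging in. Is that still the case?
Also, about your API: one moment you say it is on the server side, the next you say it is the Windows API. Which API do you want to protect?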

18#
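Posted 3-5-2013 00:45:24
Originally posted by DDD888 on 2-5-2013 19:10:
Quickflix does not allow their customers to save the video. If a customer reads Quickflix's Silverlight source code running on the client's PC, the customer can use his login to save the video; obviously Quickflix d ...

So the OP works at QuickFix.
I don't want to discuss whether obfuscation is meaningful or not. I just want to say: if someone really wants to do it, a simple video capture card gets it done, and nothing you do in your program will help.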

19#
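Posted 3-5-2013 00:50:52
Originally posted by DDD888 on 2-5-2013 19:22:

I don't understand what you are trying to say. If your website is selling MD5 results, and your competition is also developing a website to sell these MD5 results, the guy doesn't need to figure out your  ...

If your server API can be called freely without user authentication, that is a bug in the server API and has nothing at all to do with the client software.
As a simple example, you can log in to GMail with any browser. Why? You can even keep TCP dump + a realtime debugger running the whole time without any problem, and you still can't hack Gmail.
Should the browser have to be obfuscated first, or else you aren't allowed to use Gmail?

[ Last edited by ayuanx on 3-5-2013 00:24 ]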

20#
Posted 3-5-2013 00:55:47
Still hiring consultants? It looks like the OP's company urgently needs help.

21#
Original poster | Posted 3-5-2013 07:35:48
Originally posted by ayuanx on 2-5-2013 23:45:

So the OP works at QuickFix.


No, I don't work for Quickflix. That is just for demo purposes.

22#
Original poster | Posted 3-5-2013 07:42:17
Originally posted by cais on 2-5-2013 22:53:
OP, could you briefly describe what it is in your program, and in the whole system, that most needs protecting?
That would make it easier to give you advice.
Last time you said your API is public and can be used without logging in. Is that still the case?
Also, about your API: one moment you say it is on the server side, one ...


The most important thing in the system I am working on is the data. The company I work for is selling the data.

Due to the development for Android, my boss now agrees to me using login.

I just want to add more workload for the guy who wants to get data out of the system I work on.

The Windows API is just an example. I don't use the Windows API for the system I work on. I am working on the Android platform, which uses an ARM CPU.

23#
Original poster | Posted 3-5-2013 08:36:59
Originally posted by ayuanx on 2-5-2013 23:50:

As a simple example, you can log in to GMail with any browser. Why? You can even keep TCP dump + a realtime debugger running the whole time, ...


Gmail is different. If you are a user of Gmail, there is no point in downloading your own Gmail account with your own user name and password for hacker purposes. There might be a point in accessing another's Gmail account without knowing the other's user name and password, legally, for argument. I am talking about this.

My case is, for example: I am a cloth broker and supply an online cloth data catalog to different shops, i.e. A, for a monthly fee. If you are a valid customer of shop A, you can browse the online catalog, and you can write a program that uses your credentials to download the whole catalog if you know the API to the website. If I allow you to create accounts as you wish without authorization, i.e. the way this FreeOZ forum creates users, then even if I restrict the maximum download/viewing count for a particular account, it is useless, because you can create unlimited user accounts to continue downloading data. And if I can manage to hide the API from you, you will not be able to write such a program and I get what I want.

[ Last edited by DDD888 on 3-5-2013 07:39 ]

24#
Original poster | Posted 3-5-2013 09:02:05
Originally posted by planetkeeper on 2-5-2013 10:10:
You need an encryption shell (a packer)


I found two URLs related to this.

http://elf-encrypter.sourceforge.net/
http://www.securiteam.com/tools/5XP041FA0U.html

But some use x86 assembler, which is useless for Android.

[ Last edited by DDD888 on 3-5-2013 08:04 ]

25#
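Posted 3-5-2013 10:25:58
Originally posted by DDD888 on 3-5-2013 07:36:


Gmail is different. If you are a user of Gmail, there is no point in downloading your own Gmail account with your own user name and password for hacker purposes. There might be a point in accessing another's Gmai ...


OP, originally you said it was the business logic that needed encrypting, and now you say it is the data, @#$%^&...

Your data is on the server, it is meant to be shown to everyone, and people who register for free can view it at will, and you still want to encrypt it? You only want to stop people writing a program that grabs all the data; is that worth this much effort? Couldn't they hire a few workers to register accounts by hand and fill in Excel sheets manually? Why would they need to reverse your binary? And a C one at that? Besides, wouldn't capturing packets with Wireshark tell them just the same how your client and server communicate?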

26#
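Posted 3-5-2013 11:53:59

Reply to DDD888's post #23

If you are talking about the Android client, hiding the API can be achieved through forced upgrades:
upgrade the server-side API and the corresponding client code at the same time.
But you would have to write a program to generate the above automatically, otherwise it would wear you out.
Let him crack it; I just upgrade whenever I like, and he will lose patience. The cost in time and effort is high, so he can only give up cracking.

BTW, your English is good.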

27#
Original poster | Posted 3-5-2013 12:23:26
Originally posted by tristone on 3-5-2013 09:25:


Besides, wouldn't capturing packets with Wireshark tell them just the same how your client and server communicate?


They can't. I am using 256-bit AES encryption for the communication, which is the USA military standard.

28#
Original poster | Posted 3-5-2013 12:25:50
Originally posted by tristone on 3-5-2013 09:25:


Couldn't they hire a few workers to register accounts by hand and fill in Excel sheets manually?


You are right. 99% of the website grabbing for the website I wrote is done by a real person sitting in front of the browser and clicking the URLs. I manage to stop all this behaviour.

I am quite surprised that these companies can afford to pay someone to do that in Australia, New Zealand, the USA and Russia. That is very labour intensive.

[ Last edited by DDD888 on 3-5-2013 11:35 ]

29#
Original poster | Posted 3-5-2013 12:30:27
Originally posted by tristone on 3-5-2013 09:25:


OP, originally you said it was the business logic that needed encrypting, and now you say it is the data, @#$%^&...


I am asking if there is any way to obfuscate my C code, which runs on the client Android tablet, to hide the API used to get data from the website. I am sorry if I confused you.

30#
Original poster | Posted 3-5-2013 12:34:15
Originally posted by tristone on 3-5-2013 09:25:


Your data is on the server, it is meant to be shown to everyone, and people who register for free can view it at will, and you still want to encrypt it?


It is my boss's requirement. I just do what he wants me to do. He treats his data very seriously and does not want others to steal the data, and I treat his requirement very seriously and I want to keep my job too.