What about protection for Golang source code - go

Actually, I'm a PHP developer. I want to sell my PHP product.
So, I want to protect some major source code in PHP. But it's impossible in PHP.
I know Golang also. So, I want to to build secret algorithm in golang code and compile into binary.
Finally I want to protect my PHP major algorithm with PHP code && binary program.
My doubt is:
When I'm compiling golang source code into binary file.
Is it possible to grab golang source code from binary file ?

No, if they really really want to, they can disassemble the binary and guess what the algorithm does from the assembly, this however, applies to all languages.
If it runs, it can be disassembled and it can be broken.

There are 3 things you can do to protect your code.
You can, of course, obfuscate all the code prior to a build.
I dont knwo of any specific golang tools to do this.
Stripping symbols
But i worry about a "gifted hacker" who will decompile and try to steal my work. It has happened a few times already.
So, you want something whereby the "hacker" is defeated as it's too much work to try and re-assemble.
Stripping the symbols should be more than enough.
You can omit debug information passing the '-w' flag to the linker, and you can omit the symbol table by passing '-s'.
See go tool link in 1.5 here:
https://golang.org/cmd/link/
Device Fingerprinting
This ensures your software cannot run unless its on the same machine when the license was generated for it.
The license is stored on your server, and the fingerprint meta data is sent and check.
You can see this in action here:
https://github.com/hashicorp/nomad/blob/master/client/client.go#L147
Note that in their code they are NOT generating a license against the fingerprint. This is something you would want to do as extra. You can also hash it and sign it and other fancy stuff, but thats too much detail for this post.
Of course a "hacker" can get around this IF they can decompile your code, but as i mentioned in Step 2, this can be defeated pretty well by stripping the symbols.
Obfuscation, as in step 2 helps, but most decent coders can find the place where the code is doing a check and just comment out the check and recompile.
But with no symbols its almost impossible to recompile.
Hope that helps ...

Related

How to develop for PIC32MM without either MPLABX or XC32

While working for just one month with the MPLABX5.5 + XC32 3.01 I've already had 3 separate instances where code compiled incorrectly, causing my program to fail after either the stack or frame pointer began using an incorrect address. I would like to dump these tools and try something else as tracking down compiler errors is sucking up too much of my time. Is there anything else available that I can use to work with a PIC32MM? Even access to a different compiler than XC32 might help.
I would like to do the same thing. Maybe we can collect the best options for how to get there, as after many many tries, I haven't yet been successful. As one starting point, I'd also like to be able to recompile xc32-gcc from source to understand exactly what it's doing, and to be able to compile xc32 binaries for other architectures (like, as insane as it may sound, I'd like to compile some code for the pic32mm platform with clang or gcc running on a raspberry pi.)
I would love to be able to even just compile xc32-gcc from source. I know this is possible, but I've not been successful. Some links and starts:
https://github.com/zeha/xc32
This seems to be the most recent grouping of source I've found, but I haven't yet figured out how to compile it.
ChipKit is cited a lot, but, I haven't gotten to the bottom of getting that to build for me either. There are numerous projects here, and I'm not sure how they all fit together yet:
https://github.com/chipKIT32
I suspect somebody (maybe someone who will see this post) knows the formula or script or docker file, or whatever to make this simple.
https://gitlab.com/spicastack/pic32-parts-free
This project seems close to what we're talking about, but, the
recommended way to install is with podman and gentoo. I'm not a
gentoo person (yet?), and the docker version failed for me. It's
probably a simple fix to the dockerfile for a gentoo person, but.. I
didn't get there yet. (I did try installing gentoo and started down
the path but holy cow, talk about being down a rabbit hole when what
I'm trying to do is get a pic cross-compiler working.. when emerge on my new gentoo install failed with a python error, I gave up.)
https://github.com/andeha/Twinbeam
This project also says some of the "right things" about building pic32 code using llvm, and has references to llvm2pic32 in this project: https://github.com/andeha/Sprinkle
I've also not yet managed to get this to make viable intel hex files that I can use on a pic just yet, but there's promise.
Use clang/llvm to generate code. I think it will compile C and generate mips out of the box and I've gotten that far, but I can't get it to link and produce a valid hex file yet. The linker scripts from microchip seem sort of ok, but the hex files end up putting the code in the wrong place, I think. I should probably put together a blinky-light example and try to push it farther, and share it with others to figure out what the deal is, but even stepping one step further back and just trying to get a super simple mips assembly program to get linked and be uploadable to a PIC32MM part would be a great success to me.
Maybe others have better references and links?

Making a "library" project read only in a solution

I have a solution with some projects in that make up a library. I use this library in some of my other solutions. I do this by making a reference to the dll which is generated when the library solution is compiled. So far, so good.
Now I'm debugging one of those "other solutions". I see that I'm using a function from the library I built and I want to see what the code does. I hit F12 and I'm taken to a very useless page where I see only the signature.
I could add the library projects to my solution. this is unsatisfactory because when someone is editing the solution I want it to be clear that the messing about with the library bit is going to affect other programs. If I can describe my desire crudely, I would say I want the library solution to be show when I hit F12, but be read only.
How can I do this?
I think it depends on the complied option of the library. If the library is built without debug symbols, it would not be possible to debug inside in a normal human readable way. I suggest you compile/build the library with debug option. That may solve your problem.
HTH!

How to protect (obsfucate) Go binary from cracking

I wish to sell Go application. I will provide serial number to my clients. Is there ways to make it a bit more complex to crack app?
I say it is complex to crack C app and it is easy to crack Java app. Is there tools that will make Go app cracking job as hard as cracking C app? or some tutorial? At least something I could do to protect my project a bit. I do not ask about super heavy protection.
Once you have the binary itself, obfuscation is pretty difficult. People have tried stripping the symbols out of Go binaries before, but it usually leads to instability and unpredictable behavior, since symbols are required for certain reflection operations.
While you can't necessarily obfuscate the libraries you're statically linking against, you can certainly obfuscate your /own/ code by changing variable, type, and function names prior to compilation to names that are meaningless. If you want to go one step further, you can try obtaining the source code for the libraries you're using (the source code for the standard libraries is available and is included in most Go installations), and applying this obfuscation to the library source code as well.
As for post-compilation binary modification, as I mentioned before, it's probably best to stay away from it.
To add on joshlf13's answer: while stripping Go binaries is not recommended, there's a flag you can pass to the linker to omit the debugging symbols all along:
Pass the '-s' flag to the linker to omit the debug information (for example, go build -ldflags "-s" prog.go).
(Debugging Go Code with GDB)
This should at least be a better way, since I haven't seen any warnings for this like the ones about stripping symbols post-compilation.
Another option, with Go 1.16+ (Feb. 2021:
burrowers/garble
Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.
The tool is designed to be:
Coupled with cmd/go, to support modules and build caching
Deterministic and reproducible, given the same initial source code
Reversible given the original source, to de-obfuscate panic stack traces
That might not be obfuscated enough for your need, but it is a good start.

In Ruby, what's the equivalent of Java's technique of limiting access to source in a cowork situation?

In Java when you compile a .java file which defines a class, it creates a .class file. If you provide these class files to your coworkers then they cannot modify your source. You can also bundle all of these class files into a jar file to package it up more neatly and distribute it as a single library.
Does Ruby have any features like these when you want to share your functionality with your coworkers but you don't want them to be able to modify the source (unless they ask you for the actual .rb source file and tell you that they want to change it)?
I believe the feature you are looking for is called "trust" (and a source code control repository). Ruby isn't compiled in the same way that Java is, so no you can't do this.
I have to say your are in a rough position, not wanting to share code with a coworker. However, given that this is an unassailable constraint perhaps you could change the nature of the problem.
If you have a coworker that needs access to some service provided by a library of yours, perhaps you could expose it by providing a web/rest service instead of as a .rb file.
This way you can hide your code behind a web server, and if there is a network architecture that allows for low latency making these service calls, you can effectively achive the same goal.
Trust is a lot easier though.
edit:
Just saw this on HN: http://blog.astrails.com/2009/5/12/ruby-http-require, allows a ruby file to include another file through http instead of the filesystem.
Ruby is
A dynamic, interpreted, open source programming language with a focus on simplicity and productivity.
So like all interpreted languages, you need to give the source code to anyone who want's to execute your program/script.
By the way searching "compiled ruby" on google returned quiet a few results.
I don't think there is one. Ruby is purely an interpreted language, which means ruby interprets your source code directly in order to run it. Java is compiled, so there's an intermediate bytecode (the .class). You can obfuscate your ruby if you really wish, but it's probably more trouble than it's worth.
Just to make sure you realize, however, upwards of 95% of Java can be decompiled back into source using various free utilities, so in reality, Java's compilation isn't much better than distributing Ruby source.
This is not a language specific problem and one that can be managed more effectively through source control software.
There is a library called ruby2c that compiles a subset of Ruby into C code (which you can then compile into native code, if you want).
It was actually originally written as a Ruby code obfuscator (but has since been used for lots of other stuff, including Ruby Arduino development).

Tool purely for Syntax Checking?

We have a proprietry system that we develop scripting code in.
We currently do not have a developer environment (apart from Notepad++) and cannot debug or compile this code. We have to submit it to the vendor to insert the code into the test or live system.
The language is essentially C like and has the same syntax.
Basically we want a tool to be able to simply check the syntax of chunks of code we send to the vendor.
Does a tool exist that will do this for me?
You write code in a proprietary scripting language, so you require syntax checking because you cannot compile or debug the code onsite? I'd suggest getting a copy of the language reference (including the BNF if possible) from your vendor, get a compiler-compiler like Coco/R (http://www.ssw.uni-linz.ac.at/coco/), and build yourself a quick and dirty compiler that just validates the abstract syntax tree.
That is to say, yes, there are tools you can use, though perhaps they involve more work than what you may have hoped.
If it's really the same syntax as C you can use a C compiler. Usually there's a syntax check only option (/Zs for MSVC).
I'm not sure how many problems you'll run into since C compilers are pretty picky, and being "like C" is not the same as being C.
It does seem odd that you're being asked to develop code without having any capability to run or even compile it. Kind of like writing a book without being able to proof read it before publishing. I have a hard time getting even "Hello World" programs to compile & run without some sort of goof-up on the very first go.

Resources