I wish to sell Go application. I will provide serial number to my clients. Is there ways to make it a bit more complex to crack app?
I say it is complex to crack C app and it is easy to crack Java app. Is there tools that will make Go app cracking job as hard as cracking C app? or some tutorial? At least something I could do to protect my project a bit. I do not ask about super heavy protection.
Once you have the binary itself, obfuscation is pretty difficult. People have tried stripping the symbols out of Go binaries before, but it usually leads to instability and unpredictable behavior, since symbols are required for certain reflection operations.
While you can't necessarily obfuscate the libraries you're statically linking against, you can certainly obfuscate your /own/ code by changing variable, type, and function names prior to compilation to names that are meaningless. If you want to go one step further, you can try obtaining the source code for the libraries you're using (the source code for the standard libraries is available and is included in most Go installations), and applying this obfuscation to the library source code as well.
As for post-compilation binary modification, as I mentioned before, it's probably best to stay away from it.
To add on joshlf13's answer: while stripping Go binaries is not recommended, there's a flag you can pass to the linker to omit the debugging symbols all along:
Pass the '-s' flag to the linker to omit the debug information (for example, go build -ldflags "-s" prog.go).
(Debugging Go Code with GDB)
This should at least be a better way, since I haven't seen any warnings for this like the ones about stripping symbols post-compilation.
Another option, with Go 1.16+ (Feb. 2021:
burrowers/garble
Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.
The tool is designed to be:
Coupled with cmd/go, to support modules and build caching
Deterministic and reproducible, given the same initial source code
Reversible given the original source, to de-obfuscate panic stack traces
That might not be obfuscated enough for your need, but it is a good start.
Related
Actually, I'm a PHP developer. I want to sell my PHP product.
So, I want to protect some major source code in PHP. But it's impossible in PHP.
I know Golang also. So, I want to to build secret algorithm in golang code and compile into binary.
Finally I want to protect my PHP major algorithm with PHP code && binary program.
My doubt is:
When I'm compiling golang source code into binary file.
Is it possible to grab golang source code from binary file ?
No, if they really really want to, they can disassemble the binary and guess what the algorithm does from the assembly, this however, applies to all languages.
If it runs, it can be disassembled and it can be broken.
There are 3 things you can do to protect your code.
You can, of course, obfuscate all the code prior to a build.
I dont knwo of any specific golang tools to do this.
Stripping symbols
But i worry about a "gifted hacker" who will decompile and try to steal my work. It has happened a few times already.
So, you want something whereby the "hacker" is defeated as it's too much work to try and re-assemble.
Stripping the symbols should be more than enough.
You can omit debug information passing the '-w' flag to the linker, and you can omit the symbol table by passing '-s'.
See go tool link in 1.5 here:
https://golang.org/cmd/link/
Device Fingerprinting
This ensures your software cannot run unless its on the same machine when the license was generated for it.
The license is stored on your server, and the fingerprint meta data is sent and check.
You can see this in action here:
https://github.com/hashicorp/nomad/blob/master/client/client.go#L147
Note that in their code they are NOT generating a license against the fingerprint. This is something you would want to do as extra. You can also hash it and sign it and other fancy stuff, but thats too much detail for this post.
Of course a "hacker" can get around this IF they can decompile your code, but as i mentioned in Step 2, this can be defeated pretty well by stripping the symbols.
Obfuscation, as in step 2 helps, but most decent coders can find the place where the code is doing a check and just comment out the check and recompile.
But with no symbols its almost impossible to recompile.
Hope that helps ...
I have a solution with some projects in that make up a library. I use this library in some of my other solutions. I do this by making a reference to the dll which is generated when the library solution is compiled. So far, so good.
Now I'm debugging one of those "other solutions". I see that I'm using a function from the library I built and I want to see what the code does. I hit F12 and I'm taken to a very useless page where I see only the signature.
I could add the library projects to my solution. this is unsatisfactory because when someone is editing the solution I want it to be clear that the messing about with the library bit is going to affect other programs. If I can describe my desire crudely, I would say I want the library solution to be show when I hit F12, but be read only.
How can I do this?
I think it depends on the complied option of the library. If the library is built without debug symbols, it would not be possible to debug inside in a normal human readable way. I suggest you compile/build the library with debug option. That may solve your problem.
HTH!
I understand it is somehow making a connection so that a compiler when envokes connects a source code to whatever libraries that it needs to.
But what is going on a more technical level, or better put what do I need to know in order to confidentally compile code.
I'm working with C++ and MinGW, and have started to look into build files and stuff for Sublime Text 2 (Have learned mostly under unix, or Java + eclipse so far). But what I don't understand what is adding a compiler to your path do for you?
Do I need to add it for every folder I want to compile from? Or is it system wide? I'm really learning this stuff for the first time, we we're never showed how to set up development environments or even deploy code on other systems.
You probably mean include paths and library paths in the compiler:
include paths: where the compiler will look for headers; and
library paths: where the linker, invoked by the compiler, will look for binary libraries to finish building your project.
If that is the case, look here for a gentle explanation.
Basically, what is happening is that the compiler looks in certain places for symbols defined by the operating system and other libraries installed system-wide.
In addition to those paths, you need to tell the compiler where to find the symbols defined in your own project.
You may also mean something related to installing the compiler itself or configuring the editor to use it.
In that case, what is happening is that you need to tell the build system where to find the executable for the compiler.
Basically, what is probably happening is that your editor wants to know where the compiler is so that it can provide real time feedback on your code. Adding the compiler to the system path will usually, but not always, solve your problem.
In more detail:
A C++ build is a rather complex tool chain, involving determining dependencies, preprocessing, compiling, and linking. There are tools that automate that tool chain, and those tools are in turn wrapped into the functionality of modern IDEs like Eclipse, Visual C++, or Sublime Text 2. You many need to tell your editor where to find the tools it uses to provide you with those services.
I was wondering if there is a quick and effective way to remove all the unused variables (local, instance, even properties) in xcode... I am doing a code cleanup on my app and if I knew a quick way for code refactoring it would help me a lot...
Thanks...
It's being a long time since you made your question and maybe you found an answer already, but from an answer to a related question:
For static analysis, I strongly
recommend the Clang Static Analyzer
(which is happily built into Xcode 3.2
on Snow Leopard). Among all its other
virtues, this tool can trace code
paths an identify chunks of code that
cannot possibly be executed, and
should either be removed or the
surrounding code should be fixed so
that it can be called.
For dynamic analysis, I use gcov (with
unit testing) to identify which code
is actually executed. Coverage reports
(read with something like CoverStory)
reveal un-executed code, which —
coupled with manual examination and
testing — can help identify code that
may be dead. You do have to tweak some
setting and run gcov manually on your
binaries. I used this blog post to get
started.
Both methodologies are exactly for what you want, detecting unused code (both variables and methods) and removing them.
In Java when you compile a .java file which defines a class, it creates a .class file. If you provide these class files to your coworkers then they cannot modify your source. You can also bundle all of these class files into a jar file to package it up more neatly and distribute it as a single library.
Does Ruby have any features like these when you want to share your functionality with your coworkers but you don't want them to be able to modify the source (unless they ask you for the actual .rb source file and tell you that they want to change it)?
I believe the feature you are looking for is called "trust" (and a source code control repository). Ruby isn't compiled in the same way that Java is, so no you can't do this.
I have to say your are in a rough position, not wanting to share code with a coworker. However, given that this is an unassailable constraint perhaps you could change the nature of the problem.
If you have a coworker that needs access to some service provided by a library of yours, perhaps you could expose it by providing a web/rest service instead of as a .rb file.
This way you can hide your code behind a web server, and if there is a network architecture that allows for low latency making these service calls, you can effectively achive the same goal.
Trust is a lot easier though.
edit:
Just saw this on HN: http://blog.astrails.com/2009/5/12/ruby-http-require, allows a ruby file to include another file through http instead of the filesystem.
Ruby is
A dynamic, interpreted, open source programming language with a focus on simplicity and productivity.
So like all interpreted languages, you need to give the source code to anyone who want's to execute your program/script.
By the way searching "compiled ruby" on google returned quiet a few results.
I don't think there is one. Ruby is purely an interpreted language, which means ruby interprets your source code directly in order to run it. Java is compiled, so there's an intermediate bytecode (the .class). You can obfuscate your ruby if you really wish, but it's probably more trouble than it's worth.
Just to make sure you realize, however, upwards of 95% of Java can be decompiled back into source using various free utilities, so in reality, Java's compilation isn't much better than distributing Ruby source.
This is not a language specific problem and one that can be managed more effectively through source control software.
There is a library called ruby2c that compiles a subset of Ruby into C code (which you can then compile into native code, if you want).
It was actually originally written as a Ruby code obfuscator (but has since been used for lots of other stuff, including Ruby Arduino development).