我一直在思考如何保护我的C/ c++代码不被反汇编和逆向工程破坏。通常情况下,在我的代码中,我绝不会宽恕这种行为;然而,为了各种人的安全,我目前正在研究的协议决不能被检查或理解。
现在这对我来说是一个新的主题,互联网并没有真正的资源来防止逆向工程,而是描述了大量关于如何逆向工程的信息
到目前为止我想到的一些事情是:
Code injection (calling dummy functions before and after actual function calls)
Code obfustication (mangles the disassembly of the binary)
Write my own startup routines (harder for debuggers to bind to)
void startup();
int _start()
{
startup( );
exit (0)
}
void startup()
{
/* code here */
}
Runtime check for debuggers (and force exit if detected)
Function trampolines
void trampoline(void (*fnptr)(), bool ping = false)
{
if(ping)
fnptr();
else
trampoline(fnptr, true);
}
Pointless allocations and deallocations (stack changes a lot)
Pointless dummy calls and trampolines (tons of jumping in disassembly output)
Tons of casting (for obfuscated disassembly)
我的意思是,这些是我想过的一些事情,但它们都可以在适当的时间框架内由代码分析师解决。我还有别的选择吗?
最好的反反汇编技巧,特别是在可变字长指令集上,是在汇编程序/机器代码中,而不是在c中
CLC
BCC over
.byte 0x09
over:
The disassembler has to resolve the problem that a branch destination is the second byte in a multi byte instruction. An instruction set simulator will have no problem though. Branching to computed addresses, which you can cause from C, also make the disassembly difficult to impossible. Instruction set simulator will have no problem with it. Using a simulator to sort out branch destinations for you can aid the disassembly process. Compiled code is relatively clean and easy for a disassembler. So I think some assembly is required.
I think it was near the beginning of Michael Abrash's Zen of Assembly Language where he showed a simple anti disassembler and anti-debugger trick. The 8088/6 had a prefetch queue what you did was have an instruction that modified the next instruction or a couple ahead. If single stepping then you executed the modified instruction, if your instruction set simulator did not simulate the hardware completely, you executed the modified instruction. On real hardware running normally the real instruction would already be in the queue and the modified memory location wouldnt cause any damage so long as you didnt execute that string of instructions again. You could probably still use a trick like this today as pipelined processors fetch the next instruction. Or if you know that the hardware has a separate instruction and data cache you can modify a number of bytes ahead if you align this code in the cache line properly, the modified byte will not be written through the instruction cache but the data cache, and an instruction set simulator that did not have proper cache simulators would fail to execute properly. I think software only solutions are not going to get you very far.
上面这些都是老的和众所周知的,我对当前的工具了解不够,不知道它们是否已经围绕这些事情工作了。自修改代码可能/将使调试器出错,但是人类可以/将缩小问题范围,然后看到自修改代码并解决它。
It used to be that the hackers would take about 18 months to work something out, dvds for example. Now they are averaging around 2 days to 2 weeks (if motivated) (blue ray, iphones, etc). That means to me if I spend more than a few days on security, I am likely wasting my time. The only real security you will get is through hardware (for example your instructions are encrypted and only the processor core well inside the chip decrypts just before execution, in a way that it cannot expose the decrypted instructions). That might buy you months instead of days.
另外,读读凯文·米特尼克的《欺骗的艺术》。这样的人可以拿起电话,让你或同事把秘密交给系统,以为那是公司其他部门的经理、其他同事或硬件工程师。你的安全系统也被破坏了。安全不仅仅是管理技术,还要管理人。
Take, for example, the AES algorithm. It's a very, very public algorithm, and it is VERY secure. Why? Two reasons: It's been reviewed by lots of smart people, and the "secret" part is not the algorithm itself - the secret part is the key which is one of the inputs to the algorithm. It's a much better approach to design your protocol with a generated "secret" that is outside your code, rather than to make the code itself secret. The code can always be interpreted no matter what you do, and (ideally) the generated secret can only be jeopardized by a massive brute force approach or through theft.
我认为一个有趣的问题是“为什么你想让你的代码变得模糊?”你想让攻击者难以破解你的算法?让他们更难在你的代码中发现可利用的漏洞?如果代码一开始就不可破解,那么您就不需要混淆代码。问题的根源在于易破解的软件。解决问题的根源,不要只是混淆它。
而且,你的代码越混乱,你就越难找到安全漏洞。是的,这对黑客来说很难,但你也需要找到漏洞。从现在开始,代码应该很容易维护,即使是编写良好的清晰代码也很难维护。不要让事情变得更糟。
为了能够做出正确的选择,你应该考虑以下几个方面:
有没有可能“新用户”不愿意花钱而是使用你的软件?
现有客户是否有可能需要比他们拥有的更多的许可证?
潜在用户愿意支付多少钱?
你想按用户/并发用户/工作站/公司发放许可证吗?
你的软件需要培训/定制才能有用吗?
如果问题5的答案是“是”,那么就不用担心非法拷贝。反正也没用。
如果问题1的答案是“是”,那么首先考虑定价问题(见问题3)。
如果你回答问题2“是”,那么“按使用付费”模式可能会
适合你。
从我的经验来看,按使用付费+定制和培训是最好的保护
为您的软件,因为:
新用户被定价模式所吸引(很少使用->很少付费)
几乎没有“匿名用户”,因为他们需要培训和定制。
没有软件限制会吓跑潜在客户。
现有客户源源不断地提供资金。
由于长期的业务关系,您可以从客户那里得到有价值的发展反馈。
在您考虑引入DRM或混淆之前,您可能会考虑这些要点,以及它们是否适用于您的软件。
