Reverse Engineering Code Prevention

[Drakenmul]

I've read about obfuscators.
From what I have read there is no way to completely protect your code. There would almost always be someone out there that has a way to reverse-engineer your classes. Is that true?
What have you done to protect your code and how well does it work?

[keang]

From what I have read there is no way to completely protect your code

True. There is no way to totally protect your code. You can make it more difficult by using obfuscators etc, but it all comes down to how much time and effort someone is willing to put into it reverse engineering the code. Years ago, in order to find out how a machine control program worked I spent several weeks reverse engineering an embedded control system written in Z80 machine code. Which just goes to show if someone is really keen (and possibly a little bit sad), you can't stop them.

What have you done to protect your code and how well does it work

Depends on the product. For complex products giving it away for free and charging for support etc can work well or if the product is likely to sell in high volumes setting the price low enough that it's not worth the effort to reverse engineer it can also work.

Personally speaking I don't spend too much time trying to protect my code these days. Generally your code isn't as valuable/interesting to other people as you might hope it is.

But, if you have code that really is a secret then don't release it for sale because someone somewhere will reverse engineer it.

[dlorde]

As well as renaming classes, methods, and variables, the best obfuscators use code analysis so they can rewrite parts of your code to make it next to impossible to figure out.

AIUI, in principle, it's possible to reverse engineer all code produced by the main popular languages. In practice, a good obfuscator makes it impractical - at a price.

I have heard of fancy tools that can figure out what code does by simulating chunks of it and testing the outputs for given inputs, but this is likely to be at the level (and cost) of major industrial espionage, and unlikely to be available to casual hackers (although I wouldn't put it past some of them).

It's easy to cry "bug" when the truth is that you've got a complex system and sometimes it takes a while to get all the components to co-exist peacefully...
D. Vargas

[Drakenmul]

Thank you both for your replies. One thing I've been thinking of for my client/server programs is to just make sure that the client that you are distributing does not do anything but receive input from the user, send that input to server , receive and display what the client needs to see to further their input. Keeping the main mechanics hidden away in the server. How well do you think that would hold up?

What would be a worthwhile obfuscator if I were to go down that path?

[ProgramThis]

At this point you have to ask yourself the question: Why? What is the big need to hide your code? Why is your code so special that nobody should ever be able to figure out what it does?

If the problem is the client stealing the code, then you have them sign disclaimers and legal documents that will protect you from this. If you are worried about the world stealing it, well, you can try to patent it if you think what you have done is so special that it warrants it.

[Drakenmul]

I just dont want people taking what I've worked on for x amount of years and in one day, they've got all that knowledge without spending that same amount of time coming up with it on their own. I'm not against opensource on projects, but when I want to have the possibility someday to make a living off of my years of work and someone comes along and rips the code from it in one day then put me out of business...not to good for me. Other than hackers hikacking my server computer and taking the class files, with the client only for "show" I dont have as much of a problem to worry about. As you can tell, its an important issue to me.

[dlorde]

... Keeping the main mechanics hidden away in the server. How well do you think that would hold up?

It's known as 'Thin Client' and is very popular. The whole business is moving towards online software services, so you'll be swimming with the current. You can also use Web Services to provide an online API so that others can register to dynamically call your server modules from their own applications.

What would be a worthwhile obfuscator if I were to go down that path?

Why would you need one if your important code is on your own secure server?

I've worked on commercial Java financial software, including 'fat' clients, for 15 years, and never had occasion to use an obfuscator - mostly because the sensitive software and data is stored on secured servers and is never directly accessible to outside parties.

Weeks of programming can save you hours of planning...
Anon.

[Drakenmul]

For obfuscating my server classes. I'm sure my server's firewall is not bulletproof.

[dlorde]

You'll need to do some research then. I would recommend getting in a security consultant if your code is that sensitive.

Teachers open the door, but you must enter by yourself...
Chinese proverb

[ProgramThis]

I just dont want people taking what I've worked on for x amount of years and in one day, they've got all that knowledge without spending that same amount of time coming up with it on their own.

While, as a software engineer with his own business, I do agree with you about having your hard work stolen, every time I hear this argument I am reminded of a quote:

The idea that I can be presented with a problem, set out to logically solve it with the tools at hand, and wind up with a program that could not be legally used because someone else followed the same logical steps some years ago and filed for a patent on it is horrifying.
John Carmack

If I came out with a product that I wanted to market I personally would take the steps to protect my intellectual property by filing for a patent for the design and registering the software.

Software is protected under copyright:

Copyright gives the most basic protection for computer software. Under U.S. copyright law, software is considered to be a "literary work" and is, thus given all of the protections of literary works, such as novels or poems.

You should do some reading up on Copyright laws. From what I found on it:

he author acquires a copyright in a work as soon as it is "fixed in a tangible medium of expression", which, in the case of software, means as soon as it is written down on paper, or electronically on the computer, in some readable form.

So if somebody else did steal your work, and you could prove that you write it first, you would be protected under copyright laws. You could post your code on sourceforge.net, state that it is not open or free to use or distribute if you wanted to.

I guess the point I am trying to make is, don't hide your code. Let it be there for others to learn from. That is how we work as a society. That is how we move forward, learning from each other. Let people see what you have done, if they want to use it they have to pay you royalties.

[Drakenmul]

Thanks ProgramThis you presented some good information, I appreciate that. I never really thought about it like that before but it makes a lot of sense. I'll do some more reading up on what you shared to see how exactly all that is accomplished.

[dlorde]

Bear in mind that whatever your legal rights to your work, it would probably still cost you an arm or a leg to enforce them in court - assuming you could trace and identify the infringer and that they were within that jurisdiction - and even if you won, you would probably not recover all the costs of the case. Big companies have expensive lawyers and can spin these things out until you're old, little companies & individuals can just disappear. Even if costs & damages are awarded, you won't necessarily get a penny back.

In practice, if your code really is that valuable, I would suggest that it isn't wise to rely solely on your automatic legal rights in this area. Prevention is better than cure.

This is just my opinion, I am not a lawyer.

The greatest mistake you can make is to be continually fearing you will make one...
E. Hubbard

[ajhampson]

One last thought from here:

One of the main reasons STO [security through obscurity] fails is because the average person doesn’t think like a criminal. When you hide your password under your mouse pad or your house key in a fake rock, you think you’re being pretty sneaky. The problem is, criminals know these tricks too. Hackers know those same tricks. You may think you’re being sneaky by changing a port or renaming your machine or whatever it is you’ve come up with, but the truth of the matter is, security through obscurity FAILS CONSISTENTLY.

Obfuscation is STO in a classic sense. If someone really want the code, they'll find a way to get it. By hiding it on the server and obfuscating it, you may even make it more attractive to those who take interest in such things.

Just my two cents.