Fuzzy: Keep your code away from your eye
[ |
Source: Author: Cactus Studio |
|
We know that the source code compiled by Java gets the bytecode,. net compiled source program is obtained by msil (Microsoft intermediate language). This compilation method is called "incomplete compilation", which is particularly prone to decompilation or reverse engineering implementation. Different from the local code, the intermediate code not fully compiled completely retains the variables and process names, so that the program decompiled is almost the same as the original program, only the comments of the original program are missing, and the rest of the content can be restored completely.
For commodity software developers, high-quality decompilation code brings great risks: algorithms may be stolen and transformed, and program code may be copied and modified. (Even non-commodity software used within the organization, source code leakage caused by decompilation poses a great threat. For example, you can easily see the password for accessing the database or the SQL command embedded in the program. Similarly, websites hosted by external organizations are at risk. Once the ASP. NET application code is uploaded, the owner may view and change the program code at will ).
Even more worrying is that hackers or curious users can easily obtain various reverse engineering tools. Microsoft provides a msil reproducer called ildasm for free. Here is an open-source. Net decompilation tool anakrino. Of course, many other vendors provide commercialized reverse engineering tools.
1. Modify the variable name
The most effective way to prevent such reverse engineering threats is to blur them. (According to the traditional American Dictionary, "fuzzy" means "confusing, confusing, or overly confusing, making it hard to feel or understand "). Fuzzy tools use various means to achieve this goal, however, the main way is to make the variable name no longer have the ability to indicate its role, encrypt strings and text, and insert various spoofing commands so that the decompiled Code cannot be compiled.
A forthcoming Visual Studio version, called vs. NET 2003, with the code name Everett, will integrate a fuzzy tool, which Microsoft recommends for final processing of. Net intermediate code. This blur is another tool called Lite version of dotfuscator. Dotfuscator, produced by preemptive solutions, is more powerful. The company in Cleveland, Northeastern Ohio, initially developed Java code fuzzy technology. The dotfuscator blur uses a series of excellent technologies to make reverse engineering futile, or at least to make reverse engineering difficult.
Preemptive solutions: the patented technology used by preemptive solutions to modify variable names in the intermediate code is named overload induction,. NET 2003 Lite version only has this fuzzy function. (The Blur will never change the source code, or even use the source code as a reference .) This technology makes full use of. net code features: the same identifier can be applied to classes and methods with different features at the same time. In different namespaces, variables can have the same name without conflict.
Dotfuscator makes full use of the characteristics of vs. net, and changes as many symbols as possible into the letter "". According to the company, about 33% of some code references can be changed to "A", and 10% can be changed to "B ". The Code obtained by reverse engineering will be hard to understand after fuzzy machine processing. The following is an example.
Execute reverse engineering for unblurred code:
private void CalcPayroll(SpecialList employeeGroup) { while (employeeGroup.HasMore()) { employee = employeeGroup.GetNext(true); employee.updateSalary(); DistributeCheck(employee); }} |
For the same code, perform reverse engineering after fuzzy processing:
private void a(a b) { while (b.a()) { a = b.a(true); a.a(); a(a); }} |
Obviously, the processing logic of the two code segments is the same. However, it is extremely difficult to understand what the second code is doing, and even to determine which methods and variables it is accessing.
The function of changing the variable name is configurable. For example, if you are constructing a DLL, You can require that you do not change the API. Interestingly, this process simply compresses the names of a large number of variables into a single character, but achieves very good fuzzy effects.
Ii. Encrypted string
String encryption is another security problem. In fact, this security problem also exists in the local code-extracting characters and text from binary code is very simple. For example, if you use a Unix strings tool to process any binary file, you can quickly obtain the ASCII text list contained in the binary file.
In the simplest case, this list only exposes copyright information and libraries referenced by binary execution files. However, if the program wants to access the database, this list will contain all SQL commands; if the code module is embedded with a password, the password will be unencrypted.
For intermediate code, unencrypted strings pose an additional risk. By analyzing the reference to a specific string, hackers can determine where the code is protected by the password and add a patch to bypass the password verification section.
To solve the security problem caused by string plaintext, most obfuscators use the encryption string technology. The decryption operation requires a certain amount of overhead, so the performance of the access string in the runtime is certainly reduced. Interestingly, the local code is not cheap in this regard, because to achieve the same effect, the developer of the local code must manually encrypt and decrypt each string, however, the intermediate code work can be done by the fuzzy tool.
3. Hide the execution process
Fuzzy control process is a technique used to mislead the anti-compiler. It inserts many goto commands into the original code, although the sequence of commands executed by the program is still the same as the original one, however, too many "Roundabout actions" make it very difficult to analyze the actual logic flow of the program. The following is an example.
Implement reverse engineering for intermediate code that has not undergone fuzzy processing of the control process:
public int CompareTo(Object o) { int n = occurrences - ((WordOccurrence)o).occurrences; if (n == 0) { n = String.Compare(word, ((WordOccurrence)o).word; } return (n);} |
For the same code, perform reverse engineering after fuzzy processing of the control process:
public virtual int a(object A_0) { int local0; int local1; local0 = this.a - (c) A_0.a; if (local0 != 0) goto i0; goto i1; while (true) { return local1; i0: local1 = local0; } i1: local0 = System.String.Compare(this.b, (c) A_0.b); goto i0;} |
As you can see, after the control process is fuzzy, the code is inserted with a pseudo-condition detection statement and then executed with a goto command. In the Goto destination, the original statement (in the form of fuzzy processing) is executed, and then a GOTO statement transfers the control to the original logical flow branch. Note that the while () loop is not executed, but it is misleading. This code snippet is very small. Even if there is no original code for comparison and reference, the possibility of identifying the actual process of the program still exists. However, for a large process, if there is no source code for reference, the instructions specifically used to disturb the normal execution process of the program will make the code analysts exhausted and finally have to give up.
That is to say, the root idea of this fuzzy processing is to make it extremely difficult to restore the original code, forcing hackers to change their minds, maybe simply by making it easier, for example, "write your own code ".
To perform fuzzy processing on the control process, you need to insert some code into the binary file, which increases the running time overhead. If the Code has very strict runtime requirements, you can add this additional protection to those particularly important parts.
The two obfuscators and the anti-compiler are shown as follows:
▲Blur:
Lsw DOTNET il obfuscator
Demeanor for. net
Salamander. Net obfuscator
Dotfuscator
Aspose. obfuscator
. Net IL-obfuscator
Deploy. net
Salamander. Net Protector
Thinstall
Xenocode
▲Anti-compiler:
Salamander. Net decompiler
Exemplar/anakrino