Author: Cactus studio issued a document time: 2003.03.31 16:25:39 We know that, Java compiler source code to get a byte code, VS.NET compiler source code to get a MSIL (Microsoft Intermediate Language), this compilation mode It is known as "incomplete compilation", especially easily and reverse engineering. Unlike the local code, the intermediate code that is not fully compiled is completely the variable, the process name, so that the procedure obtained by the anti-compilation is almost exactly the original program, only the annotation of the original program is missing, and the remaining content can not move. Restore.
For developers of the product software, high quality anti-compile code has brought great risks: algorithms may be steadped and transformed, and the program code may be copied and changed. (Even the non-commodity software used inside the unit also brings great threat due to the source code leakage caused by anti-compilation. For example, the user will easily see the password or program embedded SQL command to access the database. Similarly, use outside The website of the unit hosted server is also facing risks. Once the code of the ASP.NET app is uploaded, the person who hosts the unit may view and change the program code at will.
More worry is that hackers or curious users can easily get a variety of reverse engineering tools. Microsoft itself provides a msil reverse pollier, called iLDASM; there is an open .NET anti-compilation tool Anakrino; of course, there are many other manufacturers with commodity reverse engineering tools.
First, modify the variable name
In order to prevent the threat of such reverse engineering, the most effective way is to blur. (According to the "American Traditional Dictionary", "Fuzzy" means "makes confusion, make it confusing, making too confusing or blurry, making it difficult to feel or understand"). The fuzzy tools use various means to achieve this goal, but the main way is to make the variable name no longer have the ability to indicate its role, encrypt strings, and text, inserting various spoofing instructions to make anti-compilation code cannot be compiled.
An upcoming Visual Studio version (called VS.NET 2003, code name Everett) integrates a fuzzy tool, Microsoft recommends using this tool to perform the last process of the .NET intermediate code. This blurry is another tool Dotfuscator so-called Lite version. The Dotfuscator function produced by Preemptive Solutions is more powerful, and this company is initially developed by the company in Northeastern Ohio, USA. Fuzzy technique for initially developing Java code. Dotfuscator blur uses a series of excellent technologies to make reverse engineering in vain, or at least make the reverse engineering difficult.
Preemptive Solutions gives it a patent technology that modifies the variable name in the middle code takes a name called "Overload Induction), and the LITE version brought by VS.NET 2003 has this fuzzy function. (The ambient never changes the original source code, and even simultaneously use source code as a reference.) This technology fully utilizes the feature of VS.NET code: The same identifier can be used simultaneously to use a class with different characteristics. Method; in different namespaces, variables can have the same name without conflict.
DotFuscator fully uses VS.NET these symbolics features, change as many symbols as possible into letters "a". According to the company, some code has approximately 33% of the reference to "A", and 10% can be changed to "B". The process of reverse engineering will be difficult to understand through the formation of ambient. Let's take a look at an example.
Performing a reverse engineering for code without fuzzy treatment:
private void CalcPayroll (SpecialList employeeGroup) {while (employeeGroup.HasMore ()) {employee = employeeGroup.GetNext (true); employee.updateSalary (); DistributeCheck (employee);}} same code, and then performing a reverse obfuscated engineering:
Private void A (a b) {whele (B.A ()) {a = B.A (TRUE); A.A (); A (a);}}
Obviously, the processing logic of the two codes is the same. However, to make sure that the second paragraph of code is doing something extremely difficult, even which methods are also visiting which modifications are also difficult.
This function of this change the variable name is configurable, for example, suppose you are constructed a DLL, which may not change the API. Interestingly, this process is obviously simply simply simplifying the name of a large number of variables into a single character, but has a very good fuzzy effect.
Second, the encrypted string
String encryption to deal with another security problem, in fact, this security issue also exists in this machine code - extracting characters from binary code and text is a very simple thing. For example, using UNIX's Strings tool to process any binary, you can quickly get the list of ASCII text included in this binary.
In the simplest case, this list will only reveal the copyright information and binary execution files. However, if the program is to access the database, this list will contain all SQL commands; if the password is embedded in the code module, the password will not be confident.
For intermediate code, unencrypted strings will also bring an additional risk. The hacker can determine the password protection from where the start code is received by analyzing the reference to a particular string, and then add the patch to bypass the password verification section.
In order to solve the security problem brought by the character string, most of the ambiguators use the technology of encrypted strings. Since the decryption operation requires a certain overhead, the performance of the access string is definitely reduced during runtime. Interestingly, in this respect, this codes don't take advantage of it, because if you want to achieve the same effect, the machine code developer must manually encrypt and decrypt each string, but for intermediate code, these work can be deducted by the blur .
Third, hidden implementation process
The control process blur is a technique for misleading the anti-compiler. It inserts a lot of GOTO instructions in the original code, although the final execution of the program is still the same as the original, but too many "roundabout action" makes the analyzer The actual logic process is very difficult. Let's take a look at an example.
Reverse engineering is implemented for intermediate code without control process fuzzy processing:
Public int compareto (Object O) {INT N = OCCURRENCES - (WordOcurrence) O) .occurrences; if (n == 0) {n = string.compare (WordOccurrence O) .word;} return N);
The same code, after the control process is blurred, perform reverse engineering:
Public Virtual Int A (Object A_0) {INT Local0; INT Local1; Local0 = THIS.A - (c) A_0.A; if (local0! = 0) goto I0; GTO I1; While (TRUE) {Return Local1; I0 : local1 = local0;} i1: local0 = system.string.compare (this.b, (c) a_0.b); goto I0;}
It can be seen that after the control process is blurred, the code is inserted into a pseudo-condition detection statement, and then a GOTO directive is executed. In the destination of GOTO, the original statement (in the form of fuzzy treatment) is executed, and then a goto statement will control the original logic branch. Note that the while () loop is not executed, it simply plays a misleading role. This code is small, even if there is no original code for comparison and reference, identifying the possibility of actual procedure still exists. However, for a larger process, if there is no source code for reference, instructions that are specifically used to be used to perform the normal implementation process will make the person who analyze the code is exhausted, and finally have to give up. In other words, the fundamental idea of this fuzzy treatment is to make it extremely difficult to restore the original code, forcing hackers to change their minds, maybe it is relaxed, such as "write code for yourself."
Fuzzy processing for the control process To insert some code in the binary, some running time overhead is added. If the code is very demanding on the runtime requirements, you can only add this level of extra protection to those special parts.
■ Blur and anti-compiler big broadcast:
▲ Flator:
Lsw DotNet Il Obfuscator
Demeanor for .net
Salamander .NET OBFUSCATOR
Dotfuscator
Askose.obfuscator
.NET IL-OBFUSCATOR
Deploy .NET
Salamander .Net Protector
ThinsTall
XenoCode
▲ Anti-compiler:
Salamander .net Decompiler
Exemplar / anakrino
