Does anyone know of good products with comprehensive binary hardening and anti-reverse-engineering features? Or better, has anyone seen an independent review comparing products that perform these types of binary code protections? I've only found one or two that offer comprehensive solutions:

  1. Arxan GuardIt http://www.arxan.com/software-protection-products/index.php
  2. PikeWerks http://pikewerks.com

Of these even Arxan seems the most comprehensive in terms of its protection mechanisms. The types of features I'm looking for include:

  • protection against reverse engineering
  • protection against BORE attacks (break once run everywhere)
  • protection against tampering
  • protection against binary modification

To provide these features the products would implement many different techniques in the larger categories of:

  • static and dynamic binary obfuscation
  • virtual machines
  • static and runtime encryption
  • checksums and timing
  • anti-debugging
  • authentication

For example, to implement static binary obfuscation the product should offer many different techniques from basic constant and export renaming to path chaffing, fake code insertion, and others. For a good reference see Andrew Griffith's paper on Binary Protection Schemes at felinemenace.org.

I don't know much about PikeWerks but I like how Arxan's product sounds like it conveniently integrates into a build environment so no custom code is required. Furthermore it seems to have capabilities not only to defend but to detect and react to attacks.

* Update * I should have listed the platform requirements: Linux, x86, x64, Java, C, and C++.

makerofthings7
Weber
    Guys, I'm totally in the same camp as you about the usefulness of these protections. We all know these are merely hurdles and a determined RE effort will overcome them with time and resources. That's not the point of discussion here though. The point of this question was to identify viable commercial solutions that implement a significant and challenging set of hurdles. From all of the answers so far, Arxan still stands out as the leader of the pack so unless someone knows of another relevant competitor that's where we'll go. – Weber Dec 11 '10 at 23:52
  • Check out RedGate's product, their products are always topnotch. – AviD Dec 12 '10 at 00:14
  • The problem is, viable commercial solutions that become popular are going to get targeted more, leaving you open to Break-One-App-Run-Them-All. – bobince Jan 08 '12 at 22:26

7 Answers

The more you invest in protecting your binary from crackers:

  • the less of your project cost is being invested in adding value for the customer
  • the more expensive your product becomes, driving away legitimate customers
  • the longer your time to market, allowing a less conservative competitor to execute faster

Virtual machines are part and parcel of the way IT departments are run now. Avoid running in a VM and you avoid selling your product to part of the market.

Tamper-proofing/Authentication should probably be handled by an OS feature: I know that Windows, Mac OS and many smartphone platforms already support that. My main area of expertise is OS X, which has a "kill" flag such that a process that becomes unsigned can voluntarily suicide. An application can test its own signature, which comes with the proviso that if your app's been cracked you can assume that the test has been changed or removed too.

Obfuscation/encryption techniques are worthless: at some point the CPU has to see the instructions that it actually needs to run, and at this time those instructions can be dumped out to result in the "clean" binary.

  • Graham, this wasn't meant to be a philosophical question, it's practical. We have a requirement for this technology, understand the limitations and costs, and need to pick the right one. – Weber Dec 10 '10 at 07:30
  • @weber: I appreciate that it's a practical question. That is the reason I gave a factual answer. –  Dec 10 '10 at 09:40
  • It is true that encryption can be worthless, but only when the key is hidden in the application itself, or is able to be intercepted. In other cases the strength of the protection depends on how strong the encryption algorithm is. And about obfuscation - it can help to slow down binary code analysis; additionally it may confuse disassemblers and thus introduce an invalid listing. –  Dec 10 '10 at 11:50

Summarizing all previous answers - it is impossible to protect your application with a 100% guarantee. If the software is good, then it will be cracked sooner or later; if the protection is hard, then it will be carded (bought illegally, but with a legal licence) and a way will be found to run your software without paying for it. Just look at IDA Pro - I think the author of this software really knows how to protect his software; however, we can find cracked versions all over the internet. So, if you want to start selling your program, be ready for an eternal race between crackers and developers, who are trying to think what to do in the next release to change/improve protection.

Leaving aside the philosophical aspects of binary protection, protectors usually use several methods:

  • linking to hardware;
  • CRC checks;
  • Original Entry Point hiding;
  • different unpacking tricks - applying unusual unpacking algorithms;
  • import and other sections damaging;
  • different anti-debugging tricks via debugger bugs;

All of that can be bypassed. In addition, it slows down your software and sometimes leads to new bugs and instability issues.

What developers usually apply to their software:

  • code mixing (scrambling), obfuscation;
  • application encryption;
  • pseudo-code usage;
  • deliberate errors popping via EH;

Again, all of these protections can be bypassed in one way or another. However, encryption looks like the most advisable and best solution today, but it can be hard to implement securely and, additionally, it may slow down the software significantly.

And finally, protection software. From what I have heard, these are good:

I won't delve into a review of each of the above-mentioned software; you should do that on your own. If you are considering buying a license for one of those protectors, think through your effort and the possible issues regarding the protections.

  • Why would anyone use a CRC check? A CRC using generator polynomial _G(x)_ detects all modifications except those which are a multiple of _G(x)_, making it trivial to fool a CRC check. – forest Apr 17 '18 at 11:02
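The property forest's comment relies on, shown concretely. This is an added example, not code from the thread or from any of the products mentioned: it uses Python's zlib.crc32 (the reflected CRC-32 with generator 0x104C11DB7) and HMAC-SHA-256 from the standard library as the keyed check a product would use instead. The five-byte string is the generator written in the bit order zlib consumes (derived by hand, and checked by the functions below); the sample image and key are constructed for the demonstration. It also carries the general statement of which the generator trick is one instance: for equal-length inputs a CRC is affine, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0).

```python
"""Why a CRC is a transmission-error check, not a tamper check.

A CRC is the remainder of the message polynomial modulo the generator G(x),
so any change whose own polynomial is a multiple of G(x) is invisible to it.
XOR-ing G(x) into any 5 consecutive bytes of a message adds exactly
G(x) * x^k and leaves the CRC unchanged.  A keyed HMAC has no such
algebraic structure, so the same change is rejected.
"""
import hashlib
import hmac
import zlib

# G(x) = x^32 + x^26 + ... + x + 1 as the LSB-first byte stream zlib.crc32
# reads (little-endian bytes of 0x1DB710641, the bit-reflected 33-bit
# generator).  Assumption: derived by hand for zlib's reflected CRC-32;
# crc_ignores_generator_multiple() checks it.
GENERATOR_REFLECTED = bytes.fromhex("410671db01")

# Constructed sample "binary" and a verification key.  In a real product the
# key has to live outside the shipped artefact or the MAC adds nothing.
SAMPLE_IMAGE = bytes(range(256)) * 4  # 1024 bytes of constructed content
VERIFY_KEY = b"constructed-demo-key-not-for-real-use"


def xor_at(data: bytes, offset: int, patch: bytes) -> bytes:
    """Return a copy of data with patch XOR-ed in at offset."""
    out = bytearray(data)
    for i, b in enumerate(patch):
        out[offset + i] ^= b
    return bytes(out)


def crc_tag(data: bytes) -> int:
    """Unkeyed integrity tag: CRC-32 as zlib computes it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac_tag(data: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Keyed integrity tag: HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_check(expected: int, data: bytes) -> bool:
    return crc_tag(data) == expected


def mac_check(expected: bytes, data: bytes, key: bytes = VERIFY_KEY) -> bool:
    # Constant-time comparison, so the check itself does not leak the tag.
    return hmac.compare_digest(mac_tag(data, key), expected)


def crc_ignores_generator_multiple(data: bytes = SAMPLE_IMAGE, offset: int = 100) -> bool:
    """True iff XOR-ing G(x) into data leaves the CRC check satisfied."""
    tampered = xor_at(data, offset, GENERATOR_REFLECTED)
    assert tampered != data  # the bytes really did change
    return crc_check(crc_tag(data), tampered)


def mac_detects_generator_multiple(data: bytes = SAMPLE_IMAGE, offset: int = 100) -> bool:
    """True iff the HMAC check rejects the same change."""
    tampered = xor_at(data, offset, GENERATOR_REFLECTED)
    return not mac_check(mac_tag(data), tampered)


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for equal-length inputs.

    This is the general reason a CRC can be satisfied on purpose: the tag of
    a combined change is determined by the tags of its parts.
    """
    assert len(a) == len(b)
    both = bytes(x ^ y for x, y in zip(a, b))
    return crc_tag(both) == crc_tag(a) ^ crc_tag(b) ^ crc_tag(bytes(len(a)))


if __name__ == "__main__":
    print("CRC still passes after G(x) patch:", crc_ignores_generator_multiple())
    print("HMAC rejects the G(x) patch:      ", mac_detects_generator_multiple())
    print("CRC is affine over GF(2):         ",
          crc_is_affine(b"constructed input one!", b"constructed input two!"))
```

A single flipped bit is a polynomial x^k, never a multiple of G(x), which is why a CRC is excellent at catching accidental corruption and useless against someone who chooses the change; the keyed tag is what a tamper check needs, and the key management problem it creates is the same one that the "key hidden in the application" comment above points at.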
I use SLP Server from InishTech. http://www.inishtech.com It was formerly developed by Microsoft, and was spun off into a 3rd party company.

SLP is a technology that protects software running on Windows platforms and addresses many, if not all of your concerns. I've been communicating with their sales rep and they have some cost-effective plans for small developers, startups, and custom deployments of the software.

It also handles software licensing, metering, and try-before-you-buy in conjunction with the base code protection.

makerofthings7
  • Thanks for that, I was wondering why it dropped off MS's site! I did some preliminary research on SLP a while ago, looked very good. – AviD Dec 11 '10 at 21:13
I will start by saying there is no guaranteed way to enforce these things. My recommendation is don't ship out your custom algorithms to the client, keep them on a server that is under your control.

Woot4Moo
  • Please don't answer if you don't have information to help the question. We all understand the limitations and arms race of trying to protect code from reverse engineering. We're trying to determine if we've identified the two leading products or if we missed some. – Weber Dec 10 '10 at 07:32
  • A server-side solution has its own implications. For example, you have to watch your servers' stability and provide good measures against DDoS attacks. Also, not all users may have a stable internet connection. Besides that, missing code can be emulated. That's why this is not a desirable solution in most cases. –  Dec 10 '10 at 11:31
Those products you have identified do what they say they will do, but what Woot4Moo and Graham Lee said is true. You can not prevent reverse engineering. It isn't a philosophical discussion, it is simple reality. The people who do it best seem to be the bad guys, so far, but all anyone can expect to do is slow down an attack.

What are you trying to get out of it? If you are simply protecting your IP, forget it. If the core mechanism is top secret, do not put the app in the public domain. If you are simply trying to slow the bad guys down, use one of those apps you already mentioned.

But just remember - don't believe it won't be hacked, and don't promise anything of the sort to stakeholders :-)

Rory Alsop
What you're trying to do isn't just a difficult problem to solve, it's a provably impossible problem to solve. If you deliver the program to a user who has complete control of his own operating environment, you simply cannot control how it will be run. It's not just hard, it's impossible.

You can make it more difficult for him to do, but each of these tactics and techniques has a cost, and in a very real way decreases the overall value of your software to the consumer as is discussed in other answers.

Instead, if you're worried, you should focus on a value-add service that connects your paying customers to a system you control, not them. If users get additional value by tying their software to some outside account (e.g. an account on your server) then you can use that link to help positively identify your paying customers.

tylerl
Strongly agree with the other posters, @Graham, @Rory, @Ams, etc...
This will only make it harder, and prevent casual piracy. If someone really wants to get your code, they will. Worst case they can attach a debugger and get the decrypted machine code.

I will add another very good one: Red-Gate's SmartAssembly.

AviD