Lazarus

Free Pascal => General => Topic started by: justnewbie on March 22, 2018, 08:05:00 pm

Title: Some questions about program protection
Post by: justnewbie on March 22, 2018, 08:05:00 pm

1./ As I know, Lazarus/Free Pascal makes native code, so regaining the source code from a binary (exe,dll ...) is impossible. In other words: decompiling is impossible. Is it true?
2./ If it is true, then why do Pascal-obfuscators exist?
3./ What is the best method to protect my Lazarus-made binaries (exe, dll) from getting decompiled?
4./ A concrete example, if I have this:
MyString: string = 'My special string';
Can I somehow protect the 'My special string' against decompilation?

Title: Re: Some questions about program protection
Post by: howardpc on March 22, 2018, 08:30:34 pm

Quote from: justnewbie on March 22, 2018, 08:05:00 pm

1./ As I know, Lazarus/Free Pascal makes native code, so regaining the source code from a binary (exe,dll ...) is impossible. In other words: decompiling is impossible. Is it true?

Quote

2./ If it is true, then why do Pascal-obfuscators exist?

To make it (slightly) harder for others to reconstruct your source code.

Quote

3./ What is the best method to protect my Lazarus-made binaries (exe, dll) from getting decompiled?

Keep your exe or dll on a single machine running an unusual operating system that is never connected to the internet.

Quote

4./ A concrete example, if I have this:
MyString: string = 'My special string';
Can I somehow protect the 'My special string' against decompilation?

You can apply encryption of various strengths to the string. FPC offers several implementations of encryption algorithms. But you cannot protect it indefinitely from a determined hacker with a big enough array of super computers, given enough time.

Title: Re: Some questions about program protection
Post by: justnewbie on March 22, 2018, 08:40:16 pm

Based on my original questions:
1./ I read this: "You could do other things to reduce an attacker's ability to disable your software activation system, for example, but in a native-compiled system like Delphi, you can't recreate source code from the binaries." Link: https://stackoverflow.com/questions/6225081/when-and-how-should-i-obfuscate-my-delphi-code (https://stackoverflow.com/questions/6225081/when-and-how-should-i-obfuscate-my-delphi-code)
So, it is not true?

2./ I know what obfuscation means, but I don't understand why to obfuscate a source that cannot be decompiled.

3./ :) Anything else?

4./ Obviously by using encryption, but how can you hide the key itself?

Title: Re: Some questions about program protection
Post by: Martin_fr on March 22, 2018, 08:58:30 pm

Quote from: justnewbie on March 22, 2018, 08:40:16 pm

1./ I read this: "You could do other things to reduce an attacker's ability to disable your software activation system, for example, but in a native-compiled system like Delphi, you can't recreate source code from the binaries." Link: https://stackoverflow.com/questions/6225081/when-and-how-should-i-obfuscate-my-delphi-code (https://stackoverflow.com/questions/6225081/when-and-how-should-i-obfuscate-my-delphi-code)
So, it is not true?

It is true and false.

You can't get the exact original source code back (so long as you ship without debug info, and the like)
But you can get a compile-able source, and that in pascal or c whichever you want.

There are disassemblers, and there are tools that help transform assembler to higher languages. Though by far not as readable as the original source.

Now saying "there are tools"... They do not work all on there own. It takes a lot of extra work for a hacker to make it to a source...
But a hacker doesnt even need the source. They analyse the assembler. And they debug and analyse behaviour.

There is now way to stop a hacker. You can only make it harder.

---------------
For example, with RTTI (and that is required to have forms, unless you do not use the form designer at all) your application (without debug info) contains the name of every form, button, label. That is information a hacker can use.
If an obfuscater renames your "activation success" label, into "etouhr" then that is less helpful.
The hacker can still search for the actual text though. So next you need to encrypt all captions, (or have an obfuscater that does this)...

Still you can spend any amount of time, a good hacker still will break it.

Title: Re: Some questions about program protection
Post by: justnewbie on March 22, 2018, 09:08:27 pm

"There is no way to stop a hacker. You can only make it harder. "
Yes, I know, but want to make it a bit harder.

You wrote about RTTI in connection with forms and visual components.
What if it is a DLL without any form? If it is a DLL that only contains mathematical functions?
Also, is it possible to get back the original function names and variable names?

What does "without debug info" mean?

Title: Re: Some questions about program protection
Post by: balazsszekely on March 22, 2018, 09:49:21 pm

Quote

Also, is it possible to get back the original function names and variable names?

No, but you don't need it. Take a look at the attached image: http://forum.lazarus.freepascal.org/index.php/topic,37045.msg247844.html#msg247844 You can debug it line by line.

Title: Re: Some questions about program protection
Post by: Martin_fr on March 22, 2018, 09:49:48 pm

In the dll case you probably have no rtti. You should avoid any "published" section, as they cause rtti with names. (there may be an option, to disable this)

Enums and sets also cause rtti. Nothing you can do about this. (except obfuscate)

Some managed types (arrays) have rtti (but not sure if they include names), just so the data can be managed (eg refcounts of nested elements). That is probably not to big an issue.

Debug info is in "project options" (and packages too).
You will notice an increase in exe size.
You can always use strip.exe to remove it.

Debug info contains the original names of each function, line numbers, variable names....

Title: Re: Some questions about program protection
Post by: justnewbie on March 22, 2018, 09:57:47 pm

OK guys, thank you, I'm trying to digest these things (am just a newbie).
Probably I will come again with some questions ...

Title: Re: Some questions about program protection
Post by: avra on March 23, 2018, 01:26:08 am

This thread might be interesting to you: https://forum.lazarus.freepascal.org/index.php/topic,13000.msg

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 10:17:40 am

Thank you, I will study it.

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 12:26:19 pm

Martin_fr mentioned strip.exe.
Is it a standalone program from a 3rd party? How do I get it?

Title: Re: Some questions about program protection
Post by: Martin_fr on March 23, 2018, 12:29:25 pm

On *nix systems it is usually installed as "strip"

On Windows, in is part of the Lazarus installer, look into the fpc/....../bin directory

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 12:40:54 pm

Got it, thanks! It made a 1.9MB file from my original 16MB. Awesome.

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 12:43:54 pm

I was reading somewhere earlier that a stripped binary can be made within Lazarus by using a certain settings in options.
Is it true and how?

Title: Re: Some questions about program protection
Post by: Handoko on March 23, 2018, 01:02:58 pm

You can try:
- Using Build Modes
- Manually configure the settings

Using Build Modes:
01. Lazarus main menu > Project > Project Options > Compiler Options
02. On the right panel > click the 3 dots at the right of "Build modes (Default)"
03. Click "Create Debug and Release Modes"
04. Change the "Build modes (Debug)" to "Build modes (Release)"
05. Click "OK" and rebuild the program

Do It Manually:
01. Lazarus main menu > Project Options > Compiler Options > Compilation and Linking
02. Enable "Smaller rather than faster (-Os)"
03. Enable "Smart linkable (-CX)"
04. Enable "Link smart (-XX)"
05. Lazarus main menu > Project Options > Compiler Options > Debugging
06. Disable all items of "Checks and assertion"
07. Disable "Generate debugging info for GDB"
08. Enable "Strip symbols from execuable (-Xs)"
09. Click "Ok" and rebuild the program

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 01:28:29 pm

@Handoko: Tried, works. Thank you for the detailed and helpful answer!

Title: Re: Some questions about program protection
Post by: Martin_fr on March 23, 2018, 03:34:35 pm

Make sure you use -Xs

Because the rest only affects files in the project, but not the packages used.
For example you want -O3 for everything, you need to add it to packages too (or use "additions and overrides").

Also test, that strip.exe can not remove further info. It never happened to me, but IIRC some people reported in the past that on some platform -Xs would not do a 100% complete job.

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 04:34:16 pm

OK, thank you for the additions.
Just a question about Handoko's answer:

Quote

01. Lazarus main menu > Project Options > Compiler Options > Compilation and Linking
02. Enable "Smaller rather than faster (-Os)"
03. Enable "Smart linkable (-CX)"
04. Enable "Link smart (-XX)"
05. Lazarus main menu > Project Options > Compiler Options > Debugging
06. Disable all items of "Checks and assertion"
07. Disable "Generate debugging info for GDB"
08. Enable "Strip symbols from execuable (-Xs)"
09. Click "Ok" and rebuild the program

Is it the "safest" settings (against any hacking)?

Title: Re: Some questions about program protection
Post by: Handoko on March 23, 2018, 05:28:50 pm

As Martin_fr already said, the most important one is the -Xs (strip symbols). The others - not very sure - but I think are not very important.

Simply configuring the settings 'properly' including striping the symbols are not very useful. Hackers can easily peek into your exe file to find important texts using hex tools, for example you save your password using const:

Code: Pascal [Select][+]

const
  MyPassword = 'rainbow';

You should save only encrypted version of the text and decrypt it runtime. For example, you can write a simple function to get the decrypted text by combining 2 strings:

Code: Pascal [Select][+]

const
  MyPassword1 = 'ribw'; 
  MyPassword2 = 'ano';
 
function CombinePass(Input1, Input2: string): string;

I tell you a story. When I was around 16, I got a pirated copy of Lotus 123. Starting the program, I saw the splash screen said "Lotus 123, licensed to [xxxxx]". So I was thinking could I change the name? Using a hex tool, I changed the [xxxxx] to my name, but the program won't start after being modified. Using debug.com (or maybe debug.exe), I managed to trace the program. I found that it used a simple checksum to make sure the licensed info hasn't changed. Yep, as you guess, I managed to make it to show my name on the splash screen.

FYI, Lotus 123 is one of the world class applications in that old era. With some tools and knowledge it was easy to hack. Ssst, don't tell the Lotus company I hacked their software, or I will be trouble. :-X

Even you have encrypted the password string, hackers still can hack it. They don't have to know how to decrypt your password, they just need find the code that handling the login process, and use a jmp command to skip it.

If you want to understand how to 'better' protect your program, I suggest you should learn some assembly language and try to hack some programs. I felt shameful to hack someone's program, so I don't pursue my career as a hacker.

Title: Re: Some questions about program protection
Post by: justnewbie on March 23, 2018, 06:15:40 pm

Thank you for clarifying!