Hi there

What tools are available to obfuscate C/C++ code? I would prefer an open source solution. Thanks

Update: Regarding the "use the compiler" responses

I am aware of that, but I have a client that wants to obfuscate their C/C++ code nonetheless. I personally don't understand why; I have just been made responsible for implementing a solution.

Are there any tools to perform such a task?

Regarding the down votes, if you have a problem with the question please leave a comment or an answer thanks

+2  A: 

It's not really necessary to obfuscate C/C++ code. Since it is compiled to "machine code" and not MSIL like C# or other .NET languages ... it doesn't contain and cannot be reverse engineered to the original source.

Compiling it is "obfuscation" enough. :-)

Ron

Ron Savage
I am aware of that, but I have a client that wants to obfuscate their C/C++ code nonetheless. I personally don't understand why; I have just been made responsible for implementing a solution.
hhafez
So you want an open source solution that you're then going to sell as a solution to a client? ...
Sugerman
Give them the binary compilation, and tell them "here you go", obfuscation complete. Non-technical business users often don't really understand what they are asking for. :-)
Ron Savage
Who said I am going to sell the software to the client? Have you ever used open source tools in a commercial environment?
hhafez
@Ron Savage I am tempted to do that :p but I want to see what I can do first
hhafez
@Sugerman: no, the results of the OS solution would be sold to the client.
ysth
@ysth Why would you deliver obfuscated code to a client? What purpose could that possibly serve?
Sugerman
@sugerman: So the customer can compile the code on their oddball Unix platform, and use the solution, but not easily resell the algorithm. FlexLint is sold this way. gimpel.com/html/flex.htm
Simeon Pilgrim
And there are other scenarios specifically for C++ where someone may feel more comfortable giving out obfuscated code: templates and inline implementations. Both require code to be delivered. Reverse engineering obfuscated code is ideally as hard as reverse engineering binary code. Also, I don't have enough experience to say if that ideal is ever actually achieved.
Chris
+2  A: 

It's somewhat unlikely that you'll find open-source obfuscators.

For commercial ones, Google finds: semanticdesigns and stunnix. I have no experience with either, except I did look at FlexLint source, and it is pretty much incomprehensible.

Employed Russian
Full disclosure: I'm the Thicket (Semantic Designs) author. Source code scale matters. At 1000+ lines, obfuscated code is extremely hard to reverse engineer.
Ira Baxter
+11  A: 

Not sure how much you're getting paid for this search, but Mangle-It C++ Code Obfuscator licenses for $69.99 -- surely a few hours of your time cost the customer more than that?!

Alex Martelli
That is a very good point
hhafez
I've decided to write my own one in Python; after thinking about it, it should be easy and fun
hhafez
I agree on the "fun" -- see http://en.wikipedia.org/wiki/Obfuscated_code#Recreational_obfuscation for some examples;-).
Alex Martelli
Writing a good obfuscator which produces *portable* source (and that's the only point -- if you don't need portability, then just ship assembly or object output) is an entirely non-trivial task, requiring that you properly parse and reconstruct the original source. I highly doubt you'll find the task easy (in Python, or any other language).
Employed Russian
@employed, right: that's why I said I agree on the "fun" and pointedly kept mum on the "easy";-) [Hint, though: gccxml and similar tools are pretty good at parsing C++...;-)]
Alex Martelli
lol I'm going to give it a shot in my own time. I want to see how far I can go. I will report back on the difficulty or otherwise :p
hhafez
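An added example, not written by any poster in this thread and not the tool hhafez mentions, illustrating the comment above that a source obfuscator must tokenize rather than pattern-match. The function names, the `z0, z1, ...` naming scheme and the C sample are constructed for illustration.

```python
import re

KEYWORDS = {"int", "char", "const", "for", "if", "return", "void"}  # abbreviated

# Alternatives are tried left to right, so comments, literals and preprocessor
# lines are consumed whole before the identifier rule can see inside them.
TOKEN = re.compile(r"""
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<char>'(?:\\.|[^'\\])*')
  | (?P<preproc>^[ \t]*\#[^\n]*)
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<other>.)
""", re.S | re.M | re.X)

def rename_identifiers(source, names):
    """Rename only identifier tokens listed in `names`; copy everything else verbatim."""
    mapping, out = {}, []
    for m in TOKEN.finditer(source):
        text = m.group()
        if m.lastgroup == "ident" and text in names and text not in KEYWORDS:
            # Assumes the source does not already use names of the form zN.
            text = mapping.setdefault(text, "z%d" % len(mapping))
        out.append(text)
    return "".join(out), mapping

def naive_rename(source, names):
    """Whole-word regex replacement with no token awareness, shown for contrast."""
    for i, name in enumerate(sorted(names)):
        source = re.sub(r"\b%s\b" % re.escape(name), "z%d" % i, source)
    return source

# Constructed sample input: the string literal reuses two identifier names.
SAMPLE = r'''#include <stdio.h>
/* total is reported to the user */
int sum(const int *values, int count) {
    int total = 0;
    for (int i = 0; i < count; i++) total += values[i];
    printf("total of %d values: %d\n", count, total);
    return total;
}
'''
NAMES = {"sum", "values", "count", "total"}

if __name__ == "__main__":
    renamed, mapping = rename_identifiers(SAMPLE, NAMES)
    print(renamed)                      # string literal and comment untouched
    print(naive_rename(SAMPLE, NAMES))  # string literal corrupted, output changes
```

Token awareness is only the first step: this sketch cannot tell a local `count` from a struct member or library symbol with the same name, which is where a real parser becomes necessary.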
+3  A: 

A compiler is halfway there. If they want obfuscated C, just compile it and then decompile it.

patros
That is a good suggestion as well. What decompiling tools are accurate enough to do this job?
hhafez
Actually thinking about it that wouldn't work because decompiler output is quite readable, yes it is different from
hhafez
Hex-rays is popular, but expensive. Boomerang is open source, but I think it's still alpha. You'd have to try it out.... but luckily, the worse the decompiler is, the more obfuscated the code will be :)
patros
Actually I am not sure of that, if the decompiler is not accurate then I will have obfuscated code that doesn't work like the original. That would be bad :)
hhafez
The code tends to be readable, but the logic is usually mangled beyond recognition and the variable names are also removed. Obfuscating the logic is far more pernicious than removing white space and obfuscating literals (which you can still do as step 2).
patros
I am still worried about the decompiler being inaccurate, what if the decompiled code behaves different than the original? That would be a problem! If you could satisfy me that this situation could not arise then I would believe your solution is a good one. Otherwise it is quite risky.
hhafez
It's no more likely that their code is proven 100% perfect than your own code. Or any obfuscator that you may choose to use or write. However, the problem of turning machine code into C is actually the easier part of decompiling. You may also consider simply disassembling if the only requirement is that the customer can build the code locally.
patros
Ooops, forgot to mention the hard part of decompiling: making the output look like something written by a sane human.
patros
A compiler doesn't work if the machine you intend to target isn't the one the compiler targets. An ARM compiler produces useless code for an x86 target.
Ira Baxter
+1  A: 

Are you wanting the source code obfuscated? In that case follow Employed Russian's advice. Or if you want the .exe obfuscated, then google for packers or protectors.

Simeon Pilgrim
+1  A: 

A possibility would be to use LLVM to read the input source, and then have LLVM output C++ using its C++ backend. From what I've heard, the generated code shouldn't be too readable.

sharth
+8  A: 

You'd better understand why, or you'll be just a code monkey doing a poor job for your customer. If you want the customer to keep hiring you, I'd suggest that you talk to your customer about why they want to obfuscate their code.

Remember, your customer has a problem they want solved. Code obfuscation is what they think is the solution, but it may or may not solve their problem. And if it doesn't solve their problem, they will blame you, and you will have lost a customer.

I know that Joel talked about this on one of the recent Stackoverflow podcasts.

JesperE
A great point, making things clear to the client will mean more in the long run.
Copas
The customer wants to be able to distribute the source code but with the source code unreadable :) It is simple, you can't really do that without an obfuscation tool
hhafez
But it can always be un-obfuscated. Pretty-print it and it'll be decodable. I agree with the others. What's the point? If they need it so that others can link to it, well, distribute a library. Obfuscation is pointless unless (as with JavaScript obfuscators) the main reason is to reduce download size.
Steve Lacey
Isn't that the case with all obfuscated code? Let's not obfuscate anything then....
hhafez
There's no way a pretty-printer will turn properly obfuscated code into readable code. For instance, a good obfuscator will use name-lookup rules to give many different variables from different scopes the same name. This may even include variables with overlapping scopes (e.g. global and locals) as long as no actual name lookup becomes formally ambiguous. Throw in a few fake templates to further complicate name lookup, and it can alias even more variables.
MSalters
@hhafez: But you need to go further than just "they want to distribute the source code unreadable". Why do they need that? If they want to allow customers to link, then there are other, better solutions. If someone unobfuscated their code, the customer will blame you for not obfuscating the code properly.
JesperE
They want to distribute the source code but without compromising their IP. This is not difficult to understand
hhafez
@hhafez: I'm still convinced that "distributing the source code" is their idea of a solution to a problem which has not been stated yet.
JesperE
+1  A: 

The first few hits from a google search point to a commercial tool from Stunnix, which offers a free trial. I am guessing when you say open source, you are really saying free (as in beer), and maybe for a one off job the trial version will do. I am not going to preach against that, it's always easier to avoid the hassle of getting authorization to spend money, especially for a small one off kind of task.

Bill Forster
I mean open source as in open source :) free as in speech
hhafez
+2  A: 

It is my understanding that a properly written obfuscator's output after compilation with a properly written compiler would be identical to the unobfuscated output. As far as I am aware both should decompile to the same code.

I feel the best course would be to explain the situation to the client. They are likely to thank you for not carrying out a task that could in the long run make them seem foolish.

Copas
Not really. An obfuscator does more than rename variables, it might replace a static string with a function that generates a string from an algorithm - no compile time optimization will replace that.
Martin Beckett