Have you ever obfuscated your code before? Are there ever legitimate reasons to do so?
Yes. Harder, but not impossible. :-)
Jesse Weigert
2009-05-16 03:03:19
Yes we all know its impossible to make something unhackable. Just like it is impossible for a building to be 100% safe, we still try as much as we can.
Unknown
2009-05-16 03:16:09
@Unkown - +1 for your short and to the point answer
Yatendra Goel
2010-01-23 17:43:33
A:
It's most commonly done when you need to provide something in source (usually due to the environment it's being built in, such as systems without shared libraries, especially if you as the seller don't have the exact system being build for), but you don't want the person you're giving it to to be able to modify or extend it significantly (or at all).
This used to be far more common than today. It also led to the (defunct?) Obfuscated C Contest.
A legal (though arguably not "legitimate") use might be to release "source" for an app you're linking with GPL code in obfuscated fashion. It's source, it can be modified, it's just very hard. That would be a more extreme version of releasing it without comments, or releasing with all whitespace trimmed, or (and this would be pushing the legal grounds probably) releasing assembler source generated from C (and perhaps hand-tweaked so you can say it's not just intermediate code).
jesup
2009-05-16 03:06:27
enh. If that was true, then what's stopping you from releasing it as assembly?
sharth
2009-05-16 05:05:13
Obfuscated source does not comply with the GPL requirements. GPL-2 and GPL-3 both say "The source code for a work means the preferred form of the work for making modifications to it." Clearly, that is not the obfuscated version. And definitely not the assembly output.
derobert
2009-05-16 05:06:53
I hadn't checked if there was such language; certainly such a release violates the intention of the GPL. I suspect there's considerable legal gray area there (stripping comments? Not including external documentation?) but true obfuscation would seem to violate that clause.
jesup
2009-05-16 20:12:20
+7
A:
I have obfuscated my JavaScript. It made it smaller, thus reducing download times. In addition, since the code is handed to the client, my company didn't want them to be able to read it.
geowa4
2009-05-16 03:09:23
And you dodn't tell your bosses, that the obfuscation is reversible? If you have Javascript in Browser, everyone with access to the page can get the script. Obfuscation is only a little hurdle.
Mnementh
2009-05-16 05:54:23
I tell them, buy they get what they want. The code isn't worth stealing anyway.
geowa4
2009-05-16 15:19:06
haha, everything in software is "20% of ____________________ for 80% of ___________________"
Carson Myers
2009-06-15 17:55:04
+3
A:
I don't believe making reverse engineering harder is a valid reason.
One rather good reason to obfuscate your code is to reduce the compiled footprint. For instance, J2ME appliactions need to be as small as possible. If you run you app through an obfuscator (and optimiser) then you can reduce the jar from a couple of Mb to a few hundred Kb.
The other point, nestled above, is that most obfuscators are also optimisers which can improve your application's performance.
The reason I don't think that making reverse engineering harder is a legitimate reason is that it making something difficult doesn't stop it from happening.
2009-05-16 03:13:09
That's called compiler optimization. The fact that it happens to obfuscate is a side effect, not the main purpose.
Unknown
2009-05-16 03:17:45
Locks don't stop cars from being stolen, but they do make it harder. Someone has to really want the car rather than just an average Joe wanting a joy-ride. Obfuscation makes it harder to steal the code. Someone that really wants it will still do it, but it'll stop your average script-kiddie. (-1)
pyrochild
2009-05-16 04:27:59
-1, it makes RCE harder, I've done so many RCE tasks for security reasons and I hate obfuscated code, it takes so much more time to figure out what the hell is going on.
dr. evil
2009-05-16 05:23:40
-1 "Not a valid reason"? Why not. while not impossible, sure makes it harder. Probably enough to discourage most people.
Ed Swangren
2009-05-16 05:49:57
Most legit companies have something better to do with employee time than set them on the laborious task of reverse-engineering obfuscated code into something maintainable. Most intelligent people will weigh the cost (in hourly wages) of de-obfuscation versus purchase. With the right price-point, purchasing becomes the more cost-effective solution.
Dave Jarvis
2009-07-16 18:48:57
A:
I remember creating a Windows Service for Online Backup application that was built in .NET. I could easily use either Visual Studio or tools like .NET Reflector to see the classes and the source code inside it.
I created a new Visual Studio Test application and added the Windows Service reference to it. Double clicked on the reference and I can see all the classes, namespaces everything (not the source code though). Anybody can figure out the internal working of your modules by looking at the class names. In my case, one such class was FTPHandler that clearly tells where the backups are going.
.NET Reflector goes beyond that by showing the actual code. It even has an option to Export the whole project so you get a VS project with all the classes and source code similar to what the developer had.
I think it makes sense to obfuscate, to make it atleast harder if not impossible for someone to disassemble. Also I think it makes sense for products involving large customer base where you do not want your competitors to know much about your products.
A9S6
2009-05-16 03:17:31
A:
If I am delivering Java Swing apps to clients, I always obfuscate the class files before distribution.
You can never be too careful - I once pointed a decent Java decompiler (I used the JD Java Decompiler - http://www.djjavadecompiler.com/ ) at my class files and was rewarded with an almost perfect reproduction of the original code. That was rather unnerving, so I started obfuscating my production code ever since. I use Klassmaster myself (http://www.zelix.com/klassmaster/)
Cheers,
-Richard
Huntrods
2009-05-16 03:17:36
The question is do you think you would lose business due to decompilation? Pirates will copy it anyway regardless of obfuscation. Legitimate business clients won't care one way or the other.
20th Century Boy
2009-05-16 05:06:19
We have people who would very much like to reverse engineer our code and put out a competing product. -R
Huntrods
2009-05-17 03:10:29
+4
A:
To ensure a job for life, of course (kidding).
This is pretty hilarious and educational: How to Write Unmaintanable Code.
hypoxide
2009-05-16 03:20:25
A:
I believe all TV cable boxes will have the java code obfuscated. This does make things harder to hack, and since the cable boxes will be in your home, they are theoretically hackable.
I'm not sure how much it will matter since the cable card will still control signal encryption and gets its authorization straight from the video source rather than the java code guide or java apps, but they are pretty dedicated to the concept.
By the way, it is not easy to trace exceptions thrown from an obfuscated stack! I actually memorized at one point that aH meant "Null Pointer Exception" for a particular build.
Bill K
2009-05-16 04:14:35
+2
A:
Isn't this also used as security through obscurity? When your source code is publically available (javascript etc) you might want to at least it somewhat harder to understand what is actually occuring on the client side.
Security is always full of compromises. but i think that security by obscurity is one of the least effective methods.
Harry
2009-05-16 04:18:41
A:
Looking at some of the code I wrote for my disk driver project makes me question what it means to be obfuscated.
((int8_t (*)( int32_t, void * )) hdd->_ctrl)( DISK_CMD_REQUEST, (void *) dr );
Or is that just system programming in C? Or should that line be written differently? Questions...
TURBOxSPOOL
2009-05-16 04:56:23
That's not that bad... They could have used a typedef on the function type though.For others, hdd->_ctrl is a function that takes (int32_t, void*), and returns an int8_t. We pass it the actual parameters DISK_CMD_REQUEST and dr.
sharth
2009-05-16 05:07:08
+3
A:
It's called "Job Security". This is also the reason to use Perl -- no need to do obfuscation as separate task, hence higher productivity, without loss of job security.
Call it "security through obsfuscability" if you will.
StaxMan
2009-05-16 05:17:38
A:
Yes and no, I haven't delivered apps with a tool that was easy decompilable.
I did run something like obfuscators for old Basic and UCSD Pascal interpreters, but that was for a different reason, optimizing run time.
Marco van de Voort
2009-05-22 15:41:59