Real Software Forums

The forum for Real Studio and other Real Software products.
[ REAL Software Website | Board Index ]
It is currently Sun Aug 19, 2018 3:02 am
xojo

All times are UTC - 5 hours




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: Symbol names in the executable file
PostPosted: Wed Oct 12, 2005 12:29 pm 
Offline
User avatar

Joined: Tue Oct 04, 2005 12:06 pm
Posts: 27
Location: Hans Island, Canada
I dumped an executable file built with RB2005 into a hex editor and there is a whole bunch of symbol names in there that I wouldn't have normally expected.

In the mailing list archives Jonathan Johnson helpfully replied to someone:
Quote:
You can just turn off symbols via the Build Settings dialog. Then they're just hex addresses.


Do these settings only show up the Pro edition, or have they been moved elsewhere in RB2005? Do people typically need to use any other forms of obfuscation, other than hiding/encoding sensitive strings and numbers and reconstructing them at runtime?

Thanks

_________________
RB2005r4 WinXPPro


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Oct 12, 2005 12:34 pm 
Offline
User avatar

Joined: Wed Sep 28, 2005 8:39 am
Posts: 9341
Location: St Augusta, MN
Well, there's a few different sets of symbol names to wonder about -- there's the debugging symbols, which you can turn on and off on the App object (along with the other project-level properties, like version information, etc). Look for the App.IncludeFunctionNames property in the properties list. This property is off by default. This feature is available in all versions of the product, I think since 5.5.

But there are also symbols baked into the application for things like RBScript to work which you cannot turn off -- this would be things like the name of classes. Finally, there are C++ symbols from the framework as well (such as import and export tables).

You don't need to obfuscate your code or anything though -- REALbasic creates native compiled executables. So people can disassemble like in C/C++, but they can't reconstruct source code like they can with Java or .NET.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Oct 12, 2005 4:16 pm 
Offline
User avatar

Joined: Tue Oct 04, 2005 12:06 pm
Posts: 27
Location: Hans Island, Canada
Quote:
But there are also symbols baked into the application for things like RBScript to work which you cannot turn off -- this would be things like the name of classes.


What exactly does this mean? That all the names of my classes will always be available as plaintext somewhere in the binary?

_________________
RB2005r4 WinXPPro


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Oct 12, 2005 4:54 pm 
Offline
User avatar

Joined: Wed Sep 28, 2005 8:39 am
Posts: 9341
Location: St Augusta, MN
It means that there are going to be strings in your application for things like your classes, properties, etc. But they're not debugger symbols -- they're just class metadata baked in for RBScript to function (or someday if we support introspection, for example). The IncludeFunctionNames property is only for debugger symbol inclusion.

But yes, your class names will be accessible in the hex.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Oct 12, 2005 6:19 pm 
Offline
User avatar

Joined: Tue Oct 04, 2005 12:06 pm
Posts: 27
Location: Hans Island, Canada
Quote:
But yes, your class names will be accessible in the hex.


There's no way of turning this off?

Is this RB scripting necessary for the normal execution of an application. In other words if those symbols only exist for the purpose of RB script, what would happen I alter the binary and mangle all those identifiers?

My only other alternative would be to pre-obfuscate the source code, like one has to do with Java. Java has a number of good tools for doing this, such as RetroGuard, are there any for RB?

_________________
RB2005r4 WinXPPro


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Oct 12, 2005 6:24 pm 
Offline
User avatar

Joined: Wed Sep 28, 2005 8:39 am
Posts: 9341
Location: St Augusta, MN
LudwigHarvester wrote:
There's no way of turning this off?


Correct.

Quote:
Is this RB scripting necessary for the normal execution of an application. In other words if those symbols only exist for the purpose of RB script, what would happen I alter the binary and mangle all those identifiers?


Anything from running fine to crashing horribly.

Quote:
My only other alternative would be to pre-obfuscate the source code, like one has to do with Java. Java has a number of good tools for doing this, such as RetroGuard, are there any for RB?


There's not -- but to be honest, I don't think you need to. Reverse engineering an RB application is an extremely difficult task even with these extra symbols (which, I might add, are not in a typical format).


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Thu Oct 13, 2005 1:02 pm 
Offline
User avatar

Joined: Tue Oct 04, 2005 12:06 pm
Posts: 27
Location: Hans Island, Canada
Thanks Aaron.

No, I wasn't worried about the Java "reverse engineering the source code" phenomenon, but I can come up with a bunch of reasons why I might not want class names etc to be visible in my application.

I'll make one trivial example. Let's say I have a single build that contains custom objects for various customers of mine. Perhaps I have a ChevronOilTempMonitor and a ShellOilTempMonitor object in there. I may not want either of them know I am doing work for the other. OK a bit far fetched to literally name your customers in the code, but even if they see CompanyAOilTempMonitor and CompanyBOilTempMonitor in the binary, they might ask questions.

Another example would be a choice of algorithm. Maybe you dont want your competitors to know that you are using the new "chicken skinning" algorithm to do the grunt work in your scheduling app, but what if they see a class called ChickenSkinningScheduler in there.

Lastly, you have the registration and licensing thing. Naming classes and other things LicenseChecker, RSA, ElGamal, PublicKey, SHA-2, MD5, StringDemangler etc might give those people a little clue to what you are up to, when they get around to using their disassembler.

I guess I can either obfuscate the code prior to it being built, as part of the release process, or I could place anything really deemed sensitive into a DLL/library and call into it. Can you suggest anything else I might consider?

_________________
RB2005r4 WinXPPro


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Thu Oct 13, 2005 1:40 pm 
Offline
User avatar

Joined: Wed Sep 28, 2005 8:39 am
Posts: 9341
Location: St Augusta, MN
In all my years of computing, I've never heard of companies doing hex dumps on applications to see symbol names except for evil purposes (cracking stuff). But that doesn't solve your problem. ;-)

You can pre-obfuscate if you'd like by just naming classes differently (use search and replace so you can change the names as part of the release process).

But here's a complete unsupported, off the cuff, possibility of a hack. You can change the class names for classes you've written (but not ones that you haven't!) to X's in the built app and see if it works. So if you have a Registration class, you could find the Registration word in the executable, and change it to XXXXXXXXXXXX (note the length of the string must be the same!) and try running the app. You may get failed assertions, it may run fine. But you must test everything that would touch the class though -- failure cases wouldn't be up front. Again, totally unsupported and use at your own risk.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC - 5 hours


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group