I am interested in precautionary measures you could take to make reverse engineering a C shared library more difficult
It seems that it is impossible to prevent entirely but you can take steps that might make it take longer and therefore be less attractive/more costly to do
Things like code obfuscation, compiler optimisation options compiler debug flags etc. (I would be specifically interested in the gcc compiler)
Also interested in any thoughts on the relative difficulty of reverse engineering a ~5KLOC C shared library (.so size of ~200kb) in terms of $ or man hours etc.
Reverse engineering isn't exactly a science that you can simple learn. It would help to learn the internals of what you want to reverse engineer. Usually, no one learns it with an intention of reverse engineering.
Some of the most common reverse engineering challenges that you are likely to face include: Not having the right equipment - Even if you have successfully reverse engineered an object in the past, the equipment you have in-house may not be sufficient for the next object you must scan.
Those are some tricks that I know of:
Use strip
with the --strip-unneeded
option to remove all symbols except the ones that are needed for relocation (since we're talking about a shared library):
strip --strip-unneeded libmylib.so
Link with the standard libc statically, this results in a bigger library/binary which means more code to go through and also obfuscation since it will be more difficult to separate your functions from the library functions:
gcc -static ...
Force the compiler to inline small functions, this embeds small functions in your code instead of calling them, so it makes it almost impossible to distinguish between your code and the standard library code.
Having said that, I must add that I've had a binary that used the above measures and I was able to reverse engineer it in a few hours, I started by rebuilding the symtab
if you're curious, and I'm no reverse engineering guru.
- No need of code obfuscation (as in C# or Java).
The name of your internal variables and functions do not exist in the object code.
However the name of your exported functions will still appear in clear in the shared object file. This sounds reasonable.
- Better to use gcc
optimization flags -O2
or -O3
.
Using compiler optimization, object code can largely differ from source code. It is actually very difficult to go back to the original C source code.
However it is always possible to revert engineer at the assembly level. Usually, not all your program is valuable. It will be easier to reverse engineer the interesting portion in assembly rather than the whole program in C.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With