Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Tips to make reverse engineering a C shared library more difficult

I am interested in precautionary measures you could take to make reverse engineering a C shared library more difficult

It seems that it is impossible to prevent entirely but you can take steps that might make it take longer and therefore be less attractive/more costly to do

Things like code obfuscation, compiler optimisation options compiler debug flags etc. (I would be specifically interested in the gcc compiler)

Also interested in any thoughts on the relative difficulty of reverse engineering a ~5KLOC C shared library (.so size of ~200kb) in terms of $ or man hours etc.

like image 851
bph Avatar asked Nov 21 '12 15:11

bph


People also ask

Is reverse engineering difficult?

Reverse engineering isn't exactly a science that you can simple learn. It would help to learn the internals of what you want to reverse engineer. Usually, no one learns it with an intention of reverse engineering.

What is the issue with reverse engineering?

Some of the most common reverse engineering challenges that you are likely to face include: Not having the right equipment - Even if you have successfully reverse engineered an object in the past, the equipment you have in-house may not be sufficient for the next object you must scan.


2 Answers

Those are some tricks that I know of:

  • Use strip with the --strip-unneeded option to remove all symbols except the ones that are needed for relocation (since we're talking about a shared library):

    strip --strip-unneeded libmylib.so

  • Link with the standard libc statically, this results in a bigger library/binary which means more code to go through and also obfuscation since it will be more difficult to separate your functions from the library functions:

    gcc -static ...

  • Force the compiler to inline small functions, this embeds small functions in your code instead of calling them, so it makes it almost impossible to distinguish between your code and the standard library code.

Having said that, I must add that I've had a binary that used the above measures and I was able to reverse engineer it in a few hours, I started by rebuilding the symtab if you're curious, and I'm no reverse engineering guru.

like image 74
iabdalkader Avatar answered Sep 19 '22 01:09

iabdalkader


- No need of code obfuscation (as in C# or Java).

The name of your internal variables and functions do not exist in the object code.

However the name of your exported functions will still appear in clear in the shared object file. This sounds reasonable.

- Better to use gcc optimization flags -O2 or -O3.

Using compiler optimization, object code can largely differ from source code. It is actually very difficult to go back to the original C source code.

However it is always possible to revert engineer at the assembly level. Usually, not all your program is valuable. It will be easier to reverse engineer the interesting portion in assembly rather than the whole program in C.

like image 35
Didier Trosset Avatar answered Sep 22 '22 01:09

Didier Trosset