如何确保您的代码安全?

发布于 2024-08-07 04:03:34 字数 354 浏览 6 评论 0原文

我是电脑程序编制员。我有大约 5 年不同语言的编程经验。我关心的是我的代码速度、优化使用我的代码的内存以及良好的编码风格等等。但从来没有想过我的代码有多安全。所以我反汇编了我的代码,看看黑客能做什么。破解我的代码容易吗? 我看到确实如此!这很容易,因为我也将

  1. 序列号存储为字符串
  2. 加密解密代码,

所以如果有人对汇编程序了解很少,他/她就可以简单地反汇编,经过 10-20 分钟的调试,我的代码就被破解了! !我想甚至可以通过用记事本打开exe来完成! :-)

所以我要问的是:

  1. 我应该在哪里存储这种安全信息?
  2. 提供安全代码的常见策略有哪些?

I am a programmer. I have about 5 years experience of programming in different kind of languages. I was concerning about my code speed, about optimizing the memory that uses my code, and about good coding style and so on. But have never thought how secure my code is. So I have disassembled my code to see what can do a hacker. Would it be easy to crack my code?
And I saw that it is! It is very easy, because I was storing

  1. serial number as a string
  2. encryption-decryption codes as well

So if someone has the minimal knowledge of assembler he/she can just simple dissembler and after 10-20 minutes of debugging my code is cracked!!! Even it could be done by opening the exe with notepad I guess! :-)

So what I am asking are the following:

  1. Where I should store that kind of secure information’s?
  2. What are the common strategies of delivering a secure code?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

妖妓 2024-08-14 04:03:34

您必须意识到的第一件事是,您永远无法阻止坚定的逆向者破解任何保护方案,因为代码可以执行的任何操作,逆向者最终都会找到如何复制它。实现任何类型的可靠保护的唯一方法是让附带的程序只不过是一个愚蠢的客户端,并在逆向者无法访问的某些服务器上首当其冲地使用该软件。

排除了这一点,您肯定可以让潜在的逆向者更难破坏您的保护。 混淆是实现这一目标的第一步。我没有使用混淆器的经验,但我相信你可以找到一些关于SO的建议。此外,如果您使用的是 C/C++ 等较低级语言,只需通过完全优化来编译代码并删除所有调试符号即可获得相当多的混淆。

我几年前读过这篇文章,但我仍然认为这是技巧今天起来。这是一款名为《小龙斯派罗》的视频游戏的开发者之一,他正在谈论他们用来防止盗版的一系列技术。他们声称直到发布3个月后才推出破解版,这相当令人印象深刻。

First thing you must realize is that you'll never prevent a determined reverser from cracking any protection schemes because anything that the code can do, the reverser will eventually find out how to replicate it. The only way you can achieve any sort of reliable protection is to have the shipped program be nothing more than a dumb client and have the brunt of the software on some server the reverser has no access to.

With that out of the way, you can certainly make it harder for a would be reverser to break your protections. Obfuscation is the sort of first step in achieving this. I have no experience using obfuscators but I'm sure you can find some suggestions for some on SO. Also if you're using a lower level language like C/C++, simply compiling the code with full optimization and stripping all debugging symbols gets you a decent amount of obfuscation.

I read this article a few years ago, but I still think it's techniques hold up today. It's one of the developers of a video game called Spyro talking about the set of techniques they used to prevent piracy. They claim it wasn't until 3 months after the release that a cracked version became available, which is fairly impressive.

花开半夏魅人心 2024-08-14 04:03:34

如果您担心盗版,那么您可以采取多种途径。提高代码安全性(混淆、许可证代码、将软件绑定到特定 PC、硬件/加密狗保护等)是其中之一,但值得记住的是,每个软件都可以被破解如果一个足够有才华的人会被打扰。

另一种方法是考虑软件的定价模型。如果每份收费 1000 美元,那么就会有很大的动力去尝试破解它。如果你只收取 5 美元,那么为什么有人要费心去破解它呢?

所以需要的是一个平衡。即使是最基本的保护也能阻止普通人随意复制。除此之外,简单的技术(混淆和许可证代码)和合理的定价策略将阻止大多数潜在的破解者,使其不值得破解。之后,您开始学习更复杂的技术(需要存在加密狗/CD才能运行软件,只有在登录在线许可系统后才能运行该软件),这些技术需要花费大量的精力/成本来实施并显着增加惹恼真正客户的风险(还记得每个人购买《半条命》却不允许他们玩游戏时有多恼火吗?) - 除非您拥有流行的主流产品(即需要保护的巨大收入流),付出那么多努力可能没有多大意义。

If you are concerned about piracy, then there are many avenues you can take. Making the code security tighter (obfuscation, license codes, binding the software to a particular PC, hardware/dongle protection, etc) is one, but it's worth bearing in mind that every piece of software can be cracked if someone sufficiently talented can be bothered.

Another approach is to consider the pricing model for your software. If you charge $1000 a copy, then there is a big incentive for someone to have a go at cracking it. If you only charge $5 then why should anyone bother to crack it?

So what is needed is a balance. Even the most basic protection will stop ordinary people making casual copies. Beyond that, simple techniques (obfuscation and license codes) and a sensible pricing strategy will hold most would-be crackers at bay by making it not worth the bother of cracking. After that, you start getting into ever more sophisticated techniques (dongles/CDs needing to be present to run the software, only being able to run the software after logging on to an online licensing system) that take a lot of effort/cost to implement and significantly increase the risk of annoying genuine customers (remember how annoyed everyone got when they bought half life but it wouldn't let them play the game?) - unless you have a popular mainstream product (i.e. a huge revenue stream to protect), there probably isn't much point going to that much effort.

随梦而飞# 2024-08-14 04:03:34

使其成为网络应用程序。

Make it web app.

┈┾☆殇 2024-08-14 04:03:34

除非有外部服务进行您可以控制的检查,否则它通常不会得到很好的保护 - 并且该服务仍然可能被真正想要“破解”它的人欺骗。相反,信任客户并仅提供最低限度的版权保护。我确信 Joel Spolsky 在某处有一篇关于此问题的文章或播客...这是另一个 相关SO问题

我不知道这是否有帮助,但 Windows 提供了(自 2000 年以来)一种检索和存储加密信息的机制,如果需要,您还可以根据每个应用程序对此存储进行加盐:数据保护 API (DPAPI)

这是在计算机或用户级别上,但存储序列号,也许使用它的一些密钥可能比将它们隐藏在应用程序中更好吗?

It will generally not be well-protected unless there's an external service doing the checking that you are in control of - and that service can still be spoofed by those who really wants to "crack" it. Instead, trust the customer and provide only minimal copyright protection. I'm sure there was an article or podcast about this by Joel Spolsky somewhere... here's another related SO question.

I have no idea if it will help but Windows provides (since 2000) a mechanism to retrieve and store encrypted information and you can also salt this storage on a per-application basis if needed: Data Protection API (DPAPI)

This is on a machine or a user level but storing serials and perhaps some keys using it might be better than having them hidden in the application?

仙女 2024-08-14 04:03:34

你说的是哪种安全?
从保护用户数据的角度来看是否安全?如果是这样,请研究一些真正的密码学并利用现有库来加密您的数据。 win32 API 对此非常有用。

但如果您正在谈论阻止破解者窃取您的应用程序呢?方法有很多,但只能放弃。他们会减慢饼干的速度,但不会阻止它们。

What sort of secure are you talking about?
Secure from the perspective that you are guarding your users data well? If so, study some real cryptography and utilize Existing libraries to encrypt your data. The win32 API is pretty good for this.

But if you're talking about stopping a cracker from stealing your application? There are many methods, but just give up. They slow crackers down, they don't stop them.

巴黎夜雨 2024-08-14 04:03:34

首先,您必须定义您的代码应该针对什么进行安全保护,这样的安全是没有意义的。

您似乎担心逆向工程和用户在不付费的情况下生成许可证代码,尽管您没有这么说。为了让这变得更困难,您可以通过各种方式混淆您的代码和关键信息。还有一些技术可以使调试器的使用更加困难,以防止逆向工程师单步调试代码并清楚地看到信息。
但这只会使逆向工程变得更加困难,但并非不可能。

另一个常见的安全威胁是执行不需要的代码,例如通过缓冲区溢出。

First you have to define what your code should be secure against, being secure as such is meaningless.

You seem to be worried about reverse engineering and users generating license codes without paying, though you don't say so. To make this harder you can obfuscate your code and key information in various ways. There area also techniques to make the use of debuggers harder, to prevent the reverse engineer from stepping through the code and seeing the information in clear.
But this only makes reverse engineering somewhat harder, not impossible

Another common security threat is execution of unwanted code, for example via buffer overflows.

强者自强 2024-08-14 04:03:34

执行此操作的一个简单技术是对所有代码进行异或,然后在需要时进行异或回来...但这需要天生的汇编知识...我不确定,但您可以尝试以下操作:

void (*encryptionFunctn)(void);
void hideEncryptnFunctn(void)
{
    volatile char * i;
    while(*i!=0xC0) // 0xC0 is the opcode for ret
    {
        *i++^=0x45; // or any other code
    }
}

A simple technique for doing this is to xor over all your code and xor back when you need it... but this needs an innate knowledge of assembly... I'm not sure, but you could try this:

void (*encryptionFunctn)(void);
void hideEncryptnFunctn(void)
{
    volatile char * i;
    while(*i!=0xC0) // 0xC0 is the opcode for ret
    {
        *i++^=0x45; // or any other code
    }
}
浮生面具三千个 2024-08-14 04:03:34

为了防止黑客查看您的代码,您应该使用混淆器。混淆器将使用各种技术,这使得理解混淆的代码变得极其困难。使用的一些技术包括字符串加密、符号重命名、控制流混淆等。查看 Crypto Obfuscator 另外还具有外部方法调用隐藏、反反射器、反调试等功能。

目标是在潜在黑客的道路上设置尽可能多的障碍。

To prevent against hackers viewing your code, you should use an obfuscator. An obfuscator will use various techniques which make it extremely difficult to make sense of the obfuscated code. Some techniques used are string encryption, symbol renaming, control flow obfuscation, etc. Check out Crypto Obfuscator which additionally also has external method call hiding, Anti-Reflector, Anti-Debugging, etc

The goal is to erect as many obstacles as possible in the path of a would-be hacker.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文