3

Possible Duplicate:
Is it possible to decompile C++ Builder exe? Is C++ Builder exe safe?

I use Microsoft Visual C++ 2010 Express to write my programs. When I want to distribute my program, I compile it with the 'Release' configuration, and I also set the linker to not add debug information. So my question is: is my executable safe, or can anyone decompile it and see the source code? If it is unsafe, how can I prevent it from being decompiled?

Community
Antares
  • 6
    It is not safe, it can never be safe – K-ballo Jan 01 '13 at 20:21
  • You must somehow force the linker to produce code that is unreadable. For example, you could try to fragment the binary file that will be produced into several files, so that the connection between them is difficult. – Mihai8 Jan 01 '13 at 20:26
  • 2
    Small note: string literals are always retrievable (often with very little effort). So if you want to hide a password, forget about it. – Zeta Jan 01 '13 at 20:30
  • Thank you everybody for your help, that helped to clear my doubts – Antares Jan 01 '13 at 21:13
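
Zeta's comment above says string literals stay retrievable in a release build. As an added example (not code from this thread), here is a pre-release check a developer can run over their own executable to see which literals survive compilation. The sample image, `MIN_LEN` and the `SUSPICIOUS` pattern are assumptions made for illustration.

```python
import re
import struct

MIN_LEN = 6  # shortest run worth reporting; lower values add noise

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (the layout of L"..." wide literals in Windows builds).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed review policy: flag literals that look like credentials.
SUSPICIOUS = re.compile(r"(?i)passw|secret|api[_-]?key|token")


def extract_strings(image: bytes):
    """Return (offset, encoding, text) for every printable run in image."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(image)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(image)]
    return sorted(found)


def audit(image: bytes):
    """Return only the strings a pre-release review should look at."""
    return [hit for hit in extract_strings(image) if SUSPICIOUS.search(hit[2])]


def build_sample_image() -> bytes:
    """Constructed stand-in for a stripped release build: no symbols,
    just machine-code-like bytes with two literals in a data section."""
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0xC3]) * 8
    narrow = b"db_password=Example-Only-123\x00"
    wide = "api_key=CONSTRUCTED".encode("utf-16-le") + b"\x00\x00"
    pad = struct.pack("<I", 0xDEADBEEF) * 4
    return code + pad + narrow + pad + wide + pad


if __name__ == "__main__":
    for offset, enc, text in audit(build_sample_image()):
        print(f"0x{offset:04x} {enc:9} {text}")
```

To check a real build, pass the bytes of your own executable to `audit()` instead of the constructed image.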

4 Answers

9

All programs can be decompiled to a degree. However, the vast bulk of the useful information in your source code is removed during compilation. The source code that a decompiler produces is a pale imitation of the original.

The variable names, function names, class names etc. will not be available after decompilation. So the best that a decompiler can do is to turn your functions that look like this:

double CalculateWidgetStrength(int WidgetType, int WidgetFrobishness);

into rather meaningless code like this:

double Function85(int p1, int p2);

And even succeeding in doing that much accurately can be very hard for a decompiler.

David Heffernan
  • Sorry about that :) Those names are not removed in managed systems, though. Java archives still contain all class, field, and method names as-is, unless you obfuscate them. In those cases, these transformations might help, but a trained eye (or a sufficiently smart decompiler) might derive a function's purpose from its structure, and in turn, a name from its purpose. –  Jan 01 '13 at 20:28
  • @Tinctorius Yes, but this question isn't about Java ;-) – David Heffernan Jan 01 '13 at 20:32
  • @DavidHeffernan +1 , but just to note that reverse engineering an application from WinDbg or an api monitor (and network sniffer if the application uses network traffic) is always possible. It all boils down to how much time and effort someone would want to put forth into doing such a thing. Happens all the time though. – johnathan Jan 01 '13 at 20:45
  • @johnathon Reverse engineering and decompiling to source are not the same thing. I'm well aware of the difference. And I know how futile it is to try to stop reverse engineering, cracking etc. – David Heffernan Jan 01 '13 at 20:49
  • @DavidHeffernan I know, just figured you might want to mention that in your answer though; ultimately that's what the OP is concerned about, intellectual property. – johnathan Jan 01 '13 at 20:52
2

Can anyone decompile it to see the original source code? Not likely, but the original source code isn't that important. For example:

int x = 1 - 1;

and

int x = 0;

will be equivalent in the binaries, but it doesn't really matter, does it?

For a large enough project, decompiling isn't really a concern, because you can't really make use of the generated code. It takes years to get to know even a small part of a large-scale project, taking into account you benefit from knowledge transfer, documentation and proper naming. I imagine it's impossible just with a decompiler.

For particular functionalities, yes, I imagine there's a risk, but one that can't be fully, 100% taken out.

Luchian Grigore
2

You cannot fully protect the code.

IMHO the time you spend protecting your code is better spent on making your product function-rich and error-free, and then doing frequent releases. Making the code obfuscated in one way or another has the potential to introduce hard-to-find bugs that become very difficult to fix.

AndersK
1

The only way to keep it "safe" in the way you imply is not to deploy it, i.e. you do a web service or some such. You can't make it safe from the people executing it without making it impossible for them to execute it.

Given what you've already done, decompiling would require a significant amount of effort. My question would be: why would anyone bother, as it's likely that it would require more effort than simply "rolling your own"?

Tony Hopkinson