1

For security reasons a customer is asking us if we could build a version of his executable which contains no references to procedure names we use in the code. At first I thought this was relatively easy and could be achieved by not building using Debug Information.

Sadly ... when opening the EXE using a text editor like NotePad, we are still able to see a lot of information if our EXE. Especially procedure names which are public. I thought that without debug information all this would be obfuscated.

Now I'm wondering if there is an easy way to achieve this. Build my EXE which has no references to procedure names.

Any suggestion is welcome.

LU RD
  • 34,438
  • 5
  • 88
  • 296
Stefaan
  • 492
  • 4
  • 19
  • We'll need to know which Delphi version you use. That said, you won't be able to remove all of the names. You can't get rid of all RTTI for the RTL/VCL/FMX that you don't compile. – David Heffernan Mar 20 '15 at 11:55
  • If using Delphi 2010 you can turn off the extended RTTI (but be careful if you are using any features that rely on it) - see http://stackoverflow.com/questions/2068325/how-can-i-set-the-rtti-directive-for-the-entire-project Also if you are using XE6 or higher pay attention to my answer there. – Stefan Glienke Mar 20 '15 at 12:20
  • 2
    Those "security reasons" are pretty strange, anyway. – Free Consulting Mar 20 '15 at 13:36
  • You should run your code through an obfuscator, don't know what supports Delphi, right now. You can also use an exe compressos for which a decompressor is not readily available. Otherwise it's just very little security, it's not so complex to reverse and understand code today. Good disassembler are able to create API and standard libraries functions signatures, and found them in code, telling which function is called where, making understanding applications functions much easier. – LDS Mar 23 '15 at 15:55

2 Answers2

1

You can include following compiler directive in units you don't want to emit extended RTTI information, and leave only RTTI for published properties, fields and methods that are usually used by streaming or other RTTI based mechanisms. 

{$RTTI EXPLICIT METHODS([vcPublished]) PROPERTIES([vcPublished]) FIELDS([vcPublished])}

However, that will not obfuscate class names and will leave RTL/VCL/FMX RTII information intact.

Dalija Prasnikar
  • 27,212
  • 44
  • 82
  • 159
  • dfm streaming works fine with `{$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])}` since dfm streaming doesn't use extended RTTI – David Heffernan Mar 20 '15 at 12:31
  • @DavidHeffernan, since published names will get included anyway, with this kind of directive that includes published, you don't have to worry about implementation details that may change. – Dalija Prasnikar Mar 20 '15 at 12:33
  • Ended up adding {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([] } and everything seems to be OK for now. Will do some further testing. – Stefaan Mar 20 '15 at 13:00
  • 2
    You can glean a lot of information about a Delphi program by examining the dfms, which are stored as a plain text embedded resource by default. Converting these to the binary format will make this harder. Though honestly any experienced cracker will have no trouble dissecting an application he has physical access to regardless of any attempt to obfuscate the code. The only way to prevent this is to move any significant code to a secure server side application. – Kenneth Cochran Mar 20 '15 at 20:55
  • 1
    The somewhat snarky answer by @mjn is actually the only real solution to securing an application from a determined cracker. – Kenneth Cochran Mar 20 '15 at 21:03
  • 1
    @KennethCochran - on a minor point, DFMs are linked in using the DFM binary format already. The DFM text format is just the default for project sources. – Chris Rolliston Mar 21 '15 at 09:30
-3

Any suggestion is welcome.

Embed a web browser in the main form and move all code to a web application. Then launch the web app home page in your Delphi program. Try to use notepad now - and Bingo. :)

mjn
  • 36,362
  • 28
  • 176
  • 378