如何保护(混淆)Go二进制文件免受破解?

huangapple go评论88阅读模式
英文:

How to protect (obsfucate) Go binary from cracking

问题

我希望出售Go应用程序。我将向我的客户提供序列号。有没有办法使破解应用程序变得更加复杂?

我说破解C语言应用程序很复杂,而破解Java应用程序很容易。是否有工具可以使破解Go应用程序的工作像破解C语言应用程序一样困难?或者有一些教程吗?至少有些我可以做的事情来保护我的项目。我并不要求超级严格的保护措施。

英文:

I wish to sell Go application. I will provide serial number to my clients. Is there ways to make it a bit more complex to crack app?

I say it is complex to crack C app and it is easy to crack Java app. Is there tools that will make Go app cracking job as hard as cracking C app? or some tutorial? At least something I could do to protect my project a bit. I do not ask about super heavy protection.

答案1

得分: 8

一旦你拥有了二进制文件本身,混淆就变得相当困难。人们曾尝试过从Go二进制文件中剥离符号,但通常会导致不稳定和不可预测的行为,因为某些反射操作需要符号。

虽然你不能对静态链接的库进行混淆,但你可以在编译之前将变量、类型和函数名称更改为无意义的名称,从而对你自己的代码进行混淆。如果你想更进一步,可以尝试获取你使用的库的源代码(标准库的源代码可在大多数Go安装中找到),并将这种混淆应用于库的源代码。

至于编译后的二进制文件修改,如我之前提到的,最好还是避免这样做。

英文:

Once you have the binary itself, obfuscation is pretty difficult. People have tried stripping the symbols out of Go binaries before, but it usually leads to instability and unpredictable behavior, since symbols are required for certain reflection operations.

While you can't necessarily obfuscate the libraries you're statically linking against, you can certainly obfuscate your /own/ code by changing variable, type, and function names prior to compilation to names that are meaningless. If you want to go one step further, you can try obtaining the source code for the libraries you're using (the source code for the standard libraries is available and is included in most Go installations), and applying this obfuscation to the library source code as well.

As for post-compilation binary modification, as I mentioned before, it's probably best to stay away from it.

答案2

得分: 7

为了补充joshlf13的回答:虽然不建议剥离Go二进制文件,但有一个标志可以传递给链接器以省略调试符号:

通过将“-s”标志传递给链接器来省略调试信息(例如,go build -ldflags "-s" prog.go)。

使用GDB调试Go代码

这应该至少是一个更好的方法,因为我没有看到关于剥离符号后编译的警告。

英文:

To add on joshlf13's answer: while stripping Go binaries is not recommended, there's a flag you can pass to the linker to omit the debugging symbols all along:

> Pass the '-s' flag to the linker to omit the debug information (for example, go build -ldflags "-s" prog.go).
>
> (Debugging Go Code with GDB)

This should at least be a better way, since I haven't seen any warnings for this like the ones about stripping symbols post-compilation.

答案3

得分: 3

另一个选择是使用Go 1.16+(2021年2月)burrowers/garble工具:

burrowers/garble

生成一个二进制文件,与常规构建一样工作,但对原始源代码的信息尽可能少。

该工具的设计目标是:

  • cmd/go配合使用,支持模块和构建缓存
  • 给定相同的初始源代码,具有确定性和可重现性
  • 可以通过原始源代码进行逆向操作,以解除恐慌堆栈跟踪的混淆

这可能对你的需求来说还不够混淆,但是这是一个很好的起点。

英文:

Another option, with Go 1.16+ (Feb. 2021:

> ## burrowers/garble

> Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.
>
>The tool is designed to be:
>
>- Coupled with cmd/go, to support modules and build caching
>- Deterministic and reproducible, given the same initial source code
>- Reversible given the original source, to de-obfuscate panic stack traces

That might not be obfuscated enough for your need, but it is a good start.

huangapple
  • 本文由 发表于 2014年1月5日 05:58:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/20927250.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定