How to protect the source of a delphi app?
https://stackoverflow.com/questions/1926261
-
20-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
How could I protect my delphi app from being decompiled? I know there are some software like themida that I think will do that but then the protected exe trigger the antivirus.
Solution
It depends what your goal is.
If it's really just protecting the source, it's already done! Provided you don't include debug and symbols information and add some heavy inlining, good luck to reconstruct some usable Pascal code from disassembling the exe.
If it's preventing people from seeing how it functions and hack it, then you have to include some anti-disassemble protection. It's harder but doable. Often done as a collateral to anti-piracy protection.
OTHER TIPS
Everything that a CPU can read, can also be "decompiled", so there is no ultimate security. But usually it is quite hard to decompile compiled Delphi code, and almost all identifiers and all comments are gone, of course.
The published parts of classes, DFM file information and constants (including string constants) are present in the exe file, in an easily readable way. You can reduce this problem by encrypting your strings and not using published and not use DFM files. However, all the information will still be present in your exe file, so often this will just be hard work that gives no real security.
If you just want parts of your source code to be difficult to read, make your algorithms difficult...
In the end, everything can be hacked. The only real way to avoid your app from being decompiled, is to keep the exe file away from those that can do it, like when you deploy it on your own server but not on the customer's server.
If you're using Delphi Prism then one of the many .Net decompilation tools will make it a trivial task to get access to (a form) of your source code.
The only solution is to use one of the numerous .Net obfuscation tools. Unfortunately I can't make a recommendation as I've never had to use one, but Google should show you the way...
If you're compiling to native Win32 then any form of obfuscation, or even anti-debugging mechanism, is pretty much a waste of time. There are people out there who can read assembly as easily as you or I read our native language. These things only slow the reverse engineering process down somewhat (and only barely at that).
Few years ago, I've had to rewrite an application, what abandoned by its developer.
I can recover all things from DFM-s, Forms (with components) Query strings stored in TxyzQueries, bitmaps from image lists, some strings with decompiler, but application logic can not be recovered, only method names with asm source inside.
There are loaders (like UPX http://upx.sourceforge.net), what extracts crypted, compressed application to memory and loads it on start, but the AV's often marks such applications as infected. :(
You can write a small app like that, some tips:
www.codeproject.com/KB/cs/LoadExeIntoAssembly.aspx (.net) www.joachim-bauch.de/tutorials/load_dll_memory.html (for dll-s)
Only applications protected with stolen Themida keys should trigger an antivirus (Win32.Black detected by Kaspersky for example).
In general, you cannot really protect your code from decompilation. However, by using a tool such as Code Virtualizer you can protect key areas, such as your install code decoder. Code that is virtualised is much slower, and has certain restrictions, but it adds a suitable hurdle to the casual hackers trouble. This is best done in a build script so that it is consistently added for release - that way you ensure proper protection every time.
I recommend separating the install code from the protection BTW, so that you can switch protection at any time without worrying about existing users.
Finally, Delphi forms are easily accessed, but they are generally not useful to change.
A complete disassembly is never achieved I think for native Win platform. If you don't include debug symbols etc during compile time or hide these using some tool, it's very unlikely your exe could be decoded. No idea about .NET thing.
An easy way to protect the executable is to run it as a web application on an Internet server. With Delphi and an Ajax library (for example ExtJS over extpascal, or IntraWeb/VCL for the Web), it is possible to convert desktop and client/server applications to web applications. (Examples) - this also makes the application available for other operating systems and mobile devices.
