Python
Taras Labiak, 2017-03-12 21:39:37

What should the server be written in to make decompilation harder?

There is a server, implemented in Node.js, which is accessed by applications to check the license and bind to the hardware, as well as to receive and save a certain list. We do not provide access to this server to the customer. But the customer wants the application server to be on his hosting and he has access to it, so the only way out that I see is to rewrite the part of the server application that serves the client applications in Go. I haven't written in Go, but that's not a problem. The only question is how much the compiled Go code is subject to reverse engineering, or is it possible to use something else for this, for example, Cython (but I know Python quite well)?
The customer must not remove the restrictions on the number of licenses, and the customer's server must also transfer data about the registered user to our server. And this, perhaps, is not all that the customer should not change. In any case, it was necessary to find a specialist who would hack the server, it was expensive, long/difficult


5 answer(s)
dinegnet, 2017-03-12
@dinegnet

Rewriting everything is not cool.
A fairly small piece with key algorithms.
Not necessarily the entire server.
Decompilation is always possible, but the question is at what level the decompiled code will be. If what you get is almost assembly, there is little point in decompiling.
Anything compiled to native code is fine - Go, C/C++, Pascal, Haskell are orders of magnitude better than Python, Java, NodeJS.
Don't forget to strip the debug symbols.
After that, decompiling it brings back such a horror that few people will want to make sense of it cheaply.
But in the end, it all comes down to how interested a person is.
If the product is very massive or very expensive, there is more interest in hacking.
And what, the customer is an idiot?
If he wants to get the server as a kind of guarantor, then doesn't he also want the source?
IMHO, developer support (fixing bugs that can be revealed even a year later) is a significant plus to stay with you.

Sly_tom_cat ., 2017-03-12
@Sly_tom_cat

Decompiling compiled code is always a matter of time/money.
I would consider building a check using asymmetric encryption schemes. And since you still have information going to your server, then give permissions / check it on it.
But it's better not to bend the price tag - they won't break it either.
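
The signed-license check suggested in the answer above, as an added example that is not part of the original thread: the vendor's server signs each grant with an Ed25519 private key, and the customer-hosted server holds only the public key, so editing the seat count invalidates the signature. All function and field names (`issueGrant`, `verifyGrant`, `tamperSeats`, `hardwareId`, `seats`, `expiresAt`) are assumptions, and Node.js is used because the existing server runs on it.

```javascript
// Added example; all names and sample values here are hypothetical/constructed.
const crypto = require('crypto');

// Vendor side: the private key never leaves the vendor's own server.
// The key pair is generated here only so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Vendor server: sign a grant binding a seat count and expiry to one hardware ID.
function issueGrant(hardwareId, seats, expiresAt) {
  const payload = Buffer.from(JSON.stringify({ hardwareId, seats, expiresAt }));
  const signature = crypto.sign(null, payload, privateKey);
  return payload.toString('base64') + '.' + signature.toString('base64');
}

// Customer-hosted server (or client app): ships with the public key only.
function verifyGrant(token, localHardwareId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64');
  const signature = Buffer.from(parts[1], 'base64');
  // Verify the signature over the exact bytes received, before parsing them.
  if (!crypto.verify(null, payload, publicKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  const grant = JSON.parse(payload.toString('utf8'));
  if (grant.hardwareId !== localHardwareId) return { ok: false, reason: 'wrong hardware' };
  if (now >= grant.expiresAt) return { ok: false, reason: 'expired' };
  return { ok: true, seats: grant.seats };
}

// Constructed check: rewrite the seat limit but reuse the old signature.
function tamperSeats(token, seats) {
  const [p, s] = token.split('.');
  const grant = JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
  grant.seats = seats;
  return Buffer.from(JSON.stringify(grant)).toString('base64') + '.' + s;
}
```

The signature stops grants from being forged or edited; it does not stop someone from patching the `verifyGrant` call out of the binary, which is the limit the other answers describe.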

rustler2000, 2017-03-12
@rustler2000

CoreOS rkt probably supports encrypted images. If the hardware has TPM and UEFI Secure Boot, then everything should theoretically be fine with the node.

sim3x, 2017-03-13
@sim3x

cython vs golang vs js (obfuscated)
In the case of a banal check, the licenses will be the same in stability
Or you need to write code that will resist debuggers, then counteract debugging, then complicate debugging, then tricks to divert attention
The stakeholder will only need to figure out which block of code is responsible for the "license" and cut it or do the same, but after completing the quest
Binding to hardware - emulated by
IMO, 40% for setting norms share for developers
features + second lvl support), except for financial
