Recently I've tried an super easy way to protect any interpreted code written in Node.JS or any interpreted language out there. I've really tried hard to find similar solution on stack overflow without success.
The method is so easy that it is difficult for me to believe that it could not be easily broken as well. Before I come with the question, let me show you what it is:
The goals are:
- make the simplest (and quite difficult) method to protect source code interpreted by node binary.
- the may to be difficult to hack by the average person. I don't want protect my code against professionals.
- do not change the Node source code itself. What I need is just the use of already compiled Node binary.
The solution:
Write a simple wrapper with C to read encrypted source code, decrypt it and then put decrypted code to the standard input of the node binary using "popen" function from stdio.h. Since the C code can be compiled (and eventualy obfuscated before) it can be quite difficult to reverse-engineer it. Let me describe it in pseudo code snippet below:
#include <stdio.h>
void main() {
encr_fp = fopen("the_encrypted_code_file", "r");
pipe_fp = popen("/usr/local/bin/node", "w");
while (read bunch of bytes from encr_fp != EOF) {
decrypt bunch of bytes
put decrypted bunch of bytes to pipe_fp
}
pclose(pipe_fp);
}
So, finally the question is
Can you point some weakness of the method described above ?
the only two drawbacks I can imagine are:
- is is very easy to replace "/usr/local/bin/node" with my own script to intercept the stdin
- since the popen starts /bin/sh it can be easy to replace /bin/sh as well to do the same
Fortunately it is very easy to protect the code by adding simple CRC checking of /usr/local/bin/node and /bin/sh binaries before actual decryption.
Can you find some more?
Aucun commentaire:
Enregistrer un commentaire