Decompiling Objective-C libraries
L

3

46

I've just finished a library in Objective-C that I compiled as a Static Library for distribution.

I wanted to know what the chances are of getting this decompiled.

  • Do you know any software that can do this?
  • If so, how could I protect myself better?

EDIT: My static lib is made for iPhone / ARM

I created an algorithm that, depending on some parameters of the app, can run as demo or as full code. You init the object with X variables and unlock the full version. I was wondering if they'll be able to see this algorithm so they can create a key generator.

Lui answered 25/2, 2010 at 12:56 Comment(3)
FYI, having users enter a code to use the full version sounds iffy for an iPhone app. If they're buying the full game from the App Store, there's no need to enter a code. If they're buying it outside of the App Store, Apple will not be happy. – Castlereagh
Thanks, I don't mean end users but the developers. [[myLib alloc] initWithMySecretKey: @XXX] – Lui
Your algorithm will run to check the key; they can see the instructions (like the machine, it needs to know the instructions to run it), then they can see it and develop a generator. – Perfecto
M
60

It's not clear what you are trying to protect yourself from. Yes, it can be reverse engineered. The simplest tool is otool, part of the standard developer distribution:

otool -tV <library>

From that they run up to things like IDA Pro, which has iPhone support and is very nice for this kind of work. In between, I'm really surprised that I haven't seen a rework of otx for iPhone/ARM yet. I wouldn't be surprised to see one show up eventually. And of course there's gdb if you're trying to work out how things flow and what the data is at various points.

If you have more details about what you're trying to protect yourself from, there may be some targeted answers. Beyond that, read Chuck's comments.

Motorboating answered 25/2, 2010 at 18:43 Comment(5)
Thanks Rob, this has been very enlightening. I've added more information about what I am trying to protect. – Lui
I see the edit. To your question, yes, with a debugger they will be able to create a key generator. But they won't bother. They'll just modify the binary to skip the key check. Don't worry about it too much. If your library is so popular that people are taking the trouble to create fake keys, then it's popular enough that you'll be making a lot of money anyway. Worry about it when you're rolling in all that dough. If you waste your time on obfuscation (which won't help much), then you'll never have enough time to make the awesome product that anyone will buy anyway. – Motorboating
In any case, I'd recommend building separate versions rather than using a key. When people pay for it, send them the full version. Less stuff to go wrong that way, less code bloat, much harder to break by random people (because they won't have the full code). – Motorboating
@RobNapier Using this tool I'm able to disassemble the framework file but not able to get the function prototype (in order to know the number of parameters and their data type). – Bitternut
I assume you mean otool. That's correct, otool doesn't report the types (you can infer the number of parameters from the method name). If you have a particular question, you should start a new SO question. – Motorboating
C
84

If it executes, it can be decompiled. Objective-C is particularly easy to decompile into readable code thanks to its dynamic features. If you want to make things a little bit harder, you could write most of your code in plain C and strip the executable — which of course has the tradeoff of making your application design harder to manage. But be honest with yourself: If somebody wants to crack your code, you are not going to be able to stop them. Crackers have practically unlimited amounts of time and enthusiasm and will actually be excited by any novel efforts you put in to stop them. Nobody has yet made uncrackable software, and the biggest corporations in the world have tried. You're not going to do better than them, especially if you need to ask about it on Stack Overflow.

Take the time that you would have put into thwarting decompilation and use it to make your product better — that will have a much better ROI.

Castlereagh answered 25/2, 2010 at 18:32 Comment(3)
"You're not going to do better than them, especially if you need to ask about it on Stack Overflow." - Lol... – Osteophyte
"and will actually be excited by any novel efforts you put in to stop them" Lol... Well put. – Ignorant
Can you please tell me any tool or way that is useful for decompiling an iOS library? I extracted the object file but that is not useful because it is binary. I want the source code from the static library. ar -xv MyLib.a MyObj.o this command gives only a binary file. How can I extract the class file from that? – Clytemnestra
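A pre-release check a library author can run on their own build, added here as an example and not code from the thread: Objective-C selector names survive compilation as plain strings in every object file of the .a, and each colon in a selector marks one parameter, which is the inference the otool comment above describes. The archive bytes, the unlockWithKey:forApp: selector and the keyword watch-list are constructed for illustration; initWithMySecretKey: and MyObj.o are the names used in the thread.

```python
import re

AR_MAGIC = b"!<arch>\n"
# Selector-shaped strings: one or more "name:" parts, e.g. initWithMySecretKey:
# (zero-argument selectors have no colon and look like any other string, so are skipped)
SELECTOR = re.compile(rb"(?:[A-Za-z_][A-Za-z0-9_]*:)+\Z")
# Assumed watch-list of words hinting at licensing logic; adjust to your code base.
SENSITIVE = re.compile(rb"key|secret|licen|unlock|demo|trial", re.I)

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (BSD or GNU short names)."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[:16].decode("ascii", "replace").rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if name.startswith("#1/"):        # BSD long name: stored in front of the data
            n = int(name[3:])
            name, data = data[:n].rstrip(b"\0").decode("ascii", "replace"), data[n:]
        else:
            name = name.rstrip("/")       # GNU ar terminates short names with "/"
        yield name, data
        pos += 60 + size + (size & 1)     # members start on even offsets

def exposed_selectors(blob):
    """Return sorted (member, selector, n_params, sensitive) for selector-like strings."""
    out = []
    for member, data in ar_members(blob):
        for s in set(re.findall(rb"[\x20-\x7e]{4,}", data)):   # printable runs
            if SELECTOR.match(s):
                out.append((member, s.decode(), s.count(b":"), bool(SENSITIVE.search(s))))
    return sorted(out)

def _member(name, data):
    """Build one ar member (used only to construct the sample below)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample: a fake object file holding three selector strings.
SAMPLE = AR_MAGIC + _member(
    b"MyObj.o", b"\xcf\xfa\xed\xfe\0initWithMySecretKey:\0drawRect:\0unlockWithKey:forApp:\0")

if __name__ == "__main__":
    for member, sel, n_params, flagged in exposed_selectors(SAMPLE):
        print(member, sel, n_params, "REVIEW" if flagged else "")
```

Run against a real build with exposed_selectors(open("MyLib.a", "rb").read()); every flagged line is a name that anyone holding the library can read without a disassembler.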
V
5

ChanceGetsDecompiled = ExpectedGainFromBeingDecompiled / PopularityOfLibrary

Well, if you REALLY want to know, I would try decompiling it yourself. You don't say if this is for PPC, Intel, or ARM, which makes a difference. Here is a decompiler for Intel i386 Decompiler

I don't know what you could do (I don't think there is much) to limit this. Code can always be reverse engineered. Be happy that you're not using Java or .NET. Their decompilation is so nice.

Venessavenetia answered 25/2, 2010 at 13:23 Comment(2)
Hi Jamone, thank you for your post. Actually the lib I built is for iPhone SDK. – Lui
The link provided is broken. – Totalitarianism
