简体繁体 English

如何保护delphi应用程序的源代码？

[英]How to protect the source of a delphi app?

原文 2009-12-18 04:21:17 6 8 delphi/ decompiling/ source-code-protection

How could I protect my delphi app from being decompiled? 我如何保护我的delphi应用程序不被反编译？ I know there are some software like themida that I think will do that but then the protected exe trigger the antivirus. 我知道有一些类似于itida的软件，我认为会这样做但是受保护的exe会触发防病毒软件。

8 个解决方案

It depends what your goal is. 这取决于你的目标。
If it's really just protecting the source, it's already done! 如果它真的只是保护源，它已经完成了！ Provided you don't include debug and symbols information and add some heavy inlining, good luck to reconstruct some usable Pascal code from disassembling the exe. 如果您不包含调试和符号信息并添加一些重型内联，那么通过反汇编重新构建一些可用的Pascal代码可以带来好运。
If it's preventing people from seeing how it functions and hack it, then you have to include some anti-disassemble protection. 如果它阻止人们看到它的功能和破解，那么你必须包括一些反拆卸保护。 It's harder but doable. 它更难但可行。 Often done as a collateral to anti-piracy protection. 通常作为反盗版保护的抵押品。

Everything that a CPU can read, can also be "decompiled", so there is no ultimate security. CPU可以读取的所有内容也可以“反编译”，因此没有最终的安全性。 But usually it is quite hard to decompile compiled Delphi code, and almost all identifiers and all comments are gone, of course. 但通常很难对编译好的Delphi代码进行反编译，当然，几乎所有标识符和所有注释都消失了。

The published parts of classes, DFM file information and constants (including string constants) are present in the exe file, in an easily readable way. 类的已发布部分，DFM文件信息和常量（包括字符串常量）以易于阅读的方式存在于exe文件中。 You can reduce this problem by encrypting your strings and not using published and not use DFM files. 您可以通过加密字符串而不使用已发布但不使用DFM文件来减少此问题。 However, all the information will still be present in your exe file, so often this will just be hard work that gives no real security. 但是，所有信息仍将出现在您的exe文件中，因此通常这只是一项难以确定的实际安全性。

If you just want parts of your source code to be difficult to read, make your algorithms difficult... 如果您只是希望部分源代码难以阅读，请使您的算法变得困难......

In the end, everything can be hacked. 最后，一切都可以被黑客入侵。 The only real way to avoid your app from being decompiled, is to keep the exe file away from those that can do it, like when you deploy it on your own server but not on the customer's server. 避免应用程序被反编译的唯一真正方法是使exe文件远离可以执行此操作的文件，例如在您自己的服务器上而不是在客户的服务器上部署它时。

If you're using Delphi Prism then one of the many .Net decompilation tools will make it a trivial task to get access to (a form) of your source code. 如果您正在使用Delphi Prism，那么许多.Net反编译工具中的一个将使访问源代码（的一种形式）成为一项微不足道的任务。

The only solution is to use one of the numerous .Net obfuscation tools. 唯一的解决方案是使用众多.Net混淆工具之一。 Unfortunately I can't make a recommendation as I've never had to use one, but Google should show you the way... 不幸的是我无法提出建议，因为我从来没有使用过，但谷歌应该告诉你的方式......

If you're compiling to native Win32 then any form of obfuscation, or even anti-debugging mechanism, is pretty much a waste of time. 如果您正在编译为本机Win32，那么任何形式的混淆，甚至反调试机制，都是浪费时间。 There are people out there who can read assembly as easily as you or I read our native language. 有些人可以像您一样轻松地阅读汇编或阅读我们的母语。 These things only slow the reverse engineering process down somewhat (and only barely at that). 这些事情只会使逆向工程过程有所缓慢（而且只是勉强）。

Few years ago, I've had to rewrite an application, what abandoned by its developer. 几年前，我不得不重写一个应用程序，它被开发人员放弃了。

I can recover all things from DFM-s, Forms (with components) Query strings stored in TxyzQueries, bitmaps from image lists, some strings with decompiler, but application logic can not be recovered, only method names with asm source inside. 我可以从DFM-s，Forms（带有组件）恢复所有东西查询存储在TxyzQueries中的字符串，来自图像列表的位图，带有反编译器的一些字符串，但是应用程序逻辑无法恢复，只有内部带有asm源的方法名称。

There are loaders (like UPX http://upx.sourceforge.net ), what extracts crypted, compressed application to memory and loads it on start, but the AV's often marks such applications as infected. 有加载器（如UPX http://upx.sourceforge.net ），将加密的压缩应用程序提取到内存并在启动时加载它，但AV通常将此类应用程序标记为已感染。 :( :(

You can write a small app like that, some tips: 你可以写一个像这样的小应用程序，一些提示：

www.codeproject.com/KB/cs/LoadExeIntoAssembly.aspx (.net) www.joachim-bauch.de/tutorials/load_dll_memory.html (for dll-s) www.codeproject.com/KB/cs/LoadExeIntoAssembly.aspx(net)www.joachim-bauch.de/tutorials/load_dll_memory.html（适用于dll-s）

只有使用被盗的 Themida密钥保护的应用程序才能触发防病毒软件（例如，卡巴斯基检测到Win32.Black）。

In general, you cannot really protect your code from decompilation. 通常，您无法真正保护代码免受反编译。 However, by using a tool such as Code Virtualizer you can protect key areas, such as your install code decoder. 但是，通过使用Code Virtualizer等工具，您可以保护关键区域，例如安装代码解码器。 Code that is virtualised is much slower, and has certain restrictions, but it adds a suitable hurdle to the casual hackers trouble. 虚拟化的代码要慢得多，并且有一定的限制，但它为随意的黑客麻烦增加了一个合适的障碍。 This is best done in a build script so that it is consistently added for release - that way you ensure proper protection every time. 这最好在构建脚本中完成，以便始终为发布添加 - 这样您就可以确保每次都得到适当的保护。

I recommend separating the install code from the protection BTW, so that you can switch protection at any time without worrying about existing users. 我建议将安装代码与保护BTW分开，以便您可以随时切换保护，而无需担心现有用户。

Finally, Delphi forms are easily accessed, but they are generally not useful to change. 最后，Delphi表单很容易访问，但它们通常对更改没有用。

A complete disassembly is never achieved I think for native Win platform. 对于原生的Win平台，我认为永远不会实现完整的反汇编。 If you don't include debug symbols etc during compile time or hide these using some tool, it's very unlikely your exe could be decoded. 如果在编译期间没有包含调试符号等，或者使用某些工具隐藏这些符号，则不太可能对exe进行解码。 No idea about .NET thing. 不知道.NET的事情。

An easy way to protect the executable is to run it as a web application on an Internet server. 保护可执行文件的一种简单方法是将其作为Internet服务器上的Web应用程序运行。 With Delphi and an Ajax library (for example ExtJS over extpascal , or IntraWeb/VCL for the Web), it is possible to convert desktop and client/server applications to web applications. 用Delphi和阿贾克斯库（例如ExtJS的超过extpascal ，或IntraWeb的/ VCL为Web），可以为桌面和客户端/服务器应用程序转换为Web应用程序。 (Examples) - this also makes the application available for other operating systems and mobile devices. （示例） - 这也使该应用程序可用于其他操作系统和移动设备。