Stolen Android Anti-Piracy Software Dumped On Github (torrentfreak.com)
Dexguard, a tool used to protect Android software from piracy, tampering and cloning attacks, has been removed after being illegally posted on Github. A version of the tool exposed on the code repository was stolen from a customer of Guardsquare, the software's creator. TorrentFreak reports: "We develop premium software for the protection of mobile applications against reverse engineering and hacking," the [security company Guardsquare's] website reads. "Our products are used across the world in a broad range of industries, from financial services, e-commerce and the public sector to telecommunication, gaming and media." One of Guardsquare's products is Dexguard, a tool to protect Android applications from being decompiled, something that can lead to piracy, credential harvesting, tampering and cloning. Unfortunately, a version of Dexguard itself ended up on Github.
In a takedown notice filed with the Microsoft-owned code platform, Guardsquare explains that the code is unauthorized and was obtained illegally. "The listed folders... contain an older version of our commercial obfuscation software (DexGuard) for Android applications. The folder is part of a larger code base that was stolen from one of our former customers," Guardsquare writes. Guardsquare found almost 300 "forks" of the stolen software on Github and filed a request to have them all taken down.
Such schemes have been in use since the days of Apple ][.
First, they mangle the symbol table turning meaningful names into random short strings (and patch up the relocation table to match). Then they encrypt critical code and replace the standard loader with one that first locates the key and decrypts the segments. They also encrypt the strings table so you can't get a decent hint at what a given piece of code does based on the strings it uses.
Naturally, since the code still runs, you can get everything decrypted by running in a debugger, but it makes that a pain since you have to trace your way through the loader and deal with strings being decrypted just in time.
Other tricks include adding junk into the code and adjusting jumps and branch instructions to skip it. You can still figure it all out, but a simple disassembler won't give you a proper assembly listing in one go that way.
Essentially it's an advanced form of taking a nice bit of readable C source, using search and replace to change meaningful variable names like bNeedScreenUpdate with x, and removing all tab, space, and CR not actually needed by the compiler in order to make it hard to understand.
It doesn't actually stop you from decompiling the code but it does make it take a lot more time and effort.
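A miniature version of the symbol mangling and string-table encryption the comments above describe, added here as an example and not code from the article, from the commenters or from DexGuard. It runs Python's ast module over a constructed sample program, renames identifiers to short opaque names, replaces every string literal with a call to a decryptor stub that ships with the program, and then shows the obfuscated program still runs, which is exactly why the strings can still be recovered by executing it under a debugger.

```python
import ast
import itertools
import string
# Constructed sample: a readable function whose name and string literals
# give away what it does, exactly the hints an obfuscator tries to remove.
SAMPLE_SRC = '''
def check_license(serial):
    if serial == "ABCD-1234":
        return "license ok"
    return "license invalid"
'''
KEY = 0x5A  # single-byte XOR "encryption" of the string table, illustration only
# Loader-style stub shipped with the obfuscated program; it decrypts each
# string just in time, so the plaintext only ever exists at run time.
DECRYPT_STUB = f"KEY = {KEY}\ndef _d(blob):\n    return bytes(b ^ KEY for b in blob).decode()\n"

class Obfuscator(ast.NodeTransformer):
    def __init__(self):
        self.names = {}  # original name -> mangled name (the "symbol table")
        self.gen = (''.join(p) for n in itertools.count(1)
                    for p in itertools.product(string.ascii_lowercase, repeat=n))
    def _rename(self, name):
        if name not in self.names:
            self.names[name] = next(self.gen)
        return self.names[name]
    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        for arg in node.args.args:
            arg.arg = self._rename(arg.arg)
        self.generic_visit(node)  # body references pick up the new names
        return node
    def visit_Name(self, node):
        node.id = self.names.get(node.id, node.id)
        return node
    def visit_Constant(self, node):
        if isinstance(node.value, str):  # replace "text" with _d(b'...')
            enc = bytes(b ^ KEY for b in node.value.encode())
            return ast.Call(ast.Name('_d', ast.Load()), [ast.Constant(enc)], [])
        return node

def obfuscate(src):
    """Returns (obfuscated program text, rename map)."""
    ob = Obfuscator()
    mod = ast.fix_missing_locations(ob.visit(ast.parse(src)))
    return DECRYPT_STUB + ast.unparse(mod), ob.names

def run(src, func_name, *args):
    ns = {}
    exec(src, ns)
    return ns[func_name](*args)
```

Neither the function name nor the telltale strings survive in the obfuscated text, yet `run(obf, names["check_license"], "ABCD-1234")` still returns "license ok", so a debugger or a hooked decryptor recovers them at run time.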