Comments (11)
In theory, no-op APIs should be more flexible. They allow you to wrap multi-line logic.
garble.ObfuscateBlock(func() {
// open license file
// check rsa signature
// something else
}) // I think () are not needed, let api guarantee a lambda call
from garble.
How would you implement this in a way that doesn't blow up the binary size, compile time, and run-time speed of the program? We definitely can't do this for all statements. Would you just do a small portion of statements at random? Or would you depend on some sort of annotation like "please make this statement harder to deobfuscate"?
from garble.
I like the idea of explicitly indicating which expressions to obfuscate. For example, we can obfuscate the logic of checking a license without regard to speed and size, but do not touch the recursive calculation of the number of fibonacci
he-he, goroutines quite expensive
BenchmarkOriginal
BenchmarkOriginal-24 13812631 77.4 ns/op
BenchmarkStep1
BenchmarkStep1-24 14489564 80.0 ns/op
BenchmarkStep2
BenchmarkStep2-24 526202 2803 ns/op
BenchmarkStep2Optimized
BenchmarkStep2Optimized-24 2433956 504 ns/op
https://gist.github.com/pagran/29cfbd713119e7395b12ed134145be91
from garble.
I'd be fine with some form of annotation. Here are two ideas:
- special comments, like:
//go:garble obfuscate-statement
someHiddenValue = ...
- special no-op APIs, like:
garble.ObfuscateBlock(func() {
someHiddenValue = ...
}())
With option 2, we would replace the func call with the logic to hide the code inside the anonymous func.
from garble.
I can continue the idea:
- Add protection levels
- Add special methods for string (and other default types)
- Add obfuscated resources (not sure)
Something like:
garble.ObfuscateBlock{Low,...,Ultra}(func() {
// logic
})
gargble.ObfuscateString{Low,Hight,Ultra}("Some string") // return string type
gargble.LoadFile("assets/logo.png")
On ultra we can generate megabytes trash code :)
from garble.
I wonder if options like -literals
could be replaced by such annotations too. It certainly feels more powerful, given that you can narrow down your needs. It seems less useful if one wants to obfuscate all strings, but I wonder if that's something we should encourage to begin with.
An option in the code is the route we took with hiding panics with @capnspacehook, though that is just a single global setting.
from garble.
I think the function "obfuscate all lines" may be convenient for typical functions where it makes no sense to manually manage obfuscation (error handling, logs, etc.), but it should be as lightweight as possible
from garble.
The only problem I see with no-op APIs, is that it won't allow wrapping top-level declarations. For example, if I wanted to obfuscate several function declarations in a file, wrapping it in another function call is illegal syntax. I know that garble would replace the calls etc and the code could compile cleanly, but this would disallow any other tools from operating on the source code, such as gofmt
for example.
Example code:
package main
import (
"fmt"
)
garble.ObfuscateBlock{
func foo() { fmt.Println("foo") }
func bar() { fmt.Println("bar") }
func baz() { fmt.Println("baz") }
}
func main() {
fmt.Println("Hello, playground")
}
from garble.
Well, you could do one of:
var secretVar
func init() { garble.ObfuscateBlock(func() { secretVar = ... }) }
func foo() { garble.ObfuscateBlock(func() { body ... }) }
Not ideal, but still better than using comments everywhere, I think.
from garble.
Why do you prefer that syntax over using comments? To me, comments could be more flexible. We could allow block comments to annotate blocks of code without changing the source code much:
//garble:blockobfuscate
var secretVar ...
func init() { secretVar = ... }
func foo() { ... }
//garble:end
from garble.
@capnspacehook because that feels like inventing our own syntax on top of Go's syntax, almost like a meta-syntax that the user has to learn and remember. I would like to avoid that. Comment directives that just affect the following node/statement are OK-ish, but anything more than that feels too icky.
Go already has ways to group syntax: top-level declarations can use (
, and statements can use {
. So your example above could be like:
//garble:whatever
var (
...
...
)
//garble:whatever
func init() { secretVar = ... }
The alternative is pure Go syntax like garble.ObfuscateBlock
, but then we force the user to move global variable assignments to init
statements, which isn't super nice. Perhaps we could instead have them do:
var secretVar = garble.ObfuscateValue(expression...)
I'm thinking outloud here. I don't have a strong opinion overall, but I would like to stick to "plain Go" syntax as much as possible, i.e. ideally without magic comments.
from garble.
Related Issues (20)
- Compiling for macos/darwin on linux HOT 4
- 混淆后gorm的hooks无法生效 HOT 1
- run binary got fatal error: invalid function symbol table after garble build with go 1.22+ HOT 2
- Support for //build +windows, linux and so on HOT 2
- Errors while working with anonymous structs HOT 2
- Can't work with github.com/robotn/gohook
- add a module or file to exceptions? HOT 1
- Why does garble remove the flags I need? HOT 1
- json.unmarshel does not work HOT 8
- Feature proposal: new subcommand for computing obfuscation map HOT 2
- How to Use control Flow ? HOT 4
- Problem when compiling with control flow enable HOT 2
- Go-jet compatibility HOT 1
- CGO-related structs are not obfuscated while their usage is obfuscated
- error on parse github.com/go-openapi HOT 2
- Support for Go 1.23 HOT 1
- Effect of reflection on obfuscation HOT 3
- -literals not working with -ldflags HOT 1
- Trojan:Win32/Gracing.I reported HOT 2
- Problems with gin template rendering HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from garble.