Obfuscating C-based binaries to avoid decompilation

Question

Is there some way to obfuscate C-based executables or libraries to prevent decompilation?

Answer 1

Decompilation (No More Gotos) and both obfuscation practice (Flowtables) and theory (Indistinguishability Obfuscation) are active areas of research and therefore there are no solutions - only tools, techniques and expertise. If you really want your code to be impervious to decomplilation, create a web app, and put the sensitive code server side. But if you're stuck to the model of giving someone a binary, then you must wisely judge the trade-off you want to make between security and performance. Obfuscation comes at a cost, and still is never perfect. Some options

• Use a packer other than UPX (UPX comes installed in many linux distros). The performance cost is low and most people do not have the skills to manually unpack a binary for static analysis. But to experienced reversers, the cost of unpacking is immaterial
• Check out Tigress, a diversifying virtualizer/obfuscator with rich features for C source-to-source obfuscation. For better performance, rely on the supporting transformations, control flow flattening, function merging/splitting, literal encoding
• If you want even greater protection, check out Tigress's major transformations: virtualization, JITing, etc, but I'm fairly certain these are more expensive and your users may notice a slow down if you use these transformations.

Don't be discouraged by Barak et al's seminal work on the impossibility of black box obfuscation. He only proves the impossibility of black box obfuscators, not the impossibility of many practical and worthwhile obfuscations. (Black box obfuscation being the inner workings of the program are completely unintelligible) Also don't be discouraged by pirates. There's always people who make it a point to buy your product if it is good.