Fog Creek Software
Discussion Board

What ever happened to "shrouded" source code?

This question is inspired by the thread on Kylix abandonment.

What ever happened to the concept of selling "shrouded source code"? Did any company ever do this successfully with commercial products?

This is source code where all identifiers have been bulk replaced with randomly assigned names, all whitespace has been compressed out, and expressions may have been replaced with functionally identical but hard to understand expressions.  The company that made "PC-Lint" (a tool that inspected C code for correctness) years ago had a product that created shrouded, "obfuscated" C from readable and formatted C code.

I'm just curious if this was ever used by real companies. I never heard of products distributed in this way. It seems to me that the degree of mangling that this implies would be useful even to keep a compiled binary product from being reverse-engineered, since the table of exports, etc would be unreadable in the executable.

Bored Bystander
Saturday, November 8, 2003

There are several commercial obfuscators for .NET since the .NET assemblies (MSIL code) can be easily disassembled. Infact VS 2003 has one in-built.

Saturday, November 8, 2003

There are lots of Java Obfuscators out there.

Saturday, November 8, 2003

Why ship obfuscated source code when you can just ship a binary?

NVIDIA sort of does this with their Linux driver. Most of the code is shipped as an unlinked object, but with the symbols obfuscated out. This is because the linking step depends heavily on kernel configuration, so they couldn't just ship a linked binary.

Dan Maas
Saturday, November 8, 2003

Most people are aware, but some might not be, that Java "binaries" can be decompiled right back to source using standard tools that ship with the JDK. So lots of people already use obfuscators to try to jumble up the names and relationships in the source.

Same thing for .NET.

Saturday, November 8, 2003

Ok, these responses make me feel properly clueless. ;-) Thanks for dragging me into the 21st century.

Bored Bystander
Saturday, November 8, 2003

That's not quite true. There's no tool in the JDK which can build a class out of the output of javap (the "decompiler" I assume you're referring to, which is closer to a disassembler really). Such tools do exist though.

Tuesday, November 11, 2003

*  Recent Topics

*  Fog Creek Home