Newsgroups: comp.lang.java.security
From: David Chase <"mylastname "@ world dot std . com>
Subject: Re: Protecting Source Code
Message-ID: <E93IDx.Azp@world.std.com>
Date: Wed, 23 Apr 1997 14:46:44 GMT
Reply-To: mylastname, @, world, dot, std, ., com
References: <msadamsE8z0Io.Gx8@netcom.com> <335B0176.10746485@best.com> <msadamsE90CG1.9J0@netcom.com> <335CB354.41C6@widget.com> <335D4BDD.A4C@taligent.com>
Organization: Natural Bridge LLC

Dean Roddey wrote:

> Not that I really give a hoot about the Java byte code vs. source
> protection problem; however, the above scenario seems very bogus to me.

> In a compiled program, optimized and without debug info, where is he
> getting the names of things like system entry points, program function
> names, RTL function names, global and local variable names, demangled
> C++ method names, etc...? Without these things, figuring out what a
> non-trivial application does would be kind of difficult.

It could be stripped, which would indeed make life more difficult,
but you cannot strip a library (well, you can, but then it is
useless).  The symbol names are a big help.  The entry points are
well-known, else the program cannot be started by the operating
system.  Demangling C++ names is a mechanical process, and the
demangling algorithm provides information about the types of parameters.

Recovering comments, however, would be a good trick.  Automatic variable
names are also not visible unless you have a debuggable object file or
binary.

But, as to whether people can back-assemble machine code to figure
out what is going on, sure, I've done it myself.  I've discovered,
reported, and fixed bugs, based on reading Sparc machine language.  I
can often tell which compiler was used to create an object file, and
at a certain level, how much optimization was applied.  I once determined
how a competing company was cheating on a benchmark by walking through
a building (that had access to their code, we did not) and spotting a
modified dataflow diagram on an unerased white board.  It did not say
"here's how the benchmark was improved", it was just a simple picture,
and I recognized it.  Just because this sort of thing doesn't seem easy
to you, does not mean that it is hard for all people, or that there aren't
people motivated to work hard to solve this sort of problem.

David Chase
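
The point above about demangling being mechanical and exposing parameter types, as an added example that is not part of the original post. It assumes the Itanium C++ ABI mangling used by current GCC and Clang (compilers of 1997 used other schemes) and handles only a subset: plain and nested names, a few builtin types, and pointer, reference and const qualifiers.

```python
# Added example: a subset of the Itanium C++ ABI mangling (assumed scheme).
BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "j": "unsigned int",
           "l": "long", "m": "unsigned long", "f": "float", "d": "double"}

def _source_name(s, i):
    """Parse <decimal length><identifier>, e.g. '5Shape' -> 'Shape'."""
    j = i
    while s[j].isdigit():
        j += 1
    if j == i or j + int(s[i:j]) > len(s):
        raise ValueError(f"bad or unsupported name encoding at offset {i}")
    end = j + int(s[i:j])
    return s[j:end], end

def _name(s, i):
    """Parse a plain name, or an N...E nested name (namespace/class scope)."""
    if s[i] != "N":
        return _source_name(s, i)
    parts, i = [], i + 1
    while s[i] != "E":
        part, i = _source_name(s, i)
        parts.append(part)
    return "::".join(parts), i + 1

def _type(s, i):
    """Parse one parameter type; P, R and K qualify the type that follows."""
    c = s[i]
    if c in "PRK":
        inner, i = _type(s, i + 1)
        return inner + {"P": "*", "R": "&", "K": " const"}[c], i
    if c in BUILTIN:
        return BUILTIN[c], i + 1
    if c == "N" or c.isdigit():
        return _name(s, i)
    raise ValueError(f"unsupported type code {c!r} at offset {i}")

def demangle(sym):
    """Return 'scope::name(parameter types)' for a symbol in this subset."""
    if not sym.startswith("_Z"):
        raise ValueError("not an Itanium-mangled name")
    try:
        (name, i), params = _name(sym, 2), []
        while i < len(sym):
            t, i = _type(sym, i)
            params.append(t)
    except IndexError:
        raise ValueError("truncated symbol") from None
    if not params:
        return name  # data symbol: no parameter list is encoded
    return f"{name}({', '.join([] if params == ['void'] else params)})"
```

For the constructed symbol `_Z4openPKci`, `demangle` returns `open(char const*, int)`; anything outside the subset (templates, substitutions, function pointers) raises `ValueError` rather than guessing.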
