CHAPTER 12Defense

How do you defend against cracking? To start, it's essential to have a good key check design (don't pull a Starcraft/Half-Life). From there, you can implement additional defensive options.

However, it's important to remember that there is no such thing as uncrackable software. As a defender, your job is to slow attackers down in the critical parts of your software and make them frustrated enough they go to a different target.

Like many things in cybersecurity, you just don't want to be the low-hanging fruit. “When swimming in shark-infested water, you don't have to be the fastest…just faster than the guy next to you.”


Obfuscation is the practice of hiding the intended meaning of code by purposefully making logic ambiguous and unclear. It can be valuable for slowing reverse engineering to do the following:

  • Slow cracking
  • Slow tampering
  • Protect intellectual property

Done well, obfuscation can make code essentially unreadable. For example, the following C code (available from, when compiled and run, prints out the lyrics to the entire 12 days of Christmas song. It was one of the IOCCC winners, which is a competition to hand-obfuscate code. Looking at it makes my brain hurt, and I can't guess at how long I'd have to reverse engineer the code before I figured out what it did.

#include <stdio.h>
main(-86, 0, a+1 )
main(t+1, _, ...

Get x86 Software Reverse-Engineering, Cracking, and Counter-Measures now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.