How to prevent reverse engineering of VB.NET apps

Hello, everybody. I gave an executable file created with VB.NET to a friend of mine, who is an experienced programmer, and the next day he gave it back to me... together with the source files!!!

He explained to me that disassembling an exe created with managed code is a piece of cake. Is there any way you can protect your programs developed in VB.NET?

TIA

Note this... You could also see the code in non manage code... maybe not that easy but it was possible too...

In .net, the EXE code isn't compiled in native mode, it's in IL.

The IL is sort of easy to understand... You shouln't put any passwords or sensetive texts on the code cause you can see all plain code perfectly using a tool called ILDASM :D

What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...:D NICE...

You can also use another tool to compile your code that is NGen that, as long as I know, it compiles your app directly to Native Mode... but it brings good and bad things too...

I gave you all the names... search for them on the net and take your conclusions... :D Good luck ...

As far as I know, you can only get assembly code from standard exe files, but no source. Moreover, in order to do so, you should be able to use specific tools, such as SoftIce and a hex editor. This means that programming applications with the previous version of VB is much safer, isn't it? Now, my question is, do you think it makes more sense to stick to VB5/VB6 than migrate to VB.NET if you want to develop desktop applications? As I said, cracking VB.NET apps seems to be as easy as pie.

Note this... You could also see the code in non manage code... maybe not that easy but it was possible too...

 

In .net, the EXE code isn't compiled in native mode, it's in IL.

The IL is sort of easy to understand... You shouln't put any passwords or sensetive texts on the code cause you can see all plain code perfectly using a tool called ILDASM :D

 

What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...:D NICE...

 

You can also use another tool to compile your code that is NGen that, as long as I know, it compiles your app directly to Native Mode... but it brings good and bad things too...

 

I gave you all the names... search for them on the net and take your conclusions... :D Good luck ...

Dear Derek, I'm afraid VB.NET makes a muck with security issues, unless you buy third party products. I currently produce desktop based applications with VB5/VB6 and so far nobody has ever managed to decompile my software in the way my friend did with a VB.NET executable.

So, unless I need to produce something for the Web, I think I'm going to stay with VB5.

http://www.xtremedotnettalk.com/showthread.php?s=&threadid=75908

You are right: turning decompiled source files into a working program would require a big effort. Anyway, I was referring to security issues from another point of view, i.e. reverse engineering in order to crack a protected program, e.g. shareware. You will agree with me that, with VB.NET, things have become much easier for hackers.

Derek raises an excellent point. People may be able to get the source dump, but it really doesn't matter even if they do. In order to turn your decompiled source into a working program would probably be more work than writing it from scratch. The only really useful thing you can get from a decompilation is logic, and much of the logic is changed drastically (i.e. the IL uses goto constantly rather than many of the other equivilants, like calling internal subs or Select Case statements).

Dear VolteFace, I know no security system is perfect but, as you said, crippling software has now become too easy. That friend of mine who managed to get the source files of my VB.NET executable cannot use, for example, SoftIce nor can he program in C++.

Again, what concerns me is that now reverse engineering is within the reach of inexperienced programmers. So, unless you devise a very complicated protection system for your software, you may have reason to believe that sooner or later it will be cracked by the first newbie who wants to show how clever he is.

This still makes me prefer VB5/VB6 to VB.NET.

The only real effective kind of shareware is the kind where you cripple the software, taking away some key functionality. Any shareware which contains full functionality ("locked" or otherwise) anywhere in the program is simply ineffective to anyone who knows how it is done, and regardless of whether it is done in .NET or not, it isn't that hard to figure it out.

 

Another effective way to do it would be to require an encrypted evaluation key to be entered on install, which needs to be emailed to the user. The key would expire after 30 days, and since you already have the user's email stored in your database, you don't send another one. It is fairly effective, but takes a lot more work to set up. Look at the VMWare site to see what I mean.

 

However, if you need to securely store algorithms and such, you might try using a C++ DLL. However, an assembler programmer would usually be able to extract stuff like that from the C++ DLL.

This thread is going deep :)

esposito: I don't know what kind of programing u do, nor how much time do you have to develop each application but VB5!!! You got to be kidding with us...

Derek gave you the URL to other Thread on this forum where is something really true... If you really devellop something that really worth the work of reverse engeneering there's no language or security method that can protect you!!

Don't u thing if it exists the games developer wold use it?? :D

Think about it...

No present security issue worth sticking with VB5... :p

I think I'm going to have nightmares with that tonight ! :D

AlexCode: I'm not sure I grasped the gist of your last post. Anyway, to sum up what I said, I am afraid that, if you develop commercial software using VB.NET, anybody could decompile it, make some modifications to the code and graphic interface and become the owner of a new program based on your production.

I produce shareware for the Italian market. If you are curious, you can download my software from

http://www.geocities.com/espositosoftware

which is a mirror of my Web site.

I know no language can guarantee perfect protection from hackers but I also know that VB.NET makes decompiling too easy.

This thread is going deep :)

 

esposito: I don't know what kind of programing u do, nor how much time do you have to develop each application but VB5!!! You got to be kidding with us...

 

Derek gave you the URL to other Thread on this forum where is something really true... If you really devellop something that really worth the work of reverse engeneering there's no language or security method that can protect you!!

 

Don't u thing if it exists the games developer wold use it?? :D

Think about it...

 

No present security issue worth sticking with VB5... :p

 

I think I'm going to have nightmares with that tonight ! :D

I respect your point of view but I have a different opinion about it.

I think the copyright on your source code is still important, otherwise commercial software would disappear from our "world of delusion".

What you are saying would mean that I could easily become the owner of any software I can find on the market, because "no one cares what your source code looks like".

Open source is a generous project but it does not allow you to make ends meet. Developing software is a job like any other. If you deprive programmers of the possibility of selling their products, you will force them to look for a new job.

That's why I'm still looking for a secure way of protecting my applications.

You're absolutely kidding yourself if you think it's harder to replace a jmp command with a nop command in a natively compiled executable than to do the same in an assembly code in IL. Shareware programs are just as vunerable then as they are now, and anyone that says otherwise is living in a world of delusion. With that said you also need to remember that no one cares what your source code looks like. .NET has almost completely removed the need for "creative coding", since most of the functionality one needs is already available in the BCLs.

 

Software is created to meet the needs of a customer. Generally it isn't created to break creative boundaries or to be looked upon as something unique, since within time someone is going to capitalize on your idea and there's little you can do about. What it boils down to is that all software developers need to accept this and move on with their work. The time you're wasting on obscuring your "masterpiece" is time you should be using to entice users to your product.

Derek... I think we're out of arguments :D

What can we say to meke him see that he gains more money developing better and faster apps than more secure ones :confused: ?

We always got to supply some security but beeng obseced about it it's a run that will never end...

I'm no expert on Reverse Engeneer but if you build som app in VB5 and offer $1000 to a good hacker he gives you the code just like your friend gave you the .net code... :D

Maybe if the hacker is a smart one... he builds the entire program from scratch faster than he would reverse it !! and this is the logic...

Use ILDasm in one of yours EXE's and telme what u see!

Can you understand the logic of it from there?

It's what I told you... the onle security break I see here it's if you place a plain text password there... on a database connection to a database for example... despite of this do yourself a huge favor... leave all those VB5 spider webs and put your hands on really OOP and RAD programming!

The main idea I want u to retain is:

You'll earn more money developing better and faster than securer... Trust me on this...!

Perhaps I should have put this posting in a separate thread, so if I should have please forgive me as I'm still very new here and just learning my way around.

I do have a question in seeking some advice. One of my goals in learning VB.NET is to write class libraries that can be used by other applications.

I realize in VB.NET you complile class libraries to a file. I have not gotten that far yet in my studies, so I do not know if the file takes on the form of an exe file or not.

But is it possible to use an obfuscator on a class library and would you suggest using one?

I mean no disrespect to anyone by asking this and acknowledge all that has been said so far in this thread. I am not seeking an absolute solution here as I realize that nothing, no matter what it is, is absolutely secure. If someone is determined enough to get something then it will happen.

Thanks,

Ira

Thank you for the input and clarification on that. I have made a note of it for when I get to the class libraries portion of my studies.

Ira

Sorry to disappoint you but I just want to remind you how unreliable an obfuscator is quoting AlexCode's words: What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...

Thank you for the input and clarification on that. I have made a note of it for when I get to the class libraries portion of my studies.

Ira

Your reply does not give an answer to the problem I have already pointed out, i.e. if you develop commercial software using VB.NET, anybody could decompile it, make some modifications to the code and graphic interface and become the owner of a new program based on your production.

How can you make money in that way?

Derek... I think we're out of arguments :D

What can we say to meke him see that he gains more money developing better and faster apps than more secure ones :confused: ?

 

We always got to supply some security but beeng obseced about it it's a run that will never end...

 

I'm no expert on Reverse Engeneer but if you build som app in VB5 and offer $1000 to a good hacker he gives you the code just like your friend gave you the .net code... :D

 

Maybe if the hacker is a smart one... he builds the entire program from scratch faster than he would reverse it !! and this is the logic...

 

Use ILDasm in one of yours EXE's and telme what u see!

Can you understand the logic of it from there?

It's what I told you... the onle security break I see here it's if you place a plain text password there... on a database connection to a database for example... despite of this do yourself a huge favor... leave all those VB5 spider webs and put your hands on really OOP and RAD programming!

 

The main idea I want u to retain is:

You'll earn more money developing better and faster than securer... Trust me on this...!

Dear esposito... it's not that peace of cake to retrieve the code as it was... the vars don't have their primitive names and is not that easy to read that and I keep telling u... If your code worths it anyone can decompile VB5 too...

But as ALL programing languages it's easyer to take the logic of the program and buil one from scrach... faster and better...

Thinking on this "problem" it forces developer to develop better apps, with better algorithms to worth the price...

I make a question...

Does anyone want to reverse an accounting software rather than get the 3 best ones, take their logic, goods and bads and buid one of their own?

Dear AlexCode, I'm afraid I must contradict you when you say anybody can decompile VB5 applications: executables created with VB5 can only be disassembled, not decompiled as VB.NET apps can. This means that, while it is possible to get the full source files from a VB.NET exe, it is only possible to get the assembly code from a VB5 program (unless you select the P-code option before compiling).

As you probably know, the assembly code cannot give you the plain source files, so borrowing the technique of the software, i.e. the code that allows functions to work, is impossible. Now, the way I see things is that this makes a fundamental difference between software created with VB5/VB6, which can be copyrighted, and software created with VB.NET which should logically belong to the open source world. It doesn't make any sense to copyright a VB.NET application since anybody could decompile it, "steal" the code and produce a similar, if not identical, program.

So, the conclusion I have come to is, for commercial purposes VB5/VB6 is a better choice, especially if your software is addressed to the general public.

I agree with you when you say "thinking on this problem will force developers to develop better apps, with better algorithms to be worth the price", but the implied "threat" is that as soon as a better application is available on the market, somebody may decompile it, modify it a little bit and make money with it, i.e. with somebody else's work.

esposito... How many sharewares do you have to make to worth buying this Protector?

RemoteSoft:

Our protector is available now at $1899 for 1-5 users.

:D:D

Compiling Natively removes the main ability of .Net. A .Net app can structure itself to make full use of special hardware features whereas a native code application needs to manually make use of special features. .Net apps may also become cross-platform compatible, a native app needs a Windows version, Linux version and Macintosh version but a .Net app may eventually have a "one for all"

A native program, though more difficult, can be disassembled. You can view the assembly of any running program by opening VS.Net and choosing Debug>Processes and pick any program you like.

A .Net program is easier to understand and easier to disassemble but, as has been said, it is probably not worth the trouble because you still do need to be a reasonable programmer to understand the dump from ILDASM and if it's just a combination of existing algorythms and nothing that hasn't been done before, it may not be worth examining.

Most companies that distribute commercial applications/technologies use EULAs to make the user swear never to decompile/disassemble their application under threat of a law suit.

Just as a side note, I've disassembled a few of the .Net apps that came with VS.Net to see how ILDASM worked, most of the programs were far to complicated to understand unless you had a few weeks/months to read through all the MSIL to see how it fits together since the compiled MSIL is much longer than the source code and not immediately understandable. An obfuscated program is even worse since every variable/class/namespace is renamed to a alphabet letter(A to Z), at least in the one I used.

:D... I 've never mentioned that Manage vs Unmanaged advantages or why MS use the IL because I think wouldn't worth... :D

I think our frind esposito, thinking like this, will never experience the goods of, for example, .net Reflection!...