Preventing Dissasembling

[pcwhiz78]

Is there any way to prevent a program such as .Net Reflection(http://www.aisto.com/roeder/dotnet/) from viewing my program's code. In my program, I have the serial number scheme, which I don't want users to be able to see.

[PlausiblyDamp]

There are a few available obfuscators which will make the program harder to disassemble the following being two such products.

http://www.wiseowl.com/products/products.aspx

http://preemptive.com/products/dotfuscator/index.html

 

Although if you wish to hide a serial number you may be better of looking at using some form of encryption instead.

[pcwhiz78]

Looks like those might work, but they're so expensive! Is there any cheaper option? What about compressing the EXE with UPX?

[PlausiblyDamp]

Not entirely sure how UPX would fare with .Net as the executables aren't normal windows executables - there may be issues with the metadata aspects.

I personally would go with encrypting the data using .Net's built in classes - not too difficult and far cheaper than a 3rd party product.

[mskeel]

And if you want something really scary (from an intellectual property standpoint), try running ildasm.exe on one of your programs. ildasm comes free with Visual Studio. You may need to put it in your path to run it from a command prompt.

 

The main problem is the new .Net Intermediate Language (IL) which lies somewhere between traditional assembler and high level code. Its low level enough to not BE the code, but high level enough so that it can still be easily read.

 

And the worst part is, Microsoft was going to distribute an obfuscator with VS but didn't!

 

http://www.ftponline.com/wss/2002%5F07/magazine/departments/guestop/

 

Keep in mind that obfuscation will only make it more difficult for someone to capture logic or malicously attack your code. A witty and determined attacker will still find a way to hack/steal others code, even if it has been obfuscated.

 

If anyone else knows anything about these subjects, I am very interested to learn more.

[PlausiblyDamp]

In general though how often do people come out with such a unique and amazing piece of code that somebody would take the time and trouble to decompile it, just to see how it works? If it really is an algorithm that is so special then you can patent them (don't get me started on my opinions of this though :mad: ) and protect your IP that way.

If it's for security reasons then there are plenty of ways to encrypt sensitive data that aren't breakable by seeing the code - in fact I personally wouldn't trust any closed source / algorithm encryption techniques in the slightest.

[mskeel]

Military/Government for one. I would think any company would want to protect what they write from being "borrowed". And patenting algorithms doesn't really protect it from unauthorized use e.g. the digital music craze and the original napster. Further, just a minor tweak to a patented algorithm will take it out of scope of the patent.

 

The problem is keeping secret information secret. Obfuscation will help but it won't stop everything. From decompilation standpoint, encryption would do the trick.

 

The big problem...how do you encrpyt an assembly to prevent decompilation? From what I understand, there is still an entry point for the assembly that is unencrypted and that is where the executable will unencrypt itself for execution (becuase it can't actaully run while encrypted). So the decompiler will decompile the first part then choke? But how do you encrypt it in the first place?

 

And becuase the executable must unencrypt before execution, it is still vulnerable to information capture -- just walk through it using special software like you do with a debugger.

[Denaes]

And a quick run on the web, you find 'hacking' or 'cracking' tutorials that involve little apps that run a program and read memory. Not .Net, but C/C++/win32. This is how they get the cracks and keycodes. Sure it's a 1-5 step process sometimes, but still.

 

No matter what precautions you take, they'll be broken by someone... probobly within hours or days - if they care to do so.

 

The problem is that no matter what you do to protect your code/information, the computer has got to ultimately read it, which gives people a key to read it themselves.

 

I don't particularily like how .Net apps are so easy to get the code for. I don't like the idea of me spending 3 weeks coding something and some punk decompiling then changing the variables or properties and reselling/distributing it himself as his.

 

You think this is bad. The "Future" of .Net isn't with winForms, but with these .Net apps written using XML... basically scripting. Looks mostly like a cross between the features of winForms with the coding of ASP.Net (similar), which can also be viewed on the web.

 

I like the idea of writing an MP3 sorting program in notepad. Nice. I don't like the idea of being a professional programmer and anyone being able to open your "app" with notepad and change/copy anything.

[Nerseus]

Personally, I wouldn't worry about anyone decompiling code. As mentioned, it's ALWAYS available in some form, even if it's just machine code (assembly). Some argue the merits of making it harder for the average hacker to see the code and that's probably good enough for most - any obfuscator will do that. I haven't tried it, but Visual Studio 2003 even comes with one (at least the Enterprise Edition does) - the community edition of Dotfuscator.

 

Besides obfuscating your code, just use the rule of thumb that you never put passwords, serial numbers, etc. - ie, sensitive data - in your code. That makes it easier for the simpleton hackers to view the EXE and see it. If you validate against a webserver, database server, etc., you'll stop the majority of average hackers since you won't be embedding anything. You will never be able to stop the "good" hackers if they really want to get at your code.

 

And remember, if your product/software is so good that someone wants to decompile it or change it, someone will be able to do it. You can't stop them, period. The only thing you can do is make it harder for them to read it, which is what the obfuscator does. If you really want/need to embed sensitive data, then you can try and make it as hard as possible, but nothing is fullproof. That isn't meant to sound scary, it's just a fact - the code is always available for viewing.

 

I'd love to hear about a specific program someone's written or knows about that would definitely need some kind of encryption beyond an obfuscator. I tried to think of one but I just can't. I can always think of a better solution to slow down (not prevent) a user from getting at what I wouldn't want them to.

 

-ner

[Jay1b]

Program's themselves arent that special - its the idea behind them thats worth money.

[travisowens]

No dissassemble Johnny 5!

 

 

(sorry, I couldn't resist)

[divil]

http://www.remotesoft.com/salamander/protector.html

 

This product will completely stop any automated decompilation or disassembly of your .net assemblies back to IL or source code. The most anyone would be able to do is get a machine code disassembly, which you can do for any windows program.