I'm concerned a commercial application I've completed could be stolen by
deobsfuscation. However it's not clear to me what information is gained
when my .net executable is deobsfuscated (decompiled?). Any insight on the
subject would be greatly appreciated.

-Alex

"Alex Glass" <(E-Mail Removed)> wrote in message
news:k_ake.655$(E-Mail Removed)...
> I'm concerned a commercial application I've completed could be stolen by
> deobsfuscation. However it's not clear to me what information is gained
> when my .net executable is deobsfuscated (decompiled?). Any insight on
> the subject would be greatly appreciated.

I blogged a bit about this recurring concern here:
http://codingsanity.blogspot.com/2005/05/yawgan.html

Alex Glass <(E-Mail Removed)> wrote:
> I'm concerned a commercial application I've completed could be stolen by
> deobsfuscation. However it's not clear to me what information is gained
> when my .net executable is deobsfuscated (decompiled?). Any insight on the
> subject would be greatly appreciated.

Obfuscation and decompilation are separate things - obfuscation just
makes it harder to read the decompiled code.

The easiest way to find out what someone would see is to try it
yourself. Personally I think it's not too much of a problem for most
people - code is very hard to understand as a whole when you haven't
got local variable names or any comments.

I wouldn't worry about other comparnies stealing your code, unless
you've got an important algorithm in there (which most applications
don't - the IP is in the design, usually) but you might legitimately
worry about people getting round your licensing code (if you use a
licence key etc). However, the proportion of the population who can do
this is very small - so long as they don't distribute the cracked
version (which is something you might want to search for on a regular
basis) you shouldn't lose many sales.

--
Jon Skeet - <(E-Mail Removed)>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too

beside sign your assembly.
it makes cracked version of your assembly less usable! (I believe...)

"Jon Skeet [C# MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Alex Glass <(E-Mail Removed)> wrote:
>> I'm concerned a commercial application I've completed could be stolen by
>> deobsfuscation. However it's not clear to me what information is gained
>> when my .net executable is deobsfuscated (decompiled?). Any insight on
>> the
>> subject would be greatly appreciated.
>
> Obfuscation and decompilation are separate things - obfuscation just
> makes it harder to read the decompiled code.
>
> The easiest way to find out what someone would see is to try it
> yourself. Personally I think it's not too much of a problem for most
> people - code is very hard to understand as a whole when you haven't
> got local variable names or any comments.
>
> I wouldn't worry about other comparnies stealing your code, unless
> you've got an important algorithm in there (which most applications
> don't - the IP is in the design, usually) but you might legitimately
> worry about people getting round your licensing code (if you use a
> licence key etc). However, the proportion of the population who can do
> this is very small - so long as they don't distribute the cracked
> version (which is something you might want to search for on a regular
> basis) you shouldn't lose many sales.
>
> --
> Jon Skeet - <(E-Mail Removed)>
> http://www.pobox.com/~skeet
> If replying to the group, please do not mail me too

Lloyd Dupont <(E-Mail Removed)> wrote:
> beside sign your assembly.
> it makes cracked version of your assembly less usable! (I believe...)

Not really. The cracker just needs to find all the things which depend
on the assembly being signed, and remove those dependencies. It makes
it a little bit harder, but not a lot.

Assembly signing is really there to allow the end user to prove that
the software came from you; it doesn't make sure that someone who
doesn't care about signatures can't run code.

--
Jon Skeet - <(E-Mail Removed)>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too

Yes john this is what I had assumed, my IP is in the design but I was still
concerned about whether or not people who deobfuscate would be able to
somehow recreate the code as it looks in my compiler.

"Jon Skeet [C# MVP]" <(E-Mail Removed)> wrote in message
news:<(E-Mail Removed)>...

> Alex Glass <(E-Mail Removed)> wrote:

> > I'm concerned a commercial application I've completed could be stolen by

> > deobsfuscation. However it's not clear to me what information is gained

> > when my .net executable is deobsfuscated (decompiled?). Any insight on
> > the

> > subject would be greatly appreciated.

>

> Obfuscation and decompilation are separate things - obfuscation just

> makes it harder to read the decompiled code.

>

> The easiest way to find out what someone would see is to try it

> yourself. Personally I think it's not too much of a problem for most

> people - code is very hard to understand as a whole when you haven't

> got local variable names or any comments.

>

> I wouldn't worry about other comparnies stealing your code, unless

> you've got an important algorithm in there (which most applications

> don't - the IP is in the design, usually) but you might legitimately

> worry about people getting round your licensing code (if you use a

> licence key etc). However, the proportion of the population who can do

> this is very small - so long as they don't distribute the cracked

> version (which is something you might want to search for on a regular

> basis) you shouldn't lose many sales.

>

> --

> Jon Skeet - <(E-Mail Removed)>

> http://www.pobox.com/~skeet

> If replying to the group, please do not mail me too

"Jon Skeet [C# MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Alex Glass <(E-Mail Removed)> wrote:
>> I'm concerned a commercial application I've completed could be stolen by
>> deobsfuscation. However it's not clear to me what information is gained
>> when my .net executable is deobsfuscated (decompiled?). Any insight on
>> the
>> subject would be greatly appreciated.
>
> Obfuscation and decompilation are separate things - obfuscation just
> makes it harder to read the decompiled code.
>
> The easiest way to find out what someone would see is to try it
> yourself. Personally I think it's not too much of a problem for most
> people - code is very hard to understand as a whole when you haven't
> got local variable names or any comments.
>
> I wouldn't worry about other comparnies stealing your code, unless
> you've got an important algorithm in there (which most applications
> don't - the IP is in the design, usually) but you might legitimately
> worry about people getting round your licensing code (if you use a
> licence key etc). However, the proportion of the population who can do
> this is very small - so long as they don't distribute the cracked
> version (which is something you might want to search for on a regular
> basis) you shouldn't lose many sales.
>
> --
> Jon Skeet - <(E-Mail Removed)>
> http://www.pobox.com/~skeet
> If replying to the group, please do not mail me too

Alex Glass <(E-Mail Removed)> wrote:
> Yes john this is what I had assumed, my IP is in the design but I was still
> concerned about whether or not people who deobfuscate would be able to
> somehow recreate the code as it looks in my compiler.

Well, if you were to give people a debug build (with the pdb), they'd
have pretty much your code minus the comments. If you give them a
release build (without a pdb) they'll have the code without comments or
local variables. If you obfuscate the code, that will remove as many
meaningful names as possible (within the bounds of implementing public
interfaces etc).

--
Jon Skeet - <(E-Mail Removed)>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too