Recommended protection/encryption tool for .net apps

[adiavn]

Hi
My application (.Net 2.0) uses a hardware key to prevent illegal copies.
The problem is it's very easy to reverse engineer the code to remove this
check.
As far as I know obfuscation tools are useless for this scenario, since
cracking the protection only requires searching the code for a use of the
protection tool's API assembly (I'm using a 3rd party dongle).
Which tools would you recommend?

 

[GhostInAK]

Hello adiavn,

My recommendation would be to not bother. You can spend hundreds of thousands
of dollars trying to protect your bits, but in the end, it will be cracked...
and it only takes once. So I suggest spending a minimum of effort and money
(perhaps just use a standard obfuscation pkg) and concentrating instead on
making your app salable. Make people WANT to buy your bits. That's all
you can really hope for ultimately. Oh, and once it IS cracked.. I would
suggest feeling flattered that someone found your application worthy enough
to spend time stealing. Either that or turn into a grumpy control freak
bastard..

-Boo

 

[adiavn]

Come on, is that a serious reply?
Suppose I am a "grumpy control freak bastard", which solutions do you
recommend?

 

[adiavn]

Currently I'm debating between those two:
http://www.sofpro.com/pcgw32.htm
http://dotnetprotector.pvlog.com/Home.aspx

Any recommendations?

 

[GhostInAK]

Hello adiavn,

Of course it's a serious reply. Did you miss the point? YOU CAN'T PROTECT
YOUR BITS FROM A DETERMINED CRACKER. PERIOD. All you can do is make it
more difficult. The return on investment though is (roughly) negatively
proportionate to the amount of effort you spend on it.

-Boo

 

[Ben Voigt]

Come on, is that a serious reply?
Suppose I am a "grumpy control freak bastard", which solutions do you
recommend?

You can do pretty well by storing some of your core application logic on the
hardware key, then using Assembly.LoadBytes. This will defeat static
analysis, because the data is only known at runtime, and removing the code
to talk the the key won't work, it has to be replaced with the code stored
on the key. Only someone who bought the product will be able to defeat the
copy protection.

Now, serialize each key. Implant into the key-hosted assembly some
customer-specific identifier, making it look as much as possible like
necessary code. Maybe if you have a sequence of blocks which can be
completed in any order, (creating controls on a Form comes to mind, or
initializing member variables in a constructor), you can scramble the
sequence. Then, if someone does use a debugger to grab the bytes retrieved
from the key, save them to an on-disk assembly, and patch your application
to load from disk instead of from key, you can at least find out who
violated your licensing agreement, and you'll have a big stick to use in
court.

 

[Ben Voigt]

You can do pretty well by storing some of your core application logic on
the hardware key, then using Assembly.LoadBytes. This will defeat static
analysis, because the data is only known at runtime, and removing the code
to talk the the key won't work, it has to be replaced with the code stored
on the key. Only someone who bought the product will be able to defeat
the copy protection.

Now, serialize each key. Implant into the key-hosted assembly some
customer-specific identifier, making it look as much as possible like
necessary code. Maybe if you have a sequence of blocks which can be
completed in any order, (creating controls on a Form comes to mind, or
initializing member variables in a constructor), you can scramble the
sequence. Then, if someone does use a debugger to grab the bytes
retrieved from the key, save them to an on-disk assembly, and patch your
application to load from disk instead of from key, you can at least find
out who violated your licensing agreement, and you'll have a big stick to
use in court.

PS If you're spending this kind of capital on copy-protection, do the right
thing and send me $1000 for telling you how.

 

[LogicNPSoftware]

[SIZE=+1]Obfuscation is better than nothing. Take a look at Crypto Obfuscator. It also has a companion licensing product - CryptoLicensing - with good integration between the two.[/SIZE]