Copy protection for a .NET application

William Stacey [MVP]

1. you have definitely no access to the code that is encrypted, because it
is stored in a flash memory of the smartcard, which is also immune to
physical investigation of data under Electron Scanning Microscope.

I may have missed it, but that was not what the docs said that I read. The
code is not stored on the HL. Only the private keys are stored on the HL.
The HL decrypts the secrets to return the text so it can decrypt the
assembly. Then the assembly can run as normal in memory.

2. nobody, even the developer doesn't know the private key to encrypt and to
run the code required.
Remember, the code "doesn't" run on the CPU of the target machine, but on
another place.

Your .Net code running inside the little usb device? That would have some
scalability issues I would think.
 
Christian Gudrian

Salih said:
And assume that the algorithm that calculates this value is the main
part of your program.

Bear in mind that the memory available on smart cards is very limited.
I doubt that one will be able to put "the main part of your program"
within a couple of kibibytes.

Christian
 
C-Services Holland b.v.

William said:
like you would do in normal digital envelope. But the RSA private key is
stored in the lock. Like all crypto, it comes down to protecting the keys
and to use the resulting clear text for only a very short time and remove it
from memory. Here is where it comes back to the same problem we all have -
protecting the clear text in memory. The driver api call to decrypt the rj
keys *has to return clear text to init Rijndael with - just has to be done.

AFAIK the hardlock itself decodes the encrypted part, it doesn't send
the key to the computer. So the key is never visible.

Of course I don't have detailed insight into their methods, but if I had
to develop something like that, I would also decrypt the exe in (random)
chunks or on demand so that at no particular time the entire decrypted
code is stored in memory.

It probably isn't impossible to break, but it won't be as easy as you
make it seem IMHO.
 
Guest

Well, William, there are many devices around that work as the hardware locks.
That you may put on Parallel port (the earliest), serial port, USB, even I
saw some using ISA or PCI expansion boards...

Unlike EPROM's and EEPROM's of earlier, Flash RAM modules hold data
electrically, which makes them immune to ESM... If you emit electrons or
photons on such a device, you just erase what's written inside... :)

And for the scalability issue. I accept this is a fact. But, if your
application needs to run as a server and needs scalability, there are really
good alternative scenarios. My approach is just for desktop applications.

Salih Goncu
 
Guest

Believe me Christian, in most of the applications around, the code or
algorithm that makes the application unique is so small... And 2K of ram is
not so little... I remember I was able to use my spreadsheet program on my
Sinclair ZX Spectrum (an 8 bit computer with just 8 K of ram)... :)

If you don't have to deal with graphical UI, the memory requirements of
applications are just fractions on the order of 10, with the GUI enabled
application.

Salih Goncu
 
Christian Gudrian

Salih said:
Believe me Christian, in most of the applications around, the code or
algorithm that makes the application unique is so small...

That's certainly not the case for our application. :)

Christian
 
William Stacey [MVP]

I think (using HL envelope method) just returns the AES key to allow the api
to decrypt your local code in the wrapper. But have seen reference to both
ways in the docs that are not very helpful to see what goes on. However,
either way, clear data comes back from the HL. Either a clear encryption
key, or the clear data itself. The dll(s) eventually has to be
reconstituted completely in memory, so that will always be the weak spot for
any encryption method. In this regard, it is not much different from
downloading a decrypted dll from a remote server and loading it. In this
case, the HL is the server. The difference is one uses Ethernet and one
uses USB as the transfer media.
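
The envelope flow described in this post, as an added example that is not part of the original thread or any vendor's API: `SimulatedLock` is a hypothetical stand-in for the hardware lock, the payload is constructed, and the .NET `Aes` class (CBC by default) stands in for Rijndael. It assumes a current .NET runtime.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the hardware lock: the RSA private key never leaves this object.
sealed class SimulatedLock : IDisposable
{
    private readonly RSA _rsa = RSA.Create(2048);
    public byte[] ExportPublicKey() => _rsa.ExportRSAPublicKey();
    // The call the thread discusses: a wrapped key goes in, the clear key comes out.
    public byte[] UnwrapKey(byte[] wrapped) => _rsa.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    public void Dispose() => _rsa.Dispose();
}

static class EnvelopeDemo
{
    static void Main()
    {
        using var hl = new SimulatedLock();
        // Constructed sample standing in for the protected assembly bytes.
        byte[] payload = Encoding.UTF8.GetBytes("constructed stand-in for assembly bytes");

        // Build time: encrypt the payload with a fresh AES key, wrap that key with the lock's public key.
        byte[] iv, cipherText, wrappedKey;
        using (var aes = Aes.Create())
        using (var pub = RSA.Create())
        {
            pub.ImportRSAPublicKey(hl.ExportPublicKey(), out _);
            iv = aes.IV;
            using var enc = aes.CreateEncryptor();
            cipherText = enc.TransformFinalBlock(payload, 0, payload.Length);
            wrappedKey = pub.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
        }

        // Run time: the lock hands the clear AES key back into host memory.
        byte[] clearKey = hl.UnwrapKey(wrappedKey);
        byte[] clear;
        try
        {
            using var aes = Aes.Create();
            aes.Key = clearKey;
            aes.IV = iv;
            using var dec = aes.CreateDecryptor();
            clear = dec.TransformFinalBlock(cipherText, 0, cipherText.Length);
        }
        finally { CryptographicOperations.ZeroMemory(clearKey); } // shorten the clear key's lifetime
        // 'clear' still sits in process memory after this point, which is the weak spot named above.
        Console.WriteLine(Encoding.UTF8.GetString(clear));
    }
}
```

Zeroing the unwrapped key limits how long it is exposed, but the decrypted payload remains readable in the host process for as long as it is in use.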
 
William Stacey [MVP]

It has an OS, the CLR, and a subset of the framework, and your program in
8K?
 
Guest

Hey !

There are lots of tools available in the market which can encrypt the IL.
One of the tools ships with Visual Studio 2003 too. Check with that tool. Hope
this helps !

Thanks,
Nikhilesh
 
Frank

Hello Massimo,

.NET programs are always Open-Source, if you do not protect it with a third
party tool. Have a look at programs like Anakrino and you see that all your
code (obfuscated or not) is visible in source.

Obfuscating has the only effect, that understanding your program needs much
more time. If you want to protect it securely, you need an additional tool
like Thinstall or others. These tools have the great disadvantage that your
protected program is no longer a real .NET program for the environment.
That means, it is, for example, not possible to change the security with the
.NET Framework wizard.

An ideal solution is not available! I think this must be realized by
Microsoft.

I think it's a joke: Microsoft has many reasons against open-source and
protects its own software very well and creates a developer suite without any
effective copy protection.

Bye

Frank
 
Jon Skeet [C# MVP]

Frank said:
.NET programs are always Open-Source, if you do not protect it with a third
party tool.

Either you don't understand Open Source, or you're wilfully ignoring
whole rafts of implications of the phrase beyond being able to get
(probably illegally, depending on the licence of the application) some
source which you can compile.

Have a look at programs like Anakrino and you see that all your
code (obfuscated or not) is visible in source.

Only if you don't put any comments in your code. What comes out of a
decompiler is nothing like my code...

Have you ever tried to understand a large and complex piece of software
without any comments? Even without obfuscation, it's still a
significantly difficult undertaking.

Obfuscating has the only effect, that understanding your program needs much
more time.

So do all other solutions. If the code runs on someone's computer,
ultimately that person can see the code in some form or other.

If you want to protect it securely, you need an additional tool
like Thinstall or others.

If you think those give 100% security, you're deluding yourself. They
make it another level harder, certainly.

These tools have the great disadvantage that your
protected program is no longer a real .NET program for the environment.
That means, it is, for example, not possible to change the security with the
.NET Framework wizard.

An ideal solution is not available! I think this must be realized by
Microsoft.

I think it's a joke: Microsoft has many reasons against open-source and
protects its own software very well and creates a developer suite without any
effective copy protection.

Yes, because the games industry is proof positive that native code is
uncrackable, isn't it?
 
Frank

Hello Jon,

you are right. Open-Source means not only the availability of the source code,
but also a copy license (like GPL, LGPL or so on). In this case I only mean
the easy availability of the source code. It's included in the .NET
application.

If you use tools like Anakrino you get only the source code without
comments, but it is much more than a reverse engineering of the program
code, which offers you only the assembly code of the program. I must
sometimes take the code of a colleague (who left our company) in my company
and add additional functions to these programs. Especially the older code has
no or poor comments, but it's possible and much easier than getting
only the assembler code!

I think there is a fault in your view. The goal is not a 100% security (this
does not exist). The goal is to make code copy much more difficult. So the
time for creating the program should be less than the time for copying another
program and understanding the philosophy of the source code. This is the goal
for copy protection of a program. And for copy protection I do not only mean
safety for cracking program, but safety for avoiding changing source code or
copy of a part of the program like an algorithm.

Frank
 
Jon Skeet [C# MVP]

Frank said:
you are right. Open-Source means not only the availability of the source code,
but also a copy license (like GPL, LGPL or so on). In this case I only mean
the easy availability of the source code. It's included in the .NET
application.

If you use tools like Anakrino you get only the source code without
comments, but it is much more than a reverse engineering of the program
code, which offers you only the assembly code of the program. I must
sometimes take the code of a colleague (who left our company) in my company
and add additional functions to these programs. Especially the older code has
no or poor comments, but it's possible and much easier than getting
only the assembler code!

I think there is a fault in your view. The goal is not a 100% security (this
does not exist). The goal is to make code copy much more difficult. So the
time for creating the program should be less than the time for copying another
program and understanding the philosophy of the source code. This is the goal
for copy protection of a program. And for copy protection I do not only mean
safety for cracking program, but safety for avoiding changing source code or
copy of a part of the program like an algorithm.

I agree that it's just a case of making it harder - which is what an
obfuscator does. It was when you suggested that turning it into native
code suddenly made it actually secure that I was disagreeing.
 
Guest

Do you know if there are there any tools that help with licensing and
activation? Do any of them come with Visual Studio .NET?

Jeff
 
