Decompiling, is this a problem?

Grant

I've seen a couple of articles on the internet that VB.NET applications
can be decompiled very easily. For those who have had experience with
this, is it true? What steps can be taken to avoid this? I am using
VB.NET Express but am willing to buy something (within reason) to
prevent easy decompiling. Any suggestions are much appreciated.
 
AGP

Grant said:
I've seen a couple of articles on the internet that VB.NET applications
can be decompiled very easily. For those who have had experience with this,
is it true? What steps can be taken to avoid this? I am using VB.NET
Express but am willing to buy something (within reason) to prevent easy
decompiling. Any suggestions are much appreciated.

Download the free Reflector from http://www.red-gate.com/products/reflector/
and see how easy it is to see your source. VS2005 comes with a version of
Dotfuscator (reach it from the Tools menu) that will do some obfuscation.
I've had moderate success with it. You should probably look for a commercial
application that will obfuscate your source.

AGP
 
Michel Posseth [MCP]

Please note that the same is true for all .Net languages (VB.Net, C#,
J#, Delphi.Net, etc. etc. etc.)
and also for Java.

Yes...

There are lots of obfuscating tools out there; however, none of them can
give a 100% guarantee
that it is really impossible to reverse engineer your app.

hth
Michel
 
Cor Ligthert[MVP]

Second attempt
Grant,


And then? It is easier to create a program with VB.Net than to decompile
it and to try to make another program from it.
Those who are not able to do the first are for sure not able to do the
second.

As it is about security, then think that it is possible to decompile every
program, it is just how smart you are.
Use for security the security options or find more ways to do that outside
the code.

Just my opinion.

Cor
 
Herfried K. Wagner [MVP]

Grant said:
I've seen a couple of articles on the internet that VB.NET applications
can be decompiled very easily. For those who have had experience with
this, is it true? What steps can be taken to avoid this? I am using
VB.NET Express but am willing to buy something (within reason) to
prevent easy decompiling.

There are three solutions:

* Obfuscation
* Encryption
* Services


Microsoft's solution:


SLP Services Home
<URL:http://www.microsoft.com/slps/Default.aspx>


You can use obfuscation (VS comes with a cut down version of a commercial
obfuscator) to make reverse engineering harder.


However, this is not a perfect solution. The only 100 % solution is to
place the code on a server you own and expose the functionality via a
service (Web service).
 
rowe_newsgroups

I've seen a couple of articles on the internet that VB.NET applications
can be decompiled very easily. For those who have had experience with
this, is it true? What steps can be taken to avoid this? I am using
VB.NET Express but am willing to buy something (within reason) to
prevent easy decompiling. Any suggestions are much appreciated.

You have to ask yourself if you're actually writing anything that has
a risk of being disassembled and "stolen". If you're not, then you
have reason to muddy your development waters with obfuscation. Also
evaluate the business value, are you going to get a good ROI for the
additional work? Is your user base really interested in disassembling
your code?

Personally, I'd be willing to give my code to anyone that uses the
application, the more eyes on my code the more bugs will be found.

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
 
AGP

Herfried K. Wagner said:
There are three solutions:

* Obfuscation
* Encryption
* Services

Microsoft's solution:

SLP Services Home <URL:http://www.microsoft.com/slps/Default.aspx>

You can use obfuscation (VS comes with a cut down version of a commercial
obfuscator) to make reverse engineering harder.

However, this is not a perfect solution. The only 100 % solution is to
place the code on a server you own and expose the functionality via a
service (Web service).

I'm glad that MS has a solution but IMHO that should have been built into VS.
It seems that's just another way to suck money out of the developer. I just
transitioned to .NET after some years of reluctance and am now finding out
that the source is easily decompiled from my app. I've read some articles on
why this is so easy and I understand, but MS should have included something
more than the Dotfuscator. I've tried it and it doesn't seem to work. Their
website is poorly arranged and they have yet to answer my inquiries. As a
small developer my options are limited as I can't go out and spend thousands of
dollars for better protection, yet I have to release updates in a timely
manner. Anyway, I'm looking for a good solution that is reasonable for a
small developer. Anyone have any suggestions?

AGP
 
rowe_newsgroups

I'm glad that MS has a solution but IMHO that should have been built into VS.
It seems that's just another way to suck money out of the developer. I just
transitioned to .NET after some years of reluctance and am now finding out
that the source is easily decompiled from my app. I've read some articles on
why this is so easy and I understand, but MS should have included something
more than the Dotfuscator. I've tried it and it doesn't seem to work. Their
website is poorly arranged and they have yet to answer my inquiries. As a
small developer my options are limited as I can't go out and spend thousands of
dollars for better protection, yet I have to release updates in a timely
manner. Anyway, I'm looking for a good solution that is reasonable for a
small developer. Anyone have any suggestions?

AGP

I still stick to my above statements.

What are you writing that's so important that no unauthorized people
can see the code?

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
 
Cor Ligthert[MVP]

AGP,

Then make it yourself, nobody forbids you to do that. (As long as you are
not using illegal others intelligence).

Cor
 
AGP

I'm glad that MS has a solution but IMHO that should have been built into VS.
It seems that's just another way to suck money out of the developer. I just
transitioned to .NET after some years of reluctance and am now finding out
that the source is easily decompiled from my app. I've read some articles on
why this is so easy and I understand, but MS should have included something
more than the Dotfuscator. I've tried it and it doesn't seem to work. Their
website is poorly arranged and they have yet to answer my inquiries. As a
small developer my options are limited as I can't go out and spend thousands of
dollars for better protection, yet I have to release updates in a timely
manner. Anyway, I'm looking for a good solution that is reasonable for a
small developer. Anyone have any suggestions?

AGP

I still stick to my above statements.

What are you writing that's so important that no unauthorized people
can see the code?

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/

I guess what is in my code is not really relevant. Some of it is
proprietary algorithms and other stuff is common. Just like any other
developer that makes commercial apps I don't want competing developers from
just decompiling and using code that I have worked long and hard to perfect.
If you are willing to open source your code then that is great and I have no
problems with that. But I don't want my code to be out in the open for
everyone to see. It's just that simple. If the case was that every piece of
code should be seen then there wouldn't be a need for obfuscators and
encryption services like the one that MS is offering.

AGP
 
AGP

Cor Ligthert said:
AGP,

Then make it yourself, nobody forbids you to do that. (As long as you are
not using illegal others intelligence).

Cor

Make what? An obfuscator? I'm not saying that I want to make one, I just want
to know what options are out there.

AGP
 
Grant

rowe_newsgroups said:
I still stick to my above statements.

What are you writing that's so important that no unauthorized people
can see the code?

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/


My has a key stored as a string variable for encryption which I want
hidden. Don't care too much about the rest. Any better ways to hide this?
 
rowe_newsgroups

I still stick to my above statements.

What are you writing that's so important that no unauthorized people
can see the code?

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/

I guess what is in my code is not really relevant. Some of it is
proprietary algorithms and other stuff is common. Just like any other
developer that makes commercial apps I don't want competing developers from
just decompiling and using code that I have worked long and hard to perfect.
If you are willing to open source your code then that is great and I have no
problems with that. But I don't want my code to be out in the open for
everyone to see. It's just that simple. If the case was that every piece of
code should be seen then there wouldn't be a need for obfuscators and
encryption services like the one that MS is offering.

AGP

Granted, if you are using proprietary algorithms I can understand why
you would want to protect them, but in my experience I rarely see
something so special that another skilled developer couldn't simply
write it again. In my opinion, your competitor would be silly to just
disassemble and try to pass the code off as their own, especially
since products like Reflector aren't perfect and a lack of unit tests
(surely you are using unit tests right?) would put them in an
extremely dangerous situation.

Also, please understand I didn't say you should open source your
applications, I merely said I wouldn't worry about disassembly. Open
source is a massive commitment, and it doesn't make good business
sense for many businesses to implement.

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
 
rowe_newsgroups

My has a key stored as a string variable for encryption which I want
hidden. Don't care too much about the rest. Any better ways to hide this?

Very, very, very, very dangerous. Even in "classic" vb, I used to open
up executables in notepad and pull out any string constructs. This is
basically "security by obscurity" and you are opening up yourself for
disaster if this encryption key is protecting something very valuable.
Unfortunately, without doing a full review of your application it'd be
hard to recommend a good alternative, but I recommend you do a system
review.

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
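
The point made in the last reply, that string constants can be read straight out of a compiled executable, can be turned into a pre-release check on your own build output. The Python sketch below is an added example, not code from anyone in the thread; the key value and the sample bytes are constructed, and the function names are illustrative.

```python
import re

# Constructed placeholder key and a constructed stand-in for a compiled .exe:
# binary padding around the key stored as UTF-16LE (the encoding .NET uses for
# string literals in an assembly) plus one ASCII identifier.
SAMPLE_KEY = "Ex4mple-K3y-Not-Real"
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00" + bytes(range(1, 32))
    + SAMPLE_KEY.encode("utf-16-le") + b"\x00\x00\x07\x01"
    + b"GetBytes\x00" + bytes([0x80, 0xFF, 0x00])
)


def printable_runs(blob: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII runs, then printable UTF-16LE runs, in blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    runs = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    runs += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return runs


def secret_exposures(blob: bytes, secret: str) -> list[str]:
    """Name each encoding in which secret appears verbatim in blob."""
    return [enc for enc in ("utf-8", "utf-16-le") if secret.encode(enc) in blob]


def release_gate(blob: bytes, secrets: list[str]) -> bool:
    """True only if none of the secrets is readable in the build output."""
    return not any(secret_exposures(blob, s) for s in secrets)


if __name__ == "__main__":
    print(printable_runs(SAMPLE_BINARY))
    print(secret_exposures(SAMPLE_BINARY, SAMPLE_KEY))
    print(release_gate(SAMPLE_BINARY, [SAMPLE_KEY]))
```

A gate like this only catches a secret stored verbatim; passing it does not mean a key embedded in the shipped program is protected.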
 
