How can I protect against decompilers


Tolga Tanriverdi

I saw something named obfuscator and it's decompiling the source code of my
program, which is written in C#, and my program includes the MySQL root password
inside of it.
Is there any way to protect my program against these decompilers?
Thanks
 
I have some experience working with:
9Rays (Spices), RemoteSoft (Salamander), PreEmptive Solutions
(Dotfuscator), and Demeanor.

I found that all of the above obfuscators just rename custom properties,
classes, and method names.
Some provide good string encryption and even some refactoring.
Here is a hidden problem for commercial applications.

.NET is not translatable to Java-like opcodes - it's an assembler for a virtual
machine, so all the main calls and method names will remain (it helps with
orientation).
For example, if you're using a Licensing Class - the only thing you need to do
to break a 'licensed' application is replace 'throw' with 'ret' (in MSIL),
and it will not die on left license; as the general licensing logic is:
'validate or die' - this is very breakable.

So the obfuscators are good for complicating code insight, but not enough to
provide real protection in most cases.
The way is custom loaders with advanced polymorphic logic, but you will
lose interpretability.

Regards,
Dm.
 
Tolga Tanriverdi said:
I saw something named obfuscator and it's decompiling the source code of my
program, which is written in C#, and my program includes the MySQL root password
inside of it.
Is there any way to protect my program against these decompilers?

You should not encode secrets into your compiled code. Do you have
individual clients access the database directly? Run the request through a
service layer instead of accessing the database directly.
 
.NET is not translatable to Java-like opcodes - it's an assembler for a virtual
machine, so all the main calls and method names will remain (it helps with
orientation).

In what way is that not like Java? It's *exactly* like Java - you can
use ildasm instead of javap and you get to see the IL rather than the
byte code, but that's all.

<snip>
 
Note that even if you wrote your app in straight C, a string password can be
found pretty easily. Again, don't put passwords in exes unless you are
trying to keep out pre-schoolers.

-sb
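
Added example, not part of any poster's message: a pre-release check that scans a compiled binary for embedded connection-string passwords, illustrating the point in the replies above that such strings are easy to find. It searches both ASCII and UTF-16LE, because .NET stores string literals as UTF-16 and an ASCII-only search misses them. The function names, the regex and the sample bytes are constructed for this example.

```python
import re
from pathlib import Path

# Keys that usually carry a credential in a connection string.
# This pattern is an assumption for the example; extend it for your code base.
_CRED = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s\"']+)")


def _runs(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable runs, ASCII then UTF-16LE."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_embedded_credentials(data: bytes):
    """Return one finding per credential-looking key; the value is masked."""
    findings = []
    for offset, enc, text in _runs(data):
        for m in _CRED.finditer(text):
            findings.append({
                "offset": offset,            # start of the string run in the file
                "encoding": enc,
                "key": m.group(1).lower(),
                "masked": m.group(2)[:1] + "***",
            })
    return findings


def scan_file(path):
    """Scan a build artifact (exe/dll) on disk."""
    return find_embedded_credentials(Path(path).read_bytes())


# Constructed sample: a fake header, one UTF-16LE literal (as a C# string
# would be stored) and one ASCII literal (as in a native binary).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "Server=db.example.invalid;Uid=root;Pwd=NotARealSecret;".encode("utf-16-le")
    + b"\x00\x01\x02"
    + b"host=localhost;password=AlsoFake1;" + b"\x00"
)

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE):
        print(finding)
```

Run it over build output before shipping and fail the build on any finding; the fix is the one given in the replies, moving the credential behind a service layer rather than hiding it better.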
 