How to protect my source code from reverse engineering

Guest

Hi, while browsing the net I noticed that there are sites publishing some
software that claims it can decompile .NET applications. I didn't believe
it, in fact, but after trying it I was surprised that I could retrieve my code
from my applications after I compile them, so I need to know how to prevent this
from happening to my applications.
Thanx in advance
 
jpierce

Fady said:
> Thanx but the funny thing at this site for example
> http://www.remotesoft.com/salamander/obfuscator.html
> is that they also provide a decompiler that can decrypt the code that has been
> encrypted with their obfuscator.
> Is there any better solution?

Fady,
This question has been discussed many times in these forums.
Obfuscators sufficiently rename members so that the decompiled code is
not readable or very usable as a source codebase. Obfuscation is not
intended to hide sensitive data, which should be kept server side.

We also sell a combination .NET Decompiler/Obfuscator product that
provides both capabilities. We use the product on itself to protect the
versions we ship. You can download a free trial version of our
Decompiler.NET product from our web site at
http://www.junglecreatures.com/ and see the obfuscation and
decompilation capabilities in the browser user interface that we
provide.

Jonathan Pierce
President
Jungle Creatures, Inc.
http://www.junglecreatures.com/
 
Guest

well that didn't really solve my problem
I still need a way to prevent other ppl from reading my code in plain text
thanx anyway
 
jpierce

Fady said:
> well that didn't really solve my problem
> I still need a way to prevent other ppl from reading my code in plain text
> thanx anyway

Fady,

It does solve your problem. The obfuscated code is no longer
understandable, and our obfuscator encrypts string literals and removes
them from your code by replacing them with lookups. You should try the
free trial version so you can see how unreadable your code becomes when
it is obfuscated. If you decompile the obfuscated code, the decompiled
code will only contain the obfuscated version, not your original
version that you wrote.

Jonathan
 
Michael C#

What are you trying to prevent people from reading exactly? String values
stored within your code? Your actual MSIL code? MSIL code can be
decompiled, and that's a fact of life! However, even C++ or (gasp) x86
Machine Language can be disassembled into human-readable Assembler Language
code. There are tools to obfuscate your code, and you can encrypt internal
strings, but bottom line is this: if you're that worried that people will
"read your code in plain text", you probably shouldn't release it to the
public... After all, if someone wants to see the internal workings of your
code *that badly*, they *will* find a way to do it. All you can do is make
it harder for them.

So to answer your question, the only 100% foolproof method of protecting
your code is to lock it in your cellar when you're done coding it. And even
then someone could always break into your house and steal it and then
decompile it...

Thanks,
Michael C
 
LP

Fady,

There is no 100% way to protect anything from reverse engineering. No matter how
smart you are, no matter what kind of advanced obfuscator or encryption tool
you use, there will always be someone out there smarter than you, who can
figure out how to decompile and decrypt your code (if they really want to).
Besides, don't you think that programmer(s) who can figure out how to
decompile and decrypt an obfuscated assembly can as easily reverse engineer
your algorithms without even seeing your source code? If you have some kind
of super complex algorithms that you don't want others to "steal", I suggest
you get legal IP (Intellectual Property) protection: copyright, patent.
It doesn't mean that you should not obfuscate your assemblies, just keep in
mind there's always someone out there one step ahead of the latest
obfuscator.
 
Guest

Well, at least I need some method that prevents anybody who has a decompiler
from seeing my plain code in *C#*, and it's not a problem if he can see my code in
MSIL (let's see what use he can get out of it :p), and if there is no such method I
think that Microsoft is going to be an open source community soon :p
 
Clint (cmueller

It isn't so much that they can read it, as it becomes a real pain to
read. Depending on the size of your application, de-obfuscating it (so
to speak) would take a significant amount of time once decompiled.

Sure, your algorithms would be in plain-text, but without actually
being able to understand what each variable means in a complex
algorithm, the ability to simply READ it becomes useless; you can't
translate it into something that makes sense.

As far as I know, anything that uses an intermediate language can be
decompiled readily (meaning .NET and Java). As someone mentioned, C++
et al. can be broken down to assembler, which can be understood by
people with a lot better understanding of assembly language than myself
:)
 
Jon Skeet [C# MVP]

Fady Anwar said:
> Well, at least I need some method that prevents anybody who has a decompiler
> from seeing my plain code in *C#*, and it's not a problem if he can see my code in
> MSIL (let's see what use he can get out of it :p), and if there is no such method I
> think that Microsoft is going to be an open source community soon :p

<sigh>

There's a big difference between "able to read the code" and "open
source". However, you're not going to prevent people from converting
MSIL into C#. You need to accept that and work out what you're really
trying to protect.

(MSIL isn't actually that hard to read, by the way - even if you
*could* find a way of preventing full decompilation to C#, you wouldn't
want to try to hide passwords etc in the code.)
 
SB

99.99% of all code today is nothing completely new, innovative, or
revolutionary... That being said, if someone wants to take the time to
figure out every class, method, variable, code path, then no matter what
language you write it in, they will do it. If you're storing password
information or other such data in the code, then your approach is the
problem to begin with...not the fact that someone can decompile it.

-sb
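
The point made in the two replies above about passwords in code, as an added example that is not part of the thread: renaming types and members does not touch string literals, which a .NET assembly stores as UTF-16 in its `#US` metadata heap, so a pre-release audit can list them. The sketch assumes the heap bytes have already been extracted; the heap below is constructed, and the function names and patterns are hypothetical.

```python
import re

# Strings that suggest a credential was compiled in (illustrative patterns only).
SECRET_HINT = re.compile(r"(password|pwd|api[_-]?key|secret|token)\s*[=:]", re.I)

def read_compressed_len(buf, pos):
    """Decode an ECMA-335 compressed unsigned integer; return (value, next_pos)."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:                        # 0xxxxxxx: 1 byte
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:                     # 10xxxxxx: 2 bytes
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    return (((b0 & 0x1F) << 24) | (buf[pos + 1] << 16)   # 110xxxxx: 4 bytes
            | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4

def user_strings(heap):
    """Yield (offset, text) for each literal in a #US heap."""
    pos = 0
    while pos < len(heap):
        start = pos
        size, pos = read_compressed_len(heap, pos)
        if size == 0:                         # empty first entry or padding
            continue
        if pos + size > len(heap):            # truncated entry
            return
        # size counts the UTF-16LE bytes plus one trailing flag byte
        yield start, heap[pos:pos + size - 1].decode("utf-16-le", "replace")
        pos += size

def audit(heap):
    """Return the literals that look like embedded credentials."""
    return [(off, s) for off, s in user_strings(heap) if SECRET_HINT.search(s)]

def us_entry(text):
    """Encode one literal the way the heap stores it (sample-building helper)."""
    data = text.encode("utf-16-le") + b"\x00"
    n = len(data)                             # sample strings stay below 0x4000
    return (bytes([n]) if n < 0x80 else bytes([0x80 | (n >> 8), n & 0xFF])) + data

# Constructed sample heap, not taken from any real assembly.
CONSTRUCTED_HEAP = b"\x00" + b"".join(us_entry(s) for s in (
    "Server=db.example.invalid;User Id=app;Password=constructed-sample",
    "Loading configuration...",
    "Invalid license",
))

if __name__ == "__main__":
    for off, s in audit(CONSTRUCTED_HEAP):
        print(f"#US+0x{off:x}: {s}")
```

Any literal this flags belongs on the server side or in a protected configuration store, whether or not the assembly is obfuscated.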
 
Guest

well at least if I'm into the open source community I would have the choice
to release the code, which in my point of view is better than releasing my
code as a .NET app which can be decompiled against my will and everybody can
read my code whether I like it or not

theoretically every app can be reverse engineered and every system can be
hacked and every encryption can be cracked, but statistically that's not
happening in the real world, simply because every cracking, hacking or reverse
engineering technique has its counter-technique which can stop it, and if not,
at least slow it or make it harder

I upgraded from the unmanaged code world and I have seen a lot of
techniques that stop or slow cracking or make it harder, so I suggest that
rather than saying it's impossible to protect our code and apps from
hacking and cracking we should search for a more efficient way to stop it
(more efficient than the so-called obfuscators, which can also be reversed by
their own vendors' decompilers)

so I suggest the first question to ask is how do these decompilers work, so
we can know how to stop them
 
Jonathan Pierce

Fady,

Obfuscators do not always reduce efficiency. The obfuscator in our
product actually often improves efficiency in many cases by recognizing
higher level code constructs that can be more efficiently compiled.
Obfuscators sufficiently rename types and members to make decompiler
code sufficiently unreadable and unmaintainable. They are not intended
to hide secrets. Sensitive data and algorithms should be kept server
side. All programs contain instruction sequences that processors
understand for execution. Decompilers work by recognizing these
sequences and replacing them with higher level constructs. The code that
they generate is not identical to the original code, but is high level
and readable. Programs compiled for virtual machines like .NET and Java
also contain metadata necessary for execution that includes type
information and calling conventions among other things. Obfuscators
rename this metadata so that the code is not directly understandable or
maintainable. This renaming does not impact performance. You may want to
read about Next Generation Secure Computing Base
(http://www.microsoft.com/resources/ngscb/default.mspx) which will
improve client side security by restricting programs so they can be
loaded into a protected memory space for execution that is not readable
by external processes or devices. The code can exist in encrypted form
on disk and in memory until it is loaded into the secure hardware
environment.

You may want to review our Decompiler.NET product which contains both
advanced obfuscation and high level decompilation capabilities. It also
improves code readability and efficiency through its code analysis,
optimization, and automatic refactoring features. Many customers also
use it as a .NET source language translator that produces code that
always compiles and runs correctly. You can download a free trial
version from our web site at http://www.junglecreatures.com/

Jonathan Pierce
President
Jungle Creatures, Inc.
http://www.junglecreatures.com/
Email: (e-mail address removed)
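
The mechanism described in the post above (instruction sequences recognized and replaced with higher level constructs, with names coming from metadata), as an added sketch that is not from the thread or from any product: a toy decompiler for a constructed, CIL-like stack instruction list, run once with the original metadata names and once after renaming. The opcode subset, tokens, names and the `rename` helper are assumptions for illustration; real CIL has many more opcodes and control flow.

```python
BINOPS = {"add": "+", "sub": "-", "mul": "*", "div": "/"}

def decompile(method, names):
    """Rebuild source-like text from a stack-machine method body.

    method: {'token', 'params': [tokens], 'body': [(opcode, operand)]}
    names:  metadata table mapping tokens to identifiers
    """
    stack, stmts = [], []
    for op, arg in method["body"]:
        if op == "ldarg":                 # push parameter by index
            stack.append(names[method["params"][arg]])
        elif op == "ldc":                 # push constant
            stack.append(str(arg))
        elif op in BINOPS:                # pop two operands, push expression
            right, left = stack.pop(), stack.pop()
            stack.append(f"({left} {BINOPS[op]} {right})")
        elif op == "call":                # operand: (method token, arg count)
            callee, argc = arg
            args = [stack.pop() for _ in range(argc)][::-1]
            stack.append(f"{names[callee]}({', '.join(args)})")
        elif op == "ret":
            stmts.append(f"return {stack.pop()};")
        else:
            raise ValueError(f"unsupported opcode: {op}")
    params = ", ".join(names[p] for p in method["params"])
    return f"{names[method['token']]}({params}) {{ {' '.join(stmts)} }}"

def rename(names):
    """Renaming obfuscation: swap every identifier for a meaningless one."""
    return {tok: chr(ord("a") + i) for i, tok in enumerate(sorted(names))}

# Constructed sample: tokens, names and body are invented for illustration.
NAMES = {0x06000001: "ComputeDiscount", 0x06000002: "RoundToCents",
         0x08000001: "price", 0x08000002: "seats"}
METHOD = {"token": 0x06000001, "params": [0x08000001, 0x08000002],
          "body": [("ldarg", 0), ("ldarg", 1), ("mul", None), ("ldc", 100),
                   ("div", None), ("call", (0x06000002, 1)), ("ret", None)]}

if __name__ == "__main__":
    print(decompile(METHOD, NAMES))
    print(decompile(METHOD, rename(NAMES)))
```

The two outputs have the same structure and differ only in identifiers, which is the extent of what renaming changes: the instructions, and therefore the algorithm, are untouched.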
 
Michael C#

Fady Anwar said:
> well at least if I'm into the open source community I would have the choice
> to release the code, which in my point of view is better than releasing my
> code as a .NET app which can be decompiled against my will and everybody can
> read my code whether I like it or not

What language would you prefer to write this in, in which this is not true?
Delphi? Nope, that can be reverse-engineered also. How about good old C++?
Nope, there are decompilers for that also. Well hey, how about x86
Assembler? Wrong again. There are freeware disassemblers out there. What
option do you propose?

> theoretically every app can be reverse engineered and every system can be
> hacked and every encryption can be cracked, but statistically that's not
> happening in the real world, simply because every cracking, hacking or reverse
> engineering technique has its counter-technique which can stop it, and if not,
> at least slow it or make it harder

"counter technique... stop it and if not it at least slow down or make it
harder." If you scroll through the discussion here, you will find mention
of "obfuscators", which do EXACTLY what you specified here.

> I upgraded from the unmanaged code world and I have seen a lot of
> techniques that stop or slow cracking or make it harder, so I suggest that
> rather than saying it's impossible to protect our code and apps from
> hacking and cracking we should search for a more efficient way to stop it
> (more efficient than the so-called obfuscators, which can also be reversed by
> their own vendors' decompilers)

So drop back out of unmanaged code and see how successful you are at writing
code that cannot be decompiled or disassembled by anybody's decompilers.
Nobody said it's impossible to protect your code 100%. Just never let
anyone use or see it. Too easy.

> so I suggest the first question to ask is how do these decompilers work, so
> we can know how to stop them

That's easy. You have a baseline set of instructions. A decompiler
converts those baseline set of instructions into a human readable format. I
already suggested to you one method of getting around that, which basically
involves creating your own baseline set of instructions from the ground up.
And then not letting anyone, anywhere, know about it. As long as no one
breaks into your house (past those darn locks that aren't 100% effective, or
those thin glass windows that are even less effective), your code should be
100% safe from hacking.
 
