Is VB.NET Code Secure?

Don Wash

Hi Everyone!

I'm new to .NET but I'm an experienced VB programmer (since VB 4) and wanting
to move to VB.NET from VB 6.

But as I read about .NET, I came across that compiled VB.NET code is stored
in MSIL (instead of binary) which is easily decryptable by the "hackers" to
reverse engineer your VB.NET application.

Is this true?

Thanks in advance!

Don
 
Herfried K. Wagner [MVP]

Don Wash said:
I'm new to .NET but I'm an experienced VB programmer (since VB 4) and wanting
to move to VB.NET from VB 6.

But as I read about .NET, I came across that compiled VB.NET code is stored
in MSIL (instead of binary) which is easily decryptable by the "hackers" to
reverse engineer your VB.NET application.

Is this true?

Yes.

Nevertheless, you can make their work harder by obfuscating the
code. You will find some links here:

<URL:http://www.cetus-links.org/oo_dotnet.html#oo_dotnet_utilities_tools>

Notice that VS.NET 2003 includes the Light Version of Preemptive's
obfuscator.

BTW: Do you really think that somebody wants to have a look at
the code of /your/ application? What I want to say: Reverse
Engineering often doesn't make much sense, it's "interesting" if there
are some complicated algorithms implemented, but not for most normal
apps.
 
Don Wash

Thanks for the links Herfried,

Yes, I do think when you are developing software with your own unique
algorithm (or even simple applications) competitors can just look up your
code and get the idea where you've sacrificed hours and hours of good night's
sleep to get the algorithm and get the app up and running. This is also the
case for simple applications. That's something I don't want :p and I'm sure
most developers will agree with me.

Do you think .NET will become binary in the future?

Don
P.S. This VB.NET newsgroup is damn fast!!! I love it!
 
Herfried K. Wagner [MVP]

Don Wash said:
Yes, I do think when you are developing software with your own unique
algorithm (or even simple applications) competitors can just look up your
code and get the idea where you've sacrificed hours and hours of good night's
sleep to get the algorithm and get the app up and running. This is also the
case for simple applications. That's something I don't want :p and I'm sure
most developers will agree with me.

Do you think .NET will become binary in the future?

No, that's against the concept of .NET. As mentioned before, I would
obfuscate the application, so it's harder to understand the
reconstructed source code.
P.S. This VB.NET newsgroup is damn fast!!! I love it!

A lot of traffic here... ;-).
 
John

But we can get the setup to "compile" the app at installation so after that
the app is as secure as a regular executable?

Thanks

Regards
 
Armin Zingler

Don Wash said:
But as I read about .NET, I came across that compiled VB.NET code is
stored in MSIL (instead of binary) which is easily decryptable by the
"hackers" to reverse engineer your VB.NET application.

Is this true?

In addition to Herfried..
I think, if somebody is /really/ interested in your code, he will also
decompile assembler code, so the only 100% safe way is not to distribute the
application.


--
Armin

How to quote and why:
http://www.plig.net/nnq/nquote.html
http://www.netmeister.org/news/learn2quote.html
 
CJ Taylor

I wanted to follow up with Herfried on this one. He makes a valid point
about the reverse engineering. Would they actually want to? In most cases
code would be reverse engineered, the "hacker" would look at it and be like
"wtf is this?" Why? Because 1, variable names are not retained with most
decompilers (all I'm pretty sure, as it is a tokenized compiler) So, it may
or may not make much sense.

Second of all, people will look at it and be like "well I can do this better
here." Long story short, it doesn't really happen that much. At least from
what I've seen.

I've decompiled programs before, but mainly to debug an existing application
and notify the author. However, I wouldn't recommend writing, oh, let's say, an
encryption algorithm without obfuscating (hell, I would go to a binary
format instead.)

HTH,
CJ



Don Wash said:
Thanks for the links Herfried,

Yes, I do think when you are developing software with your own unique
algorithm (or even simple applications) competitors can just look up your
code and get the idea where you've sacrificed hours and hours of good night's
sleep to get the algorithm and get the app up and running. This is also the
case for simple applications. That's something I don't want :p and I'm sure
most developers will agree with me.

Do you think .NET will become binary in the future?

Don
P.S. This VB.NET newsgroup is damn fast!!! I love it!

"hackers"
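To make the point about names concrete (Herfried's obfuscation advice and CJ's remark about what a decompiler shows), here is an added example; it is not code from this thread or from any poster. It reads a compiled VB.NET executable's own metadata with System.Reflection. Everything it prints (type names, method names, parameter names, private constants and their values) is stored in the assembly file itself and is exactly what ILDASM or a decompiler displays. Local variable names are the one thing that is not there: they live only in the .pdb file. The LicenseGate class, its salt string and the IsLicensed routine are constructed stand-ins for the "unique algorithm" under discussion; an obfuscator's renaming pass targets exactly these identifiers, and the string constant survives unless the obfuscator also encrypts strings.

```vbnet
' Added example (not from the thread): what a compiled VB.NET assembly
' still carries after compilation, read back with System.Reflection.
' Build with:  vbc /target:exe WhatShips.vb      then run WhatShips.exe
Option Strict On
Imports System
Imports System.Reflection

' Constructed stand-in for the "unique algorithm" discussed in the thread.
Public Class LicenseGate
    ' A private constant is still plain metadata in the assembly.
    Private Const SecretSalt As String = "constructed-demo-salt"

    ' Hypothetical check: the kind of routine a decompiler shows complete
    ' with its name, parameter names and the string constant it uses.
    ' (The local variable "expected" is the only name NOT in the assembly.)
    Public Shared Function IsLicensed(ByVal userName As String, ByVal licenseKey As String) As Boolean
        Dim expected As Integer = (userName & SecretSalt).GetHashCode()
        Return licenseKey = expected.ToString()
    End Function
End Class

Public Module WhatShips
    Sub Main()
        ' Inspect this very executable's metadata, the same tables ILDASM or
        ' a decompiler reads from the file on disk.
        Dim asm As [Assembly] = [Assembly].GetExecutingAssembly()
        Dim flags As BindingFlags = BindingFlags.Public Or BindingFlags.NonPublic _
            Or BindingFlags.Static Or BindingFlags.Instance Or BindingFlags.DeclaredOnly

        For Each t As Type In asm.GetTypes()
            Console.WriteLine("Type: " & t.FullName)

            ' Method names and parameter names are retained.
            For Each m As MethodInfo In t.GetMethods(flags)
                Console.Write("  Method: " & m.Name & "(")
                For Each p As ParameterInfo In m.GetParameters()
                    Console.Write(p.ParameterType.Name & " " & p.Name & " ")
                Next
                Console.WriteLine(")")
            Next

            ' Constants, including private ones, are retained with their values.
            For Each f As FieldInfo In t.GetFields(flags)
                If f.IsLiteral Then
                    Console.WriteLine("  Const: " & f.Name & " = " & f.GetValue(Nothing).ToString())
                End If
            Next
        Next
    End Sub
End Module
```

Running it against itself lists LicenseGate, IsLicensed with its userName and licenseKey parameters, and SecretSalt together with its value; comparing that listing before and after running an obfuscator over the build is a quick way to see which identifiers the tool actually renamed.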
 
Cor Ligthert

In addition to Herfried..
I think, if somebody is /really/ interested in your code, he will also
decompile assembler code, so the only 100% safe way is not to distribute the
application.
Same idea here, are you going to server-side web applications Armin?

Cor
 
Jay B. Harlow [MVP - Outlook]

Don,
You do realize, as Armin stated, that any one who wanted to get your code,
will!

Independent of if it is written in ASM, C++, VB4, VB6, VB.NET or C#!

All computer languages have tools available that can reverse engineer them,
including compiled programs.

I don't have the link handy, my understanding is that the question is not so
much that we need to compile to binary machine code (which is easily
de-compiled or dis-assembled anyway). But the need is for digital
certificates & encrypting the assembly, so it cannot be looked at by opening the
file, yet can still be looked at to actually execute.

Hope this helps
Jay

Don Wash said:
Thanks for the links Herfried,

Yes, I do think when you are developing software with your own unique
algorithm (or even simple applications) competitors can just look up your
code and get the idea where you've sacrificed hours and hours of good night's
sleep to get the algorithm and get the app up and running. This is also the
case for simple applications. That's something I don't want :p and I'm sure
most developers will agree with me.

Do you think .NET will become binary in the future?

Don
P.S. This VB.NET newsgroup is damn fast!!! I love it!

"hackers"
 
CJ Taylor

An idea like that would have to be implemented at kernel level would it not?
Encrypting the compiled program so that it couldn't be read? But then how
would it be decrypted. The OS right?

That would be a pretty interesting implementation. =)


Jay B. Harlow said:
Don,
You do realize, as Armin stated, that any one who wanted to get your code,
will!

Independent of if it is written in ASM, C++, VB4, VB6, VB.NET or C#!

All computer languages have tools available that can reverse engineer them,
including compiled programs.

I don't have the link handy, my understanding is that the question is not so
much that we need to compile to binary machine code (which is easily
de-compiled or dis-assembled anyway). But the need is for digital
certificates & encrypting the assembly, so it cannot be looked at by opening the
file, yet can still be looked at to actually execute.

Hope this helps
Jay
 
Cor Ligthert

Hi CJ,

It always stays impossible to prevent decompiling completely; at
processor(s) level all the instructions are standard whatever firmware you
place between it.

However mostly it will cost an enormous amount of time, while the result is
unusable, with the exception when there are really interesting things, as
Herfried already stated.

Just my 2 eurocents

Cor
 
Jay B. Harlow [MVP - Outlook]

CJ,
Yes it would be implemented at the kernel or the CLR level.

I want to say Eric Gunnerson discussed this in the C# newsgroup, however I
just don't have the link handy right now.

Jay
 
CJ Taylor

Oh that eric... always stirring up trouble. =)

I think that would be really interesting.. you know how VB Package and
Deployment Wizard had the serial algorithm. You would almost have to have
the same thing at the CLR level in order to decrypt it. That way, you would
have to get a key from Microsoft (kinda like authenticode) to be
decrypted....

Hmmm.. don't know how well that would work...
 
Cor Ligthert

Same idea here, are you going to server-side web applications Armin?

I assume you understand it, however to answer seriously, a user cannot reach
(normally I am not talking about hackers) the code from a serverside
webapplication, and therefore he cannot decompile it.

The first sentence (Same idea here) was serious from me, the second only to
prickle you.

:)

Cor
 
Jimi

Reverse Engineering often doesn't make much sense, it's
"interesting" if there are some complicated algorithms implemented,
but not for most normal apps

There is also the other unfortunate aspect of .NET apps being so
easily reverse engineered. That is that if your app becomes
popular it's a breeze to have all security checks removed from your
latest version that you've slaved over and distributed free of
charge, even if it is uninteresting code. I think that is what most
people are worried about.
 
Herfried K. Wagner [MVP]

John said:
But we can get the setup to "compile" the app at installation so after that
the app is as secure as a regular executable?

You can run "ngen.exe" in setup, but still the MSIL image will be
required to do that and to run the app.
 
Herfried K. Wagner [MVP]

Cor Ligthert said:
I assume you understand it, however to answer seriously, a user cannot reach
(normally I am not talking about hackers) the code from a serverside
webapplication, and therefore he cannot decompile it.

That's what I recommend too, but often there is no permanent internet
connection available. If I want to deploy an application that uses a
unique algorithm, I would have to provide a web service that works >
99,999 percent of time and most people won't be able to use it because
of lack of internet connections or security policies.
 
Don Wash

Thank you for all the replies!

I'm overwhelmed by the number of replies in such short time and I apologize
for not being able to respond to all the people who replied.

I'll cap it all for everyone; Yep I think it's important for the compiled
code to be protected for obvious reasons. While MSIL may be easily decrypted,
I'll use obfuscators (that can also convert variable names as well) to
protect my code. And I also hope that MS will include built-in full versions
of obfuscators (or better method to protect MSIL code) in the future :)

Cheers all!
Don
 
Don Wash

You've made a good point Jimi.

Don

Jimi said:
Reverse Engineering often doesn't make much sense, it's
"interesting" if there are some complicated algorithms implemented,
but not for most normal apps

There is also the other unfortunate aspect of .NET apps being so
easily reverse engineered. That is that if your app becomes
popular it's a breeze to have all security checks removed from your
latest version that you've slaved over and distributed free of
charge, even if it is uninteresting code. I think that is what most
people are worried about.
 