Obfuscation and Salamander

[Matt]

Much question is simple, why should I, as a freelance developer, spend good
time producing client/server software and libraries in .net when any stupid
monkey can extract all of my source using Salamander? And what's more, for
those that don't get Salamander, what is the point of using obfuscation (the
main use being its obscure class overloading and variable renaming) when
your own application 'ildasm.exe' will give anyone all the original friking
names, types and variables??

Is my only choice to use managed C++? If so what level of source is exposed
in its assemblies/builds?

I'm p**sed and want some good answers or delphi might well become my
language of choice

 

[Matt]

Ment to say My question*

 

[Jon Skeet [C# MVP]]

Much question is simple, why should I, as a freelance developer, spend good
time producing client/server software and libraries in .net when any stupid
monkey can extract all of my source using Salamander? And what's more, for
those that don't get Salamander, what is the point of using obfuscation (the
main use being its obscure class overloading and variable renaming) when
your own application 'ildasm.exe' will give anyone all the original friking
names, types and variables??

What obfuscator are you using if it doesn't get rename variables etc?

See http://www.pobox.com/~skeet/csharp/faq/#obfuscation in general
though.

 

[Matt]

I'm using Dotfuscator, as far as i know im using it to its best potential
but actual notes on how to use it arent in the supplied help (always
useful). All the tree nodes are selected in the 'Rename' category, not much
else is made available.

Thanks for the link but the person who wrote it is clearly an idiot for
saying:

"If your application becomes sufficiently popular that people are
decompiling it, chances are you're making significant money from it anyway."

So its okay for the licensing to be hacked out and for everyone to use a
cracked version at that point is it? Okay, lets see microsoft release
longhorn like it shall we....

 

[Jon Skeet [C# MVP]]

I'm using Dotfuscator, as far as i know im using it to its best potential
but actual notes on how to use it arent in the supplied help (always
useful). All the tree nodes are selected in the 'Rename' category, not much
else is made available.

Thanks for the link but the person who wrote it is clearly an idiot for
saying:

"If your application becomes sufficiently popular that people are
decompiling it, chances are you're making significant money from it anyway."

So its okay for the licensing to be hacked out and for everyone to use a
cracked version at that point is it? Okay, lets see microsoft release
longhorn like it shall we....

How many versions of Windows do you know which *haven't* been pretty
widely pirated? Or any other software, for that matter? Native code
isn't impenetrable.

 

[Matt]

Ah but i think you'll find that the difference here is that the whole of
windows' source wasnt a piece of p*ss to extract, not at all in fact

 

[S. B@RTHES]

Hi Matt,

Why do you obfuscate code :
1/ to make sure that no other coder can reuse you source code?
2/ to avoid other people using your software without paying you?

If your goal is #2 just use a public key encoding scheme, and any hacker
that get through it is probably good enough to be allowed to use your
software freely

 

[Jon Skeet [C# MVP]]

Ah but i think you'll find that the difference here is that the whole of
windows' source wasnt a piece of p*ss to extract, not at all in fact

No, but I think you've missed the point: people who are determined to
break your licence will do so whether the code is native or not. They
don't *need* to get the source code for the whole of Windows - they
just need to work out enough of what's going on to break the licensing
code. You can make that harder or easier, but sooner or later you have
to accept that some people are going to pirate your software if they
really want to.

I think you might also be overestimating how easy it is to understand
source code from a large project which has been obfuscated (so only the
public names are visible). Even *without* obfuscation, most software
projects of significant size are fairly hard to understand without any
comments of any form, and with obfuscation it can be very difficult
indeed.

 

[Jon Skeet [C# MVP]]

Why do you obfuscate code :
1/ to make sure that no other coder can reuse you source code?
2/ to avoid other people using your software without paying you?

If your goal is #2 just use a public key encoding scheme, and any hacker
that get through it is probably good enough to be allowed to use your
software freely

How exactly would a public key encoding scheme help? If the computer
can run the code, a cracker can see it.

 

[S. B@RTHES]

The idea about the public key is that it is not possible for the hacker to
generate he's own working key.

As a consequence the hacker needs to change the generated code to get around
all licence control that can easily be dropped at various point of the
source code. The code can include a signature scheme that will fail any
modification of the generated code (this can add fun to the hacking, since
the signature protection also has to be worked around).

Most unlicensed copies go around copying the software and getting a working
key, if the key is specific to the machine most people will buy the software
(or use another one) to do the job.

I fully agree on the point that any good hacker will hack through any
software protection just by removing the controlling code from the software
(actually computing jump point from the activation code would nicely
complicate the hacker's job) .

 

[Matt]

No, havent missed the point at all, simply emphasising that the floodgates
have been busted open in both respects with .net, both from a source and
cracking point of view. You have gotten focused on licensing keys not me.
Obviously the point was that if windows went totally .net people would have
working source, the means to build their own windows, build variations of
windows and how could microsoft stop it? You dont think there'd be loads of
people out there who would work through the obfuscated code and work out the
sematics and give vairables, consts and objects relivant names? And at that
point microsoft would've lost everything, so they wont, and neither will
anyone else - lets face it .net is an in-house development platform and
thats it

 

[Jon Skeet [C# MVP]]

The idea about the public key is that it is not possible for the hacker to
generate he's own working key.

Sure, but I don't think that's really much of a problem...

As a consequence the hacker needs to change the generated code to get around
all licence control that can easily be dropped at various point of the
source code.

Yes, but that's not terribly tricky.

The code can include a signature scheme that will fail any
modification of the generated code (this can add fun to the hacking, since
the signature protection also has to be worked around).

Again, not *that* hard.

Alternatively, he could just substitute his *own* private/public key
pair and generate licenses...

Most unlicensed copies go around copying the software and getting a working
key, if the key is specific to the machine most people will buy the software
(or use another one) to do the job.

This would require a modified version of the software, but that's
pretty common in the piracy world, I believe. (Certainly in the gaming
world, where there are "'No CD' patches" etc.)

I fully agree on the point that any good hacker will hack through any
software protection just by removing the controlling code from the software
(actually computing jump point from the activation code would nicely
complicate the hacker's job) .

It would, but it would be hard to do in managed code...

My point is that protecting software which a hacker has access to is
pretty much impossible. It's slightly easier to crack with managed
code, but possible in *any* code.

 

[Jon Skeet [C# MVP]]

No, havent missed the point at all, simply emphasising that the floodgates
have been busted open in both respects with .net, both from a source and
cracking point of view. You have gotten focused on licensing keys not me.
Obviously the point was that if windows went totally .net people would have
working source, the means to build their own windows, build variations of
windows and how could microsoft stop it? You dont think there'd be loads of
people out there who would work through the obfuscated code and work out the
sematics and give vairables, consts and objects relivant names?

On that much code? Unlikely. Have you ever tried to wade through
thousands upon thousands of classes without any sensible names? Give it
a try some time... I believe it's almost always easier to reimplement
from scratch than to patch things up like that. The design of an
application, which is usually reasonably obvious from the outside, is
much harder to get right than the implementation.

And at that
point microsoft would've lost everything, so they wont, and neither will
anyone else - lets face it .net is an in-house development platform and
thats it

So you don't think that the Microsoft will be releasing .NET
applications themselves? I think you're very much mistaken.

 

[Matt]

Okay think im going to end it there, you are quite clearly a blinkered
microsoft biatch...With Linux seeing the possiblity of reaching mainstream
by supporting .net dont you think all its supporters would break up a MS OS'
..net source and work though it - anyway its all hypothetical but all i can
say is anyone who follows MS blindly, especially over this, stands to loose
out

 

[Jon Skeet [C# MVP]]

Okay think im going to end it there, you are quite clearly a blinkered
microsoft biatch... With Linux seeing the possiblity of reaching mainstream
by supporting .net dont you think all its supporters would break up a MS OS'
.net source and work though it - anyway its all hypothetical but all i can
say is anyone who follows MS blindly, especially over this, stands to loose
out

You might want to look at my posting history on the Java newsgroups
before assuming I'm biased in favour of Microsoft.

Again, I suggest you try to decompile a significant application
(whether it's obfuscated or not) and see whether you think it's
*really* as simple as you appear to currently believe it is.

It's fairly simple to understand bits. It's a completely different
matter to actually do significant damage with it.