protect my code

Alain R.

Hi,

I already asked about this topic a few months ago, but I did not get any
answer which satisfied me, therefore I'm asking it again.

I would like to know how I can protect my code (C#.NET) from being
decompiled and abused.
In C++, we write in "Win32 native" so you are not able to see any
commandline, or variables,...

I would like to develop an application in C# as well as some controls, but
I will not do it if I'm not sure that my code will not be protected at
100% (or at least to maximum...for perfectionists).

So what is your point of view on that topic?
The purpose is to be able to sell this application or control later on...

Thanks a lot,

A.
 
Olie

From what I understand it is almost impossible for you to ensure your
code is 100% safe. You can only take steps to make it harder for
people to decompile and understand the code.

There are two different aspects to ensuring your code is safe.

The first is to ensure that no one can modify your program to change
its functionality. There is a solution to this which is fairly secure
and is built into Visual Studio. It is called signing and allows you
to sign your code so that if others change the binary the dotnet
framework simply will not run the software. You should be able to find
plenty of examples on signing your assemblies.

The second step is to stop others from decompiling the code and then
recompiling it with changes or modifications. This is a lot harder
to prevent and as it stands almost impossible to stop 100%. The
problem is at the end of the day you need the computer to understand
your program and so a hacker will also be able to gain access to it.
What you can do though is make it as hard as possible for a hacker to
understand your code once it has been decompiled. This is where
obfuscation comes in. What this does is try and make your code as
unreadable as possible so that when it is decompiled all you see is
lots of meaningless variables and difficult to follow program flows.
You get an obfuscator with Visual Studio 2005 and there are lots of
third party ones. It is a simple tool that you run on your compiled
binaries.
 
Martijn Mulder

Alain R. said:
I would like to know how I can protect my code (C#.NET) from being
decompiled and abused.


It seems that the non-Express Editions of Visual Studio ship with an
obfuscator 'Dotfuscator' (what's in a name) but you probably do not have
access to it. I found a freeware obfuscator at

http://www.rustemsoft.com/SkaterLight.zip

but I have no idea how good it is.
 
Olie

The best way to test this sort of thing is to try and hack it
yourself. You can easily download .NET decompilers and then look at
how easy it is to see the code.

I would also do a search on forum posts to see if anyone is
recommending or criticizing it. I have always found though with
security that it is best not to go for free stuff as you have no way
of knowing who has access to it. A company that sells security
software has an interest in ensuring its security.
 
Jon Skeet [C# MVP]

Olie said:
The best way to test this sort of thing is to try and hack it
yourself. You can easily download .NET decompilers and then look at
how easy it is to see the code.

I would also do a search on forum posts to see if anyone is
recommending or criticizing it. I have always found though with
security that it is best not to go for free stuff as you have no way
of knowing who has access to it. A company that sells security
software has an interest in ensuring its security.

On the other hand, with free open source stuff, you can look at the
code yourself to check that it's not just "security through
obscurity". There's a reason why none of the security algorithms are
secret :)

Jon
 
KWienhold

Alain R. said:
Hi,

I already asked about this topic a few months ago, but I did not get any
answer which satisfied me, therefore I'm asking it again.

I would like to know how I can protect my code (C#.NET) from being
decompiled and abused.
In C++, we write in "Win32 native" so you are not able to see any
commandline, or variables,...

I would like to develop an application in C# as well as some controls, but
I will not do it if I'm not sure that my code will not be protected at
100% (or at least to maximum...for perfectionists).

So what is your point of view on that topic?
The purpose is to be able to sell this application or control later on...

Thanks a lot,

A.

As a sidenote:
You may not want to invest too much time into security before you know
it is worth it.
Most of the people who will use your software are decent enough to pay
for it. Of course there are those who won't, but if you make your
software hard to crack, these people will simply not use it, leaving
you with just as much money as you would have earned without the added
security.
That's not to say you should ignore the issue entirely, but spending
loads of time and money on something that won't benefit you in the end
is not generally a good idea.
A basic security implementation is pretty easy to pull off (signing,
strong naming, obfuscating), but it will not be 100% secure. The
closer you get to complete security (which doesn't exist, as mentioned
above), the more time it takes to implement.
I guess in the end it comes down to the old "premature optimization is
the root of all evil"-paradigm, don't go ballistic with security
unless you have made sure you need it.

Kevin Wienhold
 
Martijn Mulder

Olie wrote:
The best way to test this sort of thing is to try and hack it
yourself. You can easily download .NET decompilers and then look at
how easy it is to see the code.

I would also do a search on forum posts to see if anyone is
recommending or criticizing it. I have always found though with
security that it is best not to go for free stuff as you have no way
of knowing who has access to it. A company that sells security
software has an interest in ensuring its security.

The Skater obfuscator seems pretty crappy. It takes administrator rights to
run it, it eats all memory and tells you 'sorry, we couldn't obfuscate
foo.exe' or, when it does 'obfuscate', it leaves everything intact but
adds some volume to the file.

For people working with the Visual Studio Standard Edition, is there a
file 'dotfuscator.exe' somewhere in the SDK? (not for poor Express
Edition users I found out)
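
Olie's "try it yourself" test and Martijn's finding that a tool can leave "everything intact" can be measured with reflection instead of by eye. The C# console program below is an added example, not code from any poster in this thread; the class name NameAudit, the readability heuristic and the exit-code convention are assumptions. It reports whether an assembly carries a strong name and how many non-public type and member names still look human-readable (public names are skipped, since a control library has to keep its public API names).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.RegularExpressions;

// Added example: lists non-public names that still look human-readable.
static class NameAudit
{
    // Assumed heuristic: a plain ASCII identifier of 4+ characters containing a
    // vowel counts as readable; renamed members are usually shorter or non-ASCII.
    static readonly Regex Readable =
        new Regex("^(?=.*[aeiouAEIOU])[A-Za-z_][A-Za-z0-9_]{3,}(`[0-9]+)?$");

    // Protected members are returned too; they are API for inheritable controls.
    const BindingFlags Hidden = BindingFlags.NonPublic | BindingFlags.Instance |
                                BindingFlags.Static | BindingFlags.DeclaredOnly;

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: NameAudit <assembly>"); return 2; }
        string path = System.IO.Path.GetFullPath(args[0]);

        // Presence of a public key token only; the signature itself is not verified here.
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        Console.WriteLine("Strong name: " + (token != null && token.Length > 0 ? "yes" : "no"));

        Type[] types;
        try { types = Assembly.LoadFrom(path).GetTypes(); }
        catch (ReflectionTypeLoadException e) { types = e.Types.Where(x => x != null).ToArray(); }

        var names = new List<string>();
        foreach (Type t in types)
        {
            if (!t.IsVisible) names.Add(t.Name);   // internal or private types
            names.AddRange(t.GetMembers(Hidden)
                            .Where(m => m.MemberType != MemberTypes.NestedType)
                            .Select(m => m.Name));
        }
        // Drop compiler-generated names such as <Value>k__BackingField and .ctor.
        names.RemoveAll(x => x.StartsWith("<", StringComparison.Ordinal) ||
                             x.StartsWith(".", StringComparison.Ordinal));
        List<string> readable = names.Where(x => Readable.IsMatch(x)).ToList();
        Console.WriteLine("{0} of {1} non-public names look readable", readable.Count, names.Count);
        foreach (string name in readable.Distinct().OrderBy(x => x).Take(20))
            Console.WriteLine("  " + name);
        return readable.Count == 0 ? 0 : 1;   // non-zero exit: readable names remain
    }
}
```

Run it on the build output before and after obfuscation; a tool that changes nothing shows the same count both times.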
 
Alain R.

So if I understand well, it's not like in C++... it cannot be secured
enough as it is under C++.
:-( this is a main issue from my point of view.
 
Peter Duniho

Alain said:
So if I understand well, it's not like in C++... it cannot be secured
enough as it is under C++.
:-( this is a main issue from my point of view.

You are fooling yourself if you believe that your proprietary
algorithms, such as they may be, are in any significant way protected by
compiling them to native Win32 code.

If you have an algorithm worth stealing, someone will steal it, even if
you've compiled it to native, unmanaged Win32 code. The only way to
prevent that is to not publish it.

The truth is, any concerns about the theft of code are almost always
overblown. It's highly unlikely that your code is interesting enough to
anyone to be stolen in the first place, and assuming it is stolen it's
unlikely that any theft would present any significant risk to your
business model, whatever model that may be.

I really don't understand why you think you'll get different answers
from the same people asking the same question a second time. Nothing
has changed about the software business during the time between the
first time you asked the question and now.

Pete
 
Chris Dunaway

Peter Duniho said:
You are fooling yourself if you believe that your proprietary
algorithms, such as they may be, are in any significant way protected by
compiling them to native Win32 code.

If you have an algorithm worth stealing, someone will steal it, even if
you've compiled it to native, unmanaged Win32 code. The only way to
prevent that is to not publish it.

The truth is, any concerns about the theft of code are almost always
overblown. It's highly unlikely that your code is interesting enough to
anyone to be stolen in the first place, and assuming it is stolen it's
unlikely that any theft would present any significant risk to your
business model, whatever model that may be.

I really don't understand why you think you'll get different answers
from the same people asking the same question a second time. Nothing
has changed about the software business during the time between the
first time you asked the question and now.

Pete

Microsoft has just released (Oct 1) their Software Licensing and
Protection Services SDK. It is available at this link:

http://www.microsoft.com/downloads/...AA-8B7C-4E3A-AF83-B71B6877705B&displaylang=en

Perhaps this will help some
 
Chris Dunaway

Alain R. said:
Hi,

I already asked about this topic a few months ago, but I did not get any
answer which satisfied me, therefore I'm asking it again.

I would like to know how I can protect my code (C#.NET) from being
decompiled and abused.
In C++, we write in "Win32 native" so you are not able to see any
commandline, or variables,...

I would like to develop an application in C# as well as some controls, but
I will not do it if I'm not sure that my code will not be protected at
100% (or at least to maximum...for perfectionists).

So what is your point of view on that topic?
The purpose is to be able to sell this application or control later on...

Thanks a lot,

A.

You can try Microsoft's Code Protector which was just released (Oct
1):

http://www.microsoft.com/downloads/...G8Q+zw1KPLn0TEIXhxSfFc4jM7+y4/cnew==#filelist

Chris
 
Smithers

The following e-book tells you practically everything there is to know about
obfuscating in .NET. After reading the e-book, you will be able to compare
obfuscators, different "levels" of obfuscation (it's not a 0/1 proposition),
and will be able to intelligently compare the various obfuscators on the
open market. The book also presents the role of obfuscation in protecting
your intellectual property, in addition to other things you must do in order
to "raise the bar" as high as possible for would-be hackers.

http://www.desaware.com/products/books/net/obfuscating/index.aspx

The company also offers a top-notch licensing system - which would be part
of any comprehensive intellectual property protection effort, in addition to
code signing, and some other stuff talked about in the eBook.

http://www.desaware.com/products/licensingsystem/index.aspx


I do not work for the company, and I don't know anybody who does, but I have
used their products in the past and have found them to be rock solid.

-HTH

-S
 
