Source code !?

[dam]

Hi,

since there are tools that can decompile assemblies and
show ENTIRE SOURCE CODE (!?) is there any way for
developers to protect their work ?

Or, is famoues .NET framework just for companies who sell
their source code. If this is true - it is unbelievable
childish !

 

[Jon Skeet [C# MVP]]

since there are tools that can decompile assemblies and
show ENTIRE SOURCE CODE (!?) is there any way for
developers to protect their work ?

There are obfuscators which will make the code much harder to read.

Or, is famoues .NET framework just for companies who sell
their source code. If this is true - it is unbelievable
childish !

Any non-trivial app which has been obfuscated (and probably most which
haven't been obfuscated) will be *very* hard to fully understand. Don't
forget that you don't get any comments back when you decompile.

What *exactly* are you afraid of? One thing it *does* make easier is
simple cracking of licence code (or rather, simple bypassing of licence
code) but it's not like that's impossible with native code either.

For the most part, I believe it would be harder to steal intellectual
property by decompiling than to take the ideas that are apparent in the
app itself and redevelop them from scratch.

 

[Guest]

since there are tools that can decompile assemblies and

show ENTIRE SOURCE CODE (!?) is there any way for
developers to protect their work ?

In my opinion (seen enough examples) taking out of the protection from 99%
of the applications is just a matter of hours.
So don't concentrate too much in protecting, use that energy to improve your
application.

Or, is famoues .NET framework just for companies who sell
their source code. If this is true - it is unbelievable
childish !

There are things build in .NET that actually improves protection.
Compared to conventional exe applications, building-in a protection
mechanism is simpler, but not perfect.

Copy protection must be built in from te very first line of code that you
write and mixed in all your functions.
It must be part of your code, not some library that you link with. And when
the program discovers that something is wrong, it should wait an random
interval before reporting this dialog box with the error message somewhere
encrypted in your application.

 

[news.microsoft.com]

LicenseProvider. Is the component license model also at risk. Im supprised
somebody has not done this already, then again there may not be alot of
licensed components out there, and there is no framework for licensing apps.

 

[dam]

Obfuscators are certainly better than nothing. But, in my
opinion, the more logic in one method, the easier it gets
to understand. String protection (and there could be
important data) is poor by obfuscators. Here
http://www.remotesoft.com/salamander/obfuscator.html
is good discussion on that.

In my oppinion, the one should write source code,
obfuscate it, decompile it, and if it looks easy to
understand write it other way (by using more methods)
until it gets hard enough to understand. But, on the
other hand, calling a method puts extra overhead.

 

[Guest]

There are things build in .NET that actually improves protection.
Compared to conventional exe applications, building-in a protection
mechanism is simpler, but not perfect.

Copy protection must be built in from te very first line of code that you
write and mixed in all your functions.
It must be part of your code, not some library that you link with. And when
the program discovers that something is wrong, it should wait an random
interval before reporting this dialog box with the error message somewhere
encrypted in your application.

Could you, please, be more specific on that. I'm not sure
I understand this completely.

I mean, when somebody sees your source code, he sees the
heart of your application, he sees the competitive
advantage your application has over other application
that perform more or less the same task.

 

[dam]

There are bunch of applications that perform the same
tasks, but some do that better than the others.

And no mather how you obfuscate your application, the
competition will find what they are looking for.

 

[phoenix]

Ever heard of programs like softice (debugger), w32dasm (decompiler), ...
They gave you the full source code of any win32 app. Okay it was assembler
but if your competitors really wanted to steal it, that wouldn't have
stopped them.

Obfuscators are certainly better than nothing. But, in my
opinion, the more logic in one method, the easier it gets
to understand. String protection (and there could be
important data) is poor by obfuscators. Here
http://www.remotesoft.com/salamander/obfuscator.html
is good discussion on that.

Strings were never save. In "oldfashioned" win32 apps the only thing you had
to do was a memory dump and most of the time you could read everything you
needed to know.

 

[Jon Skeet [C# MVP]]

There are bunch of applications that perform the same
tasks, but some do that better than the others.

And no mather how you obfuscate your application, the
competition will find what they are looking for.

I think you're just guessing - and so am I, admittedly. I don't think
it *actually* happens much. By the time class names have been
obfuscated, the architecture of significant app really takes a long
time to understand.

Bearing in mind that most actual *algorithms* are well-known, you're
really just left with the architecture.

 

[Christian Boult]

The belief that native code protects your source code is false. How do you
think hackers find holes in software... By guessing ? Hell no you need to
look at the code that is running and find sweet spots. SoftIce or some other
tools that shows you code in the form of assembly language has always been
there. If someone is competent enough to understand your whole architecture
then he is no average bumbling fool and, no matter what, he will get to your
precious source code (or some interpretation of it).

Obfuscators exist out there that do a pretty decent job of keeping the
bumbling fool from easily reading your code, but a competent Joe will always
be able to read and understand (after some thinking) what your code does.

Anyways there's not much in terms of algorithm that's not already out there
somewhere.

Web services can help in this respect by putting sensitive code on the
server and not being accessible by a client and the code that's not so
sensitive (GUI stuff) on the client.

Chris.

 

[dam]

Thank you all for participating.
You made me believe that good obfuscator will get the job
done.
Now, I have seen the output from dotfuscator and I think
it is pretty good.

If anyone knows for better obfuscator, please post it.

Thanks.

 

[Michael Lang]

Thank you all for participating.
You made me believe that good obfuscator will get the job
done.
Now, I have seen the output from dotfuscator and I think
it is pretty good.

If anyone knows for better obfuscator, please post it.

Thanks.

This is what I am going to use when I am ready to deploy my app. It does
alot more than obfuscators. It actually encrpts the executeable. They
show samples on the web page what the source and outputs looks like.

http://www.remotesoft.com/salamander/protector.html

I haven't actually tested it yet, but it sounds better. I won't be ready
to actually buy it for another 6 months, when my application is in the beta
test phase. I'd be interested if anyone has been able to hack around code
that has been protected by this program.

Michael Lang, MCSD

 

[news.microsoft.com]

Does this affect the performance of the appliation when its obscfuated