How can I protect my .NET assemblies from decompilation?

13

90

One of the first things I learned when I started with C# was the most important one. You can decompile any .NET assembly with Reflector or other tools. Many developers are not aware of this fact and most of them are shocked when I show them their source code.

Protection against decompilation is still a difficult task. I am still looking for a fast, easy and secure way to do it. I don't want to obfuscate my code so my method names will be a,b,c or so. Reflector or other tools should be unable to recognize my application as a .NET assembly at all. I know about some tools already but they are very expensive. Is there any other way to protect my applications?

EDIT:

The reason for my question is not to prevent piracy. I only want to stop competitors from reading my code. I know they will and they already did. They even told me so. Maybe I am a bit paranoid but business rivals reading my code doesn't make me feel good.

Tours answered 19/3, 2010 at 14:57 Comment(3)
If Reflector can't tell if your application is a .NET assembly, then how is the application trying to load it supposed to do so? - Katrinakatrine
Re "I don't want to obfuscate my code so my method names will be a,b,c or so." Why not? That's the obvious thing to do to make it harder for competitors to make sense out of your logic. - Moulmein
Yeah obfuscation 100% "just works". First you shouldn't put "secrets" into your code, things that "once found in code can compromise security". Second, did you ever take code on GitHub and try to repurpose it? I mean, even non-obfuscated code can be insane to repurpose due to used paradigms, class coupling, blurred class responsibilities, dependency fest, callback fests and more. That means, your obfuscated code is perfectly safe, until we get robot programmers able to understand programming logic and rewrite/refactor code fast, which is not happening soon. - Biome
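
The first comment above points out that the runtime itself must be able to recognize a managed assembly before it can load it. As an added illustration (not part of the original thread), this Python example reads the PE field that both the loader and any decompiler rely on, the CLR header data directory (index 14); `build_sample` is a hypothetical helper that produces constructed header bytes, not a real assembly.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)
OPT_MAGIC = {0x10B: 96, 0x20B: 112}  # PE32 / PE32+ -> offset of data directories


def clr_header_entry(image: bytes):
    """Return (rva, size) of the CLR header directory, or None if not managed."""
    try:
        if image[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 4 + 20  # skip PE signature and 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in OPT_MAGIC:
            return None
        dirs = opt + OPT_MAGIC[magic]
        (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
        if count <= CLR_DIR_INDEX:
            return None
        rva, size = struct.unpack_from("<II", image, dirs + 8 * CLR_DIR_INDEX)
    except struct.error:  # truncated or malformed header
        return None
    return (rva, size) if rva and size else None


def build_sample(managed: bool, pe32_plus: bool = False) -> bytes:
    """Constructed PE headers only (not a loadable file), for demonstration."""
    magic = 0x20B if pe32_plus else 0x10B
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", magic) + b"\0" * (OPT_MAGIC[magic] - 6)
    opt += struct.pack("<I", 16)  # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 8 * CLR_DIR_INDEX, 0x2008, 0x48)
    return dos + b"PE\0\0" + b"\0" * 20 + opt + bytes(dirs)


if __name__ == "__main__":
    for label, img in [("managed PE32", build_sample(True)),
                       ("native PE32", build_sample(False)),
                       ("managed PE32+", build_sample(True, True))]:
        print(label, "->", clr_header_entry(img))
```

An assembly that the CLR loads directly must carry a populated entry here, which is why a file cannot be both loadable by the runtime and unrecognizable to inspection tools.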
117

One thing to keep in mind is that you want to do this in a way that makes business sense. To do that, you need to define your goals. So, exactly what are your goals?

Preventing piracy? That goal is not achievable. Even native code can be decompiled or cracked; the multitude of warez available online (even for products like Windows and Photoshop) is proof a determined hacker can always gain access.

If you can't prevent piracy, then how about merely reducing it? This, too, is misguided. It only takes one person cracking your code for it to be available to everyone. You have to be lucky every time. The pirates only have to be lucky once.

I put it to you the goal should be to maximize profits. You appear to believe that stopping piracy is necessary to this endeavor. It is not. Profit is simply revenue minus costs. Stopping piracy increases costs. It takes effort, which means adding cost somewhere in the process, and so reduces that side of the equation. Protecting your product also fails to increase your revenue. I know you look at all those pirates and see all the money you could make if only they would pay your license fees instead, but the reality is this will never happen. There is some hyperbole here, but it generally holds that pirates who are unable to crack your security will either find a similar product they can crack or do without. They will never buy it instead, and therefore they do not represent lost sales.

Additionally, securing your product actually reduces revenue. There are two reasons for this. One is the small percentage of customers who have trouble with your activation or security, and therefore decide not to buy again or ask for their money back. The other is the small percentage of people who actually try a pirated version of software to make sure it works before buying. Limiting the pirated distribution of your product (if you are somehow able to succeed at this) prevents these people from ever trying your product, and so they will never buy it. Moreover, piracy can also help your product spread to a wider audience, thus reaching more people who will be willing to pay for it.

A better strategy is to assume that your product will be pirated, and think about ways to take advantage of the situation. A couple more links on the topic:
How do i prevent my code from being stolen?
Securing a .NET Application

Gallonage answered 19/3, 2010 at 14:57 Comment(12)
The main goal is not to prevent piracy. The goal is to prevent competitors from reading my code. I know they will do, they already did. - Nasopharynx
If that is your goal, an obfuscator is sufficient. - Gallonage
I wouldn't say that pirates will never buy any licence if some software is not crackable. That's not 100% true. I've seen people saying I'm not gonna buy it that soft/game, can't afford, blah blah and then buying it after they noticed the cracked version is outdated, virused or does not allow them to access some online functionality. - Messene
@Messene Of course that's hyperbole, but the actual percentage is very low - Gallonage
Protecting your product does nothing to increase revenue? Where is your hard data to support that claim? That has not been the experience of any of the software sellers I know. In fact the reverse has been the case by a long ways. Securing your product reduces revenue? No, that just isn't consistent with the experience of the sellers I know. I've heard these kinds of claims made a lot, but I think they must be being made by people who haven't tried it both ways. Either that, or they're in very different corners of the industry from those in which the people I know sell their wares. - Eel
-1 IMHO Not an answer to the question. Also, false, unless the software is very cheap - many users, few buyers. The reason why having even a partial barrier to piracy is a net win to profits is that there are many potential customers who won't bother buying something if they can get it free, BUT also hesitate to install pirated software (risk of viruses, inconvenience of updates). In my experience, the people who download cracked software are generally not potential customers, given their willingness to take that risk rather than pay money. Potential customers download legal trial version - Moulmein
Any suggestions about "ways to take advantage of the situation"? - Raze
@Raze there's some info about that in the links at the bottom. - Gallonage
Ah ok. I thought a different kind of discussion :P Such as "now that your software has been spread by piracy, you can do this and that so piracy is now working for you, instead of against you" (e.g. Microsoft diffusion of pirated versions of Windows to gain worldwide adoption). - Raze
I fear not the piracy of my software but other competitors reusing the software I made spending millions, and changing my logo to theirs... and building on it to making something else... - Reynold
Not an answer and patently false. Plenty of customers will pirate if it's easy, and buy if forced to. - Disrespectable
Agree; not a good answer at all. Doesn't address the question and doesn't take into account the type of individuals the questioner is concerned about. - Ichor
16

At work here we use Dotfuscator from PreEmptive Solutions.

Although it's impossible to protect .NET assemblies 100%, Dotfuscator makes it hard enough I think. It comes with a lot of obfuscation techniques:

Cross Assembly Renaming
Renaming Schemes
Renaming Prefix
Enhanced Overload Induction
Incremental Obfuscation
HTML Renaming Report
Control Flow
String Encryption

And it turned out that they're not very expensive for small companies. They have a special pricing for small companies.

(No I'm not working for PreEmptive ;-))

There are freeware alternatives of course;

Implausible answered 19/3, 2010 at 14:57 Comment(1)
I use this too. Very good software although it has some useless features (to me) like the one that makes your program expire or the one that reports exceptions to you by email. But the rename and the logic flow thing are very good and I see no way for anyone to actually read your code after a good run through this program. - Credible
14

Host your service in any cloud service provider.

Hake answered 19/3, 2010 at 14:57 Comment(0)
10

How to prevent decompilation of any C# application

Pretty much describes the entire situation.

At some point the code will have to be translated to VM bytecode, and the user can get at it then.

Machine code isn't that much different either. A good interactive disassembler/debugger like IDA Pro makes just about any native application transparent. The debugger is smart enough to use AI to identify common APIs, compiler optimizations, etc. It allows the user to meticulously rebuild higher level constructs from the assembly generated from machine code.

And IDA Pro supports .Net to some extent too.

Honestly, after working on a reverse engineering (for compatibility) project for a few years, the main thing I got out of my experience is that I probably shouldn't worry too much about people stealing my code. If anyone wants it, it will never be very hard to get it no matter what scheme I implement.

Morphosis answered 19/3, 2010 at 14:57 Comment(1)
It is only necessary to make it more difficult to read the code than it is to write the code. - Katrinakatrine
9

No obfuscator can protect your application, not even any one described here. See this link, it's a deobfuscator which can deobfuscate almost every obfuscator out there.

https://github.com/0xd4d/de4dot

The best way which can help you (but remember that they are also not foolproof) is to use mixed codes, code your important codes in unmanaged language and make a DLL like in C or C++ and then protect them either with Armageddon or Themida. Themida is not for every cracker, it's one of the best protectors in the market, it can also protect your .NET software.

Anticholinergic answered 19/3, 2010 at 14:57 Comment(0)
5

I know you don't want to obfuscate, but maybe you should check out Dotfuscator, it will take your compiled assemblies and obfuscate them for you. I think it can even encrypt them.

Ammo answered 19/3, 2010 at 14:57 Comment(0)
3

We use SmartAssembly for .NET protection of an enterprise level distributed application, and it has worked great for us.

Eccrine answered 19/3, 2010 at 14:57 Comment(0)
3

I've heard about some projects that directly compile IL into native code. You can get some additional info from this post: Is it possible to compile .NET IL code to machine code?

Oribel answered 19/3, 2010 at 14:57 Comment(0)
2

If you want to fully protect your app from decompilation, look at Aladdin's Hasp. You can wrap your assemblies in an encrypted shell that can only be accessed by your application. Of course one wonders how they're able to do this but it works. I don't know however if they protect your app from runtime attachment/reflection which is what Crack.NET is able to do.

-- Edit Also be careful of compiling to native code as a solution...there are decompilers for native code as well.

Transpierce answered 19/3, 2010 at 14:57 Comment(0)
1

Do you API?

Instead of trying to protect your one DLL file in one of your products on all of your customers' devices, why not create an API service for your precious product features? Let the actual product that is saved on a device consume that API to deliver the product as you want it.

I think this way you are 100% sure that your code is not decompiled and you set your own limits in your API so that developers / hackers don't consume your API in a way you don't want it.

Sure is some more work, but in the end, you are in control.

Blakeley answered 19/3, 2010 at 14:57 Comment(0)
0

Besides the third party products listed here, there is another one: NetLib Encryptionizer. However it works in a different way than the obfuscators. Obfuscators modify the assembly itself with a deobfuscation "engine" built into it. Encryptionizer encrypts the DLLs (Managed or Unmanaged) at the file level. So it does not modify the DLL except to encrypt it. The "engine" in this case is a kernel mode driver that sits between your application and the operating system. (Disclaimer: I am from NetLib Security)

Howrah answered 19/3, 2010 at 14:57 Comment(0)
0

I know this is old but, Themida is the most advanced anti-cracking software I've ever used.
It's not free, though.

Nguyen answered 19/3, 2010 at 14:57 Comment(0)
0

If someone has to steal your code, it likely means your business model is not working. What do I mean by that? For example, I buy your product and then I ask for support. You're too busy or believe my request is not valid and a waste of your time. I decode your product in order to support my relative business. Your product becomes more valuable to me and I prioritize my time in a way to resolve the business model for leveraging your product. I recode and re-brand your product and then go out and make the money that you decided to leave on the table. There are reasons for protecting code, but most likely you are looking at the problem from the wrong perspective. Of course you are. You're the "coder", and I'm the business man. ;-) Cheers!

ps. I'm also a developer. i.e. "coder"

Razor answered 19/3, 2010 at 14:57 Comment(1)
It could be a competitor with an existing product who is trying to add your features to their product. - Enormous
