How to protect .Net exe from Decompiling/Cracking

Asked 29/7, 2012 at 17:39 Answered 1/1, 2014 at 19:58

I am really sad because a few days ago we launched our software developed in .Net 4.0 (Desktop application). After 3 days, its crack was available on the internet. We tried to protect the software from this but somehow people got away cracking it.

Here is the scenario: When the application launches the first time it communicates with the web server and checks the credentials passed by the user. If the credentials are correct, the software saves the values in the Registry, sends the MachineID back to the server and stores it in the database.

Now, the hacker has replaced the Server communication with a "return true;" statement (I checked that with Telrik JustDecompile). and he has uploaded the cracked software on the internet.

Now, following are my questions:
1- How to make sure that .Net application will not get cracked ?
2- The hacker now knows my code since he has done the modification. What steps should i take ?
3- I read on the internet about - obfuscators . But the hacker knows my code what should i do ?
4- Any other pro tips that i can use to avoid getting the software cracked ?
5- I am not sure but can these reflector softwares also decompile the App.Config with sensitive data ?

Scapegrace answered 29/7, 2012 at 17:39 Comment(8)

Get a lawyer.... – Footpoundsecond 29/7, 2012 at 17:43

The fact that you are using C# does not help either, anyway you can't do too much about this, just work on the business logic and the algorithm and improve them. – Tamp 29/7, 2012 at 17:49

There is bright side to all this. Apparently your application is worth cracking, you should consider that a compliment. – Timeworn 29/7, 2012 at 17:54

Well, we have spent alot of time in making that and target market was also big. Man, i never saw this recompiling thing coming :@ – Scapegrace 29/7, 2012 at 18:27

Is this really a bad thing? You now have a customer base that knows your application, and wants it so bad that they are looking at other sources then the official distribution to get it. Once they start working for a company (or start their own), and need your functionality, what do you think they'll do? Go for something they known, or go with another application? Can't you consider the cracked version as an educational tool for future customers? Have you seen any serious company using pirated software intentionally? Have this caused any lost sales? – Manageable 29/7, 2012 at 19:37

One thing to ponder: the people using it illegally - were they ever going t pay for it? Are these actually "lost sales"? I'd wager that in many cases: no. That doesn't make it any less annoying, of course. – Seton 29/7, 2012 at 19:41

My 2c - create your own 'crack' and upload it to the net. Put tracking in it, so at least you can figure out how much you're 'losing'. – Christiachristian 30/7, 2012 at 4:44

Next release Obfuscate it. It makes it 20 times more difficult to crack. – Escalator 6/6, 2017 at 22:17

1- How to make sure that .Net application will not get cracked ?

If a computer can run your code + The hacker can run his own code at a higher privilege level than you, there is nothing that can 100% prevent your app from being cracked. Even if they just have access to the executable but not the target platform they still can step through and mimic what the target platform would do and figure out how the protection is being done.

2- The hacker now knows my code since he has done the modification. What steps should i take ?

Totally rewrite the authentication portion so they have to start from scratch but they will get it again, it is just a matter of how long.

3- I read on the internet about - obfuscators . But the hacker knows my code what should i do ?

The jinni is out of the bottle now that they have the non-obfuscated code. There is not much you can do unless you drastically re-write the software so they have to start from scratch. A obfuscateor will not prevent a determined attacker, they only thing that can prevent it is keeping the binary out of their hands.

4- Any other Pro tips that i can use to avoid getting the software cracked ?

The only copy protection I have seen to remotely delay for any period of time is what Ubisoft did with Assassin's Creed: Brotherhood. They encrypted ther levels with the game disk and it had to download the decryption key from the internet as it was needed (This is the keeping the binary out of their hands approach). But that did not work forever, eventually the hackers did get those levels decrypted and it was fully cracked. This approach is just what I saw take the longest time to get around without legal involvement (See point 2 at the bottom)

5- I am not sure but can these reflector softwares also decompile the App.Config with sensitive data ?

All the reflector software needs to do is look for the section that loads App.config and read what the defaults are. There is no secure place to store information on a computer you do not have full control over. If it is on the computer, it can be read. If it can be read, it can be reverse engineered.

The only real solution I can see to prevent piracy is one of two options.

The person never gets your app, it is streamed from a server under your control and they never get to see the binary. The only thing you send them is the information they need to drive the UI. This is the approach that all MMO's work on. People can reverse engineer what you are sending to the UI and mimic the logic that is going on on your servers but they will never be able to outright see what it is doing and if your software is complex enough it may not be feeseable for the attacker to recreate the server side code. The downside to this approach is you will need to host servers for your users to connect to, this will be a reoccurring cost you will need a way to re-coup. Often this method is called a "Rich Client" or "Thin Client" depending on how much processing is done client side and how much processing is done server side. See Chapter 22 of "Microsoft Application Architecture Guide, 2nd Edition". Specifically I am describing what is shown in figure 4 and 5
The seccond option is whoever you sell your software too have them sign a legal contract not to distribute the software (not a EULA, a actual contract that must be physically signed by the client). In that contract have large fines be applied to the person who leaks the software, then riddle your program with fingerprints that are unique to the person who buys the software so that when the program is leaked you can see who did it. (This is the method the vendor Hex-Rays use for their disassembler IDA. A quick google search could not turn up any cracked versions newer than 6.1, they are on 6.3). This method will not stop piracy, but it may discourage the copy to be leaked in the first place. This also lets you recover some lost costs associated with the program being leaked in the first place. One issue is that you will need to put a lot of fingerprints and they will need to be subtle, if a attacker can get two copies of the program and can compare the files between the two he will be able to tell what is the identifying information and just put whatever they want in so they can't tell who they got it from. The only way to do this is put a lot of red-herrings in that can't just be stripped out or randomized, also make the identifying code non-critical to running the software, if they don't have to work to crack it they are more likely to leave it in.

Update: After revisiting this answer to link to it for another question I thought of a easy way of implementing the #2 solution.

All you need to do is run your code through an obfuscateor and let it rename your classes for every person you sell your software to (I would still make them sign a license agreement, not just click a EULA so you can enforce the next part). You then make a database of the obfuscation mapping, when you see a leaked copy on the internet you just need to find one class anywhere in the project, look it up in your database, and you will know who leaked it and know who you need to go after for legal damages.

Pentobarbital answered 29/7, 2012 at 17:56 Comment(4)

If the app is streamed from a server to a client, it is still on the client. A hacker has a binary image they can start to hack. – Cad 29/7, 2012 at 18:3

@EricJ. Not stream the binary, stream just presentation layer in a 3 tier program, The business logic layer and the database layer would be server side. – Pentobarbital 29/7, 2012 at 18:9

"The person never gets your app, it is streamed from a server under your control and they never get to see the binary." <-- what do you call this in technical terms so that i can search on it ? Smart client ? – Scapegrace 29/7, 2012 at 18:39

@user1470127 That would be the "Thin Client" or "Rich Client" depending on how much processing you want to do client side. See Chapter 22 of "Microsoft Application Architecture Guide, 2nd Edition". Specifically I am describing what is shown in figure 4 and 5 – Pentobarbital 29/7, 2012 at 18:59

1: you can't. You can obfuscate, but the only way of preventing this is: don't give anyone the exe. Look how much games companies spend on this; they haven't solved it either.

2: obfuscation would help a little, although it is an arms race between obfuscators and de-obfuscators

3: too late to go back and undo that, but the obfuscation will slow them down a bit in future

5: app.config is usually very readable; you not much you can do here; encrypting will only slow them down a bit if the keys are in your app and therefore obtainable

Seton answered 29/7, 2012 at 17:43 Comment(4)

@1: They have solved it, have a look at steam and valve. At least for online games that is not totally true. – Quigley 29/7, 2012 at 17:49

@MareInfinitus At least one universal launcher exists for Steam games, and a few emulators, all of which bypass all their security. Even online can be broken (server emulators exist for Ubisoft's always-on). Marc is correct, this is unsolvable. – Cayuse 29/7, 2012 at 17:53

Oh my God. This is a bad new :@. So, probably making a desktop application was a bad decision. – Scapegrace 29/7, 2012 at 18:29

Okay if i cannot do much about this. Can you please tell me a "Must Do" list before launching a desktop application ? – Scapegrace 29/7, 2012 at 18:42

As others have said there really isn't anything you can do against a determined cracker if they have access to your code. Obfuscation will provide some protection against a lazy cracker. Dotfuscator is built into VS you can give it a try. Keep in mind that there is a real cost to obfuscation. It will make it very difficult to debug issues from stack traces that your (paying) customers send you.

Syncope answered 29/7, 2012 at 19:51 Comment(0)

The best answer is one you will have to accept. You can't. Just focus on giving your users a great user experience, and make licensing very easy. The possibility that your application can be cracked does not mean that choosing to build a desktop application was a bad idea. Pirates will be pirates and honest customers will be honest customers.

Banish answered 30/7, 2012 at 4:7 Comment(0)

Apparently there is enough commercial or intellectual value cracking your app that someone with reasonable skills tried it almost right away.

The only way you will win that war is to use commercial software protection packages.

If you try to implement copy protection yourself, you will be an easy target to hack again.

If you write a business application you would not also write the database engine that stores the data. You should also not write the crack prevention code for your application. That is not what solves your customer's problem, and it takes a tremendous skill set to do it right.

Cad answered 29/7, 2012 at 17:44 Comment(4)

@tremendous skill set: You will only have to be smarter than the crackers, which are in some cases very skilled. – Quigley 29/7, 2012 at 17:51

The only way you will win that war is to use commercial software protection packages. it might give you a little edge for a while, but you're still in a losing battle even if you use commercial protection packages. – Identity 29/7, 2012 at 22:31

Disagree with Lie Ryan--there are plenty of very strong anti-copying tools available commercially--look for answers I have already posted to similar questions. Try ours (CodeMeter) or others (SafeNet or KeyLoc). You don't have to get cracked, despite what many people believe. – Absorbing 30/7, 2012 at 15:10

@LieRyan: You can win in a commercial sense. If the worlds #1 hacker takes an interest in breaking your app, he can do that. Using strong commercial software protection tends to ensure that the vast majority of your real user base (the ones that really would pay for the app) purchase a license. After all, the world's #1 hacker will probably also insert a spam bot in the hacked version. – Cad 30/7, 2012 at 22:29

What you can do, in addition to the code obfuscation is, adding a mechanism of code decryption based on hardwareID, have in mind the following scenario, the send their HwID to your server, you identify the copy/owner/installation number/etc with that HwID, and you reply with a decription key BASED in that HwID for THAT specific binary (with the fingerprints mentioned before), so the hacking would be harder, since for fully functionality they need valid access to your server, otherwise they can't use the software.

Cheers,

Pence answered 1/1, 2014 at 19:58 Comment(0)

Recommended topics

Hot tags