Reputation: 165
We are developing a Desktop Application (Windows Service) with C#. We are trying to protect our intellectual property, and this is why we decided to use .NET Reactor.
Initially, it looked like a powerful tool. When obfuscating, I selected all available options except 'Native exe file' (Necrobit, Anti ILDASM, Anti Tampering, Control Flow obfuscation, Obfuscation, String Encryption, Compress & Encrypt Resources).
I tried to use DotPeek to check the results and was happy with the results.
But it turned out that there is a tool out there that can easily deobfuscate all assemblies (for apparent reasons I'm not going to mention what the tool is). But I'm curious if anyone has faced a similar type of problem. Does anyone know a reliable way to protect C# code that will be running on clients' desktops/servers?
**Please don't suggest rewriting the app using C++.**
Upvotes: 3
Views: 7027
Reputation: 16167
In general, the cost of writing software is many orders of magnitude greater than paying for a license to use it. Similarly, it is expensive to maintain. Thus, in most cases, the value of the intellectual property is low compared to the operations cost. Thus, few, if any, users are going to be sophisticated enough and economically advantaged enough to reverse-engineer your software for any purpose they might have.
Also, in general, if you hand out physical access to something, whether it’s a phone, a computer, or a compiled piece of software, you no longer have any expectation of security of whatever that is.
Therefore, I think your efforts are misguided. If there is a particularly valuable algorithm or approach, consider hosting on a server as an API, or pursuing a patent. If you must distribute this special piece, secure strong non-disclosure agreements with your clients. Make it economically risky for them to try to benefit from reverse-engineering.
Upvotes: 4
Reputation: 1633
Extract out an important part (or several - the more the better) of your program to run remotely on your servers - this would mean the user would need to be connected to the internet to run your program. Don't just add a remote key check because a cracker will just NOP that out. Instead, run a non-trivial algorithm there.
Build a hardware dongle & distribute it with your software. Again, implement one or more key algorithms on the dongle rather than just a key check.
After compiling, compress the resulting DLLs as an archive, THEN encrypt it. You will then use assembler to write a hand-coded "loader" (which attempts to hide what it's doing). Note that the loader will need to include the decryption key somewhere; however, there are things you can do to hide it better. The idea is to hide the fact that it's running on the .NET framework (this will certainly beat all the off-the-shelf decryption tools). It won't, however, dissuade crackers (who will see that the process in memory is .NET & will dump the process).
HTH
Upvotes: 0
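The difference between a remote key check and remotely hosted logic, which both answers above recommend, shown as an added example that is not code from any of the posters. `VendorServer`, `ShippedClient`, the license key and the scoring loop are hypothetical, and the in-process `VendorServer` class stands in for an authenticated HTTPS API that would never be shipped to the client.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for the vendor's server (assumption: in production this code lives
// only on the vendor's hosts and is reached over an authenticated HTTPS API).
public sealed class VendorServer
{
    private readonly HashSet<string> _licensed =
        new HashSet<string> { "LIC-CONSTRUCTED-001" }; // constructed sample key

    // Design A endpoint: answers only yes/no.
    public bool IsLicensed(string key) => _licensed.Contains(key);

    // Design B endpoint: enforces the license AND runs the valuable algorithm.
    public double? Score(string key, double[] samples)
    {
        if (!_licensed.Contains(key)) return null;
        double acc = 0;
        foreach (double s in samples) acc = acc * 0.5 + s; // placeholder for proprietary logic
        return acc;
    }
}

// Everything in this class ships in the client assembly.
public static class ShippedClient
{
    // Design A: the algorithm is in the shipped IL and a single branch guards it.
    // Obfuscation only slows recovery; the logic is still on the client's disk.
    public static double? ScoreWithKeyCheck(VendorServer server, string key, double[] samples)
    {
        if (!server.IsLicensed(key)) return null;
        double acc = 0;
        foreach (double s in samples) acc = acc * 0.5 + s;
        return acc;
    }

    // Design B: the shipped IL only forwards inputs and returns the server's result.
    // The client cannot produce the output without the server's cooperation.
    public static double? ScoreRemotely(VendorServer server, string key, double[] samples)
        => server.Score(key, samples);
}

public static class Program
{
    public static void Main()
    {
        var server = new VendorServer();
        var samples = new[] { 4.0, 2.0, 1.0 }; // constructed sample input
        Console.WriteLine(ShippedClient.ScoreWithKeyCheck(server, "LIC-CONSTRUCTED-001", samples));
        Console.WriteLine(ShippedClient.ScoreRemotely(server, "LIC-CONSTRUCTED-001", samples));
        Console.WriteLine(ShippedClient.ScoreRemotely(server, "unlicensed-key", samples) is null);
    }
}
```

In Design B the license decision and the algorithm sit in the same server-side method, so there is no client-side branch whose removal unlocks anything.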