Preventing decompilation
-
So yesterday a colleague of mine was telling me how easy it is to decompile .Net and Java compiled code. So this made me a little uneasy and I did a quick Google search to find out that this was something that could be done easily. I know a lot of people here write .Net code and some of us write Java code. What do you do to prevent people from decompiling your compiled code? Is there any secure way to prevent this?
-
You can use a tool to obfuscate your assembly's IL (aka "byte code" in Java). Google for DotObfuscator and you'll see what I mean.
My WPF Blog
-
"Don't hesitate, obfuscate"
-
Well it's not that bad... If you ever had to modify some big project written by someone else you know that the risks of decompilation are grossly overstated... ;P
-
Do most people that distribute byte code use an obfuscator? If you were going to distribute an application that was compiled into byte code would you use an obfuscator?
For Java: Zelix Klassmaster and I think it's a great product.
"You have an arrow in your butt!" - Fiona
Welcome to CP in your language. Post the unicode version in My CP Blog now. People who don't understand how awesome Firefox is have never used CPhog. The act of using CPhog (Firefox) alone doesn't make Firefox cool. It opens your eyes to the possibilities and then you start looking for other things like CPhog (Firefox) and your eyes are suddenly open to all sorts of useful things all through Firefox. - (Self Quote)
-
This is not a problem to which a technical solution (obfuscation) is the best approach. It is better to put a "no reverse engineering/decompilation" clause in your license document...
Bear in mind that obfuscation:
(*) Wrecks any code that uses reflection
(*) Makes stack traces useless
Ex Datis: Duncan Jones, Merrion Computing Ltd
-
For Java: Zelix Klassmaster and I think it's a great product.
Is this something that you do when you are writing Java or .Net applications? I am just wondering if this is something that I should do when distributing applications to clients. Are there drawbacks or any other issues you have seen when using obfuscators?
-
This is not a problem to which a technical solution (obfuscation) is the best approach. It is better to put a "no reverse engineering/decompilation" clause in your license document...
Bear in mind that obfuscation:
(*) Wrecks any code that uses reflection
(*) Makes stack traces useless
Ex Datis: Duncan Jones, Merrion Computing Ltd
Duncan Edwards Jones wrote:
It is better to put a "no reverse engineering/decompilation" clause in your license document...
Duncan Edwards Jones wrote:
(*) Wrecks any code that uses reflection (*) Makes stack traces useless
Excellent points.
-
This is not a problem to which a technical solution (obfuscation) is the best approach. It is better to put a "no reverse engineering/decompilation" clause in your license document...
Bear in mind that obfuscation:
(*) Wrecks any code that uses reflection
(*) Makes stack traces useless
Ex Datis: Duncan Jones, Merrion Computing Ltd
I was thinking of this approach also. If I did not use obfuscation and I just had a no reverse engineering/decompilation clause is there any way to see if someone broke it? I am also not sure if this is something that clients/customers do often. My first guess would be to say no, but just the thought of it worries me somewhat.
-
Most code is not that important taken individually. Unless you have a trade-secret algorithm (which is patentable BTW? (idk)) there is nothing that can be gained.
"Until the day of his death, no man can be sure of his courage" -- Jean Anouilh
-
Do most people that distribute byte code use an obfuscator? If you were going to distribute an application that was compiled into byte code would you use an obfuscator?
The only way to distribute a .NET application is as "byte code" (IL, to be exact). An assembly, either an EXE or DLL, contains IL. Decompilers turn IL into equivalent code in a higher-level language (ex. IL -> C#). If you obfuscate the IL, it's extremely difficult to make sense out of the decompiled C#.
-
Duncan Edwards Jones wrote:
It is better to put a "no reverse engineering/decompilation" clause in your license document...
Duncan Edwards Jones wrote:
(*) Wrecks any code that uses reflection (*) Makes stack traces useless
Excellent points.
Not really, if it's important to obfuscate and encrypt it then it should be done. It's trivial to set the obfuscator to not obfuscate the method names for the reflected methods anyway. We do it all the time. As for stack traces being useless it's not entirely true either, sure some of the method names etc will be obfuscated but it's pretty easy to follow the stack trace if you wrote the software in the first place. We use an Encryptor and obfuscator so it's not an issue in any case.
-
Most code is not that important taken individually. Unless you have a trade-secret algorithm (which is patentable BTW? (idk)) there is nothing that can be gained.
"Until the day of his death, no man can be sure of his courage" -- Jean Anouilh
Right, and I have a bridge in Brooklyn you might want to buy. :rolleyes: Unless you are specifically excluding commercial software in your comment then I couldn't possibly disagree with you more. We have built and sold commercial software via the internet for over 10 years now and I could write a good sized novel on all the nefarious stuff I've seen people do when they have any kind of access to your code and the motivation to do so. Not obfuscating commercial software is negligent at best.
-
This is not a problem to which a technical solution (obfuscation) is the best approach. It is better to put a "no reverse engineering/decompilation" clause in your license document...
Bear in mind that obfuscation:
(*) Wrecks any code that uses reflection
(*) Makes stack traces useless
Ex Datis: Duncan Jones, Merrion Computing Ltd
That clause is a given, but useless in practical terms. Licensed customers are not interested in pirating your software, they already paid. When you see requests for hacks and cracks of the software you spent years of your life working on posted on the internet and then people trying to fulfil them you will have a slightly different opinion about this subject. Not to mention it's very minor to exclude reflected methods from obfuscation and relatively inexpensive to buy an obfuscator / encryptor than a simple encryptor. And it's trivially easy to read your own software's stack trace even with the method names obfuscated. -- modified at 11:58 Thursday 6th July, 2006
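The reflection and stack-trace points argued in the posts above, as an added example that is not part of the thread and is not any obfuscator's real code or map format: a toy renamer (hypothetical, with constructed member names and a constructed trace) shows a by-name lookup failing after renaming, succeeding once the member is on a keep list, and the rename map turning an obfuscated trace back into original names.

```python
import re
from collections import defaultdict
from itertools import count

def short_names():
    """Yield a, b, ..., z, aa, ab, ... the way a renaming pass hands out names."""
    for n in count(1):
        name = ""
        while n:
            n, r = divmod(n - 1, 26)
            name = chr(97 + r) + name
        yield name

def build_map(members, keep=frozenset()):
    """members: 'Namespace.Class.Method' strings. Returns {original: shipped}.
    Names restart at 'a' in every class; members in `keep` are left alone.
    Simplification (assumption): only method names are renamed, not types."""
    per_class = defaultdict(short_names)
    out = {}
    for qualified in members:
        cls = qualified.rsplit(".", 1)[0]
        out[qualified] = qualified if qualified in keep else f"{cls}.{next(per_class[cls])}"
    return out

def lookup_by_name(rename_map, qualified):
    """Stand-in for a string-based reflective lookup against the shipped build."""
    if qualified not in rename_map.values():
        raise LookupError(f"member not found in shipped build: {qualified}")
    return qualified

FRAME = re.compile(r"^(\s*at )([\w.]+)(\(.*)$")

def retrace(trace, rename_map):
    """Rewrite each 'at X.Y.z(...)' frame back to its original name."""
    reverse = {new: old for old, new in rename_map.items()}
    out = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        out.append(m[1] + reverse.get(m[2], m[2]) + m[3] if m else line)
    return "\n".join(out)

# Constructed sample data, not taken from any real product.
MEMBERS = ["Billing.Invoice.ComputeTotal", "Billing.Invoice.ApplyDiscount",
           "Billing.PluginHost.LoadPlugin", "Billing.Tax.RateFor"]
KEEP = frozenset({"Billing.PluginHost.LoadPlugin"})  # looked up by string at runtime
TRACE = """System.InvalidOperationException: rate table empty
   at Billing.Tax.a(String region)
   at Billing.Invoice.b(Decimal pct)
   at Billing.PluginHost.LoadPlugin(String path)"""
```

Because short names restart in every class, `a` alone is ambiguous; the trace is only readable with the class context and the map kept from the build that produced it.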
-
Is this something that you do when you are writing Java or .Net applications? I am just wondering if this is something that I should do when distributing applications to clients. Are there drawbacks or any other issues you have seen when using obfuscators?
I do it for anything I release to be used. Whether it's a demo or just what. I do it because I've spent 1000's of hours on some Java code I was paid to write. If that code gets decompiled and used by anyone it's my fault and a disservice to my clients. I obfuscate *everything* to the degree that it would take some real effort to get at the code.