Code Protection
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I've been using {smartassembly}[^] for my own products for about two years now. Very happy with it. Before I had used Spices.Net for a few years, which wasn't bad either.
Wout
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
Out of curiosity why is this such a big deal in .Net? When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this. Is there some fundamental difference between how the two runtimes deal with the bytecode?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
I don't know anything about Java, I've never worked with it so I couldn't say but for .net there are numerous tools out there that can take an assembly and easily (one click) convert it back into source code in any supported .net language and when publishing commercial software it behooves one to make it at least difficult to circumvent a licensing system or prevent some chop shop in a 3rd world country from turning your entire application into their entire application and republishing it. Obfsucation is painless, cheap and easy and so it's a no brainer to use it with commercial software, I wouldn't bother of course with anything my livelihood wasn't depending on.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
You probably already know about dotfuscator. There is a commercial version, but it is EXPENSIVE.... I noticed another post about strong naming. Be aware that strong name signatures can be removed from a signed assembly. We actually did some of this to try and figure out how a hacker might get into our code easily. There are tools out there that will do this. David
An intelligent, determined hacker can circumvent *anything* that's not and never has been the point with these tools and it's no argument against taking reasonable precautions if they are cheap and easy and don't affect the software performance adversely. The old adage that locks are only designed to keep honest people out clearly applies to this situation as well. I don't want to spend forever and a lot of money on this, it's not worth it, but I'm not going to "flip up my skirt" either. :) In the end though, most if not the majority of piracy comes from the end users themselves being able to easily pass on your software to their friends not some uber hackers somewhere in a darkened room messing about. Take care of the casual stuff and you pretty much eliminate the problem to any degree worthwhile pursuing.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
Out of curiosity why is this such a big deal in .Net? When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this. Is there some fundamental difference between how the two runtimes deal with the bytecode?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
Jim Crafton wrote:
Is there some fundamental difference between how the two runtimes deal with the bytecode?
Not at all. My guess is that there are more desktop applications written with .NET than Java, or at least more commercial ones. Having said that, a simple search[^] shows that there are many Java bytecode obfuscators as well.
-
Jim Crafton wrote:
Is there some fundamental difference between how the two runtimes deal with the bytecode?
Not at all. My guess is that there are more desktop applications written with .NET than Java, or at least more commercial ones. Having said that, a simple search[^] shows that there are many Java bytecode obfuscators as well.
Weird, maybe Java was still new enough in 99 that people weren't as concerned, plus very little of our program was desktop based.
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
While what you say is true only an idiot would release licensed commercial .net code without any obfuscation at all because you're not trying to defend against *skilled* developers, that was never the point of any obfuscation scheme, you're protecting against the average moron with a copy of any of the zillion free tools for opening and generating source code from the assembly. Particularly the area that manages your licensing scheme whatever it happens to be or other proprietary and complex code that you don't want to just give away to an utter moron. And once you understand how it works it's pretty easy to ensure that the JIT is happy at all times.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
The average moron doesn't hack the binaries themselves. They download apps that does it for them, or serial number generators. Obfuscation is truly a waste of money.
-- Kein Mitleid Für Die Mehrheit
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I'll second Xenocode (see below). We used Spices.Net for a while, but I just found the customer support and desire to keep it up to date better with Xenocode. However, if you really want to know what the obfuscator is like open up the obfuscated code in Reflector and see how intelligible it is.
Deja View - the feeling that you've seen this post before.
-
Out of curiosity why is this such a big deal in .Net? When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this. Is there some fundamental difference between how the two runtimes deal with the bytecode?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
Jim Crafton wrote:
When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this.
Wow. Obfuscation was SOP for our production builds when I was working with Java in 1999-2001. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
Jim Crafton wrote:
When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this.
Wow. Obfuscation was SOP for our production builds when I was working with Java in 1999-2001. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Well it was a consulting project for an internal application at a company. Maybe that's why they weren't concerned?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
I'll second Xenocode (see below). We used Spices.Net for a while, but I just found the customer support and desire to keep it up to date better with Xenocode. However, if you really want to know what the obfuscator is like open up the obfuscated code in Reflector and see how intelligible it is.
Deja View - the feeling that you've seen this post before.
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
-
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
We use Microsoft SLP Services Code Protector. Rather expensive but is included with some MSDN Subscriptions if you have one. It is way more advanced than Obfuscation. You get your own specific Permutation that is used to create intermediary code that only a specific virtual machine can interpret. This is all done automatically with a couple dlls you have to include in your project but for everything we have tried it can't be broken without having access to the original permutation. Something to look into.
-
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
Sorry - I should have clarified that I meant that a good test of ANY obfuscator is to try it in reflector.
Deja View - the feeling that you've seen this post before.
-
Well it was a consulting project for an internal application at a company. Maybe that's why they weren't concerned?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
Gotcha. OT: How are you? :) /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
Gotcha. OT: How are you? :) /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Good! :)
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001From my own experience Xenocode is better then Spices.Net I've seen some assemblies obfuscated with xenocode that couldn't be decompiled by .Net Reflector. It just said 'item obfuscated' instead of the code. (Not all of the code but some parts.)
Giorgi Dalakishvili #region signature my articles #endregion
-
The average moron doesn't hack the binaries themselves. They download apps that does it for them, or serial number generators. Obfuscation is truly a waste of money.
-- Kein Mitleid Für Die Mehrheit
Jörgen Sigvardsson wrote:
Obfuscation is truly a waste of money.
Yes. I agree with you.. I'm not sure why ppl want to use those kinda "Code protection" program. I think it will make your program slow. .
Thanks and Regards, Michael Sync ( Blog: http://michaelsync.net)
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I've been happy with .Net Reactor. It's cheaper than most out there $179 per license or $279 for company. I've used it for the past six months and so far I've been happy with it. It has a NecroBit protection level which is propriatary to this software. I've tried all the de-obfuscators on my assemblies and none have been able to crack them. Check it out at http://www.eziriz.com/
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001There are two ways to protect .NET code; obfuscation (string encryption, variable naming code flow) and code protection (prevents decompilers, code encryption, anti-debug stuff, and anti-tampering). This discussion thread seem to morph the two approaches. So I have attempted to compare the varous products mentioned in the threads (below). But first this is how I would define the two classes of protectors Code Protection - Products that employ anti-reverse engineering technology into the code and protect the code at runtime - Can include anti-decompiling capabilities, code encryption, anti-debug, anti-tamper, and runtime exection protection Code Obfuscators - Products that remove context from the code by obfuscating the IL. - Includes string encryption, changing code flow, variable renaming - Some may include anti-decompiler technology, but without protection of the code in memory its has little value Here is how would groups the different products mentioned Code Protection V.i. Labs CodeArmor - Encrypts IL code at assembly level and protects the decryption operation with a driver based technology. Continiously monitors for anti-debugging and other reverse engineer tools to deter analyzing the code in memory. The .NET binaries will appear as native unmanged code on disk. Microsoft SLPS - Tranforms and encrypts code into a per vendor proprietary format and implements a separate VM CLR to compile code. Can protect at method level, but have severe performance issues because of VM CLR component. XHEO CodeVeil - Encrypts IL code, has some obfuscation, some anti-debug, but code is accessible in memory and more exposed to dumpers. Salamander Protector - Not an available product, but can test by giving them code. I believe they encrypt the IL code and provide a library that hooks the CLR to decrypt JIT and limited exposure in memory. However, I do not believe that monitor the runtime environment for tools and protect against their stuff being hooked. Traditional Code Obfuscation Note: Should be able to combine obfuscation with some of the products above for really strong protection. Spices.NET Obfuscation .NET Reactor PreEmptive DotObfuscator