Code Protection
-
Jim Crafton wrote:
Is there some fundamental difference between how the two runtimes deal with the bytecode?
Not at all. My guess is that there are more desktop applications written with .NET than Java, or at least more commercial ones. Having said that, a simple search[^] shows that there are many Java bytecode obfuscators as well.
Weird, maybe Java was still new enough in 99 that people weren't as concerned, plus very little of our program was desktop based.
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
While what you say is true only an idiot would release licensed commercial .net code without any obfuscation at all because you're not trying to defend against *skilled* developers, that was never the point of any obfuscation scheme, you're protecting against the average moron with a copy of any of the zillion free tools for opening and generating source code from the assembly. Particularly the area that manages your licensing scheme whatever it happens to be or other proprietary and complex code that you don't want to just give away to an utter moron. And once you understand how it works it's pretty easy to ensure that the JIT is happy at all times.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
The average moron doesn't hack the binaries themselves. They download apps that does it for them, or serial number generators. Obfuscation is truly a waste of money.
-- Kein Mitleid Für Die Mehrheit
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I'll second Xenocode (see below). We used Spices.Net for a while, but I just found the customer support and desire to keep it up to date better with Xenocode. However, if you really want to know what the obfuscator is like open up the obfuscated code in Reflector and see how intelligible it is.
Deja View - the feeling that you've seen this post before.
-
Out of curiosity why is this such a big deal in .Net? When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this. Is there some fundamental difference between how the two runtimes deal with the bytecode?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
Jim Crafton wrote:
When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this.
Wow. Obfuscation was SOP for our production builds when I was working with Java in 1999-2001. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
Jim Crafton wrote:
When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this.
Wow. Obfuscation was SOP for our production builds when I was working with Java in 1999-2001. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Well it was a consulting project for an internal application at a company. Maybe that's why they weren't concerned?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
I'll second Xenocode (see below). We used Spices.Net for a while, but I just found the customer support and desire to keep it up to date better with Xenocode. However, if you really want to know what the obfuscator is like open up the obfuscated code in Reflector and see how intelligible it is.
Deja View - the feeling that you've seen this post before.
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
-
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
We use Microsoft SLP Services Code Protector. Rather expensive but is included with some MSDN Subscriptions if you have one. It is way more advanced than Obfuscation. You get your own specific Permutation that is used to create intermediary code that only a specific virtual machine can interpret. This is all done automatically with a couple dlls you have to include in your project but for everything we have tried it can't be broken without having access to the original permutation. Something to look into.
-
Doesn't xenocode have a compile .net to native code option? not much to reflect after that point.
You know, every time I tried to win a bar-bet about being able to count to 1000 using my fingers I always got punched out when I reached 4.... -- El Corazon
Sorry - I should have clarified that I meant that a good test of ANY obfuscator is to try it in reflector.
Deja View - the feeling that you've seen this post before.
-
Well it was a consulting project for an internal application at a company. Maybe that's why they weren't concerned?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
Gotcha. OT: How are you? :) /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
Gotcha. OT: How are you? :) /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Good! :)
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001From my own experience Xenocode is better then Spices.Net I've seen some assemblies obfuscated with xenocode that couldn't be decompiled by .Net Reflector. It just said 'item obfuscated' instead of the code. (Not all of the code but some parts.)
Giorgi Dalakishvili #region signature my articles #endregion
-
The average moron doesn't hack the binaries themselves. They download apps that does it for them, or serial number generators. Obfuscation is truly a waste of money.
-- Kein Mitleid Für Die Mehrheit
Jörgen Sigvardsson wrote:
Obfuscation is truly a waste of money.
Yes. I agree with you.. I'm not sure why ppl want to use those kinda "Code protection" program. I think it will make your program slow. .
Thanks and Regards, Michael Sync ( Blog: http://michaelsync.net)
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I've been happy with .Net Reactor. It's cheaper than most out there $179 per license or $279 for company. I've used it for the past six months and so far I've been happy with it. It has a NecroBit protection level which is propriatary to this software. I've tried all the de-obfuscators on my assemblies and none have been able to crack them. Check it out at http://www.eziriz.com/
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001There are two ways to protect .NET code; obfuscation (string encryption, variable naming code flow) and code protection (prevents decompilers, code encryption, anti-debug stuff, and anti-tampering). This discussion thread seem to morph the two approaches. So I have attempted to compare the varous products mentioned in the threads (below). But first this is how I would define the two classes of protectors Code Protection - Products that employ anti-reverse engineering technology into the code and protect the code at runtime - Can include anti-decompiling capabilities, code encryption, anti-debug, anti-tamper, and runtime exection protection Code Obfuscators - Products that remove context from the code by obfuscating the IL. - Includes string encryption, changing code flow, variable renaming - Some may include anti-decompiler technology, but without protection of the code in memory its has little value Here is how would groups the different products mentioned Code Protection V.i. Labs CodeArmor - Encrypts IL code at assembly level and protects the decryption operation with a driver based technology. Continiously monitors for anti-debugging and other reverse engineer tools to deter analyzing the code in memory. The .NET binaries will appear as native unmanged code on disk. Microsoft SLPS - Tranforms and encrypts code into a per vendor proprietary format and implements a separate VM CLR to compile code. Can protect at method level, but have severe performance issues because of VM CLR component. XHEO CodeVeil - Encrypts IL code, has some obfuscation, some anti-debug, but code is accessible in memory and more exposed to dumpers. Salamander Protector - Not an available product, but can test by giving them code. I believe they encrypt the IL code and provide a library that hooks the CLR to decrypt JIT and limited exposure in memory. However, I do not believe that monitor the runtime environment for tools and protect against their stuff being hooked. Traditional Code Obfuscation Note: Should be able to combine obfuscation with some of the products above for really strong protection. Spices.NET Obfuscation .NET Reactor PreEmptive DotObfuscator
-
I've been happy with .Net Reactor. It's cheaper than most out there $179 per license or $279 for company. I've used it for the past six months and so far I've been happy with it. It has a NecroBit protection level which is propriatary to this software. I've tried all the de-obfuscators on my assemblies and none have been able to crack them. Check it out at http://www.eziriz.com/
NecroBit just sounds like they are wrapping as an unmanaged binary. So on disk it looks like unmanaged code and decompilers will fail, but when running the IL code is still exposed in memory. The way to test this is using .NET generic unpackerhttp://www.ntcore.com/utilities.php[^] This tool will produce unprotected code while app is running if no other countermeasures are deployed
-
NecroBit just sounds like they are wrapping as an unmanaged binary. So on disk it looks like unmanaged code and decompilers will fail, but when running the IL code is still exposed in memory. The way to test this is using .NET generic unpackerhttp://www.ntcore.com/utilities.php[^] This tool will produce unprotected code while app is running if no other countermeasures are deployed
You're right however, I just tried it on one of my programs that is protected by .Net Reactor and I can see my form names as well as controls that I placed on the form. The problem comes when I try to view the code in my routines. .Net Reflector blows up and won't let me see anything, it just displays an error message. Now while this makes me feel better, I still don't like the fact that I can view my form names. It should be protected all the time and I will email .Net Reactor about this and see if they have a solution. Thanks for your input.
-
We're looking for an industrial-strength obfuscator with the following features: - Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered) I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products. CodeArmor.Net[^] CodeVeil[^] Salamander Protector[^] Spices.Net Obfuscator[^]
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I have personal experience with PreEmptive Solutions DotFuscator. With a price tag of around $2,000, it costs more than many of its competitors, however, it is top of the line when it comes to obfuscation. There are many advantages to obfuscation from a performance standpoint, the main one being that with obfuscation renaming you usually get a smaller file size and functions are addressed faster by the runtime due to smaller method names. Of course if you use string encryption/decryption, it may balance out the performance gain. Most professional obfuscation software will integrate into the Visual Studio build process so that you never have to leave the IDE (unless you want to). Obfuscation will prevent the large majority from attempting to tamper/reverse-engineer your code. It is not a fool-proof way of stopping it though. My opinion is that as long as you sell more of your product than the cost of obfuscation software, then it's worth the cost. It will stop the majority of those attempting to invade your code.
- Pero Matic -