473,320 Members | 1,817 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

C# code protection

Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso
Nov 15 '05 #1
9 8489
Hi Saso,

You should be aware that the code you create is also easily accessible not
just the odd string constant. There are tools available to disassemble
assemblies that can reconstruct the code quite nicely.
I havent dug into this deeply and so cannot comment on the viability of
obfuscators but I have tried a disassembler and see that it can do the job
very well.
Cheers
-jr-

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso

Nov 15 '05 #2
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso

Nov 15 '05 #3
so an obfuscator is basicly software which "moves things around" in your
assemblies?

As I mentioned before I use SQL Server in my application and if I left the
connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso


Nov 15 '05 #4
Why you said the obscufator that comes with VS.NET is next to useless? I am
wondering because I am planning to use it. Is it really next to useless??
Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is next to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
so an obfuscator is basicly software which "moves things around" in your
assemblies?

As I mentioned before I use SQL Server in my application and if I left the connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and

cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
> Hi!
>
> I have recently completed an application, written in C#.
> When I opened one of the files with a hex editor I was amazed by the
> lack
> of protection for the assemblies.
> My application uses SQL Server and during install it sets up tables
> needed in the application. I also use a simple protection system,
> which stores a string (an initialization password) in the database,
> needed for the application to unlock after a few days have passed.
> The thing is, that all of the strings that I use in my assembly are
> clearly visible when using a hex editor.
> Is there a way of "hiding" that string? Or does anyone have any better > suggestions?
>
> thanks,
> Saso



Nov 15 '05 #5
Doesnt take much to reverse it :D check online (google) for tools to do that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I am wondering because I am planning to use it. Is it really next to useless??
Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is

next
to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
so an obfuscator is basicly software which "moves things around" in your assemblies?

As I mentioned before I use SQL Server in my application and if I left the connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and

cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
> You may be interested in dotfuscator:
>
> http://www.preemptive.com/
>
> "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> news:8b*************************@posting.google.co m...
> > Hi!
> >
> > I have recently completed an application, written in C#.
> > When I opened one of the files with a hex editor I was amazed by the > > lack
> > of protection for the assemblies.
> > My application uses SQL Server and during install it sets up tables > > needed in the application. I also use a simple protection system,
> > which stores a string (an initialization password) in the database, > > needed for the application to unlock after a few days have passed.
> > The thing is, that all of the strings that I use in my assembly are > > clearly visible when using a hex editor.
> > Is there a way of "hiding" that string? Or does anyone have any better > > suggestions?
> >
> > thanks,
> > Saso
>
>



Nov 15 '05 #6
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made
it so easy for people to view the logic of a .NET software, which in the end
will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do that :D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I
am
wondering because I am planning to use it. Is it really next to useless??

Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is
next
to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
> so an obfuscator is basicly software which "moves things around" in your > assemblies?
>
> As I mentioned before I use SQL Server in my application and if I
left the
> connection
> strings in the program anyone with a hex editor could see them.
> What I did is I encrypted a text file (using .NET security and
cryptography
> classes) and I derypt and read the file during install.
> It's probably not the best solution but it's something :)
>
> One other thing... I also use a "Setup and deployment project" in my
> application. How can I get obfuscated files into the .msi file? I

have > VS.NET 2003 and DOTFuscator is included
> with vs.net.
>
> Thanks a lot for your answers,
> Saso
>
> "Edward Yang" <ne***********@msn.com> wrote in message
> news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > You may be interested in dotfuscator:
> >
> > http://www.preemptive.com/
> >
> > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message > > news:8b*************************@posting.google.co m...
> > > Hi!
> > >
> > > I have recently completed an application, written in C#.
> > > When I opened one of the files with a hex editor I was amazed by

the > > > lack
> > > of protection for the assemblies.
> > > My application uses SQL Server and during install it sets up tables > > > needed in the application. I also use a simple protection system, > > > which stores a string (an initialization password) in the database, > > > needed for the application to unlock after a few days have passed. > > > The thing is, that all of the strings that I use in my assembly are > > > clearly visible when using a hex editor.
> > > Is there a way of "hiding" that string? Or does anyone have any

better
> > > suggestions?
> > >
> > > thanks,
> > > Saso
> >
> >
>
>



Nov 15 '05 #7
unless you are encrypting the payload and have a loader somehow, (and where
is the decrypt key stored?? :D) its always going to be possible to reverse
it.

If a code obscufator works by replacing variable names with crappy names or
other symbols then the algorithm would still be visible won't it?

There are a few but I would ask "how" they obscufate it

here is one that I quickly found and I am sure there are many other attempts
at solving this problem, http://www.wiseowl.com/products/products.aspx

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:#s**************@TK2MSFTNGP12.phx.gbl...
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made it so easy for people to view the logic of a .NET software, which in the end will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do

that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I
am
wondering because I am planning to use it. Is it really next to useless??

Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
> This is a big problem with managed code, the obscufator in .NET 2003 is next
> to useless, same for theyre resource editor.
>
>
>
> --
>
> Duncan McNutt
> Microsoft Product Deactivation Team
> --
>
>
> "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> news:bh**********@planja.arnes.si...
> > so an obfuscator is basicly software which "moves things around" in your
> > assemblies?
> >
> > As I mentioned before I use SQL Server in my application and if I left the
> > connection
> > strings in the program anyone with a hex editor could see them.
> > What I did is I encrypted a text file (using .NET security and
> cryptography
> > classes) and I derypt and read the file during install.
> > It's probably not the best solution but it's something :)
> >
> > One other thing... I also use a "Setup and deployment project" in
my > > application. How can I get obfuscated files into the .msi file? I have > > VS.NET 2003 and DOTFuscator is included
> > with vs.net.
> >
> > Thanks a lot for your answers,
> > Saso
> >
> > "Edward Yang" <ne***********@msn.com> wrote in message
> > news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > > You may be interested in dotfuscator:
> > >
> > > http://www.preemptive.com/
> > >
> > > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message > > > news:8b*************************@posting.google.co m...
> > > > Hi!
> > > >
> > > > I have recently completed an application, written in C#.
> > > > When I opened one of the files with a hex editor I was amazed by the
> > > > lack
> > > > of protection for the assemblies.
> > > > My application uses SQL Server and during install it sets up

tables
> > > > needed in the application. I also use a simple protection system, > > > > which stores a string (an initialization password) in the

database,
> > > > needed for the application to unlock after a few days have passed. > > > > The thing is, that all of the strings that I use in my
assembly are
> > > > clearly visible when using a hex editor.
> > > > Is there a way of "hiding" that string? Or does anyone have

any better
> > > > suggestions?
> > > >
> > > > thanks,
> > > > Saso
> > >
> > >
> >
> >
>
>



Nov 15 '05 #8
If something is encrytped by a loader, whats to stop me loading up a ram
editor, like winhex and viewing ram with it in its decrypted form?

I suppose something is better than nothing.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#N*************@TK2MSFTNGP10.phx.gbl...
unless you are encrypting the payload and have a loader somehow, (and where is the decrypt key stored?? :D) its always going to be possible to reverse
it.

If a code obscufator works by replacing variable names with crappy names or other symbols then the algorithm would still be visible won't it?

There are a few but I would ask "how" they obscufate it

here is one that I quickly found and I am sure there are many other attempts at solving this problem, http://www.wiseowl.com/products/products.aspx

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:#s**************@TK2MSFTNGP12.phx.gbl...
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made
it so easy for people to view the logic of a .NET software, which in the

end
will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do
that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
> Why you said the obscufator that comes with VS.NET is next to
useless?
I
am
> wondering because I am planning to use it. Is it really next to

useless??
>
>
> Tony
>
>
>
> "Duncan McNutt" <mu*******@127.0.0.22> wrote in message
> news:u8**************@TK2MSFTNGP09.phx.gbl...
> > This is a big problem with managed code, the obscufator in .NET
2003 is
> next
> > to useless, same for theyre resource editor.
> >
> >
> >
> > --
> >
> > Duncan McNutt
> > Microsoft Product Deactivation Team
> > --
> >
> >
> > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in
message > > news:bh**********@planja.arnes.si...
> > > so an obfuscator is basicly software which "moves things around"

in your
> > > assemblies?
> > >
> > > As I mentioned before I use SQL Server in my application and if
I left
> the
> > > connection
> > > strings in the program anyone with a hex editor could see them.
> > > What I did is I encrypted a text file (using .NET security and
> > cryptography
> > > classes) and I derypt and read the file during install.
> > > It's probably not the best solution but it's something :)
> > >
> > > One other thing... I also use a "Setup and deployment project"
in my > > > application. How can I get obfuscated files into the .msi file?
I have
> > > VS.NET 2003 and DOTFuscator is included
> > > with vs.net.
> > >
> > > Thanks a lot for your answers,
> > > Saso
> > >
> > > "Edward Yang" <ne***********@msn.com> wrote in message
> > > news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > > > You may be interested in dotfuscator:
> > > >
> > > > http://www.preemptive.com/
> > > >
> > > > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> > > > news:8b*************************@posting.google.co m...
> > > > > Hi!
> > > > >
> > > > > I have recently completed an application, written in C#.
> > > > > When I opened one of the files with a hex editor I was

amazed by the
> > > > > lack
> > > > > of protection for the assemblies.
> > > > > My application uses SQL Server and during install it sets up
tables
> > > > > needed in the application. I also use a simple protection

system,
> > > > > which stores a string (an initialization password) in the
database,
> > > > > needed for the application to unlock after a few days have

passed.
> > > > > The thing is, that all of the strings that I use in my assembly are
> > > > > clearly visible when using a hex editor.
> > > > > Is there a way of "hiding" that string? Or does anyone have any > better
> > > > > suggestions?
> > > > >
> > > > > thanks,
> > > > > Saso
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 15 '05 #9
mikep
3
I would advise you to keep away from obfuscating your code.
It has the potential of introducing many bug in case you rely on reflection. Moreover, public methods names are not obfuscated and in case you are relying on a third party library to manage you authorization and authentication need then you are really in de ep trouble. I would recommend using code encryption based utilities, specifically CliSecure by SecureTeam which I find very useful. You can find it at SecureTeam
Jun 15 '06 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
by: dam | last post by:
Hi, since there are tools that can decompile assemblies and show ENTIRE SOURCE CODE (!?) is there any way for developers to protect their work ? Or, is famoues .NET framework just for...
6
by: YK | last post by:
All, What is the best way to protect IL code? --------------------------------------------------- Typical scenario: Visual Studio .NET 2003 includes Dotfuscator Community Edition, which...
15
by: Enzo | last post by:
Hi Ng, It's possible to protect the source code of a js file? With PHP? Thanks in advance! Enzo
7
by: Boni | last post by:
Dear all, in order to protect my assembly component from decompilation I implemented following schema: I created mixed mode C++ project wich has managed cProxy class and unmanaged cMemLoader....
28
by: Noone Here | last post by:
AIUI, it was not all that long ago when the threat to personal users, was attachments that when executed compromised machines with keyloggers, trojans, etc. Now it seems that the big problem is...
14
by: Usman | last post by:
Hi I'm working on an application that contains classes for licensing, authentication etc, including all the algorithms of encryption/decryption etc. I wanted to secure this code, but after...
64
by: Bayazee | last post by:
hi can we hide a python code ? if i want to write a commercial software can i hide my source code from users access ? we can conver it to pyc but this file can decompiled ... so ...!! do you...
16
by: FAQ server | last post by:
----------------------------------------------------------------------- FAQ Topic - How do I protect my javascript code? ----------------------------------------------------------------------- ...
22
by: flit | last post by:
Hello All, I have a hard question, every time I look for this answer its get out from the technical domain and goes on in the moral/social domain. First, I live in third world with bad gov., bad...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.