By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
428,979 Members | 1,452 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 428,979 IT Pros & Developers. It's quick & easy.

C# code protection

P: n/a
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso
Nov 15 '05 #1
Share this Question
Share on Google+
9 Replies


P: n/a
Hi Saso,

You should be aware that the code you create is also easily accessible not
just the odd string constant. There are tools available to disassemble
assemblies that can reconstruct the code quite nicely.
I havent dug into this deeply and so cannot comment on the viability of
obfuscators but I have tried a disassembler and see that it can do the job
very well.
Cheers
-jr-

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso

Nov 15 '05 #2

P: n/a
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso

Nov 15 '05 #3

P: n/a
so an obfuscator is basicly software which "moves things around" in your
assemblies?

As I mentioned before I use SQL Server in my application and if I left the
connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the
lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is, that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso


Nov 15 '05 #4

P: n/a
Why you said the obscufator that comes with VS.NET is next to useless? I am
wondering because I am planning to use it. Is it really next to useless??
Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is next to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
so an obfuscator is basicly software which "moves things around" in your
assemblies?

As I mentioned before I use SQL Server in my application and if I left the connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and

cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
You may be interested in dotfuscator:

http://www.preemptive.com/

"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:8b*************************@posting.google.co m...
> Hi!
>
> I have recently completed an application, written in C#.
> When I opened one of the files with a hex editor I was amazed by the
> lack
> of protection for the assemblies.
> My application uses SQL Server and during install it sets up tables
> needed in the application. I also use a simple protection system,
> which stores a string (an initialization password) in the database,
> needed for the application to unlock after a few days have passed.
> The thing is, that all of the strings that I use in my assembly are
> clearly visible when using a hex editor.
> Is there a way of "hiding" that string? Or does anyone have any better > suggestions?
>
> thanks,
> Saso



Nov 15 '05 #5

P: n/a
Doesnt take much to reverse it :D check online (google) for tools to do that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I am wondering because I am planning to use it. Is it really next to useless??
Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is

next
to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
so an obfuscator is basicly software which "moves things around" in your assemblies?

As I mentioned before I use SQL Server in my application and if I left the connection
strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and

cryptography
classes) and I derypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and DOTFuscator is included
with vs.net.

Thanks a lot for your answers,
Saso

"Edward Yang" <ne***********@msn.com> wrote in message
news:Oy**************@TK2MSFTNGP10.phx.gbl...
> You may be interested in dotfuscator:
>
> http://www.preemptive.com/
>
> "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> news:8b*************************@posting.google.co m...
> > Hi!
> >
> > I have recently completed an application, written in C#.
> > When I opened one of the files with a hex editor I was amazed by the > > lack
> > of protection for the assemblies.
> > My application uses SQL Server and during install it sets up tables > > needed in the application. I also use a simple protection system,
> > which stores a string (an initialization password) in the database, > > needed for the application to unlock after a few days have passed.
> > The thing is, that all of the strings that I use in my assembly are > > clearly visible when using a hex editor.
> > Is there a way of "hiding" that string? Or does anyone have any better > > suggestions?
> >
> > thanks,
> > Saso
>
>



Nov 15 '05 #6

P: n/a
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made
it so easy for people to view the logic of a .NET software, which in the end
will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do that :D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I
am
wondering because I am planning to use it. Is it really next to useless??

Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
This is a big problem with managed code, the obscufator in .NET 2003 is
next
to useless, same for theyre resource editor.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
news:bh**********@planja.arnes.si...
> so an obfuscator is basicly software which "moves things around" in your > assemblies?
>
> As I mentioned before I use SQL Server in my application and if I
left the
> connection
> strings in the program anyone with a hex editor could see them.
> What I did is I encrypted a text file (using .NET security and
cryptography
> classes) and I derypt and read the file during install.
> It's probably not the best solution but it's something :)
>
> One other thing... I also use a "Setup and deployment project" in my
> application. How can I get obfuscated files into the .msi file? I

have > VS.NET 2003 and DOTFuscator is included
> with vs.net.
>
> Thanks a lot for your answers,
> Saso
>
> "Edward Yang" <ne***********@msn.com> wrote in message
> news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > You may be interested in dotfuscator:
> >
> > http://www.preemptive.com/
> >
> > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message > > news:8b*************************@posting.google.co m...
> > > Hi!
> > >
> > > I have recently completed an application, written in C#.
> > > When I opened one of the files with a hex editor I was amazed by

the > > > lack
> > > of protection for the assemblies.
> > > My application uses SQL Server and during install it sets up tables > > > needed in the application. I also use a simple protection system, > > > which stores a string (an initialization password) in the database, > > > needed for the application to unlock after a few days have passed. > > > The thing is, that all of the strings that I use in my assembly are > > > clearly visible when using a hex editor.
> > > Is there a way of "hiding" that string? Or does anyone have any

better
> > > suggestions?
> > >
> > > thanks,
> > > Saso
> >
> >
>
>



Nov 15 '05 #7

P: n/a
unless you are encrypting the payload and have a loader somehow, (and where
is the decrypt key stored?? :D) its always going to be possible to reverse
it.

If a code obscufator works by replacing variable names with crappy names or
other symbols then the algorithm would still be visible won't it?

There are a few but I would ask "how" they obscufate it

here is one that I quickly found and I am sure there are many other attempts
at solving this problem, http://www.wiseowl.com/products/products.aspx

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:#s**************@TK2MSFTNGP12.phx.gbl...
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made it so easy for people to view the logic of a .NET software, which in the end will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do

that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
Why you said the obscufator that comes with VS.NET is next to useless? I
am
wondering because I am planning to use it. Is it really next to useless??

Tony

"Duncan McNutt" <mu*******@127.0.0.22> wrote in message
news:u8**************@TK2MSFTNGP09.phx.gbl...
> This is a big problem with managed code, the obscufator in .NET 2003 is next
> to useless, same for theyre resource editor.
>
>
>
> --
>
> Duncan McNutt
> Microsoft Product Deactivation Team
> --
>
>
> "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> news:bh**********@planja.arnes.si...
> > so an obfuscator is basicly software which "moves things around" in your
> > assemblies?
> >
> > As I mentioned before I use SQL Server in my application and if I left the
> > connection
> > strings in the program anyone with a hex editor could see them.
> > What I did is I encrypted a text file (using .NET security and
> cryptography
> > classes) and I derypt and read the file during install.
> > It's probably not the best solution but it's something :)
> >
> > One other thing... I also use a "Setup and deployment project" in
my > > application. How can I get obfuscated files into the .msi file? I have > > VS.NET 2003 and DOTFuscator is included
> > with vs.net.
> >
> > Thanks a lot for your answers,
> > Saso
> >
> > "Edward Yang" <ne***********@msn.com> wrote in message
> > news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > > You may be interested in dotfuscator:
> > >
> > > http://www.preemptive.com/
> > >
> > > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message > > > news:8b*************************@posting.google.co m...
> > > > Hi!
> > > >
> > > > I have recently completed an application, written in C#.
> > > > When I opened one of the files with a hex editor I was amazed by the
> > > > lack
> > > > of protection for the assemblies.
> > > > My application uses SQL Server and during install it sets up

tables
> > > > needed in the application. I also use a simple protection system, > > > > which stores a string (an initialization password) in the

database,
> > > > needed for the application to unlock after a few days have passed. > > > > The thing is, that all of the strings that I use in my
assembly are
> > > > clearly visible when using a hex editor.
> > > > Is there a way of "hiding" that string? Or does anyone have

any better
> > > > suggestions?
> > > >
> > > > thanks,
> > > > Saso
> > >
> > >
> >
> >
>
>



Nov 15 '05 #8

P: n/a
If something is encrytped by a loader, whats to stop me loading up a ram
editor, like winhex and viewing ram with it in its decrypted form?

I suppose something is better than nothing.

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#N*************@TK2MSFTNGP10.phx.gbl...
unless you are encrypting the payload and have a loader somehow, (and where is the decrypt key stored?? :D) its always going to be possible to reverse
it.

If a code obscufator works by replacing variable names with crappy names or other symbols then the algorithm would still be visible won't it?

There are a few but I would ask "how" they obscufate it

here is one that I quickly found and I am sure there are many other attempts at solving this problem, http://www.wiseowl.com/products/products.aspx

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:#s**************@TK2MSFTNGP12.phx.gbl...
Oh my god, so do you have a suggested obscufator that works as expected?
Actually, the entire world is investing money on data security, but MS made
it so easy for people to view the logic of a .NET software, which in the

end
will be the one accessing the securited data.
"Duncan .McNutt" <fu*******@127.0.0.99> wrote in message
news:#B**************@TK2MSFTNGP10.phx.gbl...
Doesnt take much to reverse it :D check online (google) for tools to do
that
:D

--

Duncan McNutt
Microsoft Product Deactivation Team
--
"Tony Liu" <en*******@hotmail.com> wrote in message
news:ey**************@TK2MSFTNGP09.phx.gbl...
> Why you said the obscufator that comes with VS.NET is next to
useless?
I
am
> wondering because I am planning to use it. Is it really next to

useless??
>
>
> Tony
>
>
>
> "Duncan McNutt" <mu*******@127.0.0.22> wrote in message
> news:u8**************@TK2MSFTNGP09.phx.gbl...
> > This is a big problem with managed code, the obscufator in .NET
2003 is
> next
> > to useless, same for theyre resource editor.
> >
> >
> >
> > --
> >
> > Duncan McNutt
> > Microsoft Product Deactivation Team
> > --
> >
> >
> > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in
message > > news:bh**********@planja.arnes.si...
> > > so an obfuscator is basicly software which "moves things around"

in your
> > > assemblies?
> > >
> > > As I mentioned before I use SQL Server in my application and if
I left
> the
> > > connection
> > > strings in the program anyone with a hex editor could see them.
> > > What I did is I encrypted a text file (using .NET security and
> > cryptography
> > > classes) and I derypt and read the file during install.
> > > It's probably not the best solution but it's something :)
> > >
> > > One other thing... I also use a "Setup and deployment project"
in my > > > application. How can I get obfuscated files into the .msi file?
I have
> > > VS.NET 2003 and DOTFuscator is included
> > > with vs.net.
> > >
> > > Thanks a lot for your answers,
> > > Saso
> > >
> > > "Edward Yang" <ne***********@msn.com> wrote in message
> > > news:Oy**************@TK2MSFTNGP10.phx.gbl...
> > > > You may be interested in dotfuscator:
> > > >
> > > > http://www.preemptive.com/
> > > >
> > > > "Saso Zagoranski" <sa*************@guest.arnes.si> wrote in message
> > > > news:8b*************************@posting.google.co m...
> > > > > Hi!
> > > > >
> > > > > I have recently completed an application, written in C#.
> > > > > When I opened one of the files with a hex editor I was

amazed by the
> > > > > lack
> > > > > of protection for the assemblies.
> > > > > My application uses SQL Server and during install it sets up
tables
> > > > > needed in the application. I also use a simple protection

system,
> > > > > which stores a string (an initialization password) in the
database,
> > > > > needed for the application to unlock after a few days have

passed.
> > > > > The thing is, that all of the strings that I use in my assembly are
> > > > > clearly visible when using a hex editor.
> > > > > Is there a way of "hiding" that string? Or does anyone have any > better
> > > > > suggestions?
> > > > >
> > > > > thanks,
> > > > > Saso
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 15 '05 #9

P: 3
I would advise you to keep away from obfuscating your code.
It has the potential of introducing many bug in case you rely on reflection. Moreover, public methods names are not obfuscated and in case you are relying on a third party library to manage you authorization and authentication need then you are really in de ep trouble. I would recommend using code encryption based utilities, specifically CliSecure by SecureTeam which I find very useful. You can find it at SecureTeam
Jun 15 '06 #10

This discussion thread is closed

Replies have been disabled for this discussion.