Decompiling C#?!?!? Where is the privacy?

I found a few days ago that it was possible to decompile any program developed
in C#

That is a huge failure.... It's not acceptable that a company that pays a lot
for visual studio and pays the employees to develop new products, and then
all the code is exposed....

I found that the decompilers are pretty good, and have options like
deObfuscate....

Is there any solution to this...? Isn't there a way to make access
to the source code difficult?

Hope that this will be a hot topic here in the news groups because it's a
problem that will affect all of us
Dec 16 '05 #1
"Diogo Alves - Software Developer"
<Di*************************@discussions.microsoft .com> wrote in
message news: 7C**********************************@microsoft.com...

| Hope that this will be a hot topic here in the news groups because it's a
| problem that will affect all of us

This has been discussed a lot already. Using a *good* obfuscator is the only
real solution IMO. There are several on the market.

Joanna

--
Joanna Carter [TeamB]
Consultant Software Engineer
Dec 16 '05 #2
You may be over-exaggerating the problem... or rather, imagining that it is
specific to C#.

The reply to the following post (which started the same as this, but about
Java) explains how this applies equally to every single programming
language, compiler, etc on the market. To be honest, though, in any moderate
sized company you're probably at just as much risk of a disgruntled employee
taking the source out on a CD and uploading it somewhere...

http://forum.java.sun.com/thread.jsp...311&tstart=150

If your concern is intellectual property, then yep; the best you can do is to
buy a good obfuscator and make it damned hard (but not impossible).

If your concern is security algorithms, then the answer is to use a proper
security algorithm where knowledge of the exact implementation does not
allow access to the data (encrypt rather than cypher).

Marc

Dec 16 '05 #3
tjb
<Di*************************@discussions.microsoft .com> wrote:
> I found a few days ago that it was possible to decompile any program developed
> in C#

<snip>

Here's an article on the topic:
<http://www.pobox.com/~skeet/csharp/obfuscation.html>.
Dec 16 '05 #4
You are finding out now that it is possible to decompile ANY program
developed in ANY language on ANY platform. There are decompiler programs out
there that will do this. Bottom line is, if the computer can read it (to
execute it), so can you.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but it takes a very long time,
and the bicycle has to *want* to change.

Dec 16 '05 #5
Hi,

Diogo Alves - Software Developer wrote:
> I found a few days ago that it was possible to decompile
> any program developed in C#

Any program, developed, in anything, can be decompiled / disassembled. The
ease of doing so and the resemblance of the reversed code to the original
may vary some, but anything that can be interpreted by a computer in order
to execute can also be interpreted by humans to see how it works.

> That is a huge failure.... It's not acceptable that a company that
> pays a lot for visual studio and pays to the employees to develop
> new product, and then all the code is exposed....

...and what? :) Are you sure your code is all that interesting? It is the
whole product and the effort to put it together that has value, not any of
the thousands of lines of code taken out of context and usually containing
techniques that are well documented elsewhere. If you have invented a new,
valuable algorithm that you wish to protect and license -- patent it.

--
Chris Priede
Dec 16 '05 #6
Remember too if someone does copy your code, you'll be able to tell as
well by decompiling theirs ;)

Dec 16 '05 #7
I hate to be so blunt, but if your company already bought Visual Studio
and dedicated yourself to .NET without knowing this, then that is an error
on your part. The fact that assemblies are in IL is a basic tenet of .NET,
and is difficult to overlook, let alone miss completely.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

Dec 16 '05 #8

"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote in
message news:ue**************@tk2msftngp13.phx.gbl...
> I hate to be so blunt, but if your company already bought Visual Studio
> and dedicated yourself to .NET without knowing this, then that is an error
> on your part. The fact that assemblies are in IL is a basic tenet of
> .NET, and is difficult to overlook, let alone miss completely.

I wonder how many people will have missed this. I know I did ;)
Dec 17 '05 #9
Doug H wrote:
> Remember too if someone does copy your code, you'll be able to tell as
> well by decompiling theirs ;)

<snigger> don't most EULAs stipulate that you are not allowed to reverse
engineer the code?

I sold a product once that allowed users to add their own help into MSDN
library (the VS6 version). My company released it to the internet as a
beta product. A few weeks later a competitor (about 100,000 times bigger
than us) released a beta product of their own, doing the same thing as
our product. It was funny, the same mistakes in the XML that we produced
also appeared in theirs, we didn't have to resort to decompiling or
disassembling to determine what code had influenced theirs <g>.

We got in touch with president of that company and after a few long
phone calls he expressed an interest in licencing our technology. Then a
few weeks later Microsoft announced that they would use a different
technology in their next version of MSDN library and our dreams of pot
loads of cash disappeared. :-(

Richard
--
Fusion Tutorial: http://www.grimes.demon.co.uk/workshops/fusionWS.htm
Security Tutorial:
http://www.grimes.demon.co.uk/workshops/securityWS.htm
Dec 17 '05 #10
Just as a further note regarding this issue, software is copyrighted, in the
same way that books, movies, and music are copyrighted. The purpose of
copyright laws is to provide a means of legal redress to the owner of the
intellectual property in the event that someone copies it or plagiarizes it
in some way. It is important to note that there would be no need for
copyright laws if these types of things were not able to be copied.

Again, reverse-engineering is something that has been around for as long as
software has been around. If a computer can read the binary instructions and
execute them, so can a human being, with the aid of a computer. There are
myriads of decompilers and other software for analyzing software on the
market. Some people make their living using this sort of software.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but it takes a very long time,
and the bicycle has to *want* to change.

Dec 18 '05 #11
You should have knowledge of several layers below the one you are working
on. This is not optional. If you are a .NET developer and don't know what
IL is then I gotta agree with Nicholas... It's like not knowing you have
blood running through your veins ;)

--

Derek Davis
dd******@gmail.com

"Mario Charest" <po********@127.0.0.1> wrote in message
news:J0********************@weber.videotron.net...
> "Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote
> in message news:ue**************@tk2msftngp13.phx.gbl...
>> I hate to be so blunt, but if your company already bought Visual
>> Studio and dedicated yourself to .NET without knowing this, then that is
>> an error on your part. The fact that assemblies are in IL is a basic
>> tenet of .NET, and is difficult to overlook, let alone miss completely.
>
> I wonder how many people will have missed this. I know I did ;)

Dec 18 '05 #12
If the fact that people can figure out how your software works is a
problem for your business, then you're doing something wrong. As others
have pointed out, any program can be reverse engineered. Any
expectation of keeping your code private is lost the moment you
distribute it to someone else.

C# and other .NET languages leave a lot of information in the compiled
file that make reverse engineering easier, but the same information
also makes debugging easier, makes useful features like Reflection
work, and allows the CLR to run your program more efficiently. The
tradeoff is well worth it, since all you're really losing is a false
sense of security.

Jesse

Dec 18 '05 #13
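
The metadata described in the post above, as an added example that is not part of the original thread: a C# program that uses Reflection to list what the compiled assembly still records about a private method. The `LicenseChecker` class, its members and the `MetadataDump` helper are hypothetical names constructed for this illustration.

```csharp
// Added illustration, not code from the thread.
using System;
using System.Linq;
using System.Reflection;
using System.Text;

// Constructed sample standing in for "proprietary" code; every name is hypothetical.
internal sealed class LicenseChecker
{
    private readonly string productSalt = "constructed-sample-value";

    private bool IsKeyValid(string key, int edition)
    {
        int checksum = 0;
        foreach (char c in key + productSalt) checksum += c;
        return (checksum + edition) % 7 == 3;
    }
}

public static class MetadataDump
{
    // Describes one type purely from the metadata the compiler emitted.
    public static string Describe(Type t)
    {
        const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        var sb = new StringBuilder();
        sb.AppendLine("type " + t.FullName + " (public: " + t.IsPublic + ")");

        // Private field names and types are kept in the assembly.
        foreach (FieldInfo f in t.GetFields(all))
            sb.AppendLine("  field " + f.FieldType.Name + " " + f.Name +
                          " (private: " + f.IsPrivate + ")");

        foreach (MethodInfo m in t.GetMethods(all))
        {
            // Method and parameter names survive compilation as well.
            string args = string.Join(", ",
                m.GetParameters().Select(p => p.ParameterType.Name + " " + p.Name));
            sb.AppendLine("  method " + m.ReturnType.Name + " " + m.Name + "(" + args + ")");

            MethodBody body = m.GetMethodBody();   // null for abstract or extern methods
            if (body == null) continue;
            // These IL bytes are what a decompiler turns back into C#.
            sb.AppendLine("    IL bytes: " + body.GetILAsByteArray().Length);
            // Locals keep only type and slot; their names live in the PDB, not the assembly.
            foreach (LocalVariableInfo local in body.LocalVariables)
                sb.AppendLine("    local #" + local.LocalIndex + ": " + local.LocalType.Name);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        Console.Write(Describe(typeof(LicenseChecker)));
    }
}
```

A renaming obfuscator changes the names this prints, but the member types and the IL bytes remain, because the CLR needs them to run the method.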
Chris Priede wrote:
> Hi,
>
> Diogo Alves - Software Developer wrote:
>> I found a few days ago that it was possible to decompile
>> any program developed in C#
>
> Any program, developed, in anything, can be decompiled / disassembled. The
> ease of doing so and the resemblance of the reversed code to the original
> may vary some, but anything that can be interpreted by a computer in order
> to execute can also be interpreted by humans to see how it works.

The ease of recovering "useful" source and the degree of resemblance to the
original *are* what matter, though. Truisms to the effect that "anything can be
decompiled" are just red herrings somewhere off to the side of that point.

>> That is a huge failure.... It's not acceptable that a company that
>> pays a lot for visual studio and pays to the employees to develop
>> new product, and then all the code is exposed....
>
> ...and what? :) Are you sure your code is all that interesting? It is the
> whole product and the effort to put it together that has value, not any of
> the thousands of lines of code taken out of context and usually containing
> techniques that are well documented elsewhere. If you have invented a new,
> valuable algorithm that you wish to protect and license -- patent it.

The shipped executable encapsulates all those lines of code and is the end
product of all that effort. So in a real enough sense it is "the whole
product". Else who would bother de-engineering anything? It doesn't have to
incorporate any "new valuable algorithms" to be an investment worth protecting,
either.

What it seems to come down to is 1) it's apparently relatively easy to recover
"useful" source from a .net executable AND 2) to make it relatively hard one
must spend bucks on (ref Joanna) a *good* obfuscator. If Microsoft supplied a
*good* obfuscator with VS, this might be somewhat easier for folks like the OP
to swallow. So why don't they?

BTW, I agree of course that the OP should have known what he was buying.

-rick-
Dec 18 '05 #14
On this topic, my boss reckons he is gonna rewrite something he did in
C# back as a managed C++ DLL because he thinks that he can protect the
IP that way.
But from the mass amounts of response in this thread alone, it sounds
like that even his DLL will be reverse engineerable.
If so, can someone give me an indicator of how, tools, or even a
supporting topic from MS or anywhere reputable?

(You see, I don't know much C++ and I don't want him to change the DLL
so I need you to help me convince him to leave it as C# !!!!)

Many thanks,
Steven Nagy

Dec 19 '05 #15
Hi,

Rick Lones wrote:
> The ease of recovering "useful" source and the degree of resemblance to
> the original *are* what matter, though.

Only if you are interested in full source, which is usually _not_ the object
of interest in reverse engineering.

> The shipped executable encapsulates all those lines of code and is the end
> product of all that effort. So in a real enough sense it is "the
> whole product". Else who would bother de-engineering anything?

In my experience, it was always for very specific (and tiny) portions of the
code. The question was always "How did they do X?", where X was something
unique, inner workings of which were not apparent from that which could be
casually observed.

Most often, people resort to reverse engineering to clarify some details in
the process of creating a compatible product, e.g. capable of working with
competitor's undocumented format data files or interoperating with it in
some other way. This is in the "grey area" legally -- or at least difficult
to pursue.

If there is any demand for decompiling whole applications, I am not aware of
it. Perhaps clients of custom written software might sometimes be looking
for such when the original developer disappears or the relationship turns
sour, but I'd hope no one selling software would be insane enough to expect
to get away with decompiling a competitor's product and reusing major
portions of it in their own.

--
Chris Priede
Dec 19 '05 #16
Steven Nagy wrote:
> On this topic, my boss reckons he is gonna rewrite something he did in
> C# back as a managed C++ DLL because he thinks that he can protect the
> IP that way.

Ummm, why choose *managed* C++? The code will *still* be compiled to IL
which can be decompiled. Reflector will decompile IL to managed C++, or
to make it easier to read, C#. So compiling to managed C++ has no effect
whatsoever on protecting IP.

If your boss said compile as unmanaged C++ then I might understand the
sentiment. However, you can still disassemble the code to x86
assembler...

No one will want to decompile *all* of your code, there is no point
because they may as well just sell your app under their own name.
Instead, the IP thieves will want to get the secrets of your special
algorithm. That will reduce considerably the amount of code that they
will need to analyse. At that point it *might* be economic for them to
analyse x86 code.

The point about decompiling is that it reduces the time that it takes
people to learn about your code. Moving to unmanaged code will merely
lengthen the amount of time, it will not remove it completely. (It's like
cryptography: you apply enough protection to make it uneconomic to break
the code.)

> But from the mass amounts of response in this thread alone, it sounds
> like that even his DLL will be reverse engineerable.
> If so, can someone give me an indicator of how, tools, or even a
> supporting topic from MS or anywhere reputable?
>
> (You see, I don't know much C++ and I don't want him to change the DLL
> so I need you to help me convince him to leave it as C# !!!!)

The only solution is to patent the code and then sue anyone who steals
it.

Richard
--
Fusion Tutorial: http://www.grimes.demon.co.uk/workshops/fusionWS.htm
Security Tutorial:
http://www.grimes.demon.co.uk/workshops/securityWS.htm
Dec 19 '05 #17
> If so, can someone give me an indicator of how, tools, or even a
> supporting topic from MS or anywhere reputable?

Google "Decompiler Software"

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but it takes a very long time,
and the bicycle has to *want* to change.

Dec 19 '05 #18
You can totally block decompilers with encryption techniques. A tool
that does this is currently in beta at http://assemblylockbox.gibwo.com

Jan 4 '06 #19
