2012年10月21日 星期日

Protect .NET code from reverse engineering?


Obfuscation is one way, but it can't protect from breaking the piracy protection security of the application. How to make sure that the application is not tampered with, and how to make sure that the registration mechanism can't be reverse engineered. Also it is possible to make to convert C# app in native code, Xenocode is too costly.
C# provides lot of features, and is the ideal language for my code, so writing in C++ again the whole codebase is out of question.
Secure certificates can be easily removed from the signed assemblies in .NET

You can't.
There are steps you can take to make it a little more difficult but ultimately any executable on the local machine is crackable. Eventually that code has to be converted into native machine code and every application that is runnable is vulnerable.
What you want to do is just make it difficult enough to crack to make it not worth peoples trouble.
Some suggestions I have for you to help protect your app:
  • Obfuscate your code. Dotfuscator has a free edition and comes with Visual Studio.
  • Use public/private key or asymmetric encryption to generate your product licenses. This ensures that only you can generate your license codes. Even if your app is cracked you can be sure that they won't be releasing a key generator for your application because it is impossible to reverse the key generating algorithm.
  • Use a 3rd party packer to pack your .NET executable into an encrypted w32 wrapper application.Themida is one of the better ones. This stops people from reflecting your application in .NET Reflector and makes it a pain to unpack for reversing.
  • Write your own custom packer. If the 3rd party packers are too expensive, consider writing your own. Sometimes custom packers can be very effective because there aren't well published methods on how to unpack them. This tutorial gives a ton of good information on writing your own win32 packer.
Ultimately though, if people want your application cracked they will. Look at all the commercial software out there that has a vast amount of resources to protect their applications and yet they are cracked before the applications are even released to the public.
A skilled reverse engineer can fire up IDA-Pro and slice through your application like butter no matter what you do. A packed application can be unpacked and obfuscation only prevents it from making it a walk in the park. All your hard work with your complex license code can be undone with a single byte patch.
You just need to accept that there is a very real chance people are going to pirate your software. There are some people who are never going to pay for your application no matter what and these are the people you don't need to worry about.
There are however, many businesses out there who would never risk a lawsuit and happily buy software licenses and many computer users who either don't want to risk it, find it wrong or are not tech savvy enough to pirate. These are your true customers and you should focus your efforts on providing them with a good user experience and ignore the people cracking your software.
I've had my application pirated before and I took it as a personal affront. Here I was, a small-time developer, pouring my heart and soul into an application and these people had the gall to pirate from me?! They were taking money directly from my pocket!
I immediately added in a bunch of draconian DRM code and attempted to sabotage any person using an illegitimate or cracked copy. I should of been working on making my application better instead of trying to stop the inevitable. Not only that, but I was hurting my true customers will all these extra protections I was putting in.
After a long battle I realized I was fighting the tides and all this time wasted was for naught. I took out all the phone-home code except for the barebones license functions and never looked back.

沒有留言:

張貼留言