Hi everybody. :wave:

I have recently created a huge application using Microsoft C#.NET.
Created a setup for this app, and deployed. This is a test application. We populated this proqram writing to CDs and are selling it in our country very efficiently.

The program is a real success with the public.

But, to avoid piracy we added an activation feature to the application. So as people who buy this program could activate it through internet. Using the activation key obtained from internet they activate the application and use it.

I didn't know that an application written on dotNET (that is compiled into MSIL) can be decompiled as succesfully.

I found a decompiler tool and decompiled my own application to read. I can easely read the source code. Only comments aren't visible.
Here is the link of this decompiler tool to download.
http://www.aisto.com/roeder/dotnet/
Name: Reflector.

Anyone who wants to crack it, or, anyone who wants to write a keygen for it can very easily accomplish it thanks to the decompiler tool from Luts Roeder (or any other decompiler tool).
(I understand that MSIL allows it to be decompiled).

Decompiling is the worth thing than I have ever known. This is just funny. Consider you write an HTML page. Your code can be viewed and be altered by anyone. I have always been a Microsoft developer. But I thing a Borland developer has a lot of pro's than a microsoft developer. What do you think?

Now, I am looking for a tool that can directly compile a dotNET source code into native machine code, or a mean to complie MSIL into a machine code. I don't want my code to be viewed by third parties.

What can I do to protect my code to be decompiled. I have also used obfuscators (like DotFuscator tool installed with VS.2003), but this also doesn't play any interesting role. The content of functions is still easily readable.

I think a professional developer must created projects only using unmanaged C/C++. But Microsoft unmanaged C++ libraries are to poor to be used to create professional business application.
I think developers must create thier own rich libraries to support such valuable technologies as Regular Expressions, Collections, XML, XML WebServices, Internet protocols, GUI components, Unicode, and many more for unmanaged C++ language.

Adding a direct compiler dotNET apps into machine code is not very difficult for Microsoft, I know it. Because this is anyway compiled.

Best Regards.
Thanks preliminary.

But I thing a Borland developer has a lot of pro's

Unless of course, you are using Delphi .NET :D

On a more serious note, this is a real issue. Compiling to native code helps this issue, but has some serious downsides.

Avoiding the use of .NET/CLR/CLS/MSIL and just using un-managed C++ is an alternative, but then so is hand coding binary files using a good editor :p [p.s. I use to do this about 30 years ago]

One solution is to write a launcher [typically in C++] that can dynamically decrpyt files on disk and couple this with the dynamic capabilities of the framework. This technique works well for both programs and data [and is in many ways similar to DRM].

We currently use this technique for some of our products, and are hoping to be able to release a version by the end of October this year.

My friend, I am afraid that writing a part of such applications is not a way out.
Because its code is already open. Consider all your apps are open source. And for free. :blush:

Interface with the unmanaged encrypter application can be succesfully copied from a managed application and be pasted into a new project. So, decrypted data could be obtained from my "unmanaged tool" :)

Is not that true?

If its code is fully viewable, you can do nothing, I am afraid.
To protect code, first you need is a real executable with native code.:D

Yes, I have that problem too. You see I want to protect game data for games that I create in C#. So people can't just edit the game files and be able to do anything they want! A good answer was to create C++ DLLs, then just use a function inside of the DLL for a boolean function that would test the key & code inside of a character file.

BUT

That's easy to crack! Because you just DECOMPILE the C# Game, then they can just look at how I called the C++ DLL!

rashad I think you're right about unmanaged being more secure, but there HAS to be another way (me no like C++) :( .

I also think that there must another way. It is not easy to ignore such a powerfull technology like dotNET. Its easy to develop, supports many new technologies and so on...

I think developers who realize the danger of decompilation capability of MSIL must ask Microsoft to provide additional direct compilator tool for dotNET apps to the next releases of Visual Studio.

Let's see what will they say. May be they have ony good ideas. Or may be being open source is a good idea :p

Who knows? :D

Would soneone give me a link where to sent my requests for Microsoft about dotNET, like feedback or so.

Let's all togather tell them to add a tool to compile dotNET apps for specific OS (for exaple MS Windows).

And this in turn, will be another benefit of dotNET to java. :cool:

Microsoft is God, they'll think of something :p

Thinking of money is not bad at all.

But thinking of the quality of their product, about the benefits and the security of their product must be one of the most interesting things for them.

In my opinion we must at least ask them for such a tool.
And they will be thinking of it.

Because direct compilation into native code, allows developers, to create very-very powerfull, highlevel application to deploy with no dependencies is such a short timie. :rolleyes: . This is just amazing. ;) Such a RAD tool like dotNET has not been seen among the programming languages of history.

So, I do beleive that OS specific native code compiler for dotNET apps is an actual idea, and must be enclosed to Microsoft.

I wish W3 created a standard for all OS's to have the same machine code so that all programs could be cross platform lol, but I don't know what I'm talking about! :sick:

--------------------

Wait W3 has nothing to do with OS's lol. World Wide Web, hmmm, that would be interesting. I believe the only limits they put on are for browsers.

"The World Wide Web Consortium (W3C) develops interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential." - w3.org

--------------------

Yeah ok back to topic lol...

Just my 2 cents...

I wholly agree.

In fact, I'm not so worried about people de-compiling my code - I'm more worried about people using my assemblies.

In actual fact there appears to be no way of stopping them just adding my assemblies as references and then just using them.

And because of my design (easy for myself - easy for others) it would be a total doddle for others to use what is in fact the 'engine' of my applications.

I suppose statically linked assemblies would sort of get around the problem....

Now, consider flat static dlls - they suffer from the same problem.

But COM dlls don't because you can always remove the type library and just use the .h file generated from the idl (if you're not using dual interface COM objects of course).

Hasn't Microsoft thought of this ?

Oooh - hang on a minute, this is the company which produced Internet Explorer and we all know that it's got more holes than a piece of Swiss cheese.

It won't stop me using .NET though, no no no....

Darwen.

Yeah lol, Microsoft comes out with a security patch that says "There is a security flaw in sector 4323 that allows a hacker to take over your computer and delete your C drive" every day it almost seems! But everytime I download a security patch, I feel so warm and fuzzy.
------------------------------

Though Java suffers the same problem (REALLY BADLY, because it's like 100x easier than .NET, because the software is free, and it's called: jad. The code is purely decompiled (Everything looks exactly the same).

Soooo if Java is the best programming language in the world right now, and it can be decompiled that easily...then...C# should have no problem fitting in :lol: HAHAHAHAHAHA~~~~~~~~~~~~~~~~~~~BLLLAAHH!!! :sick:

I've stopped using IE - I wholly use netscape now.

But that's not really the point.

The point is that with .NET Microsoft have effectively produced an open environment for people to use whichever important assemblies go to make up any product.

I'm personally working on a product which includes modem use, COM port use and all of this is in an assembly.

Someone could quite easily take this assembly and use it in their applications - all that hard work that I've done (and expense at getting a second phone line to test the modem) and just use it.

I don't like this...

Darwen.

Nice to see you've cheered up Ravenz. I was worried you were going to turn into an arsehole like me....

*laugh*

Darwen.

Well, that's why I always put this into video game style! You see, my primary weapon is C# (right now it's like a dull butterknife). And then my secondary weapon is like either VB.NET or Java, and that's like... er...an eraser or something.

So we need to start picking up some heavy weapons here! I need to upgrade my eraser to a like peice of glass or something. Because once I forget my butterknife, then it's game over!!! IT'S GAME OVER DO YOU UNDERSTAND MEEEE AAAHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! :eek:

---------------------------

Arsehole!? You are a good person! It's just really hard to be nice online & look professional & smart at the same time! I'm thinking about changing my avatar to something really bad, because I need to balance! I need apple juice!

Ah, you want 'BIG WEAPONS' ?

OK - learn C++ .NET.

Then learn MFC.

Then learn Win32.

Then learn COM.

Phew ! Loads of technology in those few statements.... makes be breathless.

In actual fact I like C++.NET because it does actually teach you what's going on in C# and will make you a better programmer for this very fact.

I need to have a lie down now...

Darwen.

No comeback Ravenz ? I'd have thought a person with your verciforous talents would have something to say...

*laugh laugh, and laugh again*.

Just pulling your leg...

Darwen.

I just spit milk all over the screen!! ****!! Do you know how many hours that's going to take in front of the screen!? Let alone cookies and milk (that's what I got instead of apple juice :(). But jeezz :(

Should I go with C++ unmanaged or C++ managed? Should I do both, but managed first?

Now MFC, what's that!? :thumbd:

Ok Win32 sounds good.

What's COM in short terms? This forum needs more smilies!

AAAHH!!!

You are right darwen.

Just say whether you agree that such a direct compiler tool must added to the future releases of microsoft Visual Studio.

(And something else. Darwen and Raventz, stop **** each other, just share your opinions.)
:mad:

[edit] Rashad! Avoid these kind of things.

Fair enough rashad...

Me and Ravenz have been at it all day long and i'm tired now.

Anyway, the decompilation problem isn't going to go away.

I don't like this aspect of .NET. With all the security stuff in .NET I'd have thought that Microsoft would have thought of this problem.

Oh well, back to more C# for now (even though - like a bad child - I love it).

Darwen.

But as far as C# security, even with C++ unmanaged, people can still decompile your code, but of course it wouldn't be as effective. Though C# is being developed more thoroughly as time goes on, because I believe 2.0 is coming out. So I'd say that within the future Microsoft will stop with making C# the best programming language in the world, and just focus the security of the .NET Framework itself.

from msdn :
The Native Image Generator creates a native image from a managed assembly and installs it into the native image cache on the local computer. Running Ngen.exe on an assembly allows the assembly to load and execute faster, because it restores code and data structures from the native image cache rather than generating them dynamically.

Yeah, I know this tool, and have used it.
But ngen.exe doesn't generate a standalone executable file.
:(

If you find something interesting about it, please let me know.
Thanks preliminary.

nothing can create a standalone EXE in .NET
i sent about ngen.exe as a solution to the decompilation of code..

Does ngen.exe work without the original dotNET program. I don't think so.

To use ngen.exe the application itself must be deployed to the clients machine. And then the ngen.exe tool must be started. this tool depending on the local computer settings compiles the code and saves the compiled copy in the global cache. Thus making the original copy of the app still decompilable.

I know that current software means do not let creatnig a standalone executable. That is why I think that Microsoft must add such a tool to the next releases of Visual Studio, for example VS 2005.

And this in turn would make the dotNET technology to get spreaded widely.

I personally think that serious applications cannot be written in managed code, because of JIT compilation (which causes reducement of application performance) and decompilation capability of MSIL.

This is the only lack of dotNET. And this idea must be enclosed to Microsoft. What do you think?

the .NET framework is more than 20MB
so making a stand alone EXE will make it too large !!

after a few years.. .NET will be a part of every OS that MS produces (maybe other OSs too) so the destribution of the .NET framework won't be a big problem (maybe)..

but about JIT : I agree that it slows the startup of the application..
and should be optional.

I know that redistributable of the dotNET weighs 20 MB.
But compiling into a standalone executable doesn't mean that all the framework - needed and the ones that has not been used in the app must be written in to the application.

I would like to have such a cabability not because of the deployment problem.

a standalone application is needed to avoid decompilation, and increase speed of applications.

I personally think that serious applications cannot be written in managed code, because of JIT compilation (which causes reducement of application performance) and decompilation capability of MSIL.

Presumably you are only talking about Microsoft's (.NET) or Sun's (Java) implementation of JIT?

Smalltalk has used JIT for 20+ years without significant problems with performance, particularly with "serious applications".

Performance (http://www.google.ch/search?q=smalltalk+c%2B%2B+performance)

hspc,

>nothing can create a standalone EXE in .NET

Remotesoft and Thinstall claim to have tools that will create stand-alone .NET apps (no need for .NET to be installed). I haven't tried either.

http://www.remotesoft.com/salamander/protector.html
http://thinstall.com/

Marcus

Mind you, all this said - you can always look at static dll functions using depends.exe and derive their functions and arguements.

I don't think we're ever going to leave the problems with hacking.

However, I think the 'delayed linking' idea would be a good route to follow.

Picture this : you in your company develop an assembly.

Before deployment, a build of the entire product takes place.

This build of the product incorporates a key into the code meaning that assemblies locked to that key can't be used without the key - so someone else can't rip off your assemblies.

What I'm saying is, the executable and all the dlls would need to share the same key for that build to be able to run together.

'Patching' would still be possible - dependent on the fact that the key of the main application didn't change.

A new key could be generated for each full release.

And for anyone reading this, I mean a huge, huge number.... like what's generated by the .NET passports.

Just a few thoughts...

Darwen.

:wave: I visited http://thinstall.com.
And downloaded the direct compilator tool.
This is just the tool that I was looking for.
I have tried. and this works fine.

Unfortunately this is just an evaluation version.
But the organization can pay.

I want such a tool to be added to visual studio and deployed.

Sincerely.:wave:

Did any of you guys use the DotFuscator Community edition that is under Tools on the menu bar. You can use this to Obfuscate your functions so that nobody can make any sense of what is going on inside your dll, I had this happen to me and I found thisvery useful, this version is free with VS2003 but the company offers a professional version which does the job even better. Takes a while to get the hang of it, but its well worth it. If your shipping a product to te public then you should be buying a professional obsfuscater, if that what you want to do..

This may be of interest to you guys.


Below is the help and what it says about this technique for C#

Why You Need Obfuscation
The .NET platform realizes Microsoft’s vision for the next paradigm in Windows computing: multiple programming languages interacting harmoniously, sharing an enriched object-based framework, contained within a common runtime engine, running using just-in-time compilation. While not exactly the Java platform concept, it is obvious that the .NET architecture shares some common ground.

One concept that Java and .NET mutually share is the use of expressive file syntax for delivery of executable code: bytecode in the case of Java, MSIL (Microsoft Intermediate Language) for .NET. Being much higher-level than binary machine code, the intermediate files are laden with identifiers and algorithms that are immediately observable and ultimately understandable. .NET ups the ante by including readable metadata that explains the intended runtime behavior of the file. Add the mechanized assistance of decompilers and you have a situation that clearly exposes intellectual property to compromise and threatens security breaches.

Organizations concerned with their intellectual property need to take a hard look at this issue when considering the .NET platform. Obfuscation is a technique that provides for seamless renaming of symbols in your assemblies as well as other tricks to foil decompilers. Properly applied obfuscation can increase the protection against decompilation by many orders of magnitude, while leaving the application intact.

I just skimmed through this whole thread and was surprised that an obfusicator wasn't mentioned until the last post. This was the initial solution that has been suggested for the issue of helping to keep code a little safer. You can still decompile an obfusicated app, but the code will require much more effort to read and understand. It is a good starting point and as keithmg1 pointed out, there is a limited version of one in Visual Studio.

Some of the things obfusicators do are to rename all the tokens and names within your programs to make them extremely cryptic. They can also do things ranging from adding in dummy code (that is never called and therefore never executes so it has no impact) or scrambling some of your existing code (which again doesn't really hurt your application be will cause head-aches to anyone who dares to attempt to follow the logic.

There are a number of other things that obfusicators do as well. Some of the public, free ones do very little (token replacement), others can do quite a bit.

Just my 2 cents.

Brad!

Dear,

The article presented at

http://www.geocities.com/krishnapg/SecureAssembly.html

discusses how to secure the assemblies from dissembly using native ineroperability. Hope you might find it useful.

Thanking you,

Yours,

P.GopalaKrishna.

i cannot recompile your code for some reason, .Net keeps removing bootstrapexe.exe and invokeassembly.tbl files.

i cannot recompile your code for some reason, .Net keeps removing bootstrapexe.exe and invokeassembly.tbl files.

Dear,

While building the project they would be rebuilt automatically. We have to make sure of the Project dependency build order. And also we should make sure that we check the option to "Register the Output For Com Interoperability".

The workspace that comes along with the demo has been adjusted to handle these dependcies properly.

One thing that might be of some help is, try running the demo exe after registering the dll and see if it works. Or, you could save a copy of dll somewhere and then could use it too.

Thanking you,

Yours,
P.GopalaKrishna.

i got it to work and it did created traditional Win32 executable. It does make those .Net decompile mulfuctional, but since it appended the .Net file into its resource. It is very easy for a PE editor to strip it off. Any other ways to do this?

Sincerely,

Dear,

You said it correct - PE Editor can extract the resource.

But, we have to note that we are not inserting the managed assembly "as it is" into the resource. We are inserting the encrypted copy of the managed assembly.

So all a PE Editor can do is dump out some encrypted managed assembly.

The exact method of encryption is upto the programmer. In this case I have choosen to encrypt with WIN32 CRYPT functions (with optional password from User)

That way the managed assembly is as strongly secured as the crypting technology could allow us. Give us more powerful crypting technique, our assemblies become more and more secured. Hope you got it.

Production companies can choose their own encryption mechanism with different key techniques. They can supply the key to the customer at the time of purchase or some such thing - the options are wide open.

Hope I convinced.

If there could be any possiblity that is still left out, Please inform it.

Thanking you,
Yours,
P.GopalaKrishna.