Protecting your .NET code

lozina

Lifer
Sep 10, 2001
11,711
8
81
I'm looking to distribute some code I wrote in .NET as an installer. Now, if I take my assembly and run it through something like .NET Reflector, it outputs all my source code almost exactly as I wrote it.

I'd like to avoid this by making it either impossible or so much effort that it's not worth it to decompile.

I know there have been some assemblies out there I have tried to run through .NET Reflector and other decompilers and they either get an error or they output gibberish or they say they can't decompile. What are those assemblies protected with?

I found one tool that probably is used from XHEO called DeployLX. But that thing is $900 (if you want it to work with 64-bit OS which of course you'd want nowadays).

Are there any cheaper alternatives?

My goal is enough protection to defeat these decompiler tools. If the person wants to spend his or her time manually decompiling then they deserve whatever they get out of it lol.

So obfuscators definitely do not achieve the goal I want.

lozina

Lifer
Sep 10, 2001
11,711
8
81
Ok doing some more research I have found quite a few solutions out there....

XHEO DeployLX ($800)
Remotesoft Salamander Protector ($1900)
.NET Reactor ($179)
DYAMAR Protector ($95)
DnGuard ($1300)
Microsoft SLP Protector ($500/year ?!)

Trying to find out more info on these products to see if the expensive ones are worth it. Seems .NET Reactor is pretty easy to defeat, with even some automated tools out there to do it. Also see a lot of bad comments on the XHEO product.

The SLP thing from Microsoft just sounds ridiculously expensive.

Having trouble finding info on DYAMAR.

DnGuard sounds like a strong solution.

You guys have any input on these products and their strengths/weaknesses?
 

Oyster

Member
Nov 20, 2008
151
0
0
Check this table for reviews, pricing. It isn't up-to-date, but lists a lot of products... you can Google for reviews yourself.

http://www.csharp411.com/net-obfuscators/

I had some experience with .NET Obfuscator a few years ago... it would obfuscate well, but also break certain functionality. That is the one common theme across a lot of these obfuscators - you need to retest your functionality to ensure obfuscation doesn't break your core logic.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
I think it's more trouble than it's worth, personally. If your code contains some proprietary algorithm that is very valuable, then file a patent on it, and perhaps rewrite the core piece in C++. Otherwise the primary value in your code is that you took the time to figure out whatever it is you're doing and do the work to code it. It's always going to be cheaper for people to buy that work from you than do it themselves. Sure, they may decompile it and understand what you're doing, but there isn't much risk in that, and it may actually help them solve problems and understand what's going on, and lower your support burden.
 

DaveSimmons

Elite Member
Aug 12, 2001
40,730
670
126
Two reasons for protection are competition and security:

If someone can decompile your widget-spindling program and clone it, that's a lot cheaper than doing the work themselves. Copyright infringement can be hard to prove without a lot of funding for the legal work.

"Security through obscurity" is definitely not foolproof, but it can be enough to stop casual hacking of your program. Like other features of a program the quality of your security is a cost / benefit decision. Obfuscation of license enforcement code might be "good enough" for a cheap niche program.
 

JavaMomma

Senior member
Oct 19, 2000
701
0
71
I've used .NET Reactor - it worked very well. However, if you need any support or have any questions of any sort even regarding sales, don't expect the company to ever respond.
 

postmortemIA

Diamond Member
Jul 11, 2006
7,721
40
91
Just rename your variables to a, b, c, d etc.
Also, IMO, usually people who are new developers and produce relatively crappy code are worried that somebody is going to 'steal' it.

If I need code for some solution, so I don't have to develop it myself, I would look for one of the billion or so open source projects. I have more trust in code that more than one pair of eyes have seen.
 

lozina

Lifer
Sep 10, 2001
11,711
8
81
> I've used .NET Reactor - it worked very well. However, if you need any support or have any questions of any sort even regarding sales, don't expect the company to ever respond.

Then you might love DYAMAR.

I'm evaluating .NET Reactor and DYAMAR currently. .NET Reactor seems to have more options but DYAMAR seems to get the job done. I can't decompile anything from either solution. I emailed DYAMAR a couple of times and they get back to me within minutes lol.

One thing I wish DYAMAR offered was a built-in obfuscator, just to be safe in case someone manages to unpack your encrypted assembly. Most other tools including .NET Reactor offer that option.
 

lozina

Lifer
Sep 10, 2001
11,711
8
81
> Just rename your variables to a, b, c, d etc.
> Also, IMO, usually people who are new developers and produce relatively crappy code are worried that somebody is going to 'steal' it.
>
> If I need code for some solution, so I don't have to develop it myself, I would look for one of the billion or so open source projects. I have more trust in code that more than one pair of eyes have seen.

Or you are developing a very time-consuming algorithm to do something which no one else has done, so you can't find any example or open source solution out there at all and you don't want some hack to walk by and take your code as a sample to fast-track a solution of their own.

The more time they spend trying to do what I do, the less time they are competing against me.
 

sm625

Diamond Member
May 6, 2011
8,172
137
106
Fun topic. I wrote a program that took an IM text string and implanted it into an image in such a way that it was impossible to tell the image was altered, unless of course you had the original... The actual algorithm was quite simple, but I put in my own layer of obfuscation to prevent decompilation.

I used every trick I could think of. I converted data into strings, converted from ASCII to BCD, threw in all sorts of loops and dummy function calls. I'd get the pointer to the function and use pixel data to set the function pointers. I'd parse through the entire image file and pull pixels and run them through all sorts of bogus algorithms. I'd form polynomials with them and do expansions, then perform integrations. Exclusive ORs, NANDs, bitwise compares of every flavor. It was all a bunch of bull, the actual critical algorithm was only 3 lines of code. But anyone decompiling it would never know that! I wonder if this code made it to the CIA, or homeland security. Meh. Those goons are so stupid anyways.
 

LogicNP

Junior Member
Aug 9, 2012
1
0
0
Give Crypto Obfuscator a look - it has many advanced protections like Method Encryption (IL code is hidden), string/constant encryption, method call hiding, etc - it will give good obfuscation and nobody will be able to make sense of the code.
 

Train

Lifer
Jun 22, 2000
13,572
66
91
www.bing.com
> I think it's more trouble than it's worth, personally. If your code contains some proprietary algorithm that is very valuable, then file a patent on it, and perhaps rewrite the core piece in C++. Otherwise the primary value in your code is that you took the time to figure out whatever it is you're doing and do the work to code it. It's always going to be cheaper for people to buy that work from you than do it themselves. Sure, they may decompile it and understand what you're doing, but there isn't much risk in that, and it may actually help them solve problems and understand what's going on, and lower your support burden.

I agree with this. I think code obfuscators fix a problem that either doesn't exist or is more trouble to fix than it is worth. If you focus on making your product good, and putting the value to its users first, you will do well. The kind of person who would "steal" your code would never be able to duplicate your success.
 

0___________0

Senior member
May 5, 2012
284
0
0
I think if you have the Professional or a higher version of VS they include Dotfuscator. I believe that Reflector is actually obfuscated with Dotfuscator.
 