C# code protection


Saso Zagoranski

Hi!

I have recently completed an application, written in C#.
When I opened one of the files with a hex editor I was amazed by the lack
of protection for the assemblies.
My application uses SQL Server and during install it sets up tables
needed in the application. I also use a simple protection system,
which stores a string (an initialization password) in the database,
needed for the application to unlock after a few days have passed.
The thing is that all of the strings that I use in my assembly are
clearly visible when using a hex editor.
Is there a way of "hiding" that string? Or does anyone have any better
suggestions?

thanks,
Saso
 
Hi Saso,

You should be aware that the code you create is also easily accessible, not
just the odd string constant. There are tools available to disassemble
assemblies that can reconstruct the code quite nicely.


I haven't dug into this deeply and so cannot comment on the viability of
obfuscators, but I have tried a disassembler and see that it can do the job
very well.


Cheers
-jr-
 
So an obfuscator is basically software which "moves things around" in your
assemblies?

As I mentioned before, I use SQL Server in my application and if I left the
connection strings in the program anyone with a hex editor could see them.
What I did is I encrypted a text file (using .NET security and cryptography
classes) and I decrypt and read the file during install.
It's probably not the best solution but it's something :)

One other thing... I also use a "Setup and deployment project" in my
application. How can I get obfuscated files into the .msi file? I have
VS.NET 2003 and Dotfuscator is included with VS.NET.

Thanks a lot for your answers,
Saso
 
Why did you say the obfuscator that comes with VS.NET is next to useless? I am
wondering because I am planning to use it. Is it really next to useless?


Tony
 
Oh my god, so do you have a suggested obfuscator that works as expected?
Actually, the entire world is investing money in data security, but MS made
it so easy for people to view the logic of .NET software, which in the end
will be the one accessing the secured data.
 
Unless you are encrypting the payload and have a loader somehow (and where
is the decrypt key stored?? :D), it's always going to be possible to reverse
it.

If a code obfuscator works by replacing variable names with crappy names or
other symbols, then the algorithm would still be visible, wouldn't it?

There are a few, but I would ask "how" they obfuscate it.

Here is one that I quickly found, and I am sure there are many other attempts
at solving this problem: http://www.wiseowl.com/products/products.aspx
 
If something is encrypted by a loader, what's to stop me loading up a RAM
editor, like WinHex, and viewing RAM with it in its decrypted form?

I suppose something is better than nothing.
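
The observation in the first post, as an added example that is not part of the thread: C# string literals are stored in the assembly's #US (user strings) metadata heap as UTF-16LE, which is why a hex editor shows them in the clear. This Python pre-release check lists those strings in a build output and flags ones that look like connection-string credentials; the function names, the hint patterns and the sample bytes are assumptions constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest run worth reporting (assumed threshold)

# Printable ASCII stored as UTF-16LE: each character byte followed by 0x00.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Heuristic connection-string markers (assumed list; extend per project).
SECRET_HINTS = re.compile(
    r"(password|pwd|user id|uid|data source|initial catalog)\s*=", re.I)


def utf16_strings(blob):
    """Yield (offset, text) for every UTF-16LE printable run in blob."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def find_embedded_secrets(blob):
    """Return the (offset, text) pairs that look like credentials."""
    return [(o, s) for o, s in utf16_strings(blob) if SECRET_HINTS.search(s)]


def audit_file(path):
    """Scan a built .exe/.dll on disk, e.g. as a step before packaging."""
    with open(path, "rb") as f:
        return find_embedded_secrets(f.read())


def _us_entry(text):
    """Constructed sample helper: one #US-style entry (1-byte length prefix,
    UTF-16LE text, trailing flag byte); valid only for short strings."""
    data = text.encode("utf-16-le") + b"\x00"
    return bytes([len(data)]) + data


# Constructed bytes imitating a fragment of an assembly, not a real file.
SAMPLE = (b"\x7fconstructed-filler\x90\x00\x00"
          + _us_entry("Unlock code accepted")
          + _us_entry("Server=db01;User ID=app;Password=Example-Only-1")
          + _us_entry("Settings saved"))

if __name__ == "__main__":
    for offset, text in utf16_strings(SAMPLE):
        flag = "SECRET?" if SECRET_HINTS.search(text) else "       "
        print(f"{offset:#06x} {flag} {text}")
```

Renaming identifiers with an obfuscator does not change what this scan finds, since the literals themselves stay in the heap unless the tool also encrypts strings.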
 