CAN STRONG NAMES BE CRACKED?

SStory

ok, from reading and reading and reading, and thinking of a personal app
deployment/update solution, I have the following educated guess...

It seems that if I make a strong name for my exe and always sign with the
same key that it doesn't matter if anyone can decompile the code because if
they muck with it dotnet won't run it because the strongname will fail.

The question then is, how good are strong names? Are they crackable?

Are my assumptions correct?

Thanks,

Shane
 
The question then is, how good are strong names? Are they crackable?


They're good enough for many Fortune 500 companies to sign their
products with and continue to feel good about the decision well beyond
the time of deployment.

Rest assured that if they were insecure, people smarter than you or I
will ever be, would have panned the idea many moons ago.

Given that strong names are such a key component of security and
deployment on the dot net framework, and given that security is an
insanely important topic @ Microsoft these days, you could say in some
ways strong names are good enough for Microsoft to bet the company on
them.

Many things are theoretically crackable - it all comes down to time
and money. But given that both are so scarce, practically speaking,
I'd say No....you would have more chance of becoming President of the
United States, if even the majority didn't vote for you. And we all
know that's so ridiculous it could never happen.... I mean we are
talking about the most democratic country in the world.... right?

;)

Richard
 
Thanks Richard,

1.) So if I strongname sign my exe then if it gets tampered with, dotnet
just won't run it, correct?

2.) If I have an exe and a dll and strongname sign them both with same key
and then update the dll later and sign the update with the same key, all
should work fine correct?

3.) Is there a way to make my exe be the only one that can use my dll?
Would I include the strong name public key or something in the exe (for the
dll)? If so, could someone with a decompiler just copy that, include in
their exe and do the same?

Thanks for your help... I have read for days on all of this and think I am
close to understanding but... not sure.

Shane
 
1.) So if I strongname sign my exe then if it gets tampered with, dotnet
just won't run it, correct?

By default the executable won't load, no. But it's pretty easy to work
around so don't expect any real security just because of the strong
name.

2.) If I have an exe and a dll and strongname sign them both with same key
and then update the dll later and sign the update with the same key, all
should work fine correct?

Yes, unless you make some breaking changes to the DLL.

3.) Is there a way to make my exe be the only one that can use my dll?
Would I include the strong name public key or something in the exe (for the
dll)?

Check out link demands and the StrongNameIdentityPermission.

If so, could someone with a decompiler just copy that, include in
their exe and do the same?

No they can't copy your strong name without your private key. But they
could modify the DLL and remove any security demands (or turn off
security altogether).



Mattias
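
The behaviour Mattias describes, as a simplified C# model added here for illustration (it is not code from any poster or from the .NET runtime): an edited image fails the signature check, an edited image signed with a different key passes it but carries a different public key token, and only a consumer that pins the token rejects that copy. The type names are hypothetical, the token is computed over the exported RSA key rather than the real strong-name key blob, and the code assumes .NET 5 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical, simplified stand-in for a strong-named assembly: the image
// bytes, the signer's public key, and an RSA signature over the bytes.
record SignedImage(byte[] Content, byte[] PublicKey, byte[] Signature);

static class StrongNameModel
{
    public static SignedImage Sign(byte[] content, RSA key) =>
        new SignedImage(
            content,
            key.ExportRSAPublicKey(),
            key.SignData(content, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

    // Strong-name style token: last 8 bytes of SHA-1(public key), reversed.
    public static string Token(byte[] publicKey) =>
        Convert.ToHexString(
            SHA1.HashData(publicKey).TakeLast(8).Reverse().ToArray());

    // What a loader can check: the signature matches the embedded public key.
    public static bool SignatureValid(SignedImage image)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportRSAPublicKey(image.PublicKey, out _);
        return rsa.VerifyData(image.Content, image.Signature,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // What a consumer must add: the key is the one it expects (pinned token).
    public static bool Trusted(SignedImage image, string pinnedToken) =>
        SignatureValid(image) && Token(image.PublicKey) == pinnedToken;
}

static class Program
{
    static void Main()
    {
        using RSA vendorKey = RSA.Create(2048);   // constructed sample keys
        using RSA otherKey = RSA.Create(2048);
        byte[] original = Encoding.UTF8.GetBytes("constructed image bytes v1");
        byte[] modified = Encoding.UTF8.GetBytes("constructed image bytes v1, edited");

        SignedImage shipped = StrongNameModel.Sign(original, vendorKey);
        string pinned = StrongNameModel.Token(shipped.PublicKey);

        // Case 1: bytes edited, original key and signature left in place.
        SignedImage tampered = shipped with { Content = modified };
        // Case 2: edited bytes signed again with a key the vendor does not own.
        SignedImage resigned = StrongNameModel.Sign(modified, otherKey);

        foreach (var (name, image) in new[] {
            ("shipped", shipped), ("tampered", tampered), ("re-signed", resigned) })
        {
            Console.WriteLine(
                $"{name,-10} signature={StrongNameModel.SignatureValid(image),-5} " +
                $"token={StrongNameModel.Token(image.PublicKey)} " +
                $"trusted={StrongNameModel.Trusted(image, pinned)}");
        }
    }
}
```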
 
Basically strong naming is a process.
If you skip a part of that process then the whole thing falls
apart.
There's no point in locking the door if you're going to leave the
windows open.

And obviously if you're a rogue administrator you can bypass some pieces
of the puzzle but the whole point of strong naming is to protect the
machine. If you're the admin and you want to mess with your own machine,
then there are ways around things.

hth

Richard
 
thanks for your reply....

So what is the solution....

Seems .NET Security is an oxymoron.

I can't believe there are such blatant holes and seem to be no real way of
protecting things.

Thanks,

Shane
 
Well, what I want to do is insure that my dll is only called by my exe, but
since everyone and his brother can see the code in both and since there
seems to be no solution and Mattias says that strong names can be easily
gone around--what in the world is the solution.

I think one of three things:
1.) Most people are using something else to not have to deal with this for
anything of real importance.
2.) There is some solution but is hard to find.
3.) Most people are insanely accepting the terrible security issues that
Microsoft has presented us with, with all this mess.

How can you really distribute code--even a simple app, that needs to be
updated and all and get any revenue from your work, under these conditions?

Every obfuscator and encryption company claims to be the best.. Yet after
more than a week of reading and discussing I don't feel real good about any
of these solutions, and since code is so easy to decompile no solution seems
to offer much protection. Seems like a giant step backward.

Am I missing something here? Is there a good solution? Will there be? Or
should I just invest my time in learning something else that is more secure?
I'm really wanting some answers.

thanks,

Shane
 
Well Shane... if you promise not to get too crazy I'll talk it over with you
:-) You've brought it up before and even offered your opinion that "anyone
who wants to allow everyone to easily see their code is a moron." I let it
slide because I didn't need an argument...

Security is a concern clearly. It would be hard to believe that large
companies with software products to sell and larger companies making use of
that software wouldn't be interested in security. They are risking much
more than (I imagine) you are in this case.
Well, what I want to do is insure that my dll is only called by my exe...

The first thing to consider is, is this a worthwhile goal? Perhaps it is
_very_ important but do you really believe that I (for instance) intend to
call your .dll if I could only get my hands on it? Again, it might be very
problematic but are you certain you aren't just imagining all these people
who can disassemble and reverse engineer your creation but are unable to
create similar software themselves?
I think one of three things:
1.) Most people are using something else to not have to deal with this for
anything of real importance.
2.) There is some solution but is hard to find.
3.) Most people are insanely accepting the terrible security issues that
Microsoft has presented us with, with all this mess.

Or 4) some combination of the above plus the knowledge that preventing theft
is a trade-off. There is no perfect solution and there never will be. That's
why the music industry was worked up over music piracy and the movie
industry is concerned about DVD piracy. Apparently illegal copies of "The
Passion" (Mel Gibson's movie) are already available on the street. Would
you like to purchase a fake Rolex watch?
How can you really distribute code--even a simple app, that needs to be
updated and all and get any revenue from your work, under these
conditions?

Yet people do it. WinZip is doing well (so far as I know) and I registered
my copy despite the fact that you don't have to in order to use it. How
many illegal copies of most games and products like Norton Antivirus, MS
Office, PhotoShop and such do you think there are? I found an estimate from
a few years back (and of course it is largely a guess) that estimated piracy
costs the software industry $2.6 billion annually. That's a lot of
software.
Every obfuscator and encryption company claims to be the best.. Yet after
more than a week of reading and discussing I don't feel real good about any
of these solutions, and since code is so easy to decompile no solution seems
to offer much protection. Seems like a giant step backward.

This isn't the first time. Java suffers the same problem (see: Mocha) as
did VB3 and FoxPro and Clipper and other languages that produce intermediate
code. The step is "backwards" if decompiling is your primary goal. There
are alternative goals and non-native code compilers fill that niche.
Am I missing something here? Is there a good solution? Will there be? Or
should I just invest my time in learning something else that is more secure?
I'm really wanting some answers.

There is no good solution for all sorts of things. You can be run over by a
car or your car can be hit by an uninsured driver. You can lose your house
in a flood or a tornado. You can get mad cow disease or the asian flu.
Somebody can take the CD you distribute your software on and clone 1000
copies of it.

I'm not just making fun, seriously what measures would you suggest be taken
to insure you don't lose revenue and nobody else uses your .DLL? If you
have a solution (and particularly if it can be applied to software, music
CDs and movie DVDs) you are on your way to success. Everybody wants such a
solution, you aren't the first to ask for it and I'll wager the companies
losing millions are as concerned as you.

Should you invest your time learning something more secure? Sure, what
would that be? Are the losses incurred by MS, Symantec, et al. due to their
choice of language? Is it the O/S which you are going to change? Perhaps
get into manufacturing goods, they're never stolen... banks are never
robbed... Earth can be a dangerous place, people do stupid things for
short-term gain... there is no technological solution to the clever,
desperate, determined criminal. That's why they have jails :-)

Tom
 
hmm..
Interesting.
And I understand your points.
I know there is no fool proof system
you can get keys for winzip and anything else for serial 2000
but come on. ILDASM the exe or dll and read anything in it even if you
aren't even a good cracker? That is a bit much I think to expect developers
to swallow.

Plus although what you say is true, there surely are better answers
than--lets do nothing and let our code go everywhere. Try breaking winzip
protection... not that simple unless you are really good.

if it were in .net a child of 10 could do it. That is my point.

Thanks for the conversation. I am not mad at anyone. This is just really
frustrating and there seems to be very little literature on any of it.. I
know I can't be the only person thinking these things.

And again, while much of what you said is true, it profits me 0 in the
problem. So welcome to the long list of sources of information that
basically don't help at all.

Guess you don't have any answers or you would have given them.... I sure
don't or I wouldn't be asking so much. Just trying to put together a
working deployment solution that isn't so easily cracked by just anyone. If
MS loses 2.6 million big deal--out of billions it is nothing.
But if a peon like me loses $26000 on something I am selling or even $2600
that is a big deal to me.

Take care,

Shane
 
One more thought.
If you just work for someone else. I guess, who cares is the philosophy of
many..... not my problem.. not my money. But if you want to sell something
then it becomes a problem.

Hope you understand my point of view and don't take any of this in an evil
tone. I don't wish to sound offensive in any way. Just expressing my
opinion.

My 2 cents worth,

Shane
 
Hi again,

SStory said:
I know there is no fool proof system you can get keys for winzip and
anything else for serial 2000 but come on. ILDASM the exe or dll
and read anything in it even if you aren't even a good cracker?

But either way one loses the income. The loss of .Net-based software has
been established. Of course it is a concern, the industry has pointed this
out and I mentioned it in my response. Is the .Net issue larger than all
previous issues?
Plus although what you say is true, there surely are better answers
than--lets do nothing and let our code go everywhere. Try breaking winzip
protection... not that simple unless you are really good.

if it were in .net a child of 10 could do it. That is my point.

I'm not certain that is the case but if I give you a .Net program run the
obfuscator (I assume you are over 10) can you return the source code to me?
I pointed out Java specifically and even gave you the name of a decompiler.
Are you familiar with the issues in Java and/or that product? I'm simply
saying you aren't the first person to notice the problem...

I don't need to break WinZip protection I bought it. Why would I try to
break your .DLL if I needed it I would buy it. If somebody won't license
WinZip surely they are stealing all sorts of software that cost far more.
Thanks for the conversation. I am not mad at anyone. This is just really
frustrating and there seems to be very little literature on any of it.. I
know I can't be the only person thinking these things.

It has been frustrating for some 20+ years now. I wrote my first commercial
programs using an interpreter... if you wanted to see the source code you
could list it with the CP/M TYPE command. If you wanted a copy of your own
you had to use PIP however. :-)
Guess you don't have any answers or you would have given them.... I sure
don't or I wouldn't be asking so much. Just trying to put together a
working deployment solution that isn't so easily cracked by just anyone. If
MS loses 2.6 million big deal--out of billions it is nothing.
But if a peon like me loses $26000 on something I am selling or even $2600
that is a big deal to me.

What answers? The "this will keep your code safe" just do this solution?
Obfuscation is the best solution that I am aware of you don't appear to want
to settle for that. MS isn't losing $2.6 million. I mentioned the industry
estimated 2.6 "billion" with a B. Put 2 plus 2 together and you should be
able to see that if they could do something to combat the loss they would.

What have you lost so far with your product? Nothing right? Are you
estimating a smaller loss if you write it in C++ or if you write it for
Linux?
If you just work for someone else. I guess, who cares is the philosophy of
many..... not my problem.. not my money. But if you want to sell something
then it becomes a problem.

Shane you're young if I'm not mistaken. Not that it has much to do with
anything but I didn't write that the philosophy of "who cares" should
prevail. People in the industry aren't stupid, developers aren't dumb,
companies that spend money to develop obfuscators aren't rip-offs. We get
the point that you believe a) something needs to be done and b) it should be
cheap.

I'm suggesting that with age comes the realization that "don't hold your
breath" is probably good advice.
Hope you understand my point of view and don't take any of this in an evil
tone. I don't wish to sound offensive in any way. Just expressing my
opinion.

I will guess that we all understand your point of view. When you solve the
problem of software piracy, decompilation and reverse-engineering what do
you intend to charge for your product? I hope it will solve the problem and
be reasonably priced... any idea when it will be ready?

Before you begin you might want to look at some of the research... I've done
some for you. Recall the DES 56-bit encryption standard still used today
and at one point considered uncrackable. It was eventually cracked in less
than 3 days (now done in less than a day.) It is estimated that a machine
can be built to crack it in about 3 1/2 hours. The US government imposes a
limit on the key length (40-bits) on exported crypto products and it is
estimated that that can be cracked using the same technology in about 12
seconds.
My 2 cents worth,
Shane

Take care,
Tom
 
Tom,

Again, I see your point.

Not just dll's I am talking about but basic deployment issues and it is
really hard to decide which solution to take.
I'm not arguing for argument sake. Just looking for the best solution to
decent protection, deployment, licensing/updating issues.
Since everyone's product is the best.. It is hard to know what to do.

I'm not certain that is the case but if I give you a .Net program run the
obfuscator (I assume you are over 10) can you return the source code to me?
I pointed out Java specifically and even gave you the name of a decompiler.
Are you familiar with the issues in Java and/or that product? I'm simply
saying you aren't the first person to notice the problem...

No I haven't used java other than java script. Mainly from
basic/pascal/c/C++/Visual Basic background. Just looking through the code
that I've obfuscated so far, I see that all my strings are obviously visible
and tell where to start looking to crack--easily. I don't know IL yet, but
if I did seems it would be simple to bypass anything.

I don't need to break WinZip protection I bought it. Why would I try to
break your .DLL if I needed it I would buy it. If somebody won't license
WinZip surely they are stealing all sorts of software that cost far more.

Maybe you are right......just know so many people that never register that.
I am looking to do the best I can do. Just not sure what that is.

What have you lost so far with your product? Nothing right? Are you
estimating a smaller loss if you write it in C++ or if you write it for
Linux?

I'm not really sure. I just know I wouldn't worry about the code being so
readable in C++. It would be assembly at least and yes it can be cracked
but not as easily. My it is futile.. I don't know. Just don't want to be
stupid... I would like to take the best approach I can and hope for the
best. Just not sure what that is.

What is your suggestion for distributing/licensing/updating/patching a .net
app?

thanks,

Shane
 
SStory said:
Not just dll's I am talking about but basic deployment issues and it is
really hard to decide which solution to take.

Yes it is... it is a problem shared by everybody who releases goods into the
marketplace.
I see that all my strings are obviously visible and tell where to start
looking to crack

In so far as I know string constants are maintained intact in most
languages. I believe "most" compilers place them into a constants area and
reference them through offsets into the table from the code. You could
encrypt the strings of course as it doesn't take much to make them
unrecognizable.
I'm not really sure. I just know I wouldn't worry about the code being so
readable in C++. It would be assembly at least and yes it can be cracked
but not as easily. My it is futile.. I don't know. Just don't want to be
stupid... I would like to take the best approach I can and hope for the
best. Just not sure what that is.

For you to lose sales it doesn't have to be readable... it only has to be
able to be copied. And nobody knows the answer that is part of the problem.
Some companies license the source code. If they feared losing a large part
of their revenue to people decompiling their product it seems they wouldn't
be doing that. Some companies lock it up with software keys, some use
hardware-based keys, some go the shareware route, some offer limited time
demo versions.

Each of those companies surely is losing some percentage of sales due to
piracy... so which one is using the "best" approach? Heck if I know, I
don't think they even know.
What is your suggestion for distributing/licensing/updating/patching a .net
app?

Reading up on the issues and making an informed decision based upon your
particular circumstances. Notice in the following links that the US
government (along with others) are concerned with the problem, as well as
large companies (and entire industries) of course. Some companies offer
tools though you have to pay for their development efforts and operating
expenses. DataDynamics (and most other companies) include wording in their
agreements that makes it illegal for you to reverse engineer their
products... does it stop somebody? Not everybody obviously but it is one
more thing to do.

You have to ask yourself the questions... if I sell 100 copies but 10 copies
are stolen would it be worth it? How about if you sold 1000 but 1000 were
pirated? How about if you sold 10,000 copies but 20,000 were pirated?
Nobody but you knows the answers. We don't know the product, we don't know
what you intend to charge for it.

I'll guess that if you write a utility with the appeal of WinZip using _any_
language and charge approximately what they charge that you will ultimately
lose just about what they lose to software piracy. All I am really
suggesting is that if there was "a" solution everybody would be using it
right now.

Best of luck...

http://www.cnn.com/2000/TECH/computing/05/08/reverse.engineering.idg/

http://www.preemptive.com/government.html
http://msdn.microsoft.com/msdnmag/issues/03/11/netcodeobfuscation/

http://www.sofpro.com/pcgw32.htm

http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

http://www.datadynamics.com/Products/ARNET/ProductLicenseAgreement.aspx

http://www.codepedia.com/zone28/cat1016/
 
My point of view is that strong naming and associated security features do a
very good job of preventing someone else from passing their work off as
yours. If you look at much of the documentation and online banter, the
main angle seems to be in giving the user/admin peace of mind that
the code they are running does in fact come from the author it
purports to... this is very important with all these virus hacks
running around.

This is a very key area of trusted computing. Security is a huge topic
and I believe the tools that Microsoft and the .NET framework offer us
to solve the problems they were designed for, work very well. I don't
know about you but my life has become a whole lot easier since ASP.net
and the security features it can now embody have been made available.

I think you're asking the wrong question in your subject re:cracking
strong names. Strong names were not designed to prevent reverse
engineering of products and the protection of your intellectual
property, which is essentially what you are talking about. It's a
different animal. My take is that strong names are an important piece
of the puzzle for the user, not the developer, to ensure they can
safely run code locally, in a distributed computing environment.

Other posters have already talked about your problem as a whole
re:the music industries, Hollywood etc., so I'm not going to repeat
their comments. I think you've asked the wrong question. You also have
to look at what Microsoft are trying to do with the .NET framework,
and accept the trade offs that are inherent within that objective and
that come with having an interpreting virtual machine that is the CLR.

Personally I'm happy with the trade off. Obfuscate your code, make a
few encrypted registry entries or use a validating web service, if you
feel you need to, and keep your eyes and ears open for new
intellectual property security techniques. That's the best I can offer.

You also need to look at the trade off between your product price
point and the amount of time and effort it takes to crack your code.
If you're facing this problem alone chances are your software is not
going to be priced in the hundreds or thousands of dollars, unless you're a
programming dynamo, in which case you wouldn't need my help. If you're
talking about a $30, $40, $50 product then you have a much higher
trade off for the user, tracking down a crack for your program, if one
is even available, knowing how to apply it, avoiding malicious code
and trojan horses/diallers etc, rather than just forking over the $50
bucks or whatever to a trusted source.

You can point to Winzip,etc but if you've got an app with that kind of
market share then congratulations are in order... it's a cracking
problem I'd love to have.

You also seem to be assuming that every user is a cracker/user of
cracks when the vast majority of users are only just capable of doing
a basic install and checking their email. Security is definitely a hot
topic that needs to be thought about from the beginning but it almost
sounds as if you're saying why bother if the current environment is not
air tight. My suggestion is to create a competitive, useful and
successful product and lament the fact that you're getting ripped off.

I don't yet know of any technique that is 100%, but that's an industry
problem, not Microsoft's alone.

Hth
Richard
 
Richard,

Points taken.
No, I have just generated a lot of discussion to bounce my thoughts off
everyone to get to the truth.

But tell me this.. If I strongname an exe and if I had a dll and
strongnamed it (both same key).
Wouldn't that mean that no one could change it and have it execute
afterwards because .NET would balk on executing it because the strongname
wouldn't match? If that is the case then the problem is mostly solved.

Yes...obfuscating is definitely a must.

Then distribution and the issues caused by obfuscation---stack trace
gibberish, updates, etc.
Are unfortunately all issues that I have had to try and become well learned
in although I have never before had to deal with any of this. Has been
frustrating and I am sure I am not alone.
ASP.NET is great. ADO.NET--sometimes great--sometimes aggravating(coming
from ADO).

There are lots of pluses to .NET don't get me wrong.

Unfortunately, it probably takes each of us who try to distribute a cheap
simple app for $, quite a while to weed through hype and promises of various
sources and decide which is the best overall way to go for all of these
issues.

Thanks for your thoughts Richard,

Shane
 