how to protect IL from prying eyes...

Dan

Dear All

I would like to find out ways to protect the IP of my code in IL. What
techniques can be used, and what is your working experience with these
techniques? Any limitations?

I know about the Dotfuscator that shipped with V.Studio; has anyone used it?
Did you upgrade to the Professional edition instead?

Any news of MS gonna do something to protect IL from the prying eyes?

thank you very much
dan
 
Cowboy (Gregory A. Beamer)

The version that ships with VS.NET is okay. The pro version is better. There
are some other obfuscation tools that are nice, as well. RemoteSoft has a
really nice one that also adds protection for their decompiler, which is the
only really decent decompiler on the market.

It really depends on the code protection level you need.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
 
Hermit Dave

I did try the Dotfuscator, but instead of using the community edition I went
for the pro.

Important points... unless you use string encryption and renaming of objects
to unprintable, it would be very easy to decompile the dotfuscatored
assembly. I have done a step-by-step comparison of the Dotfuscator assembly and
plain vanilla output and even tried reading them through a few
decompilers...
 
Dan

Hi Guys

Thanks for sharing. Is there any problem in using the obfuscated assembly as
a shared assembly both privately and globally (installed in GAC)?

thanks
dan
 
Cowboy (Gregory A. Beamer)

The public interfaces are not normally obfuscated, so there is no problem
with using in the GAC.

My advice is to follow good programming procedures and have functions that
do one thing. Make public procedures as light as possible and do the work in
private functions. This will further obfuscate the logic for the hacker, as
more of the calls will be to obfuscated methods.

Bad for obfuscation:

public DataSet SingleMethodThatDoesALotOfCrap()
{
    // Entire code here
}

Good for obfuscation:

public DataSet ReturnDataSet()
{
    string serverName = GetServerName();
    SqlConnection conn = new SqlConnection(GetConnString(serverName));
    // ... rest of the work, delegated to more private helpers
}

private SqlConnection GetConnection(string connString)
{
    // ...
}

et al

The first will still have the signature. The second will be something like
so:

public DataSet ReturnDataSet()
{
    string a = a();
    SqlConnection a = new SqlConnection(GetConnString(a));
}

private SqlConnection a(string a)
{
}

To further obfuscate, if you have multiple items of the same type, use
params:

private SqlCommand GetCommand(string commandText, CommandType commandType,
    params object[] sqlParams)
{
}

ends up as

private SqlCommand a(string a, CommandType a,
    params object[] a)
{
}

The call could look like this:

SqlCommand cmd = a(a,a,a,b,c,d);

Even with obfuscation, a person could, theoretically, decompile. The idea
is to make it more expensive to decompile and steal than to write your own
d$mn code.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
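
Added example, not part of the posts above: a small C# reflection audit of the point in the last reply, that externally visible members normally keep their names while private ones can be renamed. ReportService and RenameAudit are constructed names for illustration, and only methods are checked (not fields, properties or type names).

```csharp
using System;
using System.Linq;
using System.Reflection;

// Constructed sample type following the advice above: one thin public entry
// point, with the real work pushed into private helpers.
public class ReportService
{
    public string BuildReport() => Format(Load(GetServerName()));
    private string GetServerName() => "db01";              // constructed value
    private int[] Load(string server) => new[] { server.Length, 2, 3 };
    private string Format(int[] rows) => string.Join(",", rows);
}

public static class RenameAudit
{
    // True when code outside the assembly can bind to the member by name,
    // which is why a renaming obfuscator normally leaves that name alone.
    static bool IsExternallyVisible(MethodBase m) =>
        m.IsPublic || m.IsFamily || m.IsFamilyOrAssembly;

    public static void Audit(Type t)
    {
        const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.DeclaredOnly;

        // Skip property accessors and other special-name methods.
        var methods = t.GetMethods(all).Where(m => !m.IsSpecialName).ToList();
        var kept = methods.Where(m => IsExternallyVisible(m)).ToList();

        foreach (var m in methods)
        {
            string status = kept.Contains(m) ? "kept     " : "renamable";
            Console.WriteLine($"{status} {t.Name}.{m.Name}");
        }
        Console.WriteLine(
            $"{kept.Count} of {methods.Count} method names survive renaming");
    }

    public static void Main() => Audit(typeof(ReportService));
}
```

Running the audit over your own types before shipping shows how much readable naming a decompiler would still see after a renaming pass.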
 
