G Himangi is a Senior Software Developer at LogicNP Software (http://www.ssware.com) and is a member of LogicNP Software's component and controls development team. Original Article: http://www.ssware.com/articles/protect-and-obfuscate-your-dotnet-code-against-reverse-engineering-using-crypto-obfuscator.htm
Introduction
Most non-.Net compilers emit binary programs containing native CPU instructions which are very hard to disassemble, decompile and reverse-engineer. However, all .Net compilers such as C#, VB.Net, Managed C++, IronPyhton, etc emit compiled programs in MSIL (Microsoft Intermediate Language) format. This format preserves a lot of high-level information about your software such as class, field, method, property and parameter names and even the actual code in a well-defined structure. This has facilitated the development of many decompilers and dissassemblers which can extract this information from a .Net assembly. Some tools can even reconstruct the actual structure of your code including loops, if statements, method calls, etc. Needless to say, this means that an unprotected .Net assembly is an easy target for hackers, crackers or competitors who can easily reverse-engineer your .Net code from the compiled assembly. They can easily glean valuable trade secrets, algorithms, sensitive information such as passwords, SQL queries, etc stored in strings, or even try to find security vulnerabilities and change product functionality.
Obfuscation & Protection Techniques
All is not lost however as there exist various methods and techniques which makes it extremely difficult for a hacker, cracker or competitor to reverse-engineer your application. Crypto Obfuscator makes use of the following advanced and sophisticated obfuscation and protection techniques:
Symbol Renaming
Crypto Obfuscator renames the names of the classes, methods, properties, fields, events, etc in your .Net assembly to a garbled unintelligible name. Depending on the symbol renaming scheme chosen, this will result in either very long or very short names which have no relation to the original names. The original names cannot be derived or guessed from the obfuscated names. Since meaningful names are the most powerful ally when reverse-engineering a software, this makes it very hard to determine the purpose and function of the renamed entity.
Advanced Overload Renaming
Crypto Obfuscator renames fields or methods with different signatures to the same name. For example two fields having types int and boolean will be given the same name. Similarly two methods will different parameters will be given the same name. In the case of methods, the method return type is also used in the signature even though high-level languages such as C# and VB.Net do not support overloading by return type. The .Net runtime is able to differentiate between the fields/methods without any problem since the signatures are different. Needless to say, this scheme makes it even harder to reverse-engineer your code.
String Encryption
.Net assemblies contain all the literal strings used in your code in plain view for anybody to see. Literal strings often contain sensitive information such as login information, passwords, SQL queries, algorithm parameters. In addition, they also help in reverse-engineering your .Net code by providing a marker. For example, someone wanting to remove license checking from your software will search for all instances of strings like "license" or 'valid" or "invalid". Once they have found such strings, they will examine the surrounding code to see if it is the licensing checking code and if so, remove or disable it. Crypto Obfuscator solves all these issues by encrypting all literal strings in your .Net code.
Advanced Tamper Detection
Crypto Obfuscator can perform strong name verification of the assembly itself even if strong-name verification has been turned OFF on the machine on which the assembly is running or if the assembly has been registered in the verification 'skip-list' - this is typically done by hackers or crackers. Furthermore, the strong name verification is done using the original key used to sign the assembly when it was processed by Crypto Obfuscator. Thus, strong name verification fails even if the key is removed or replaced - again something typically done by hackers or crackers.
Control Flow Obfuscation
In .Net assemblies, even the code is stored in a well structured manner using a published format. This enables a sufficiently advanced decompiler to reconstruct to a pretty accurate degree the exact structure of your code including the for/while loops, if statements, try-catch blocks, etc. When doing control flow obfuscation on your code, Crypto Obfuscator changes the structure of your code into spaghetti code while maintaining 100% the logic and output of the code. The result is that decompilers are unable to reconstruct your code and output incorrect or garbage code. Most of the times they crash while trying to do so. This provides powerful method body protection for your software.
ILDASM Suppression
ILDASM (Microsoft IL Dissassembler) is a free tool to disassembly any .Net assembly into MSIL (Microsoft Intermediate Language) and extract the entire contents including the classes, methods, code and resources from the assembly. Crypto Obfuscator can modify the assembly in such a way that ILDASM refuses to disassemble the assembly.
Anti-Reflection Protection
Many decompilers, dissassemblers and memory dumpers use .Net Reflection mechanism to extract information about a .Net assembly. Crypto Obfuscator can modify the assembly in such a way that such tools will fail when trying to work on your assembly.
Anti-Decompiler Protection
Advanced decompilers such as the freely available .Net Reflector are your enemy in the battle against the hackers, crackers and competitors. Crypto Obfuscator can modify your assembly in such a way that such tools fail to work on your assembly - many times they are not even able to open your assembly, let alone examine it.
Resource Encryption
Tools such as ILDASM, .Net Reflector and others can easily extract resources from your assembly. Such resources often contain valuable, sensitive or copyrighted information such as images, UI (WPF baml files), textual content, etc. Crypto Obfuscator can hide and encrypt all such resources so that it is impossible to see them, let alone extract them from the assembly.
Assembly Encryption
Crypto Obfuscator can encrypt all dependant assemblies and any additional assemblies used by your software. This makes it impossible for someone to get their hands on individual assemblies. You can use this feature to your advantage by separating all sensitive or important code and data in a dependant assembly. In fact, this can be taken to an extreme - simply put ALL your code/data in a separate assembly and use a shell assembly as a starter/loader assembly for your application.
Conclusion
Each of the above techniques on their own are pretty powerful and effective against hackers, crackers and competitors. When combined and used together for the obfuscation and code protection of your .Net assembly, they form an impenetrable shield which is extremely difficult to break. Even if broken into by the most expert of hands, all they will see are garbage, encrypted or obfuscated code, names and data.
Crypto Obfuscator arms .Net developers with a powerful code protection and obfuscation tool which enable them to deploy their .Net software without fear of IP theft, reverse-engineering, hacking, cracking and piracy.
- Related Videos
- Related Articles
- Ask / Related Q&A
Ecommerce to Dynamics GP Real Time Integration: Order Connector
By: Andrew Karasev | 25/12/2009If your back office Corporate ERP application is Microsoft Dynamics GP, former versions were also known as Microsoft Great Plains and Great Plains Dynamics, and you have in-house developed ecommerce web application with items catalogs with advanced price lists (especially in B2B ecommerce scenarios), shopping cart, credit card processing, we would like to present you this small publication in the form of FAQ and orientation session.
Learn How to Figure Out Spreadsheets
By: Colon Bolden | 25/12/2009Doing spreadsheets on a computer may seem a little complicated at first. But a small investment of time and effort will soon pay dividend, because once you have the hang of them, spreadsheets can perform complex financial calculations.
Microsoft Office Training Is a Wise Investment in Working World
By: Caitlina Fuller | 25/12/2009Microsoft Office 2010 will be released to the public in the beginning of 2010. This is great news as it has been widely believed that the software is in dire need of revamping.
PSP Go Download Center - You can Download PSP and PSP Go Games Here!
By: Sarah Brown | 25/12/2009Psp Go Game Downloads, Download Psp Go Games, How To Download Psp Go Games, Psp Go Download Center, Where To Download Psp Go Games, Psp Go Game Download, Psp Go Games Download, Psp Go Games Downloads PSP Go Download Center is one of the few places that allows you to download psp go games. This is a membership site that guarantees all its downloads for psp go games.
PSP Go Download Center - place where you can download PSP and PSP Go games fore free!
By: Sarah Brown | 25/12/2009PSP Go Download Center - place where you can download PSP and PSP Go games fore free! Do you want to get your favorite game for your new PSP Go? Do you want to spend thousand of dollars to find a new but a good game? So you have some options here.
Download PSP Go games, movies, music,software and more!
By: Sarah Brown | 25/12/2009Are you looking for a website that can allow you to download PSP Go games, movies, music and more? Are you paying $30 to $50 for each PSP Go game fro your local store? Do you want to stop doing that and pay one time fee and star download newest PSP Go games, movies, music and more? So here is your solution.
PSP Go Download Center: Can you download psp and psp go game at a high speed form PSP Go Download Center?
By: Sarah Brown | 25/12/2009There are many sites online that help you make the most of the PSP or PSP go you just bought, PSP Go Download Center is just one of them. It is not just about the kind of services a site offers anymore though. There are quite a few sites that offer decent variety and range of downloads. But what makes PSPgo Download Centre different and exciting is not just the wide range of downloads it possesses, but also the speed of download. PSPgo Download Centre has high-speed servers that facilitate and
PSP Go Download Center - Get PSP and PSP Go Download Games For The Price Of just 1 PSP Go Game
By: Sarah Brown | 25/12/2009If you just bought your PSP or PSP go, then psp go download is possible, then all that must be going on in your head is how to get the maximum possible entertainment out of it. It is not just games that you get to play on it, but music, movies, software and so much more out of it. So, what do you need to make the most of your PSP? Nothing much, just your personal computer, internet and your PSP or PSP go machine.
8 Ways To Protect And Obfuscate Your .Net Code Against Reverse-Engineering Using Crypto Obfuscator
By: G. Himangi | 23/10/2009 | SoftwareCrypto Obfuscator arms .Net developers with a powerful code protection and obfuscation tool which enable them to deploy their .Net software without fear of IP theft, reverse-engineering, hacking, cracking and piracy.
Add Network Floating License Capability To Your Software With CryptoLicensing
By: G. Himangi | 18/09/2009 | SoftwareA network floating license is an essential requirement for some types of software and for some customer scenarios. CryptoLicensing makes it extremely easy to add network floating licenses functionality to your software via its customer deployed license service.
8 Ways To Make Your Software Hacker-Proof and Crack-Proof: Writing Effective License Checking Code And Designing Effective Licenses
By: G. Himangi | 23/04/2009 | ProgrammingThis article provides some useful tips and guidelines for designing effective licenses and writing effective license validation code. The philosophy is simple: to make it as difficult as possible for the hacker to 'crack' your software and cause the hacker to lose interest in your software or not make it worthwhile for him/her.
Add Windows Explorer Integration to Document Management Software, Content Management Software and Virtual Drives Using Namespace Extensions
By: G. Himangi | 13/01/2009 | ProgrammingEZNamespaceExtensions.Net is a framework for rapid development of shell namespace extensions in .Net. It eliminates the complicated process of developing namespace extensions and supports all features including sub-folders, custom views, details/column view, contextmenus, drag-drop and others which enable the extension to integrate smoothly into Windows Explorer.
Folderbrowserdialog Unmasked: Everything You Wanted to Know About the Folder Browser Component From .net Framework
By: G. Himangi | 21/11/2008 | ProgrammingThe FolderBrowserDialog, available as part of the .Net framework, provides a folder browser component for your C# and VB.Net applications. The UI consists of a modal dialog which contains a tree control displaying all the files and folders on the system. The user can then browse and select a folder from the tree. The full path of the selected folder is then returned. In this article we will learn more about the FolderBrowserDialog, its usage, properties and limitations.