Obfuscation is one way, but it can't protect from breaking the piracy protection security of the application. How do I make sure that the application is not tampered with, and how do I make sure that the registration mechanism can't be reverse engineered? Also it is possible to convert a C# application to native code, and Xenocode is too costly. C# provides a lot of features, and is the ideal language for my code, so writing the whole codebase again in C++ is out of the question. Secure certificates can be easily removed from the signed assemblies in .NET.


blogs.msdn.com/b/dotnet/archive/2014/04/02/… Things change!

2019-04-19, 25 min 01 s

Andreas: This is awesome!! I'm going to give it a try. Anyone using it?

2019-04-20, 25 min 01 s

Jack it's for Windows Store apps only. There is no timeline for desktop apps (as far as I can tell).

2019-04-19, 25 min 01 s

If you want native without archaic C++, use Delphi. The ease of .Net came from Delphi anyways.

2019-04-20, 25 min 01 s

So +1 that it’s almost +2. I wish more people would finally get that you simply can not protect your software against a determined attacker.

2019-04-19, 25 min 01 s

You have reached software protection nirvana: it's not about adding more protection, it's about focusing on the product and making it so good that people WANT to pay for it. And for those that pirate it, they would have never paid anyways so it's as if they never existed.

2019-04-19, 25 min 01 s

Arthur Chaparyan, I agree. It took a long time to get here but I finally have seen the light. I went down the road of more restrictive protections and battling the crackers. I learned all I could about reverse engineering in an attempt to prevent my own. I finally figured out the right ideology

2019-04-19, 25 min 01 s

Hell I'd have been honored to find out someone thought my software was worth pirating...

2019-04-19, 25 min 01 s

When you start relying on the sales of your software for a major part of your income it changes things. It feels like someone is stealing from you. I get what you are saying though. I was shocked when I first found cracks for my software on torrent sites.

2019-04-20, 25 min 01 s

CW? +1 regardless. Nice answer, all points covered.

2019-04-19, 25 min 01 s

Learning: it kinda grew over time and passed the automatic convert to CW threshold.

2019-04-20, 25 min 01 s

+1 Better than the answer I gave to the previous version of this question. Joel Didn't know there was a limit.

2019-04-20, 25 min 01 s

Good argument, but misses a point about protecting intellectual property. If your app has some code that does something that is somewhat complex, obfuscation can provide the difference between flat out copying and pasting code, and trying to interpret and re-engineer code so it works. This is particularly important with updates: if someone has copied your obfuscated code, when you release an update, they have to do that over again - and at the very least, it causes them more pain/expense/time. If you don't have it protected in some way, they just copy/paste again and it works.

2019-04-19, 25 min 01 s

Great post - it really goes into all the right details about the reasons why it's not worth bothering to write complex copy protection. Even though the question is a duplicate it's worth reopening it just for this answer. Maybe a mod can merge it?

2019-04-20, 25 min 01 s

Btw I'm doing a project in which I want to activate a product "offline" also. (I made a WCF service to activate online.) In this case how will you manipulate the code? Can you give me some hints?

2019-04-19, 25 min 01 s

Interesting idea, but what course of action would you recommend to someone developing an application which must run without a data connection, such as a WP7 game?

2019-04-19, 25 min 01 s

Using strong cryptography to protect/verify your licences is completely useless if somebody rips out the code that aborts the application if the licence doesn’t check out. :)

2019-04-20, 25 min 01 s

Agreed, but as I was saying, the protection isn't for those groups of users who will resort to using cracks (an assumption that I made will exist).

2019-04-19, 25 min 01 s

public-key cryptography = asymmetric cryptography. I think you meant symmetric.

2019-04-19, 25 min 01 s

Bummer, thanks for pointing it out, I'll edit that :)

2019-04-19, 25 min 01 s

To be fair the third point is biased since it assumes that portion of people is always a minority. I'm pretty sure under certain frameworks it's a clear majority. I have online games with massively multiplayer features in mind because a) most users are kids with very low ethical standards b) the cost can be significant to those users if it's a monthly fee that drags for months etc.

2019-04-20, 25 min 01 s

Like the idea; you can also use different passwords for asymmetric encryption in different releases.

2019-04-19, 25 min 01 s

Interesting idea, but what exactly is the problem with a long registration code, anyway? Nowadays nobody would enter it by hand anyway - everyone would copy and paste it, so whether it's 10 characters or 100 characters shouldn't make any difference.

2019-04-19, 25 min 01 s

Evgeny: That's only true if your users are power users. We have been creating shareware / casual games for many years and I can tell you that most of our users can't copy and paste. The registration window even comes with a manual on how to copy and paste, and some don't even get it after reading it.

2019-04-19, 25 min 01 s

Wow! OK, well, you obviously have more experience than me in this, so I can't argue, I can only say I'm surprised. But I would say that if they don't know how to copy and paste then you should make the code 200 characters long, so that they learn a highly useful general computer skill. :)

2019-04-19, 25 min 01 s

Evgeny: Even with the short registration codes, we still got a lot of e-mails from people who have mistyped their codes and therefore thought that the code can't be valid because they would never make a mistake like this several times in a row. I prefer to leave the IT teaching to other companies... :-)

2019-04-19, 25 min 01 s

Pricing, my friend: buying licensing software from Microsoft is too costly for a normal ISV.

2019-04-19, 25 min 01 s

I've tried it, it works very well but it only encrypts the code inside a method, not the whole assembly or project, so a cracker can easily alter the flow of the program with IL injection.

1970-01-01, 00 min 03 s

ogggre If adding vendor links, you really need to disclose your connections in the post. Also the currently available version of SLPS (which I work on :D) does support generics. Naturally all solutions have their individual pros and cons that only an eval can properly contextualise for people

2019-04-19, 25 min 01 s

MohsenAfshin I don't understand what you're saying - the point is that you need to protect any methods where the addition/removal/changing of IL would represent a licensing breach. Because virtualizing things cannot be free, it simply doesn't make sense to 'magically protect it all' as you're suggesting. Back to the key point: The aim of SP's Protection is to prevent IL changes on methods that you select on the basis that they are sensitive (plus generally some others as noise to avoid planting a you need to crack this bit here --> sign)

2019-04-20, 25 min 01 s

RubenBartelink I agree with you. Unfortunately this thread is way too big with several pages of content. At first I wanted to add a new answer but StackOverflow suggested that it is better to extend the existing one. So I did. Hope my small piece of information is useful. Thanks for an update on generic support in SLPS and your corrections.

2019-04-19, 25 min 01 s

Don't forget that it is quite possible to attack the software part of the hardware lock.

2019-04-19, 25 min 01 s

Yes, that's true, the only real option would be to have the application partially implemented in hardware (some weird mix of software-VHDL application for example). This would also be crackable though...

2019-04-19, 25 min 01 s

What about dongles that implement a public/private key strategy. Only the private key of the dongle can decrypt the application and run it.

2019-04-20, 25 min 01 s

That's what the hardware key usually does. But you can either attack the dongle - clone it, or the software responsible for talking with the dongle (circumvent, disable, etc).

2019-04-20, 25 min 01 s

In my case it really WAS worth it. After I implemented Partial Key Verification and changed registration key scheme for an existing product, sales went up in a significant manner. All software can be cracked, the question is just how high you raise the bar for the casual software pirate.

2019-04-19, 25 min 01 s

If you really bother outsourcing your registration code into a DLL, you should make sure that the DLL has to be different with every new version of your software. Otherwise you're making it even easier for people to crack your software. All they'd need to do is crack your DLL once and use that for all later versions. Even end users could do this once they find an old cracked DLL, and this is even worse than putting the registration mechanism in your managed code.

2019-04-20, 25 min 01 s

Didn't get it; can you explain in detail?

2019-04-20, 25 min 01 s

It's not just "if they really want to see how your software works, they will". If they care, they can probably guess without looking. 99.9%+ of software doesn't have any magic pixie dust algorithms. The hard part of programming isn't some special secret technique. It's just getting all the parts to line up and work.

2019-04-19, 25 min 01 s

Ken - Shhhh! You can't let the rest of the world know that most of the time we're not using magic pixie dust algorithms.

2019-04-19, 25 min 01 s

Justin: Does Love count as a magic algorithm? Love is what makes my programs special. I don't think you can disassemble Love.

2019-04-20, 25 min 01 s

The answer is quite easy: It is a pity that most answers talk about obfuscation. Obfuscation is good for stopping the very first (Reflector-like) try to look in your code, that's all. That is not bad. And of course there is nothing which stops real hackers who understand assembly code, besides writing a SAAS application (even then they can try to hack your server). But there is more, there are tools like Salamander, .NET Reactor and others mentioned, which provide (maybe) nearly the same security from uncompiling as a C++ compiled Win32 .exe. Which of those tools is best, I cannot judge yet.

2019-04-19, 25 min 01 s

I tried to contact those guys with some questions I had about their product, but they never replied. Did you try their product? I have gone with smart assembly and both their product and support are very good. But as I already said in the question, obfuscation is one way, but not foolproof.

2019-04-20, 25 min 01 s

I had some issues with their product earlier and then I asked a question regarding high resolution icons in groups.google.se/group/net-reactor-users and I got a reply and a fix, but now it seems like they are hard to get hold of. Too bad - it's a great product and I'm still using it

2019-04-20, 25 min 01 s

If "no existing tool can decompile", why is it listed as a supported obfuscator/packer on the de4dot features page? bitbucket.org/0xd4d/de4dot

2019-04-19, 25 min 01 s

Probably because it's an old statement and they haven't updated their webpage. I am no longer a user of any obfuscation tool.

2019-04-20, 25 min 01 s

What if the server is down or users don't always have internet access? Your method will simply frustrate the customers by having so many frequent round trips to the internet servers just to use an app.

2019-04-20, 25 min 01 s

I agree completely. That's why I said "this is probably more invasive than you want..." in my last line. I was just offering the OP the best solution that I thought was technically feasible, not the best approach to keeping customers happy :)

2019-04-19, 25 min 01 s

In the first quarter of 2010 (several months after this answer was written), the game development company Ubisoft tried this, and apparently the load on the server-side components was so big that the games were unplayable. Overall impression of the SW: "hassle to install, cannot be used offline, invasive and unreliable". So, should you decide that server-side processing is the way to go, make sure you can actually scale to demand.

2019-04-20, 25 min 01 s

Reflection can become quite fragile with obfuscated assemblies ...

2019-04-19, 25 min 01 s

Isn't a crash point easy to debug, and the code in .NET easy to override to bypass that check? Also, how will you change the opcodes in .NET? Can you elaborate on this?

2019-04-20, 25 min 01 s

Oh. I had C tricks in mind; say, take the address of the validation function, add up the 10 first bytes in that char array (cast the function pointer); pick any function f, and store [the address of f minus the previous sum] in fptr. Always call f as *(fptr + that sum). Precompute "that sum"

2019-04-19, 25 min 01 s
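The C trick described in the last comment, as an added example (not the commenter's code). It assumes gcc or clang on a platform where code bytes are readable; `validate_license`, `protected_feature`, `seal` and the other names are hypothetical, `seal()` at startup stands in for the build-time precomputation of the sum, and a patch is simulated on a copy of the bytes rather than on live code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD_LEN 10 /* "the 10 first bytes" of the validation function */

/* Hypothetical licence check whose machine code is guarded. */
__attribute__((noinline)) int validate_license(const char *key) {
    return key != NULL && strcmp(key, "CONSTRUCTED-SAMPLE-KEY") == 0;
}

/* Hypothetical function f, reachable only through the masked pointer. */
__attribute__((noinline)) int protected_feature(int x) { return 2 * x + 1; }

static uintptr_t byte_sum(const unsigned char *p, size_t n) {
    uintptr_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Sum of the validation function's first bytes as loaded in memory now. */
uintptr_t live_sum(void) {
    return byte_sum((const unsigned char *)(uintptr_t)validate_license, GUARD_LEN);
}

static uintptr_t fptr; /* address of f minus the sum; f's address is never stored */

/* Stand-in for the build step that would precompute the sum. */
void seal(void) { fptr = (uintptr_t)protected_feature - live_sum(); }

/* Where a call lands for a given sum; only the original sum yields f. */
uintptr_t resolve(uintptr_t sum) { return fptr + sum; }

int call_protected(int x) {
    int (*f)(int) = (int (*)(int))resolve(live_sum());
    return f(x);
}

/* Sum over a copy of the guarded bytes with one bit flipped (simulated patch). */
uintptr_t patched_sum(void) {
    unsigned char copy[GUARD_LEN];
    memcpy(copy, (const void *)(uintptr_t)validate_license, GUARD_LEN);
    copy[0] ^= 0x01;
    return byte_sum(copy, GUARD_LEN);
}

int main(void) {
    seal();
    printf("intact call: %d, patched call reaches f: %d\n", call_protected(20),
           resolve(patched_sum()) == (uintptr_t)protected_feature);
}
```

With the guarded bytes intact the call reaches `protected_feature`; once any of them changes, the recomputed sum moves the target to an address that is not f.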