> > is simply circumvented by altering the IL a bit to simply
> > skip the 'CheckLicense' routine which does the communication
> > with your server and it's cracked.
>
> you can't change an assembly. that's the point of security!

you can't?

    ILDasm /out=foo.asm myAssembly.dll
    notepad foo.asm
    alter all you want. Save
    ILAsm /out=myAssembly.dll /dll foo.asm

et voilà. (you probably want/need some more options, but this is the idea)

> add to it a strong name assembly and it is impossible to fake either.

Also wrong :) You can remove the signature in the IL you generated with
ILDasm. You can apply your own signature to the IL when using ILAsm. And
*drumroll* here's the catch: you can also do this with the .exe
referencing this DLL. I.o.w.: I can change a hardcoded reference in the
.exe into a reference with another public key token, namely the one
matching the assembly created with ILasm which is signed with my own key.
So next time I run the .exe (which is now also altered) I load my own dll,
which is altered and won't contain the check for the license, without
problems.

So once you can create IL asm from an assembly, the protection is gone.
Two things will make this hard(er): the IL should be horrible to read
(i.e. a lot of code re-arranging by a good obfuscator) and it should be
hard to find the actual call to the check.

I once thought it was safe also. Well, it's not :)

        FB

> Best Regards,
> Ido Samuelson
>
> IBM Global Services (Israel)
> Tel: 972-3-5313765, Mobile: 972-67-888150.
> Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
>
> Only 10 kind of people understand me. Those who are and those
> who aren't.
>
> Frans Bouma <[EMAIL PROTECTED]>
> Sent by: "Moderated discussion of advanced .NET topics."
> <[EMAIL PROTECTED]>
> 19/04/2004 12:01 PM
> Please respond to
> "Moderated discussion of advanced .NET topics."
>
> To
> [EMAIL PROTECTED]
> cc
>
> Subject
> Re: [ADVANCED-DOTNET] Application registration
>
> > I have nearly finished a new application and we want to
> > protect our investment.
> >
> > What is the best way to implement product registration? Is
> > there an example around?
> >
> > I have read that some people are using the HD Volume number
> > as a key to ensure each installation is unique. Is this a good idea?
> >
> > We want registration to be such that the software generates a
> > key (unknown to the user) and together with the serial number
> > entered is used by our server to provide a license key.
> >
> > I would appreciate pointers on a satisfactory solution.
>
> The only one I can give you is a reality check, I'm afraid: no
> matter how protective you are, it is breakable. The system you envision
> is simply circumvented by altering the IL a bit to simply skip the
> 'CheckLicense' routine which does the communication with your server and
> it's cracked.
>
> The harder you make this process (thus check on random spots for
> a license will do, for example in encrypted code which is decrypted in 1
> go and also contains vital code so it can't be hacked out, see CodeDom
> for pointers) the better, but if your application is very popular, it
> will be cracked no matter what you throw in: a cracker will simply NOP
> the call to the check routine and will make the code to believe the
> check was valid.
>
> Decompilation prevention will help you in this, however an
> obfuscator is often not that sufficient as public methods often aren't
> obfuscated, so the obfuscator needs to re-arrange code as well (which
> makes decompilation harder).
>
> I recently remembered that back in the old days of the demoscene
> we used .exe packers like upx. I tried that one with .NET code but it
> obviously failed, but the idea is nonetheless interesting for
> decompilation prevention: it picks up the .exe, compresses it and adds
> its runtime decompressor to it. This thus leads to a .exe which is not
> decompilable with reflector for example. At runtime it then decompresses
> the .exe in memory and passes execution to the actual start routine.
> Because .NET .exe's are not native win32/pe format, this doesn't work,
> but perhaps your team can look into the upx sourcecode and change it a
> bit to have it work with .NET executables.
> (http://upx.sourceforge.net/#download . Remember, this doesn't work with
> .NET out of the box)
>
> Frans.
>
> --------------------------------------------------------------------
> Get LLBLGen Pro, the new O/R mapper for .NET: http://www.llblgen.com
> My .NET Blog : http://weblogs.asp.net/FBouma
> Microsoft MVP (C#)
> --------------------------------------------------------------------
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
> Some .NET courses you may be interested in:
>
> NEW! Guerrilla ASP.NET, 17 May 2004, in Los Angeles
> http://www.develop.com/courses/gaspdotnetls
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
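
The reply above describes an altered DLL being re-signed with a different key and the .exe's reference being repointed at the new public key token. As an added example (not part of the thread and not any poster's code), here is a C# audit for .NET Framework that is run from outside the application and flags both conditions in an install directory. TokenAudit and ExpectedToken are hypothetical names, the token value is a constructed placeholder, and the directory is assumed to hold only the publisher's own assemblies.

```csharp
using System;
using System.IO;
using System.Reflection;

static class TokenAudit
{
    // Constructed placeholder: put the publisher's real token here (see `sn -T`).
    const string ExpectedToken = "0123456789abcdef";

    static string Hex(byte[] token)
    {
        if (token == null || token.Length == 0) return "(unsigned)";
        return BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
    }

    static int Main(string[] args)
    {
        string dir = args.Length > 0 ? args[0] : ".";
        int findings = 0;
        foreach (string path in Directory.GetFiles(dir))
        {
            string ext = Path.GetExtension(path).ToLowerInvariant();
            if (ext != ".dll" && ext != ".exe") continue;

            AssemblyName self;
            try { self = AssemblyName.GetAssemblyName(path); }
            catch (BadImageFormatException) { continue; } // not a managed assembly

            // 1. The file itself must declare the publisher's key.
            string own = Hex(self.GetPublicKeyToken());
            if (own != ExpectedToken)
            {
                Console.WriteLine("RE-SIGNED OR UNSIGNED: {0} ({1})", path, own);
                findings++;
            }

            // 2. References to assemblies shipped in this directory must still
            //    name the publisher's key (inspection only, nothing is executed).
            Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);
            foreach (AssemblyName r in asm.GetReferencedAssemblies())
            {
                bool shipped = File.Exists(Path.Combine(dir, r.Name + ".dll"));
                string refToken = Hex(r.GetPublicKeyToken());
                if (shipped && refToken != ExpectedToken)
                {
                    Console.WriteLine("REDIRECTED REFERENCE: {0} -> {1} ({2})", path, r.Name, refToken);
                    findings++;
                }
            }
        }
        return findings == 0 ? 0 : 1; // non-zero exit code when anything was flagged
    }
}
```

This reads only the key each file declares; `sn -vf <assembly>` checks that the signature itself is valid.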