> Again,
>
> You cann't change the compiled IL
> the assembly will fail executing
erm, not to be rude or anything, but... have you tried what I
wrote? Just because you say so, doesn't make it true, sorry.
You can't alter the bytes in the original DLL, but why would you
do that? you can reconstruct the DLL from that original dll WITH the
altered code. You can even use a plugin in reflector which exports a
complete class library to C#. Oh, you want to tell me I then can't
compile that generated C# into a new DLL? Or alter the .exe's references
so it loads my new assembly?
Simply denying that you can't alter a compiled assembly is
closing your eyes for actions others WILL perform on your code you want
to protect so much. For the cracker it doesn't matter if the new dll is
altered, as long as the functionality it has to perform (i.e. the code
you want to protect) is performed.
I find it very important everybody knows the real truth about
what the real value is of what seems to be a good solution to protect
your code. I once thought that by signing my .exe and my assemblies,
no-one could crack it, because that would require altering the assembly
and then that would break the signature. Besides that you can switch off
signature checking, it also can be circumvented by removing the
signatures from the references in the IL. You don't have to believe me,
but it took someone just 20 seconds to do it. Now, what do you want:
keep on telling everybody that it can't be done, so people keep on
believing it and keep on using protection schemes which do not protect
your IP at all, or that people realize what the dangers are and that
they take REAL steps to protect their IP: use a code-rearranging tool
like an obfuscator which re-arranges code as well (name mangling doesn't
work) AND including checks for the license in a lot of random places,
preferably from code which is compiled at runtime from encrypted
sourcecode which also contains code essential for the program. Neither
will help you in the long run, but will help you turn down the cracking
attemps of the average employee of a company which doesn't want to pay
for a license.
Frans.
>
> Best Regards,
> Ido Samuelson
>
> IBM Global Services (Israel)
> Tel: 972-3-5313765, Mobile: 972-67-888150.
> Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
>
> Only 10 kind of people understand me. Those who are and those
> who aren't.
>
>
>
> Ido Samuelson/Israel/Contr/[EMAIL PROTECTED]
> Sent by: "Moderated discussion of advanced .NET topics."
> <[EMAIL PROTECTED]>
> 19/04/2004 05:30 PM
> Please respond to
> "Moderated discussion of advanced .NET topics."
>
>
> To
> [EMAIL PROTECTED]
> cc
>
> Subject
> Re: [ADVANCED-DOTNET] Application registration
>
>
>
>
>
>
> is simply circumvented by altering the IL a bit to simply skip the
> 'CheckLicense' routine which does the communication with your
> server and
> it's cracked.
>
> you can't changed an assembly. thats the point of security!
> add to it a
> strong name assembly and it is imposible to fake either.
>
> Best Regards,
> Ido Samuelson
>
> IBM Global Services (Israel)
> Tel: 972-3-5313765, Mobile: 972-67-888150.
> Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
>
> Only 10 kind of people understand me. Those who are and those
> who aren't.
>
>
>
> Frans Bouma <[EMAIL PROTECTED]>
> Sent by: "Moderated discussion of advanced .NET topics."
> <[EMAIL PROTECTED]>
> 19/04/2004 12:01 PM
> Please respond to
> "Moderated discussion of advanced .NET topics."
>
>
> To
> [EMAIL PROTECTED]
> cc
>
> Subject
> Re: [ADVANCED-DOTNET] Application registration
>
>
>
>
>
>
> > I have nearly finished a new application and we want to
> > protect our investment.
> >
> > What is the best way to implement product registration? Is
> > there an example around?
> >
> > I have read that some people are using the HD Volume number
> > as a key to ensure each installation is unique. Is this a good idea?
> >
> > We want registration to be such that the software generates a
> > key (unknown to the user) and together with the serial number
> > entered is used by our server to provide a license key.
> >
> > I would appreciate pointers on a satisfactory solution.
>
> The only one I can give you is a reality check, I'm afraid: no
> matter how protective you are, it is breakable. The system
> you envision
> is simply circumvented by altering the IL a bit to simply skip the
> 'CheckLicense' routine which does the communication with your
> server and
> it's cracked.
>
> The harder you make this process (thus check on
> random spots for
> a license will do, for example in encrypted code which is
> decrypted in 1
> go and also contains vital code so it can't be hacked out, see CodeDom
> for pointers) the better, but if your application is very popular, it
> will be cracked no matter what you throw in: a cracker will simply NOP
> the call to the check routine and will make the code to believe the
> check was valid.
>
> Decompilation prevention will help you in this, however an
> obfuscator is often not that sufficient as public methods often aren't
> obfuscated, so the obfuscator needs to re-arrange code as well (which
> makes decompilation harder).
>
> I recently remembered that back in the old days of
> the demoscene
> we used .exe packers like upx. I tried that one with .NET code but it
> obviously failed, but the idea is nonetheless interesting for
> decompilation prevention: it picks up the .exe, compresses it and adds
> it's runtime decompressor to it. This thus leads to a .exe
> which is not
> decompilable with reflector for example. At runtime it then
> decompresses
> the .exe in memory and passes execution to the actual start routine.
> Because .NET .exe's are not native win32/pe format, this doesn't work,
> but perhaps your team can look into the upx sourcecode and change it a
> bit to have it work with .NET executables.
> (http://upx.sourceforge.net/#download . Remember, this
> doesn't work with
> .NET out of the box)
>
> Frans.
>
> --------------------------------------------------------------------
> Get LLBLGen Pro, the new O/R mapper for .NET: http://www.llblgen.com
> My .NET Blog : http://weblogs.asp.net/FBouma
> Microsoft MVP (C#)
> --------------------------------------------------------------------
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
> Some .NET courses you may be interested in:
>
> NEW! Guerrilla ASP.NET, 17 May 2004, in Los Angeles
> http://www.develop.com/courses/gaspdotnetls
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
>
>
>
>
>
>
>
>
===================================
This list is hosted by DevelopMentorŪ http://www.develop.com
Some .NET courses you may be interested in:
NEW! Guerrilla ASP.NET, 17 May 2004, in Los Angeles
http://www.develop.com/courses/gaspdotnetls
View archives and manage your subscription(s) at http://discuss.develop.com
