We are using the purchased DotFuscator to scramble the assembly code.

I imagine that there is no perfect solution to registration. I would
appreciate pointers to "best practice".

Thank you
Mark


-----Original Message-----
From: Daniel O'Connell [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 20 April 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Application registration

It's really not that hard. Version information for assembly references
is, to my knowledge, stored in one place in a given assembly, the
AssemblyRef table. This table contains an index into the blob heap,
where the public key token lies. A similar index exists that points to
the hash value. 

You do, of course, have the various attributes that specify keys, but
90% of those can probably be detected in an automatic manner as well.
Signed code is useless as far as licensing goes. I'm pretty sure I could
whip up a utility to re-hash and re-sign an entire chain of assemblies
in less than a day. Simple code analysis should pick up most strong name
permissions or other requirements (I can't think of what they all are,
off hand, but it is certainly doable). In fact, if you were feeling
creative, you could probably even generate code to hook
AppDomain.CurrentDomain.AssemblyResolve to automate the process. Such a
system would take a bit longer, but it certainly wouldn't be impossible
or even difficult, relatively speaking.

> -----Original Message-----
> From: Moderated discussion of advanced .NET topics. [mailto:ADVANCED-
> [EMAIL PROTECTED] On Behalf Of Ido Samuelson
> Sent: Monday, April 19, 2004 11:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Application registration
> 
> Again, I mean you can't recompile it with the same strong name
> 
> and if you put strong name check on your application it will not be
> easy to avoid those checks
> 
> Best Regards,
> Ido Samuelson
> 
> IBM Global Services (Israel)
> Tel: 972-3-5313765, Mobile: 972-67-888150.
> Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
> 
> Only 10 kind of people understand me. Those who are and those who
> aren't.
> 
> 
> 
> Frans Bouma <[EMAIL PROTECTED]>
> Sent by: "Moderated discussion of advanced .NET topics."
> <[EMAIL PROTECTED]>
> 19/04/2004 07:08 PM
> Please respond to
> "Moderated discussion of advanced .NET topics."
> 
> 
> To
> [EMAIL PROTECTED]
> cc
> 
> Subject
> Re: [ADVANCED-DOTNET] Application registration
> 
> 
> 
> 
> 
> 
> > Again,
> >
> > You can't change the compiled IL
> > the assembly will fail executing
> 
>         erm, not to be rude or anything, but... have you tried what I
> wrote? Just because you say so, doesn't make it true, sorry.
> 
>         You can't alter the bytes in the original DLL, but why would
> you do that? You can reconstruct the DLL from that original dll WITH
> the altered code. You can even use a plugin in reflector which exports
> a complete class library to C#. Oh, you want to tell me I then can't
> compile that generated C# into a new DLL? Or alter the .exe's
> references so it loads my new assembly?
> 
>         Simply denying that you can't alter a compiled assembly is
> closing your eyes for actions others WILL perform on your code you
> want to protect so much. For the cracker it doesn't matter if the new
> dll is altered, as long as the functionality it has to perform (i.e.
> the code you want to protect) is performed.
> 
>         I find it very important everybody knows the real truth about
> what the real value is of what seems to be a good solution to protect
> your code. I once thought that by signing my .exe and my assemblies,
> no-one could crack it, because that would require altering the
> assembly and then that would break the signature. Besides that you can
> switch off signature checking, it also can be circumvented by removing
> the signatures from the references in the IL. You don't have to
> believe me, but it took someone just 20 seconds to do it. Now, what do
> you want: keep on telling everybody that it can't be done, so people
> keep on believing it and keep on using protection schemes which do not
> protect your IP at all, or that people realize what the dangers are
> and that they take REAL steps to protect their IP: use a
> code-rearranging tool like an obfuscator which re-arranges code as
> well (name mangling doesn't work) AND including checks for the license
> in a lot of random places, preferably from code which is compiled at
> runtime from encrypted sourcecode which also contains code essential
> for the program. Neither will help you in the long run, but will help
> you turn down the cracking attempts of the average employee of a
> company which doesn't want to pay for a license.
> 
>                 Frans.
> 
> >
> > Best Regards,
> > Ido Samuelson
> >
> > IBM Global Services (Israel)
> > Tel: 972-3-5313765, Mobile: 972-67-888150.
> > Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
> >
> > Only 10 kind of people understand me. Those who are and those
> > who aren't.
> >
> >
> >
> > Ido Samuelson/Israel/Contr/[EMAIL PROTECTED]
> > Sent by: "Moderated discussion of advanced .NET topics."
> > <[EMAIL PROTECTED]>
> > 19/04/2004 05:30 PM
> > Please respond to
> > "Moderated discussion of advanced .NET topics."
> >
> >
> > To
> > [EMAIL PROTECTED]
> > cc
> >
> > Subject
> > Re: [ADVANCED-DOTNET] Application registration
> >
> >
> >
> >
> >
> >
> > is simply circumvented by altering the IL a bit to simply skip the
> > 'CheckLicense' routine which does the communication with your
> > server and
> > it's cracked.
> >
> > you can't change an assembly. That's the point of security! Add to
> > it a strong name assembly and it is impossible to fake either.
> >
> > Best Regards,
> > Ido Samuelson
> >
> > IBM Global Services (Israel)
> > Tel: 972-3-5313765, Mobile: 972-67-888150.
> > Fax: 972-3-5313500, E-mail : [EMAIL PROTECTED]
> >
> > Only 10 kind of people understand me. Those who are and those
> > who aren't.
> >
> >
> >
> > Frans Bouma <[EMAIL PROTECTED]>
> > Sent by: "Moderated discussion of advanced .NET topics."
> > <[EMAIL PROTECTED]>
> > 19/04/2004 12:01 PM
> > Please respond to
> > "Moderated discussion of advanced .NET topics."
> >
> >
> > To
> > [EMAIL PROTECTED]
> > cc
> >
> > Subject
> > Re: [ADVANCED-DOTNET] Application registration
> >
> >
> >
> >
> >
> >
> > > I have nearly finished a new application and we want to
> > > protect our investment.
> > >
> > > What is the best way to implement product registration? Is
> > > there an example around?
> > >
> > > I have read that some people are using the HD Volume number
> > > as a key to ensure each installation is unique. Is this a good
> > > idea?
> > >
> > > We want registration to be such that the software generates a
> > > key (unknown to the user) and together with the serial number
> > > entered is used by our server to provide a license key.
> > >
> > > I would appreciate pointers on a satisfactory solution.
> >
> >         The only one I can give you is a reality check, I'm afraid:
> > no matter how protective you are, it is breakable. The system you
> > envision is simply circumvented by altering the IL a bit to simply
> > skip the 'CheckLicense' routine which does the communication with
> > your server and it's cracked.
> >
> >         The harder you make this process (thus check on random spots
> > for a license will do, for example in encrypted code which is
> > decrypted in 1 go and also contains vital code so it can't be hacked
> > out, see CodeDom for pointers) the better, but if your application is
> > very popular, it will be cracked no matter what you throw in: a
> > cracker will simply NOP the call to the check routine and will make
> > the code believe the check was valid.
> >
> >         Decompilation prevention will help you in this, however an
> > obfuscator is often not that sufficient as public methods often
> > aren't obfuscated, so the obfuscator needs to re-arrange code as well
> > (which makes decompilation harder).
> >
> >         I recently remembered that back in the old days of the
> > demoscene we used .exe packers like upx. I tried that one with .NET
> > code but it obviously failed, but the idea is nonetheless interesting
> > for decompilation prevention: it picks up the .exe, compresses it and
> > adds its runtime decompressor to it. This thus leads to a .exe which
> > is not decompilable with reflector for example. At runtime it then
> > decompresses the .exe in memory and passes execution to the actual
> > start routine. Because .NET .exe's are not native win32/pe format,
> > this doesn't work, but perhaps your team can look into the upx
> > sourcecode and change it a bit to have it work with .NET executables.
> > (http://upx.sourceforge.net/#download . Remember, this doesn't work
> > with .NET out of the box)
> >
> >                 Frans.
> >
> > --------------------------------------------------------------------
> > Get LLBLGen Pro, the new O/R mapper for .NET: http://www.llblgen.com
> > My .NET Blog : http://weblogs.asp.net/FBouma
> > Microsoft MVP (C#)
> > --------------------------------------------------------------------
> >
> > ===================================
> > This list is hosted by DevelopMentor(r)  http://www.develop.com
> > Some .NET courses you may be interested in:
> >
> > NEW! Guerrilla ASP.NET, 17 May 2004, in Los Angeles
> > http://www.develop.com/courses/gaspdotnetls
> >
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com
> >
> >
> >
> >
> >
> >
> >
> >
> 
> 
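
The registration flow asked about in the thread (the software produces a machine key, the user enters a serial number, the vendor server returns a license key) can be built so that license keys cannot be minted without the server. This is an added example, not code from any poster; the class, method names and sample values are hypothetical, and it uses an RSA signature as one possible construction. It covers forged keys only; the point made in the thread about skipping the check in the IL is a separate problem.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Canonical message the server signs. Fields are length-prefixed so that
    // ("AB","C") and ("A","BC") can never serialize to the same bytes.
    static byte[] Payload(string serial, string machineKey) =>
        Encoding.UTF8.GetBytes(
            $"{serial.Length}:{serial}|{machineKey.Length}:{machineKey}");

    // Server side (hypothetical): only the vendor server holds the private key.
    static string Issue(RSA serverKey, string serial, string machineKey) =>
        Convert.ToBase64String(serverKey.SignData(
            Payload(serial, machineKey),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

    // Client side: ships with the public key only, so it can verify a license
    // but has nothing from which a key generator could be derived.
    static bool Verify(RSA publicKey, string serial, string machineKey, string license)
    {
        byte[] signature;
        try { signature = Convert.FromBase64String(license); }
        catch (FormatException) { return false; } // malformed key is just invalid
        return publicKey.VerifyData(
            Payload(serial, machineKey), signature,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        using RSA server = RSA.Create(2048);
        using RSA client = RSA.Create();
        client.ImportParameters(server.ExportParameters(false)); // public half only

        // Constructed sample values, not taken from the thread.
        string serial = "SN-0001-EXAMPLE";
        string machine = "VOL-1A2B3C4D";
        string license = Issue(server, serial, machine);

        // Matching serial and machine key.
        Console.WriteLine(Verify(client, serial, machine, license));
        // Same license copied to a different machine.
        Console.WriteLine(Verify(client, serial, "VOL-FFFFFFFF", license));
        // Same license presented with a different serial.
        Console.WriteLine(Verify(client, "SN-0002-EXAMPLE", machine, license));
        // Garbage typed into the license field.
        Console.WriteLine(Verify(client, serial, machine, "not-base64!"));
    }
}
```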
