Is it right that C# can be reverse engineered? How easy is it to do that? Can we say C# is not enough good from safety aspect? And what about C++ compared with C# against decompiling?

+12  A: 

It's true!

Take a look at one of your own executables using Reflector.

Does this mean that C# is "not enough good from safety aspect"? No, it doesn't mean that.

There's nothing wrong with the safety of C#. You just need to ensure that you don't put any secrets in your published executables if you don't want the world to know about them. (This applies to pretty much any language, not just C#. All executable code can be reverse-engineered, it's just that some languages/frameworks make it easier than others.)

LukeH
That one is free and to me best so far :)
Braveyard
See http://en.wikipedia.org/wiki/Kerckhoffs%27_principle, too.
Joey
Reality is not so much "don't put secrets in..." as "there's no point being so paranoid and defensive that you never publish or profit". There's risk in everything - including both getting out of bed in the morning and staying in bed the whole time. The former normally pays better.
Steve314
+1  A: 

Yes, C# can be reverse engineered. In fact it is trivially easy to do. Take a look at Reflector. To make it harder, but not impossible, use an obfuscator.

Keep in mind that applications written in C/C++ or any other language for that matter can be reverse engineered as well, albeit not as easily as non-obfuscated C# or Java.

Brian Rasmussen
I wouldn't say it's trivially easy to do; a little thought and work probably went into Reflector, but yes, the metadata-heavy nature of CIL does make it easier to get to almost the original code with much less effort than with the JVM or native code.
Joey
I am not saying that Reflector is trivially easy to implement, but using it to inspect .NET code certainly is, imo. It is much easier to reverse engineer unobfuscated .NET code from the binaries than, say, C code.
Brian Rasmussen
A: 

Google for "Red Gate Reflector" - http://www.red-gate.com/products/reflector/

If you want to prevent this then you need an obfuscator, or some other more advanced form of protection.

Peter Morris
An obfuscator won't prevent it from being reverse engineered, but makes it harder.
rahul
+7  A: 

Oh dear.

Even if you write your program in C or whatever language, you can always extract the machine code from the executable (even if it's some weird self-modifying code) and then you can always get the assembly representation. This is necessary because CPUs can only execute machine code. This is inherently true for any program written for any Turing machine.

This fact is well illustrated by cracks popping up for any game or application a few days after their release, no matter how hard the developers tried to obfuscate code. There are obfuscation techniques, but in the end it will always be possible to reverse engineer the machine code (or the IL code in the case of .NET). There are also very good Assembly -> C decompilers out there.

Just accept the fact that your code can be reverse engineered and will be if someone needs the source code enough and is willing to invest some time in it. Design your software by keeping this in mind.

DrJokepu
Indeed, in principle any program can be reverse engineered. In C# and Java, for example, it's easier than with a language like C though, because there are decompilers which can translate byte code back to (more or less readable) source code - something which is a lot harder with machine code to C or C++.
Jesper
I've seen the 'secret' code for licence key systems stuck in as a string literal. More than once :-( (anyone who knows about the strings command, no decompile required...)
Chris Huang-Leaver
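The comment above about licence-key secrets sitting in string literals can be turned into a pre-release check. The following is an added example, not part of any post on this page: it extracts printable strings the way `strings` does, covering both single-byte text and the UTF-16LE form in which .NET assemblies store string literals, and flags ones that look like secrets. The function names, the patterns and the sample bytes are all constructed for illustration.

```python
import re

# Printable runs of 6+ characters: one byte per char (native/C literals) or
# UTF-16LE (the encoding .NET uses for string literals in an assembly).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Hypothetical patterns for literals that should not ship in a client binary.
SUSPICIOUS = re.compile(
    r"password|passwd|secret|api[_-]?key|licen[cs]e[_-]?key|PRIVATE KEY",
    re.IGNORECASE,
)


def extract_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in blob."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def audit(blob: bytes) -> list[tuple[int, str, str]]:
    """Return only the extracted strings that match a secret-like pattern."""
    return [hit for hit in extract_strings(blob) if SUSPICIOUS.search(hit[2])]


# Constructed sample standing in for a build artifact (not a real binary).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x01\x02"
    + "Enter your licence key".encode("utf-16-le") + b"\x00\x00\x07\x1f"
    + "licence_secret=CONSTRUCTED-NOT-REAL".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x01" + b"db_password=constructed-placeholder\x00"
    + b"\x13\x02" + b"System.Runtime\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in audit(SAMPLE):
        print(f"0x{offset:04x} [{encoding}] {text}")
```

Run against real build output in CI, a non-empty result from `audit` is a reason to move the value to a server-side check before the binary is published.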
+1  A: 

Each new version of C# is more difficult to reverse engineer. It's true that when C# was at 1.0, Reflector would practically reveal your source code; however, now we are at 3.0, and if you are using anonymous delegates, LINQ, anonymous classes etc., all that high-level syntax is being compiled down to "dumb" MSIL and it's no longer easy to reverse engineer it back to its original source.

lubos hasko
+3  A: 

You can obviously use Reflector to see its source code. But you can make it a bit difficult by using an obfuscator like Dotfuscator.

But as everyone is saying, you can't make it impossible to reverse engineer it.

Mahin
A: 

Any code written using the .NET framework can easily be reverse engineered. That's where the concept of obfuscation comes in.

Obfuscation is a technique some tools use that takes a .NET-based assembly output and attempts to encrypt strings, change the flow control of method bodies, and rename variable, parameter and method names, thereby making it harder for casual hackers to follow and "decompile" the code.

Obfuscation does not guarantee complete protection of your "proprietary" code. To maintain the best security of your code, simply keep the code on your private servers. It's important to remember that all code can be reverse engineered given enough time and perseverance by the would-be "hacker".

C# safety aspect
If you feel you have "sensitive" code you don't want other users to see and "decode", you should investigate developing those portions of code in a native Win32 environment (C++ or Delphi) and continue with the benefits afforded from the .NET framework.

Mike J
A: 

Use Reflector with the File Disassembler plugin http://www.denisbauer.com/NETTools/FileDisassembler - it will generate all the code from the dll for you.

DodyG