tags:

views:

385

answers:

6
+4  Q: 

Is it possible to prevent decompilation of .NET MSIL DLL?

Almost all the .net assemblies can be de-compiled using Reflection .Which means that all .net products are open source since the code can be easily be used by other developers. Isnt there a way so that we can encrypt the codes (at least for some security logic) so that it cannot be easily cracked or misused.

Edit

Old question Is winforms .net really equal to open source? was edited considering comments regarding proper use of the word Open Source

+1  A: 

Anything can be reverse-engineered. While .NET assemblies can be more easily decompiled there are many obfuscators available to make the code harder to understand.

There isn't any good way to encrypt the code that you are shipping to customers. At some point the code must be decrypted in order to run and that means that the client machine must have the ability to do this. If the client machine has the ability to decrypt the code then so does anyone else who has access to the machine.

This problem is not unique to .NET assemblies - any application is susceptible to decompilation. If the security of the original source is your main concern then perhaps a web-based application (like a website or web service) would be better as you would be able to isolate the assemblies from the outside world.

Andrew Hare  2010-01-21 05:06:37
obfuscators, of course, don't prevent decompilation and thus allow analysis of logic, although they make it harder by making method, variable, and namespace names meaningless (as opposed to having an English meaning). Obfuscators are ok but for true logic protection you want to encrypt and protect the assembly.
Michael Bray  2010-01-21 05:11:29
+9  A: 

No

All code can be reverse engineered, copied, cloned, reused, relinked and other things. What open source means is that it is free in the legal sense from restrictions, so people can learn from the code. This also means technology can grow and a stronger long-term tech economy can be created, rather than short-termism. Read the "Cathedral and the Bazaar" for a biased but relevant point of view.

I am not aware of a sufficiently strong code protection method that isn't just high obfuscation and is only security through obscurity. Your question alone says you need to know more about the topic you are asking about by reading and researching the technical, logical and possibly the philosophical qualities of the question's intent.

Edit: I stand by my principle even though the use of the term "Open source" was retracted.

Aiden Bell  2010-01-21 05:06:56
Harsh..........
Robert Harvey  2010-01-21 05:08:37
Yeah a bit harsh I think too... I think the OP misused the term, but it wasn't the point of his question. He's trying to find a way to prevent others from seeing the code he has written. See my answer for some programs that truly protect the MSIL from decompilation.
Michael Bray  2010-01-21 05:13:10
Not supposed to be harsh, I just hate seeing people looking at software like a lockable item .. when it isn't .. even DRM is crap. It is the strategic advantage of what the software does, and for whom, and the business model that counts.
Aiden Bell  2010-01-21 05:15:56
It sounds like your assertion is that Intellectual Property should not be protected for the benefit of the creator? That all source code should be open so everyone can learn from it? That would be nice, but not practical in a capitalistic society.
Michael Bray  2010-01-21 05:18:18
I'm pro capitalist. But you don't see buildings without plans, cars that you can't take apart or patents granted without published details ...
Aiden Bell  2010-01-21 05:21:02
Ok then... tell me the formula for Coke... or the ingredients in the special sauce on a Big Mac?? They are called 'trade secrets' and they ARE protectable. The items you mention provide no benefit to protecting them, which is why they are open.
Michael Bray  2010-01-21 05:22:17
@Michael Bray - But I do appreciate that my answer is slightly off-topic considering the subsequent clarification ... but I still assert my point about the economics of software and some areas of IP being misunderstood and mismanaged.
Aiden Bell  2010-01-21 05:22:54
I'm not saying that all things should be un-protected. Just that software is an odd case.
Aiden Bell  2010-01-21 05:24:04
Peace. :) ...15 character padding...
Michael Bray  2010-01-21 05:26:54
@Michael Bray ;) ... That was a good comment-discussion-run ... not had one that long before!
Aiden Bell  2010-01-21 05:30:17
Aiden: The *definition* of the word "patent" is "to make open". A patent without published details would be a contradiction in terms.
Ken  2010-01-21 06:07:15
@Ken Good to know. Makes sense to me.
Aiden Bell  2010-01-21 06:13:18
but obtaining patent to all applications and code is not possible as it involves long(may be) process .
Thunder  2010-01-21 08:36:27
@Thunder, I am not saying people should patent everything, or anything. Just making a point about the way IP and software is treated.
Aiden Bell  2010-01-21 12:53:21
+4  A: 

There are tools that can encrypt .NET Assemblies, preventing decompilation with Reflector and similar tools. They also perform a number of related services such as obfuscation, protection of embedded resources, etc. Two I know of:

RemoteSoft Salamander Suite
XHEO DeployLX

Michael Bray  2010-01-21 05:07:52
+1, purely for providing an answer that will be helpful ;)
Aiden Bell  2010-01-21 05:24:45
A: 

Obscurity can never help you forever...

Your code that is decompiled may or may not have useful variable/class names and it definitely won't have comments, and of course the copyright still belongs to you.

So legally you can't use decompiled programs in anyway(or even decompile them) and I'm sure there is some option(if not on by default) you can use for basic obscurity such as using var1...9999 as the variable names and class names.

Earlz  2010-01-21 05:14:15
+4  A: 

Isnt there a way so that we can encrypt the codes (at least for some security logic) so that it cannot be easily cracked or misused.

Other people have touched on code obfuscators, but ask yourself what you're really trying to accomplish:

  • Are you trying to make your code more "secure"? Not only is security through obscurity a relatively weak strategy, you shouldn't be putting sensitive data in source code anyway! Move passwords, connection strings, etc out of code and into a config file.

    Presumably, then, the application is secure so long as no one has access to your physical machine. You can assume if the attacker has the physical machine, all hope is gone anyway.

  • Are you trying to protect proprietary algorithms? If you don't want to shell out the money to get a patent, then the best tried and true strategy would be exposing your API through a web service on servers you control. The app makes a call into the web service -- meaning performance degrades and you have a dependency on your users having an internet connection, but at least your code is absolutely secure.

  • Are you trying to prevent users from pirating software? There are lots of posts on SO regarding licensing key systems.

Juliet  2010-01-21 05:21:43
Interesting approach w/r/t exposing API as webservice... +1 for that and looking at this question from a different perspective!
Michael Bray  2010-01-21 05:34:27
:( Very sad that software world is so fragile!
Thunder  2010-01-21 05:35:55
I think in Vb 6.0 it was little difficult to decompile!
Thunder  2010-01-21 05:36:41
+1 I agree, a SaaS approach is interesting here, but can be a nightmare if latency/constant availability is an issue.
Aiden Bell  2010-01-21 05:50:25
A: 

If need opensource try mono framework. Although a part of it has portion that has not been publish by microsoft as part of Common language Infrastructure CLI. For you answer NO you cannot use or reuse/publish part of as whole anywhere. You can also look at rotor Shared Source Common Language Infrastructure 2.0 which is open souce and managed by microsoft but it does not contain Window form namespace just CLI. It for learning and research purpose only. Microsoft also publish it code under MPL at codeplex. Please read license carefully even for opensource there is difference between GPL and LGPL too. Reverse engineering for learning purpose it i think ok in case e.g some issue comeup that is not in you code you might like to debug it. For that purpose microsoft have allow use of it framework source directly from its symbol server. Youc an configure visual studio to download source and symbol:t for any .NET framework and debug it to so how and what happen in framework code. Here is a very good article how to do that at shawn burke blog.

affan  2010-01-21 05:24:27
If you want to hide your code that even most vendor dont you can use obfuscators as mention by Andrew and Michael. I believe there is no point of using obfuscators because many people use reflector or reverse engineer with intention of troubleshooting.
affan  2010-01-21 05:28:08

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?