I was playing around with .NET Reflector today and realized that Microsoft's entire Expression suite is written in .NET. As a result I was pretty much able to see the underlying code for Expression. This makes it far easier than binary to break copy protection. I think that that's a big deal. Is it generally recommended to make commercial software in .NET where it is fairly easy to see the source code down to the variable names? I was surprised that Microsoft didn't at least dotfuscate it. Thanks

+5  A: 

Any application worth buying--especially a large one like Expression--has no one piece that if disassembled and copied would reduce its competitive advantage.

At the other extreme, it would be pointless to disassemble and copy the entire codebase--since that would be so obvious.

In short, we're not talking flux capacitors here.

Ben M
I'm just referring to bypassing licensing
Milo
+2  A: 

What you see in Reflector is decompiled IL. There's no practical way to obfuscate that, except to change the identifier names.

It has always been the case that a determined hacker will reverse engineer your code anyway, whether you obfuscate it or not (obfuscated or binary code just takes a little longer to reverse engineer). The same argument goes for licensing algorithms.

Robert Harvey
+4  A: 

I would consider the ability to reverse all the way back to variable names (and perhaps comments) a feature. .NET Reflector and the Java Decompiler are quite nice.

Even if it was written in C or C++, to an RCE it means nothing. People cut their teeth reading assembly and tinkering with OllyDbg, IDA Pro, and the like. Microsoft offers their own tools for reversing native code as well.

Considering how much commercial Java and .NET software is already around (and how easily it is decompiled), I doubt using .NET, over Java, over C++, C or assembly would make much of a difference when comparing how easy it is to get back the original source form.

Having said that, most of the commercial .NET software I have encountered writes the core of their program in (what appears to be) a C++ library and then interfaces with that through a .NET app.

Cool Jon
+2  A: 

MS doesn't need to obfuscate their code to protect IP when they have an army of lawyers that could sue any organization that tried to use the code to create a competing product. Even if you don't have an army of lawyers, is there anything so novel in your code that would justify the cost of reverse engineering it? Most clients will try to use legitimate software, as the risks associated with using poorly supported illegitimate software are too high. Anybody could take a Stephen King novel and copy all of the words written in it, as they are all there, plain to see, but he is still able to make substantial profit from the good faith of his readers who buy his books.

Dan Bryant
A: 

Yes, .NET is a viable commercial platform but we (meaning OffByZero, the company I co-founded) strongly recommend that you use an obfuscator for sensitive code in both .NET and Java. From Developing for Software Protection and Licensing:

If you are developing in .NET or Java, shipping a non-obfuscated application is almost equivalent to shipping in source code form. If you're concerned about intellectual property within your code (especially if you're interfacing with devices in a fashion that might expose trade secrets) then you need to use a quality obfuscator.

...

It's important to note that no software protection solution can be guaranteed to be 100% unbreakable; fundamentally, once your binary is on another machine, you have relinquished complete control of it. The aim should be to use a high-quality software licensing system in conjunction with obfuscation to make it very hard & time-consuming to crack your software, thereby raising the bar sufficiently high to protect your revenues.

Duncan Bayne
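
A release-pipeline check in the spirit of the obfuscation advice above, as an added example that is not part of any answer or of OffByZero's material: it lists the non-public type, method and field names that an assembly's metadata still carries and fails when too many are readable. The `LicenseValidator` class, the readability heuristic and the 20% threshold are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed sample: the kind of private code a decompiler shows by name.
internal sealed class LicenseValidator
{
    private readonly string expectedSerial = "placeholder";
    private bool IsSerialValid(string serial) => serial == expectedSerial;
}

public static class ObfuscationCheck
{
    const BindingFlags NonPublic = BindingFlags.NonPublic | BindingFlags.Instance |
                                   BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Heuristic (assumption): a readable name is 4+ ASCII letters/digits with a vowel.
    static bool LooksReadable(string name) =>
        name.Length >= 4 && name.All(c => c < 128 && char.IsLetterOrDigit(c)) &&
        name.Any(c => "aeiouAEIOU".IndexOf(c) >= 0);

    public static List<string> NonPublicNames(Assembly asm)
    {
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException e) { types = e.Types.OfType<Type>().ToArray(); }

        var names = new List<string>();
        foreach (var t in types)
        {
            if (!t.IsVisible) names.Add(t.Name);
            names.AddRange(t.GetMethods(NonPublic).Where(m => !m.IsSpecialName).Select(m => m.Name));
            names.AddRange(t.GetFields(NonPublic).Select(f => f.Name));
        }
        // Drop compiler-generated names such as <>c or <Main>b__0.
        return names.Where(n => n.IndexOf('<') < 0).ToList();
    }

    public static int Main(string[] args)
    {
        // With no argument the tool inspects itself, which is not obfuscated.
        var asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : Assembly.GetExecutingAssembly();
        var names = NonPublicNames(asm);
        var readable = names.Where(LooksReadable).ToList();
        double share = names.Count == 0 ? 0 : (double)readable.Count / names.Count;
        Console.WriteLine($"{readable.Count}/{names.Count} non-public names readable ({share:P0})");
        foreach (var n in readable.Take(10)) Console.WriteLine("  " + n);
        return share > 0.2 ? 1 : 0;   // threshold is an assumption; tune per project
    }
}
```

Run against its own unobfuscated build it exits with code 1 and prints names such as `LicenseValidator` and `IsSerialValid`; pointed at an assembly whose identifiers have been renamed, the readable share drops.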