Does anyone know of a good way to prevent people taking a .Net DLL and simply loading it up into a decompiler (such as Anakrino) and stealing your code? This seems to be a big problem with .Net, just how do you protect your code?
-
That’s a simple one. There's a tool that comes with VS.Net called Dotfuscator. It will scramble your code a bit so that it is not as recognizable as it would normally decompile to be. Or you could search for an "obfuscator" on the web. I've never used one because I don't do my own builds for .net apps but I've heard there are other free options.
-
Just get an obfuscation program...
There is one that comes with VS.NET 2005 betas called dotfuscator community edition.
Also, it is the same with Java, it is quite easy to "decompile" your code into source code.
Heck, .NET comes with ILDASM that effectively allows you to see the IL generated for your Assembly (DLL) file.
-
The trouble with that is that it doesn't seem to do much more than make things harder to read by renaming variables and methods into something not very human friendly. Even after running a dll through this I can still use Lutz Roeder's .Net reflector to see the actual code in there.
What I was looking for was something that would stop even this happening and totally hide / scramble my code...
-
You can pretty much forget about this. In any language. Obfuscation should do the job well enough for you. If every variable, method and class name (with the exception of public stuff in case of a library) has been scrambled with nonsense names, stealing the code is useless. The time someone would spend decoding the obfuscated names would be better spent in writing the code themselves. Additionally, you'll disassemble it into MSIL code. While it'd work to decompile it into C# or VB.NET, the results will be ugly.
You could use a custom assembly resolver that loads a scrambled assembly, but there's always a way to catch the key, dump the memory or do other stuff. You should know it from games and application piracy, no matter how hard you make it to crack an application, at some point someone does it too. So the point is moot. If you indeed want to scramble your code, you're just stretching the time until someone screws around with it.
-
Actually, I see his point. I ran into a similar situation, where I had to deal with LGPL components but had the wish of building a monolithic executable (I'm no proponent of 250 DLLs in your application folder). Since I'm no * and wary of the license requirements, I ended up with a cheap hack involving an assembly resolver and piggybacking files (a command line switch allows extraction of the LGPL files, so kthxbye to source code disclosure clause, since it's a SFX application).
Everyone wants to keep people from screwing with their code, but the above example shows you that there's always a way around.
-
I do see what you're saying about obfuscation, which I suppose will have to be the final solution. It just seems that the security of code is dependent on it being slightly too hard to follow manually, which doesn't seem like a very good philosophy on security to me. But hey, if it's a choice between that and not using C# then I'd stick with C#.

-
Well, it's not too different with native code / assembler. MSIL is just verbose assembler, and the verbosity can be limited a lot using an obfuscator.
-
Dotfuscator is also available as a stand-alone product that messes with the code very extensively.
http://www.preemptive.com/products/dotfuscator/FAQ.html
-
On the managed side you're pretty much limited to obfuscation, while on the unmanaged side you get to rely on the Average Joe's ignorance of assembly. Being honest, is your code so groundbreaking and important that it must be protected at all costs? If so then write a system extension that monitors attempts to do anything other than execute your files - but I can guarantee that such software will never be allowed anywhere near the majority of PCs...
-
If you're really worried about people stealing your code, I've got a fool-proof solution - Write really horrible code!
-
Patents work pretty well.
Charles
-
Kaelan wrote: If you're really worried about people stealing your code, I've got a fool-proof solution - Write really horrible code!
WHO TOLD YOU MY SECRET?
-
There are several products that do a great job of obfuscating your IL. However, your problem seems broader than that: You have intellectual property you want to protect.
Here's the simple answer: If you don't want people to see your code, never distribute it. Not IL, not Java bytecode, not even _machine code_. If you have something you want to protect, you have two paths:
1) Keep it on the server and force the client to call those routines
2) Protect it through intellectual property laws (patents, copyrights, etc)
Even if you wrote it in assembler, YOUR CODE IS NOT PROTECTED. Anybody with determination can easily figure out assembler almost as easily as IL (since, technically, there's not a lot of difference).
Obfuscators are like bicycle locks. They keep the average unscrupulous person from taking it, but a determined person isn't deterred by such simple things. If they want it, they can take it. If it's valuable, you protect it as best you can, then you also get insurance (in the case of code, that's one of the purposes of a patent -- it covers you from loss of your intellectual property).
NOTE: I'm not a lawyer and this doesn't constitute legal advice. My suggestion is: If you have something valuable to protect in code, you are willing to pay for legal services to help you protect it.
-
Perhaps another way of protecting your code is to use Web Services - the important code could be kept on a server and you just expose the APIs to a Windows Form that just interfaces with the service. Only those with direct access to the server will be able to get at your code.
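-
Added example, not part of the original thread: a sketch of the "keep it on the server" approach from the two posts above, where the client holds only an HTTP call and the routine itself never ships. `PricingEngine`, the `/quote/` route and port 8085 are hypothetical names chosen for this illustration.

```csharp
// Added illustration: PricingEngine, the /quote/ route and port 8085 are hypothetical.
using System;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

static class PricingEngine   // stays on the server; never distributed to clients
{
    public static decimal Quote(int units) =>
        units <= 0 ? 0m : Math.Round(units * 9.95m * (units >= 100 ? 0.85m : 1m), 2);
}

static class Program
{
    const string Prefix = "http://localhost:8085/quote/";

    // Server side: only the result of the routine crosses the wire.
    static async Task ServeAsync(HttpListener listener)
    {
        while (listener.IsListening)
        {
            HttpListenerContext ctx;
            try { ctx = await listener.GetContextAsync(); }
            catch (Exception e) when (e is HttpListenerException || e is InvalidOperationException) { break; }
            // Validate untrusted input before it reaches the protected routine.
            bool ok = int.TryParse(ctx.Request.QueryString["units"], out int units)
                      && units >= 0 && units <= 100000;
            byte[] body = Encoding.UTF8.GetBytes(
                ok ? PricingEngine.Quote(units).ToString(CultureInfo.InvariantCulture) : "bad request");
            ctx.Response.StatusCode = ok ? 200 : 400;
            await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
            ctx.Response.Close();
        }
    }

    static async Task Main()
    {
        using var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.Start();
        Task server = ServeAsync(listener);
        // Client side: a decompiler pointed at the shipped assembly finds only these calls.
        using var http = new HttpClient();
        Console.WriteLine(await http.GetStringAsync(Prefix + "?units=120"));
        Console.WriteLine((int)(await http.GetAsync(Prefix + "?units=abc")).StatusCode);
        listener.Stop();
        await server;
    }
}
```

The sketch leaves out authentication and TLS, which a deployed endpoint needs so that the service cannot be queried freely by anyone who finds it.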