CodeGuru123 wrote:



I know some say to put your protected IP into native .dll's and invoke them, however if your calling .net exe is still reversable, the methods of accessing/using that .dll are still visible.

evildictaitor wrote:


Get your native entry points to look at the calling assembly's file, take a hash and compare it to your code, and do useful things only if there's a match.

CodeGuru123 wrote:



I'm not looking for obfuscators.. I use commercial dotfuscator and it seems to do the job that all dotfuscators do..

However, what other options are there from preventing our .net exe's being reversed?

I know of solutions like:
thinstall
remotesoft

But are there any others?

I know some say to put your protected IP into native .dll's and invoke them, however if your calling .net exe is still reversable, the methods of accessing/using that .dll are still visible.

Thanks.

littleguru wrote:

The thing is that if somebody really wants to crack your app s/he always can. Look at how fast games and software get cracked - even if they are compiled down to native. Crackers just don't care, they analyze the assembly code and fix it...

figuerres wrote:


first thing I always ask is why?
then what is the risk?
what is the benefit?
what is the cost?
what is the audience (users, who, sales market)?

most of the time the users are not going to mess with the code and the cost far outweighs the benefit.

if the users are tech-savy hacker types then the same thing happens as a determined cracker will break any protection if they are willing to spend the time and effort.

CompGuy101 wrote:

I use .NET Reactor and it works great. It injects the CLI header at runtime so when people try to open it up in .net reflector they just get errors. It also encrypts your source.

TimP wrote:



If you're really that concerned, make it a web app or something and run it on a box you own. If you think your competitors will go to any length to reverse engineer your work, then don't give it out the EXE at all.

I don't think many customers would be keen on this, though. Eventually if you make it too cumbersome to even use they'll go elsewhere regardless.

CodeGuru123 wrote:



figuerres wrote:  first thing I always ask is why? then what is the risk? what is the benefit? what is the cost? what is the audience (users, who, sales market)? most of the time the users are not going to mess with the code and the cost far outweighs the benefit. if the users are tech-savy hacker types then the same thing happens as a determined cracker will break any protection if they are willing to spend the time and effort.

I often see similar types of responses when people ask about protecting their source..

I guess some people simply don't understand..

For a small operation like mine, code security is key to our business future. If we were to release our product in unencrypted .net, our competitors would gain substantial IP to help rocket them into markets where we already exist, and if our .net app could easily be reversed many new competitors would pop up.

You see, not everybody is a adobe, or microsoft, or even winzip or nero...

Some outfits have a lot of development time invested into developing product for consumers that have no current available options.. We invest heavily to make a product that most of the time, others don't know how to do. Again, if we released our .net unprotected well then these others would pop up out of the wood work.

Now, most people say, well you provide great customer service and a great product and you won't have to worry about that. That only works if your target consumer is willing to pay the premium for those services. If your target consumer (unfortunately) wants the product at the lowest price that argument goes right out the door.

I'm not asking for assistance as to if I need .net protection, I know I do. I'm asking what options others use.

The industry I am in is very competative. There have been src leaks and startups from reversing.. its real tough.

We use .net as its real easy to develop GUI based applications, much quicker than it is in C or using other dev tools.

I look forward to when a main stream vendor releases a product in .net, should be very interesting.

CodeGuru123 wrote:

I look forward to when a main stream vendor releases a product in .net, should be very interesting.

CodeGuru123 wrote:



I take it your just trying to help.

I'm not asking for assistance as to if I need .net protection, I know I do. I'm asking what options others use.

The industry I am in is very competative. There have been src leaks and startups from reversing.. its real tough.

We use .net as its real easy to develop GUI based applications, much quicker than it is in C or using other dev tools.

I look forward to when a main stream vendor releases a product in .net, should be very interesting.

My goal is to protect my investments and make it more difficult (not impossible) for would be crackers to break.

I have a solution that works very well for me now, its one of the ones already listed in this thread.. however I'm not sure about the future of this solution as an option for us, as their prices and methods of licensing are drastically changing.

The ideal solution for me, and for many .net users I'd imagine is something that:

• prevents viewing the MSIL from both a reflector type app and also via RAM dumpers.
• Packs the exe into a loader application that isn't easily unpacked.
• Prevents .net extraction via modification of the native core .net dll's.
• Prevents debugger attachments, softice, etc...
• Disables .NET profiling
• Protects against ProcDump
• Does not require packing the entire .net framework into the exe to achieve the above protection

That is my ideal list. I'm just trying to come up with a list of solutions that achieve this type of protection.

According to my research, CodeVeil has unpackers available.

CodeGuru123 wrote:

My goal is to protect my investments and make it more difficult (not impossible) for would be crackers to break.

We deal in low volume sales and our product caters to a specific market. We're able to stay ahead of our competition because we have resources that make us able to develop new products in our industry before our competitors do.

Due to the nature of our product, it would be very easy for our competitors to gain key info from reversing our product which would allow them to tap into new customer bases.

By protecting our product the way we do, the amount of time it would take to crack is similar to the amount of time it would take to develop the new products the hard way.. the way we currently do.

If we released our application in unprotected .net form, it would be only a matter of time before our market share was decreased substantially due to the fact that we'd lose our edge of being first to market. We might still be first, but the second to market companies would follow very shortly after us, unlike now where we have a year or so or more...

RoyalSchrubber wrote:

Ok, what industry you're working in? If you say it's industry then you're not the only one doing it right? What do you do?

Also, if I can contribute - build your app with mvc paradigm in mind.. do Model and Controller in C/C++ and View in .net. You competitors are probably smart enough to do View(GUI) themselves, but it will be hard(er) for them to get to your algorihm code... or throw away .net completely and do it in c++/mfc, machine code can be much more obfuscated than IL.

W3bbo wrote:


MVC doesn't work for every program. It's geared towards 3-tier database apps, it wouldn't work well for Photoshop or Excel, for example.

CodeGuru123 wrote:



By protecting our product the way we do, the amount of time it would take to crack is similar to the amount of time it would take to develop the new products the hard way.. the way we currently do.

If we released our application in unprotected .net form, it would be only a matter of time before our market share was decreased substantially due to the fact that we'd lose our edge of being first to market. We might still be first, but the second to market companies would follow very shortly after us, unlike now where we have a year or so or more...

evildictaitor wrote:

If you're releasing complex algorithms (such as compilers, or solution solvers or hashes or implementing protected network protocols) which might legitimately be sought after with the intent of gaining knowledge or algorihms (but not code) then you should be looking to build those algorithms in C and use a commercial grade obfuscatior over it.

CodeGuru123 wrote:

Its not arrogance. Please don't be so close minded.

We develop software tools that interface with hardware built by others..

(These are just examples to get open your thought processes)
For example, it could be iPods, cell phones, pda's, etc.. devices built by vendors who we have no communication with and in many cases do not even know about us.

So in our src is methods and keys to access these "devices". So yes, to do what we do you would have to write the SAME exact code as there is one and only one way to do these things.

And I know someone is going to say to put these secure pieces in a native dll or something else.. however the methods and keys are not as simple as you would think. They are actually very complicated and are really embedded into the parent .net program. To extract them into a seperate DLL would really muck up the entire program structure..

I think the list I came up with on the first page is a great list.

prevents viewing the MSIL from both a reflector type app and also via RAM dumpers.

Packs the exe into a loader application that isn't easily unpacked.

Prevents .net extraction via modification of the native core .net dll's.

Prevents debugger attachments, softice, etc...

Disables .NET profiling

Protects against ProcDump

Does not require packing the entire .net framework into the exe to achieve the above protection

Also, if you think that list is unrealistic, there is an app on the first page that does the above. It is also the most expensive one listed by far. I'm looking for more options.