Coffeehouse Thread

17 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

MSIL & Disassemblers

Back to Forum: Coffeehouse
  • User profile image
    Secret​Software

    Hi guys,
    Writing code that compiles directly to machine language in the unmanaged world had the advantage that it was hard to decompile or disassemble the machine language into the original source code. But with .NET it is easy to decompile and to disassemble .NET assemblies and executables, and so you might as well let your end users download the source code with the compiler to MSIL. Obfuscation raises the bar a bit but is not as if you cant break that too.

    So how do you protect your intellectual property from being "decompiled or disassembled" by malicious crackers?

    What do people do to protect their code from being "read" by any one?

  • User profile image
    Cornelius Ellsonpeter

    I was always kind of wondering about this one, too. Perhaps this is why we are not seeing a great deal of commercial products written exclusively in .NET? I suppose you could always threaten everybody with legal action in the EULA.

  • User profile image
    Secret​Software

    Cornelius Ellsonpeter wrote:
    I was always kind of wondering about this one, too. Perhaps this is why we are not seeing a great deal of commercial products written exclusively in .NET? I suppose you could always threaten everybody with legal action in the EULA.


    I mean I just was googling for someway to thwart disassembling my C# code. I find this website it shows any noob how to read .NET assemblies ,and even there are tools that would decompile to actual C# or VB.NET  source code. So why is IL not made as hard to disassemble as machine language or even worse?

    So what is the point of compiling in this way, why not just send your source code to your users and have them compile it themselves lool.

    This is something I want fixed Expressionless

  • User profile image
    Minh

    Realizing that x86 code isn't a fool-proof way of protecting your secrets. There are disassemblers in that world, too.

    Obsfuscator is a good first step. And whatever you do to obsfuscate in the unmanaged world, you can do in the managed world (other than compilation. I mean there are tricks you can do to make it hard for hackers).

    If your secrets are sensitive enough, make an online component to your app. And put your sensitive bits there.


  • User profile image
    W3bbo

    SecretSoftware wrote:
    So how do you protect your intellectual property from being "decompiled or disassembled" by malicious crackers?


    I don't believe in intellectual property, it's just newspeak for stuff that should otherwise by copyrighted. When I write software, I provide the sourcecode to those who buy it on request. If anyone's abusing it, that's what the legal guys are for.

    Granted, this may not work for larger ISVs.

  • User profile image
    eddwo

    It always seems to me that the least capable developers are the ones who are most paranoid about other people reading their code.

    The people who really know their code inside out realise that any attempt to prevent people reading what must eventually be decoded and executed by the processor is utimately futile against a determined attacker.

    Personally I think its more useful to get a full stack trace with the proper class and method names if anything goes wrong, than worry about the possiblity of anyone being interested in copying my work.

    I should be flattered to think that anyone would consider it worthwhile.

  • User profile image
    Secret​Software

    W3bbo wrote:
    
    SecretSoftware wrote: So how do you protect your intellectual property from being "decompiled or disassembled" by malicious crackers?


    I don't believe in intellectual property, it's just newspeak for stuff that should otherwise by copyrighted. When I write software, I provide the sourcecode to those who buy it on request. If anyone's abusing it, that's what the legal guys are for.

    Granted, this may not work for larger ISVs.


    If you have a really efficient implementation of something. You want people to come buy it from you. Otherwise no one would need your products because they can do it themselves.

    If people are able to easily write OSs, no one would need Windows or MAC OS or anything else, they would just write it themselves to do what they want it to do.

    So its just a way to "Save" a share of the pie for you .

  • User profile image
    Secret​Software

    eddwo wrote:
    It always seems to me that the least capable developers are the ones who are most paranoid about other people reading their code.

    The people who really know their code inside out realise that any attempt to prevent people reading what must eventually be decoded and executed by the processor is utimately futile against a determined attacker.

    Personally I think its more useful to get a full stack trace with the proper class and method names if anything goes wrong, than worry about the possiblity of anyone being interested in copying my work.

    I should be flattered to think that anyone would consider it worthwhile.


    Protecting your program is not an indication that you are a lousy programmer. There are really good and smart programmers who dont want their implementation of things known or their software played with.

    I can know my source insideout, but I dont want someone else to know how a particular feature is implemented.
    Suppose you have a Audio compression tool that would allow you to save thousands of dollars on bandwidth, and it would give you advantage in the market, wound you not want to "hide" how this tool does its compression method?

    Otherwise what is the incentive for innovation?

  • User profile image
    Minh

    SecretSoftware wrote:
    Suppose you have a Audio compression tool that would allow you to save thousands of dollars on bandwidth, and it would give you advantage in the market, wound you not want to "hide" how this tool does its compression method?

    Otherwise what is the incentive for innovation?
    Sounds like you're better off protecting your program with a patent, then.

  • User profile image
    Sven Groot

    SecretSoftware wrote:
    So why is IL not made as hard to disassemble as machine language or even worse?

    The reason for this is because .Net assemblies are meant to be verifyably type safe. The keyword here is verifyable. Machine code for x86 is not only hard to decompile, it's also extremely hard to do any effective reasoning about it. If you have a random x86 binary, it's not possible to prove that it's never going to cause an access violation, or will never have a buffer overrun, or will never deadlock, or any number of other dangerous things. With MSIL (and I mean the pure, safe version of MSIL, if you use unsafe constructs this doesn't apply anymore), it is possible to do those things, so you can enforce Code Access Security and have greater reliability constraints.

    But I find that for the largest part, it's not even really the structure of MSIL that makes decompilation easy. It's the metadata. The fact that you have the names of all the classes and their members, even when private, is key in being able to quickly understand the decompiled source. That's where an obfuscator helps, of course, since renaming non-public symbols is pretty much the first thing it does.

  • User profile image
    W3bbo

    SecretSoftware wrote:
    If you have a really efficient implementation of something. You want people to come buy it from you. Otherwise no one would need your products because they can do it themselves.


    As I said, the sourcecode comes with the purchase, it's not "freely" available.

    SecretSoftware wrote:
    If people are able to easily write OSs, no one would need Windows or MAC OS or anything else, they would just write it themselves to do what they want it to do.


    Well, Linux is doing pretty well Smiley

    ...and IRT "with your source, they can see how you do things", that argument is moot for complicated operations, it can take weeks to comprehend how it works. I've been rooting through the Gecko source code for months and I'm still stumped about how its flow layout system works. There really isn't that much to loose from releasing .NET binaries, it's the same thing with Java, and that's as strong as ever.

  • User profile image
    ZippyV

    SecretSoftware wrote:
    If people are able to easily write OSs, no one would need Windows or MAC OS or anything else, they would just write it themselves to do what they want it to do.


    You are forgetting that people or companies don't have the time to invest and build there own operating system. Everybody has the necessary tools to create an os but not everybody has the time to do it.

    In conclusion: if the cost to buy an existing solution is lower than to write it yourself, you should go with the first one.

  • User profile image
    Andrew Webber FX

    To answer the question once you have access to the box you cannot prevent anyone from dissasembling your code, especially if you use a runtime from the CRT to the .NET framework which is almost all of windows and windows based programs not to mention mac or linux. Just ask any developer who uses windbg Big Smile i remember finding a bug in ATL by steping through that glorious product only to ponder afterwards at the fact that if its in memory its crackable. [detours is your friend]

    Therefore if you really want securty try the server client model with RSA. This allows you to execute your really important code on another machine. If you clean up nice no one will ever know what gets executed on the server.
    [now where did i leave that server room backup master key...]

  • User profile image
    Secret​Software

    But Generally this is unacceptable. MS should have implemented some way to make it harder to disassemble your managed code. We developers deserve better.Expressionless

    Edit: What if there was a way to encrypt your MSIL, and the .NET framework would  support encrypted MSIL. So I would generate a Key to decrypt it and give it as part of the product. But only the .NET framework engine would be able to use the key to decrypt the MSIL and then compile it to machine code.

  • User profile image
    TommyCarlier

    If you leave out the metadata, reflection would really suck. Bye bye, plugins.

  • User profile image
    cheong

    SecretSoftware wrote:
    What if there was a way to encrypt your MSIL, and the .NET framework would  support encrypted MSIL. So I would generate a Key to decrypt it and give it as part of the product. But only the .NET framework engine would be able to use the key to decrypt the MSIL and then compile it to machine code.

    If there is any public key the JIT engine can use to decrypt the file, you've already lose.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!
    Last modified
  • User profile image
    WBurggraaf

    If your scared and can't sleep, just use ngen for every OS you want to deploy and hey, it ain't that easy anymore to disarm. Cool[H]

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.