Welcome to MSDN Blogs Sign in | Join | Help

How do I protect my C# code against reverse engineering?

One of the questions that comes up often - usually after somebody comes across one of the C# decompilers, such as RemoteSoft's Salamander or Lutz Roeder's Reflector - is “how do I keep somebody from reverse-engineering my assemblies and stealing my code?”.

While reverse engineering of code has been around for a long time, the combination of IL and rich metadata in systems such as Java and .NET make it easier. Reverse engineering optimized x86 code is harder, but it's still quite feasible, as many companies that used copy protection back in the 80s found out.

One way to think about securing your code is to consider how you secure your house or business. There are some possessions that are not protected, some that are secured with simple locks, some are put in safes, and some warrant a vault with a 24-hour guard. I think it depends upon how valuable a specific piece of software is, and that obviously is something you'll have to decide for yourself.

As for protection, there are a number of different schemes that customers have told me about.

  1. No protection. Some companies sell products that either ship with source code or have source code that can be bought separately, or have chosen not to protect certain parts of their application that have little IP.
  2. Some companies use the obfuscator that ships with VS 7.1 (a “Community Edition“ of PreEmptive Solution's Dotfuscator)
  3. Some companies use one of the commercial obfuscators out there. There's a list on the C# Developer Center on MSDN.
  4. Some companies write the sensitive parts of their code in C++, compile that to an unmanaged DLL, and then use interop to call into the unmanaged DLL.

I should also point out that there are some products that claim to use encryption-based approaches to prevent reverse-engineering, but I don't have any credentials to evaluate such schemes, so I won't venture an opinion.

If you know of any other schemes, please add them in the comments

Published Tuesday, February 24, 2004 9:34 AM by ericgu
Filed under: ,

Comments

Tuesday, February 24, 2004 10:22 AM by Brad More

# re: How do I protect my C# code against reverse engineering?

The follow-up question is, of course, how does MS protect their code? With many of the new server (and I suspect client) applications coming out of managed code, how does the mothership protect her young?
Tuesday, February 24, 2004 10:24 AM by Fabrice

# re: How do I protect my C# code against reverse engineering?

Excellent question Brad!

More obfuscators: http://sharptoolbox.madgeek.com/Pages/Category68fc8748-8956-4ed8-98aa-170a85c36813.aspx
Tuesday, February 24, 2004 10:32 AM by damien morton

# re: How do I protect my C# code against reverse engineering?

Id like to chime in that Reflector has proven invaluable for learning the windows forms framework.
Tuesday, February 24, 2004 10:32 AM by Eric Wilson

# re: How do I protect my C# code against reverse engineering?

Right up their with this question is the question: How do I prevent people from running my code without a license? I've yet to come up with a good answer for this one (anything that I could do to prevent it I could just as easily circumvent by decompling, removing the check, and recompling).
Tuesday, February 24, 2004 10:40 AM by Milan Negovan

# re: How do I protect my C# code against reverse engineering?

Reverse engineering isn't going anywhere. Be it compiled Win32 code or .NET assemblies or whatever else. Ten years ago there were even InstallShield script decompilers and a host of other decompilers.

I appreciate the fact that Microsoft's .NET code is not obfuscated because being a hacker (in a good sense) by nature I love to dig deep into the internals. To me Reflector has been a source of much learning by way of poking around .NET assemblies (again, in a good way).

I truly think anyone with a strong agenda can get to your code mo matter how hard you obfuscate it or whatever other word we may use for it. We don't need to go to extremes or it'll start hurting us in the first place.
Tuesday, February 24, 2004 11:20 AM by Paul Tyng

# re: How do I protect my C# code against reverse engineering?

Some decent code protection:

<a href="http://www.uspto.gov/">http://www.uspto.gov/</a>

Tuesday, February 24, 2004 11:28 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

Reverse Engineering is LEGAL in the EU according to directives in order to promote interoperation and competition.

Tuesday, February 24, 2004 11:30 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

Let me further qualify the previous.

If I want to know how some closed protocol works (say Yahoo YMSG10 or whatever) and I request the information ( and I have done and I get silence) I can now reverse engineer it for such information in order for my product to work.

If there is an application that I want to add features to, I request information, i get the usual BS reply, I can now reverse engineer it (like K++ for kazaa hacks).

All perfectly legal.
Tuesday, February 24, 2004 11:31 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

I could make a business model out of legally providing a reverse engineering service to those companies in countries that prevent it.

$$$ ka ching.
Tuesday, February 24, 2004 11:40 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

Btw, if you think charging for such information (FAT32 file system licensing) forget it, I can still reversen engineer it as that information is not FREELY available.

Yer screwed :D
Tuesday, February 24, 2004 11:40 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

Btw, if you think charging for such information (FAT32 file system licensing) forget it, I can still reversen engineer it as that information is not FREELY available.

Yer screwed :D
Tuesday, February 24, 2004 11:41 AM by Nic Wise

# re: How do I protect my C# code against reverse engineering?

How does MSFT do it? I really hope they DONT - there is no other way to workout how things work under the hood, at the moment (yes, releasing a source block for the framework, like Sun does with java, would be lovely)

As for obfuscation - I'd love to find one that works on the Compact Framework. 90% of our code, which could get into "nasty" people's hands, is on a small device, not on a desktop.... And with Smartphone and over the air deployment being pushed, maybe.... just maybe..... :)
Tuesday, February 24, 2004 11:42 AM by Ferris Beuller

# re: How do I protect my C# code against reverse engineering?

They dont, run reflector on the System.* etc librariy modules. All there to see.

Tuesday, February 24, 2004 12:52 PM by Michael Giagnocavo

# re: How do I protect my C# code against reverse engineering?

Putting sensitive code into a C++ assembly is normally a bad idea. The reason is that you isolate your sensitive code and stick a big red flag out that says "Crackers: look here.".

A few other notes: Many obfuscators boast about generating verifiable code. This is nice if you need to run in a sandbox. However, generating verifiable code means that the obfuscation is weaker. In our obfuscator, we can even obfuscate calls to mscorlib and type info at the call site (example: a call to System.Console.WriteLine looks like it could be taking a NullArgumentException as a param). As well, verifiable code is round-trippable through ILDASM/ASM. If we use unverified (and rename everything to "X"), then we can break ILDASM/ASM roundtripping.

Also, a good obfuscator can throw in opcodes that have no meaning in C# and VB.NET, like cpblk, calli, and tailcalls.

Remember, the point of obfuscation is to make the code as screwed up as possible. Stopping half way defeats the idea.

As well, encrypted loaders can help. The encryption is almost NEVER the weak point. Our obfuscator links assemblies together, performs obfuscation on them, then encrypts the whole thing and emits a loader. This raises the bar even more, since now an attacker has to get the IL out of memory instead of from the disk. If anyone is interested in this, email me. The thing to remember is that someone can modify the CLR and make it do their bidding. There's no way around that.

I also recommend manually obfuscating your critical code, if that's an option. (Hint, no one cares how you load your plugins or create you menu items, no matter how clever you think it is). I'm talking about a key-generation section. It's temping to do it in 5 lines of code (encrypt their serial number or whatnot). However, even in x86, that's going to be easy to see through. Using multiple threads, adding extra unused data, etc. can make it hard to tell what's going on, even if you have the source (remember to comment). This kind of code is much harder to crack (if you're Microsoft or Adobe, don't even bother since it's going to be cracked no matter what you do).

BTW, the site for our obfuscator is www.InvisiSource.com, in case anyone wants to join the beta.
Tuesday, February 24, 2004 1:16 PM by Junfeng Zhang

# re: How do I protect my C# code against reverse engineering?

Personally, I think it is wrong to obfuscate your shipping product, especially for platform venders like Microsoft. People will be scared by the closeness nature of obsuscation. In the long run, obfuscation hurts your business more than helps it.

Tuesday, February 24, 2004 1:53 PM by Stephane Rodriguez

# re: How do I protect my C# code against reverse engineering?


"The follow-up question is, of course, how does MS protect their code?".

MS Reporting services, the first real .NET app I am aware of (and reportedly written with C#), is protected with dotfuscator.
Tuesday, February 24, 2004 2:23 PM by Catatonic

# re: How do I protect my C# code against reverse engineering?

I think you just have to live with this problem, unless your product is a web service (or otherwise is exposed to the world without shipping any code to them).
Tuesday, February 24, 2004 4:19 PM by Michael Giagnocavo

# re: How do I protect my C# code against reverse engineering?

Catatonic, there are many cases were you're shipping to a very narrow market (from inhouse to extremely verticle). In those cases, you might have a very good reason to protect code. I know of a particular case (software for a company and only their partners), had the programmers been more careful, the cost of an eletronic attack against their code would have exceeded the cost of a physical attack. Obfuscation techniques (in code and via tools) would have raised the cost + risk for the attack high enought that it would not have been a success.
Tuesday, February 24, 2004 9:14 PM by Louis Parks

# re: How do I protect my C# code against reverse engineering?

Seems to me the first real .NET app from Microsoft was the .NET Framework itself. Next would include the ASP.NET runtime (with only a small amount of unmanaged code for the ISAPI wrapper), several utilities in Windows Server 2003, and Office 2003 BCM.
Thursday, February 26, 2004 4:13 AM by Christophe Lauer

# re: How do I protect my C# code against reverse engineering?

What about using a #pragma unmanaged section inside a C++ Managed assembly?
Thursday, February 26, 2004 7:12 AM by Bart Jacobs

# re: How do I protect my C# code against reverse engineering?

I have one word: NGSCB
Sunday, May 02, 2004 7:24 AM by Anonymous

# re: How do I protect my C# code against reverse engineering?

Just so you know: Reflector is really cool. It would have taken me twice as long to learn the .NET Framework without Reflector. It is also by far the best managed code app I've seen so far. Reflector doesn't exposes the evil "write to disk" option like Salamander does so it is not rally useful for "stealing code". OTOH, even this is valuable for source translation between languages. So I guess the answer is obfuscate, obfuscate, obfuscate. I was wondering why Microsoft never added a /obfuscate switch to the C# compiler?
Sunday, June 20, 2004 9:38 AM by Jason Lewis

# re: How do I protect my C# code against reverse engineering?

Like what has been said before, if someone wants your code bad enough they will crack it. Most crackers and elite groups will crack your software just to show they can. Want a testament to that, try to think of a heavy duty piece of software and type <software name> crack in google and see what happens. I guess the only true way to keep people from cracking your software....Release it Open Source ;)
Saturday, July 31, 2004 2:30 AM by White Rabbit

# re: How do I protect my C# code against reverse engineering?

Wy don't use Net Reactor by Eziriz or Net Protector by Remotesoft. But remember:
THERE IS NO 100% PROTECTION FOR YOUR FILES! THIS IS SIMPLY IMPOSSIBLE!
Thursday, January 22, 2009 4:07 AM by Obfuscators | keyongtech

# Obfuscators | keyongtech

PingBack from http://www.keyongtech.com/641715-obfuscators

Tuesday, June 09, 2009 7:40 AM by Eric Gunnerson s C Compendium How do I protect my C code against | Quick Diets

# Eric Gunnerson s C Compendium How do I protect my C code against | Quick Diets

PingBack from http://quickdietsite.info/story.php?id=14790

Tuesday, June 16, 2009 8:32 AM by Eric Gunnerson s C Compendium How do I protect my C code against | work from home

# Eric Gunnerson s C Compendium How do I protect my C code against | work from home

PingBack from http://workfromhomecareer.info/story.php?id=28093

New Comments to this post are disabled
 
Page view tracker