IL disassembler

>> involve a foriegn secret (i.e. it calls home to register)
Would you please explain more?

example would be to keep your registration process on a webservice (they need to call back to the webservice in order to get a key to unlock the software) This is assured to be secure as the code is not on the client machine where it can be disassembled

Well there are two points here then. First, one can still use some DNS hacks, etc, to make the programmer connect to a fake site, and bypass the real registration system. (Or change the URL the software looks into, by simply manipulating the code!) Second, once the software connects to the webservice and sends the requried data, it recieves a reg key from that web site, and checks it with its validation algorithm. One can read and reverese-engineer the validation code.
What do you think?
Huji

Ok, the spoofed site concept is valid sort of ...

who said anything about receiving a registration key?

If you are verifying that the server is authentic there are other ways that you can do this.

You still run a risk of someone going in and flat out changing your code, but if you are also signing your .dlls this issue is pretty much nullified.

>>  if you are also signing your .dlls this issue is pretty much nullified.
Why?

because the person while able to disassemble the dll will not be able to overwrite it (matching your key) putting their own code into the .dll ... if they create another .dll of the same name it will fail to load.

Why can't they do that? (Well I have not heard any body doing that, but I have seen cracks which were dll file substitutes.)

with an unsigned dll it is quite easy to do ... with a signed dll it is not.

Excuse me for being a quesiton box, but I don't know what you mean by a signed dll.

You sign the dll with a private key ..http://msdn2.microsoft.com/en-us/library/xc31ft41(VS.80).aspx

Thanks.
Huji