• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 581
  • Last Modified:

IL disassembler

There is an IL disassembler which installs with VS 2005. I'd like to know to what extent it can disassmble the code (for example can it fully reveal the code behind a shareware registeration function) and how can someone protect his fully .net coded application from being disassmebled like that.
Thanks
Huji
0
huji
Asked:
huji
  • 6
  • 6
1 Solution
 
gregoryyoungCommented:
There is ildasm which is actually part of the framework SDK ... there is also reflector http://www.aisto.com/roeder/dotnet/ which most people use ...

The method with which you would use to stop people from doing such a thing in say a shareware app would be to make the registration process involve a foriegn secret (i.e. it calls home to register). There are other ways but they are just obscurity (obfusication is a well known one) http://www.preemptive.com/products/dotfuscator/index.html?source=Adwords&gclid=CIPGkKSZs4QCFRMGNAodCWTq_A is an example of an obfusicator ... Even obfusicated code can still be read through by someone who knows that they are doing however and ius as such not completely secure. As such the keeping of this code not on the local machine is probably your best bet.

Cheers,

Greg
0
 
hujiAuthor Commented:
>> involve a foriegn secret (i.e. it calls home to register)
Would you please explain more?
0
 
gregoryyoungCommented:
example would be to keep your registration process on a webservice (they need to call back to the webservice in order to get a key to unlock the software) This is assured to be secure as the code is not on the client machine where it can be disassembled
0
Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

 
hujiAuthor Commented:
Well there are two points here then. First, one can still use some DNS hacks, etc, to make the programmer connect to a fake site, and bypass the real registration system. (Or change the URL the software looks into, by simply manipulating the code!) Second, once the software connects to the webservice and sends the requried data, it recieves a reg key from that web site, and checks it with its validation algorithm. One can read and reverese-engineer the validation code.
What do you think?
Huji
0
 
gregoryyoungCommented:
Ok, the spoofed site concept is valid sort of ...

who said anything about receiving a registration key?

If you are verifying that the server is authentic there are other ways that you can do this.

You still run a risk of someone going in and flat out changing your code, but if you are also signing your .dlls this issue is pretty much nullified.



0
 
hujiAuthor Commented:
>>  if you are also signing your .dlls this issue is pretty much nullified.
Why?
0
 
gregoryyoungCommented:
because the person while able to disassemble the dll will not be able to overwrite it (matching your key) putting their own code into the .dll ... if they create another .dll of the same name it will fail to load.
0
 
hujiAuthor Commented:
Why can't they do that? (Well I have not heard any body doing that, but I have seen cracks which were dll file substitutes.)
0
 
gregoryyoungCommented:
with an unsigned dll it is quite easy to do ... with a signed dll it is not.
0
 
hujiAuthor Commented:
Excuse me for being a quesiton box, but I don't know what you mean by a signed dll.
0
 
gregoryyoungCommented:
0
 
hujiAuthor Commented:
Thanks.
Huji
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now