IL disassembler

There is an IL disassembler which installs with VS 2005. I'd like to know to what extent it can disassemble the code (for example, can it fully reveal the code behind a shareware registration function) and how someone can protect his fully .NET-coded application from being disassembled like that.
Thanks
Huji
huji Asked:
gregoryyoung Commented:
There is ildasm which is actually part of the framework SDK ... there is also reflector http://www.aisto.com/roeder/dotnet/ which most people use ...

The method you would use to stop people from doing such a thing in, say, a shareware app would be to make the registration process involve a foreign secret (i.e. it calls home to register). There are other ways but they are just obscurity (obfuscation is a well known one) http://www.preemptive.com/products/dotfuscator/index.html?source=Adwords&gclid=CIPGkKSZs4QCFRMGNAodCWTq_A is an example of an obfuscator ... Even obfuscated code can still be read through by someone who knows what they are doing, however, and is as such not completely secure. As such the keeping of this code not on the local machine is probably your best bet.

Cheers,

Greg

huji Author Commented:
>> involve a foreign secret (i.e. it calls home to register)
Would you please explain more?
gregoryyoung Commented:
An example would be to keep your registration process on a webservice (they need to call back to the webservice in order to get a key to unlock the software). This is assured to be secure as the code is not on the client machine where it can be disassembled.
huji Author Commented:
Well, there are two points here then. First, one can still use some DNS hacks, etc., to make the programmer connect to a fake site, and bypass the real registration system. (Or change the URL the software looks into, by simply manipulating the code!) Second, once the software connects to the webservice and sends the required data, it receives a reg key from that web site, and checks it with its validation algorithm. One can read and reverse-engineer the validation code.
What do you think?
Huji
gregoryyoung Commented:
Ok, the spoofed site concept is valid sort of ...

who said anything about receiving a registration key?

If you are verifying that the server is authentic there are other ways that you can do this.

You still run a risk of someone going in and flat out changing your code, but if you are also signing your .dlls this issue is pretty much nullified.
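One way to do the server-authenticity check mentioned in the comment above, as an added example that is not part of the original thread: the client ships with only the server's RSA public key, sends a fresh nonce, and accepts an answer only if it carries a valid signature over that nonce. The class and method names, the message layout and the license ID are assumptions made for illustration, and `RSA.Create(int)` needs .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo: "server" and "client" run in one process so it works offline.
static class LicenseDemo
{
    // Bind the answer to one request: fresh 16-byte nonce + license id + verdict.
    static byte[] Message(byte[] nonce, string licenseId) =>
        nonce.Concat(Encoding.UTF8.GetBytes("|" + licenseId + "|ACTIVATED")).ToArray();

    // Server side: the only place the private key exists.
    static byte[] ServerSign(RSA serverKey, byte[] nonce, string licenseId) =>
        serverKey.SignData(Message(nonce, licenseId),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Client side: ships with the public key only, so disassembly reveals no signing secret.
    static bool ClientAccepts(RSAParameters embeddedPublicKey, byte[] nonce,
                              string licenseId, byte[] signature)
    {
        using (RSA pub = RSA.Create())
        {
            pub.ImportParameters(embeddedPublicKey);
            return pub.VerifyData(Message(nonce, licenseId), signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static byte[] NewNonce()
    {
        byte[] nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        return nonce;
    }

    static void Main()
    {
        using (RSA realServer = RSA.Create(2048))
        using (RSA spoofedServer = RSA.Create(2048))
        {
            RSAParameters embedded = realServer.ExportParameters(false); // public half only
            string license = "DEMO-0001";                                // constructed sample value
            byte[] nonce = NewNonce();
            byte[] genuine = ServerSign(realServer, nonce, license);
            byte[] forged = ServerSign(spoofedServer, nonce, license);   // redirected host, wrong key
            Console.WriteLine("genuine server:  " + ClientAccepts(embedded, nonce, license, genuine));
            Console.WriteLine("spoofed server:  " + ClientAccepts(embedded, nonce, license, forged));
            // A captured genuine answer replayed against a later request (new nonce).
            Console.WriteLine("replayed answer: " + ClientAccepts(embedded, NewNonce(), license, genuine));
        }
    }
}
```

The signature check only covers a redirected or replayed server response. A client whose code has been changed to skip `ClientAccepts` is the separate tampering risk raised in the comment above.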



huji Author Commented:
>>  if you are also signing your .dlls this issue is pretty much nullified.
Why?
gregoryyoung Commented:
because the person while able to disassemble the dll will not be able to overwrite it (matching your key) putting their own code into the .dll ... if they create another .dll of the same name it will fail to load.
huji Author Commented:
Why can't they do that? (Well, I have not heard of anybody doing that, but I have seen cracks which were dll file substitutes.)
gregoryyoung Commented:
with an unsigned dll it is quite easy to do ... with a signed dll it is not.
huji Author Commented:
Excuse me for being a question box, but I don't know what you mean by a signed dll.
gregoryyoung Commented:
huji Author Commented:
Thanks.
Huji