Secure Encryption / Stop reverse engineering of DLL

Posted on 2009-12-22
Last Modified: 2013-11-07
I am developing a system which incorporates encryption when storing passwords.

I am fully aware of the ILDASM application that can be used to open up compiled executables and DLL files to see the assembly code, which makes any routine I write to encrypt/decrypt passwords pretty useless, as someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen), and write their own .net app using my DLL to decrypt the passwords!

My question is, is there a way to stop this from happening? Or can anyone suggest a more secure method of doing it?
Question by:DjDezmond
    LVL 7

    Accepted Solution

    The process by which you can stop this reverse engineering is using obfuscation. It's a technique which will foil the decompilers. There are many third parties (XenoCode, Demeanor for .NET) which provide .NET obfuscation solutions. Microsoft includes one, Dotfuscator Community Edition, with Visual Studio .NET.
    LVL 85

    Expert Comment

    by:Mike Tomlinson
    Ask the USER for a password to use...that way it must be entered every time and it won't be stored in your DLL.
    LVL 7

    Expert Comment

    Even if you are going to ask the user for a password, we would need to validate this password, which is obfuscated within your DLL.

    Just obfuscation will not suffice and protect the DLL.

    Alternately, the better solution would be for the DLL to authenticate to a key server. This is still not 100% foolproof.
    LVL 85

    Assisted Solution

    by:Mike Tomlinson
    The author said:

    "...someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen)"

    So he needs a KEY to encrypt some values with.  I'm saying that you never even store the key within the DLL.  Instead you ask the user EVERY time what key to use.  Then you encrypt the values with the user-supplied key.  When you go to decrypt, if the user provides the wrong key then it will fail.  Only the correct user-supplied key would decrypt properly (not throw an exception).

    Basically you ask the user for a "master password" that never gets stored.
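The scheme described in this answer, as an added example that is not part of the original thread (C# against the .NET Framework 3.5 crypto classes; the iteration count and the salt/IV/tag layout are my assumptions): the master password is turned into two keys with PBKDF2 and is never written to disk or compiled into the assembly. Encrypt-then-MAC is used so that a wrong password is detected deterministically by the HMAC check, rather than relying on a padding exception, which a wrong key will not always trigger.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): encrypt a secret under a key derived from a
// user-supplied master password that is never stored. A wrong password is detected
// by the HMAC check, so decryption fails cleanly instead of returning garbage.
public static class MasterPasswordVault
{
    const int SaltBytes = 16;
    const int IvBytes = 16;        // AES block size
    const int KeyBytes = 32;       // AES-256 key
    const int MacBytes = 32;       // HMAC-SHA256 tag length
    const int Iterations = 100000; // assumption: tune for your hardware

    // Derives separate encryption and MAC keys from the password and a per-blob salt.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            encKey = kdf.GetBytes(KeyBytes);
            macKey = kdf.GetBytes(KeyBytes);
        }
    }

    // Output layout (assumed): salt | iv | ciphertext | hmac(salt | iv | ciphertext)
    public static byte[] Encrypt(string masterPassword, byte[] plaintext)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);

        byte[] encKey, macKey;
        DeriveKeys(masterPassword, salt, out encKey, out macKey);

        using (var aes = Aes.Create()) // default mode is CBC with PKCS7 padding
        {
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var body = new byte[SaltBytes + IvBytes + cipher.Length];
            Buffer.BlockCopy(salt, 0, body, 0, SaltBytes);
            Buffer.BlockCopy(aes.IV, 0, body, SaltBytes, IvBytes);
            Buffer.BlockCopy(cipher, 0, body, SaltBytes + IvBytes, cipher.Length);

            byte[] tag;
            using (var hmac = new HMACSHA256(macKey)) tag = hmac.ComputeHash(body);

            var result = new byte[body.Length + MacBytes];
            Buffer.BlockCopy(body, 0, result, 0, body.Length);
            Buffer.BlockCopy(tag, 0, result, body.Length, MacBytes);
            return result;
        }
    }

    // Returns null when the password is wrong or the blob has been altered.
    public static byte[] Decrypt(string masterPassword, byte[] blob)
    {
        if (blob.Length < SaltBytes + IvBytes + MacBytes) return null;

        var salt = new byte[SaltBytes];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltBytes);
        byte[] encKey, macKey;
        DeriveKeys(masterPassword, salt, out encKey, out macKey);

        int bodyLen = blob.Length - MacBytes;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, bodyLen);

        // Constant-time comparison so the check does not leak where the tag differs.
        int diff = 0;
        for (int i = 0; i < MacBytes; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) return null;

        var iv = new byte[IvBytes];
        Buffer.BlockCopy(blob, SaltBytes, iv, 0, IvBytes);
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, SaltBytes + IvBytes, bodyLen - SaltBytes - IvBytes);
        }
    }

    public static void Main()
    {
        // Constructed sample input.
        var blob = Encrypt("correct horse", Encoding.UTF8.GetBytes("db password: s3cret"));
        Console.WriteLine(Decrypt("correct horse", blob) != null);
        Console.WriteLine(Decrypt("wrong password", blob) == null);
    }
}
```

Nothing in this assembly is worth extracting: a reverser who decompiles it learns the algorithm, which is public anyway, but not the master password, and without it the stored blobs cannot be opened.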
    LVL 17

    Assisted Solution

    Try some commercial products like:

    I have dealt with obfuscated/encrypted files using those applications; they are really hard to reverse engineer....

    You can't stop real reversers at all; even the most secure cryptographic obfuscators and encryptors like ExeCrypt and Themida are reversible. But you can stop most reversers except expert ones with the 2 programs I listed.
    LVL 3

    Assisted Solution


    Here's the one I use, {smartassembly} from Red Gate Software

    {smartassembly} will obfuscate and protect your .NET code, optimize your .NET assemblies for better deployment, minimize distribution size, increase performance & add powerful error-tracking and debugging capabilities to your valued application.

    Key Benefits
     Protects your .NET Software, your Intellectual Property, and your business.
     Helps you build a bullet-proof Application.
     Simplifies and improves the deployment of your Application.
     Improves your Application's global performance.
     Saves countless hours of diagnostics and debugging.
     Helps you improve the quality of your software.

    Product Editions -
     {smartassembly} is available in 3 editions:

     The Standard edition is perfect for a small and simple project.
     The Professional edition, thanks to its advanced debugging capabilities, enables you to improve and protect larger and more complex projects.
     The Enterprise edition, thanks to its specific customization capabilities, enables you to improve and protect your enterprise projects.

    LVL 9

    Author Comment

    Thanks for your posts guys. I was not online over Christmas and New Year to read them sooner.

    Some interesting information here.

      The "master password" idea (although a good one) would not really help me in this situation, as I am trying to build a server application that authenticates user logins to a website. But a good idea nonetheless.
