?
Solved

Protecting vb6 & .Net code Obfuscation

Posted on 2016-11-26
18
Medium Priority
?
317 Views
Last Modified: 2016-11-28
Hi talking with colleagues was informed that there is a way to protect our code vb6 and vb.net; something called Obfuscation.  We looked it up and there is a lot of confusing info not quite understand.  Can an EE tell us if this Obfuscation is the way to go in protecting our code? Please advice.
0
Comment
Question by:rayluvs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 3
  • +1
18 Comments
 
LVL 46

Expert Comment

by:aikimark
ID: 41902675
If you're writing Windows applications, then obfuscation is your friend.  I'm also a fan of the protection software from Oreans
http://www.oreans.com/

They take obfuscation a step (or three) further than code obfuscation.
0
 

Author Comment

by:rayluvs
ID: 41903060
We know nothing is 100% but we are looking for is to maybe protect the EXE files; can you elaborate a bit more on obfuscation  maybe in more simple terms?
0
 
LVL 10

Expert Comment

by:Luke Chung
ID: 41903071
Our Total Visual CodeTools product offers a wide range of tools to help VB6 and VBA developers

It's VBA/VB6 Code Delivery feature lets you obfuscate your variable names, remove comments, blank lines, line continuation characters, etc. so that someone who gets the raw source code or reverse engineers the code from the EXE would have much more difficulty. It also adds line numbers to all your code which is very helpful if your error handler reports the line number where crashes occur. A basic requirement when we deliver solutions.

Hope this helps.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 46

Expert Comment

by:aikimark
ID: 41903075
What kind of "protection" do you seek for your exe files?
0
 

Author Comment

by:rayluvs
ID: 41903088
So obfuscate means that the said apps would somehow rename:
- variable names
- remove comments
- blank lines
- line continuation characters, etc

???

The "protection" we seek in our exe files are 2 (in our limited expierence):

  • Limit or make dificult reverse engineering.

This for obvious reasons and we think we understand by obfuscate.

  • Constant values like letters, for example variable="Expert Exchange" not be visible with a hex editor.

This is because we were told that if we place a line like DisplayCompanyNameLicensedTo="Expert Exchange", an individual can use a hex editor and change that value.  So when run, the apps will say it's license  to someone else and legally since it says it in the apps


Hope this provide our scope of what we want.

please advice
0
 
LVL 46

Assisted Solution

by:aikimark
aikimark earned 2000 total points
ID: 41903141
Ah.  Then you should also look for a utility/package with those features.  

Alternatives
* You might preprocess your code to encrypt-and-encode literal strings and include a function to decode-and-decrypt those strings.  
* You might place such encrypted/encoded strings into a resource file and read those values
* You can add an external binary file with your installation and read/decrypt it.
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 41903277
Obfuscation will make it a bit harder to read code to is not 100% hack-free. There is not much you can do in the Windows world to really protect .Net code other than having the code to run from a remote server.

Also, if you are using the Reflection feature, your app won't run if obfuscated.
0
 

Author Comment

by:rayluvs
ID: 41903407
Yes, that is what we concluded here "include a function to decode-and-decrypt those strings" (as a matter of fact we  place another question on this).  

In other words, if we encrypt a string we want to display on the form, we would  make a function  that we would send the encrypted data and the function would decrypted and display it.

Can you provide an example?

Eric, what do you mena by Reflection feature?
0
 
LVL 46

Expert Comment

by:aikimark
ID: 41903487
Some things to ask yourself:
1. How many versions of the software will we sell/license?
2. How much effort ($$$) will we spend protecting our program?
3. How often do new versions get distributed?
0
 

Author Comment

by:rayluvs
ID: 41903550
Answers:
1. How many versions of the software will we sell/license? - for now 1 and at this point it's on trial with the site; hopefully more subsequently (this will be our first time)
2. How much effort ($$$) will we spend protecting our program? -we have one person working on it; we are no knowledgeble on the matter but want to se how viable to incorporate  this practice
3. How often do new versions get distributed? -for now 1
0
 
LVL 46

Expert Comment

by:aikimark
ID: 41903612
How are you handling the licensing? (Lease, purchase, other ________, by PC/server, by domain)
0
 

Author Comment

by:rayluvs
ID: 41903620
We are not there yet.  Unfortunately this is a project that our boss just threw on us due to a bad move by the customer and now we must implement but want to protect anything we send over during this period.  So for now, we don't know what the next sale will be  like; Lease, purchase, etc.
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 41903961
0
 
LVL 10

Expert Comment

by:Luke Chung
ID: 41904275
Looks like this has gone beyond the technical to the issue of trust with the client, since this is a one customer issue right now. Not sure what the price/value of your solution is, but in most cases, delivering an EXE in VB6 or .NET is sufficient to protect the source code. It's a separate issue if you're trying to hide specific secure information (e.g. passwords and connection strings) versus the source code.

If there's fear about the client reverse engineering from the EXE, that raises all sorts of other issues beyond obfuscation. First, that would require considerable effort. Second, they would need to have the technical expertise to do something with it.

Is the fear they won't pay you? Or that they'll take your work and resell it or compete against you? One needs to understand what you're trying to protect/prevent in order to come up with the right solution.
1
 

Author Comment

by:rayluvs
ID: 41904371
Hi Éric,

read your link and it seems that it's for obtaining information about loaded assemblies.
How does that help us?
thanx.

Hi LukeChung,

We are trying to protect the EXE from their techs so they do  not either reverse engineer or view the EXE with some sort of hex-viewer and identify certain values as strings so on.
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 41904404
You can use Reflection to call methods or get/set properties that are not known at compile time. If you obfuscate your code, all the names will be changed and reflection won't be able to work.
0
 
LVL 46

Accepted Solution

by:
aikimark earned 2000 total points
ID: 41904490
If you primarily need to protect at-rest (on disk) data, your job is a bit easier than trying to prevent in-memory data.

In .Net, you can use intrinsic obfuscation, specifying encryption of selected parts of your assembly.
Example: https://help.gapotchenko.com/eazfuscator.net/20/advanced-features/resource-encryption

VB 6 is more complicated.  In addition to the above comments, I recommend this question thread:
https://www.experts-exchange.com/questions/28333992/VB6-Hiding-Strings.html

You could use part of the .Net framework to externalize file(s) with the encrypted data, as described in this two-part article:
https://msdn.microsoft.com/en-us/library/aa719107(v=vs.71).aspx
https://msdn.microsoft.com/en-us/library/aa719106(v=vs.71).aspx
However, I think that you'd probably want to structure the data (XML, JSON) or store multiple files in a zip format for easier distribution.

You might use the Resource Compiler to assemble an encrypted file and include it with your VB6 installation.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa381055(v=vs.85).aspx

==============================
Protecting your IP is difficult.  Here are some things I've done for my applications.
* Each user gets a unique key (think GUID) that is based on their environment (PC-specific data or domain)
* Some protection and licensing values are stored in the Registry/Hive in encrypted form.
* Other pieces of protection are disk-based.
* Once you've used some decrypted data, wipe that variable's value even though it will be garbage collected at the end of the routine.
* Consider using a DLL to help you package your code.
* Distribute parts of your decryption key in your code and assemble it in different places in your initialization routine.
0
 

Author Closing Comment

by:rayluvs
ID: 41904501
Thanx! Great Info!  We are working on it right now!!!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
Suggested Courses
Course of the Month9 days, 15 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question