When you compile a program to publish with Visual Studio 2010, does that have any advanced methods to keep your program being decompiled to source code? Are there any methods you would use to encrypt yoursource code before compiling?
Visual Studio by default does not apply any form of enhancements nor modify the compiled binaries other than chosen optimization setting.
There are however protectors you can make use of.
Remember UPX?
Well upx is still a very viable method of encrypting your binaries altough of course it all depends on your needs.
No, there's really no way to prevent a managed assembly from being decompiled back into source code. The best you can hope for is obfuscation, which can do quite a good job of making the decompiled code hard to understand.
VS 2010 comes with Dotfuscator community edition which will obfuscate your code to a point making it harder to read once decompiled. The only real choice is to encrypt your code if you need the absolute best security. You might want to check out the paid edition http://www.preemptive.com/products/dotfuscator/overview to see if it suits your needs and budget
You can use obfuscators which employ various techniques like class/method name renaming, string encryption, method call hiding, etc. Even if someone were to view your code in a disassembler, he would not be able to make any sense out of it.
DISCLAIMER: I work for LogicNP Software, the developers of Crypto Obfuscator
VS and any other good compiler make optimalizations. Solely these optimalizations are often enough to make your application resist reverse engineering attempts.
This will not encrypt constants in your program so mypass will still be found as mypass in the binary. You need an encryption program for that.
Alas I have no idea what the good and bad encryption programs are for binaries so I won't suggest any.
Best protectors are confuser ,engima and themida
Wibu Systems offers a solution that encrypt the binary files which will preventing reverse engineering.
https://www.wibu.com/uk/products/protectionsuite/axprotector-ip-protection.html
Related
I don't know if this is the correct place to post this question, so sorry if it is in the incorrect place.
Question:
How easy is it for a third-party person to decompile my vb.net application? I mean is it even possible?
For example, I have an .exe, would someone just put that .exe into a decompiler and... BAAM!!, they can see all the code? Speaking of code, when compiling, does the code get encrypted? If not, is there a way to encrypt the code?
I have used SWF decompiler to decompile a .SWF to .FLA, and to decompile an SWF is really really easy with this tool. Would it be this easy to decompile an .exe?
Thanks.
Yes. You can decompile your code very easily. .Net Reflector is an excellent tool to do exactly as you describe.
Imagine if you encrypted the code. The runtime on the users computer would still need to decrpyt it to understand it.
Best you could do would be to obfuscate your code.
.net reflector is not free anymore, I recommend telerik JustDecompile, free and very easy to use, a great tool http://www.telerik.com/products/decompiler.aspx . It's able to decompile everything the way you described
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
iPhone/iPad App Code Obfuscation - Is it Possible? Worth it?
I have spent a lot of time on this and I couldn't able to find a perfect answer. That's why I decided to put my question here. I have an iPhone application and want to encrypt the code to prevent from class-dump or otool utilities. (Tools used to dump out the headers from executable). I would like to know is there any way to encrypt the source code or obfuscate the source code?
It's a lot more complicated than it might seem initially. Any tool that mangles method names has the potential to fudge up:
KVC compliance
The use of dynamically generated selectors
Nib file compatibility
Protocol conformance
Method inheritance
Obfuscation is just another layer to deal with; often obfuscation is easily reversed. It is not really possible to “encrypt” your classes because the Objective-C runtime and Cocoa framework won't know how to decrypt it. Anyone determined enough will eventually figure out how your program works.
Actually you can provide some obfuscation and tamper protection with specialist 3rd party tools. There are 2 companies, I know of, that provide tools or services to do this : Arxan and irDato.
Neither are cheap or accessible to small developers but if you are developing for a large corporation then you should consider them.
Obfuscation is done by mangling code paths and adding redundant instructions so as to confuse anybody trying to reverse engineer the code. Tamper protection is done by adding checksums to the code and embedding checksum checks within functions. You can create a network of interdependent checksums that makes it extremely difficult to bypass them. There are a few other things that can be done but you really need to talk to specialists in this area.
Further to the earlier answer, Apple does not encrypt the binaries but just signs them. It is fairly easy to reverse engineer and modify app binaries on a jailbroken device.
Apparently, according to this answer Apple encrypts iPhone binaries as a matter of course for all iPhone apps.
I'd stop worrying about it.
I understand that it is easy to hack Mach-O executable, I just want simple protection against "class-dump" tool. Is there any tool or XCode plugin that can change all classes names and class functions to something not very readable (like random combination of symbols and numbers)?
Frankly that's all protection I need.
I wrote a bit about this in this blog post, but to summarise: you can avoid having methods appearing in class-dump by registering them at runtime, or just keeping them as functions.
If really all you want to do is rename the classes/methods, you can use the tops command-line tool or Xcode's refactoring feature.
Are you looking for Objective C obfuscators?
This page has a great discussion on Obfuscating Cocoa.
You really probably don't want to bother with this. Obfuscation will not prevent a determined hacker from reverse engineering a truly valuable algorithm. Casual users won't bother, so you're likely doing a lot of work for little added value. As #mvds points out in a comment to your question, NIB connections will betray the purpose of many classes and a determined hacker could use dtrace/Instruments.app to trace messages to uncover much of the rest of what they need.
Any truly valuable IP needs to be protected by something stronger than obfuscation and should probably be written in C/C++ as well as having legal patent and copyright protection (and enforcement).
If you're not doing already, you can at least strip your executable of certain unnecessary symbols by enabling 'Deployment Postprocessing' and 'Strip Linked Product 'in the Xcode build setting. (Or just use the strip tool directly.) Better than nothing.
I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.
So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values wont be visible easily. Infact to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.
Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.
Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.
I have downloaded trial of .net reactor from Ezriz and it seems to be fine. What do you guys suggest? I cannot affort something over $200. So is this product worth going for. You guys know better.
Thank you for your support.
Cheers,
Saurabh
Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password.
Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.
Security Through Obscurity will never work. You will never be able to control the client.
A better approach is to setup a a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.
I use Eziriz .NET Reactor for a while now and it works great for me. I used Eazfuscator before but it wasn't really powerful.
.Net Reactor has awesome features such as Anti ILDASM and Native Exe file generation. Also it'll fit your budget. You can use Trial before purchasing it and test if it works with your scenario.
You should strongly consider Babel .net obfuscator. In my opinion even though it is a console application it is by far the best for price, licensing (not locked to a single computer) and features.
I use Eazfuscator:http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx
It powerful and it's free. Wonderful tool extremely simple to use.
see also VB.NET Static Code Anaylsis
For better or for worst we now have a VB.NET coding standards document that is based on a C# coding standard as enforced by StyleCop.
For example
the number of spaces you should put in each side of a “+” sign etc
all instance Members (fields and methods!) must be access as “me.fieldName”
all shared members must be accessed as “className.fieldName”
As I tend to think:
If it’s in a requirements document it
should be check for by an automatic
system
I am looking for (ideally free) tools that will check for that short of rules on VB.NET code, as these are style issues that don’t make it into the compiled output, FxCop is not useful.
(I would personally match rather that we just check for important things like duplicated code and single reasonability for each class (so no more multi thousand line classes!), but as I need to keep to the coding standard document I wish to have a tool to help me do so.)
see also Enforcing using the class name whenever a shared member is accessed.
About the bounty.
I am looking for a list of VB.NET code checking tools, with a short summery of what each tool can do and its limitations. If the tools are not free, please include some ideal of cost.
Does anyone have experience using CodeRush/Refactor! or ReSharper with VB.NET to check for this type of coding style issues?
I know of no free source code analysis tools with good VB support. There are, however, at least two commercial tools that may be suitable:
submain CodeIt.Right
SSW Code Auditor
Personally, I prefer the CodeIt.Right rule authoring mechanism, so I would favour it if considerable custom rule development were planned. However, if you just want to use out-of-the box rules, Code Auditor ships with quite a few more code style rules than CodeIt.Right, most of whose built-in rules target the compiled IL (like FxCop).
The only ones I know of are:
Microsoft's FxCop
Of course, this only operates on compiled assemblies, so doesn't give the same functionality as StyleCop, and certainly won't help with things like naming schemes.
However, the closest thing is:
Aivosto's Project Analyzer v9.0 for Visual Basic, VB.NET and VBA
The full version is not free, but this is the closest thing to StyleCop for VB.NET that I can find.
There have been a number of calls for a VB.NET version of Microsoft's StyleCop, such as those in this thread on the code.msdn.microsoft.com site. That same thread also gives some good insight into why a VB.NET version doesn't exist.
I use ReSharper on a daily basis and I find it fine for both code formatting and for solving naming issues. It allows to configure how naming must be enforced, how issues are displayed (hint, suggestion, warning, etc) and provides a precise code formatter (space, paranthesis, line breaks, this qualifier, etc).
Note that I don't know if it can be run in batch mode.
Turning Option Explicit on by default is always a great idea and should be standard practice. I would argue it should be turned on by default in VS out of the box. But it doesn't come close to enforcing the out of the box rules that StyleCop does for C#, nor does it allow for you to create your own rules.
The whole reason for StyleCop's existence is because FxCop only works on compiled assemblies, leaving web projects out in the cold for a similar tool. With StyleCop, web developers get the same great rule enforcement and tight VS integration. It is a great tool for any C# developer.
It is unfortunate that it is only C# capable, a VB version would satisfy a large community that is left wanting something similar.
There already is a very good style tool built into the VB compiler. It is called Option Explicit On, put it at the top of the source code file or use Tools + Options + Project and Solutions + VB Defaults, Option Explicit = On. If that wasn't turned on previously there could be a mountain of errors when you compile your code after changing that.
If it is clean or already turned on, consider that you are 95% close to writing clean C# code and that the language doesn't really matter anymore.