How to prevent reverse engineering of VB.NET apps

esposito

Hello, everybody. I gave an executable file created with VB.NET to a friend of mine, who is an experienced programmer, and the next day he gave it back to me... together with the source files!!!

He explained to me that disassembling an exe created with managed code is a piece of cake. Is there any way you can protect your programs developed in VB.NET?

TIA
 
Note this... You could also see the code in non-managed code... maybe not that easy but it was possible too...

In .net, the EXE code isn't compiled in native mode, it's in IL.
The IL is sort of easy to understand... You shouldn't put any passwords or sensitive texts in the code, because you can see all plain code perfectly using a tool called ILDASM :D

What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...:D NICE...

You can also use another tool to compile your code, NGen, which, as far as I know, compiles your app directly to Native Mode... but it brings good and bad things too...

I gave you all the names... search for them on the net and take your conclusions... :D Good luck ...
 
As far as I know, you can only get assembly code from standard exe files, but no source. Moreover, in order to do so, you should be able to use specific tools, such as SoftIce and a hex editor. This means that programming applications with the previous version of VB is much safer, isn't it? Now, my question is, do you think it makes more sense to stick to VB5/VB6 than migrate to VB.NET if you want to develop desktop applications? As I said, cracking VB.NET apps seems to be as easy as pie.

Originally posted by AlexCode
Note this... You could also see the code in non-managed code... maybe not that easy but it was possible too...

In .net, the EXE code isn't compiled in native mode, it's in IL.
The IL is sort of easy to understand... You shouldn't put any passwords or sensitive texts in the code, because you can see all plain code perfectly using a tool called ILDASM :D

What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...:D NICE...

You can also use another tool to compile your code, NGen, which, as far as I know, compiles your app directly to Native Mode... but it brings good and bad things too...

I gave you all the names... search for them on the net and take your conclusions... :D Good luck ...
 
Dear Derek, I'm afraid VB.NET makes a muck with security issues, unless you buy third party products. I currently produce desktop based applications with VB5/VB6 and so far nobody has ever managed to decompile my software in the way my friend did with a VB.NET executable.

So, unless I need to produce something for the Web, I think I'm going to stay with VB5.

 
Derek raises an excellent point. People may be able to get the source dump, but it really doesn't matter even if they do. Turning your decompiled source into a working program would probably be more work than writing it from scratch. The only really useful thing you can get from a decompilation is logic, and much of the logic is changed drastically (i.e. the IL uses goto constantly rather than many of the other equivalents, like calling internal subs or Select Case statements).
 
You are right: turning decompiled source files into a working program would require a big effort. Anyway, I was referring to security issues from another point of view, i.e. reverse engineering in order to crack a protected program, e.g. shareware. You will agree with me that, with VB.NET, things have become much easier for hackers.

Originally posted by VolteFace
Derek raises an excellent point. People may be able to get the source dump, but it really doesn't matter even if they do. Turning your decompiled source into a working program would probably be more work than writing it from scratch. The only really useful thing you can get from a decompilation is logic, and much of the logic is changed drastically (i.e. the IL uses goto constantly rather than many of the other equivalents, like calling internal subs or Select Case statements).
 
The only real effective kind of shareware is the kind where you cripple the software, taking away some key functionality. Any shareware which contains full functionality ("locked" or otherwise) anywhere in the program is simply ineffective to anyone who knows how it is done, and regardless of whether it is done in .NET or not, it isn't that hard to figure it out.

Another effective way to do it would be to require an encrypted evaluation key to be entered on install, which needs to be emailed to the user. The key would expire after 30 days, and since you already have the user's email stored in your database, you don't send another one. It is fairly effective, but takes a lot more work to set up. Look at the VMWare site to see what I mean.

However, if you need to securely store algorithms and such, you might try using a C++ DLL. However, an assembler programmer would usually be able to extract stuff like that from the C++ DLL.
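
The emailed 30-day evaluation key described in the post above, sketched as an added example that is not part of the original thread or any poster's code. It uses an RSA signature rather than encryption so that only a public key sits in the decompilable assembly; the names `IssueKey` and `IsKeyValid`, the `email|yyyy-MM-dd` payload format and the sample address are assumptions, and it needs a current .NET runtime.

```vbnet
Imports System
Imports System.Globalization
Imports System.Security.Cryptography
Imports System.Text

Module EvalKeyDemo
    ' Vendor side (runs on the vendor's server, never shipped): sign "email|expiry".
    Function IssueKey(vendorKey As RSA, email As String, expires As DateTime) As String
        Dim payload As Byte() = Encoding.UTF8.GetBytes(
            email.ToLowerInvariant() & "|" & expires.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture))
        Dim sig As Byte() = vendorKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
        Return Convert.ToBase64String(payload) & "." & Convert.ToBase64String(sig)
    End Function

    ' Client side: the shipped assembly holds only the public key, so reading the
    ' IL does not give anyone the means to mint a new key or extend an old one.
    Function IsKeyValid(publicKey As RSA, key As String, today As DateTime) As Boolean
        Dim parts As String() = key.Split("."c)
        If parts.Length <> 2 Then Return False
        Try
            Dim payload As Byte() = Convert.FromBase64String(parts(0))
            Dim sig As Byte() = Convert.FromBase64String(parts(1))
            Dim signed As Boolean = publicKey.VerifyData(
                payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            If Not signed Then Return False
            Dim fields As String() = Encoding.UTF8.GetString(payload).Split("|"c)
            If fields.Length <> 2 Then Return False
            Dim expires As DateTime = DateTime.ParseExact(fields(1), "yyyy-MM-dd", CultureInfo.InvariantCulture)
            Return today.Date <= expires
        Catch ex As FormatException
            Return False   ' malformed Base64 or date: treat as an invalid key
        End Try
    End Function

    Sub Main()
        Using vendorKey As RSA = RSA.Create(2048), publicOnly As RSA = RSA.Create()
            publicOnly.ImportParameters(vendorKey.ExportParameters(False))   ' public half only
            Dim issued As New DateTime(2024, 1, 1)   ' constructed sample date
            Dim key As String = IssueKey(vendorKey, "user@example.com", issued.AddDays(30))
            ' Constructed tampering attempt: later expiry, original signature reused.
            Dim forged As String = Convert.ToBase64String(
                Encoding.UTF8.GetBytes("user@example.com|2099-01-01")) & "." & key.Split("."c)(1)
            Console.WriteLine("day 10: " & IsKeyValid(publicOnly, key, issued.AddDays(10)))
            Console.WriteLine("day 31: " & IsKeyValid(publicOnly, key, issued.AddDays(31)))
            Console.WriteLine("forged: " & IsKeyValid(publicOnly, forged, issued.AddDays(31)))
        End Using
    End Sub
End Module
```

The signature stops forged or extended keys, not patching of the check itself, and the date comes from a clock the user controls.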
 
Dear VolteFace, I know no security system is perfect but, as you said, crippling software has now become too easy. That friend of mine who managed to get the source files of my VB.NET executable cannot use, for example, SoftIce nor can he program in C++.

Again, what concerns me is that now reverse engineering is within the reach of inexperienced programmers. So, unless you devise a very complicated protection system for your software, you may have reason to believe that sooner or later it will be cracked by the first newbie who wants to show how clever he is.

This still makes me prefer VB5/VB6 to VB.NET.

Originally posted by VolteFace
The only real effective kind of shareware is the kind where you cripple the software, taking away some key functionality. Any shareware which contains full functionality ("locked" or otherwise) anywhere in the program is simply ineffective to anyone who knows how it is done, and regardless of whether it is done in .NET or not, it isn't that hard to figure it out.

Another effective way to do it would be to require an encrypted evaluation key to be entered on install, which needs to be emailed to the user. The key would expire after 30 days, and since you already have the user's email stored in your database, you don't send another one. It is fairly effective, but takes a lot more work to set up. Look at the VMWare site to see what I mean.

However, if you need to securely store algorithms and such, you might try using a C++ DLL. However, an assembler programmer would usually be able to extract stuff like that from the C++ DLL.
 
This thread is going deep :)

esposito: I don't know what kind of programming u do, nor how much time you have to develop each application, but VB5!!! You've got to be kidding us...

Derek gave you the URL to another thread on this forum where there is something really true... If you really develop something that is really worth the work of reverse engineering, there's no language or security method that can protect you!!

Don't u think that if it existed the game developers would use it?? :D
Think about it...

No present security issue is worth sticking with VB5... :p

I think I'm going to have nightmares with that tonight ! :D
 
AlexCode: I'm not sure I grasped the gist of your last post. Anyway, to sum up what I said, I am afraid that, if you develop commercial software using VB.NET, anybody could decompile it, make some modifications to the code and graphic interface and become the owner of a new program based on your production.

I produce shareware for the Italian market. If you are curious, you can download my software from
http://www.geocities.com/espositosoftware
which is a mirror of my Web site.

I know no language can guarantee perfect protection from hackers but I also know that VB.NET makes decompiling too easy.

Originally posted by AlexCode
This thread is going deep :)

esposito: I don't know what kind of programming u do, nor how much time you have to develop each application, but VB5!!! You've got to be kidding us...

Derek gave you the URL to another thread on this forum where there is something really true... If you really develop something that is really worth the work of reverse engineering, there's no language or security method that can protect you!!

Don't u think that if it existed the game developers would use it?? :D
Think about it...

No present security issue is worth sticking with VB5... :p

I think I'm going to have nightmares with that tonight ! :D
 
You're absolutely kidding yourself if you think it's harder to replace a jmp command with a nop command in a natively compiled executable than to do the same in an assembly code in IL. Shareware programs are just as vulnerable then as they are now, and anyone that says otherwise is living in a world of delusion. With that said you also need to remember that no one cares what your source code looks like. .NET has almost completely removed the need for "creative coding", since most of the functionality one needs is already available in the BCLs.

Software is created to meet the needs of a customer. Generally it isn't created to break creative boundaries or to be looked upon as something unique, since within time someone is going to capitalize on your idea and there's little you can do about it. What it boils down to is that all software developers need to accept this and move on with their work. The time you're wasting on obscuring your "masterpiece" is time you should be using to entice users to your product.
 
I respect your point of view but I have a different opinion about it.

I think the copyright on your source code is still important, otherwise commercial software would disappear from our "world of delusion".

What you are saying would mean that I could easily become the owner of any software I can find on the market, because "no one cares what your source code looks like".

Open source is a generous project but it does not allow you to make ends meet. Developing software is a job like any other. If you deprive programmers of the possibility of selling their products, you will force them to look for a new job.

That's why I'm still looking for a secure way of protecting my applications.

Originally posted by Derek Stone
You're absolutely kidding yourself if you think it's harder to replace a jmp command with a nop command in a natively compiled executable than to do the same in an assembly code in IL. Shareware programs are just as vulnerable then as they are now, and anyone that says otherwise is living in a world of delusion. With that said you also need to remember that no one cares what your source code looks like. .NET has almost completely removed the need for "creative coding", since most of the functionality one needs is already available in the BCLs.

Software is created to meet the needs of a customer. Generally it isn't created to break creative boundaries or to be looked upon as something unique, since within time someone is going to capitalize on your idea and there's little you can do about it. What it boils down to is that all software developers need to accept this and move on with their work. The time you're wasting on obscuring your "masterpiece" is time you should be using to entice users to your product.
 
Derek... I think we're out of arguments :D
What can we say to make him see that he gains more money developing better and faster apps than more secure ones :confused: ?

We always have to supply some security, but being obsessed about it, it's a run that will never end...

I'm no expert on Reverse Engineering but if you build some app in VB5 and offer $1000 to a good hacker he gives you the code just like your friend gave you the .net code... :D

Maybe if the hacker is a smart one... he builds the entire program from scratch faster than he would reverse it !! and this is the logic...

Use ILDasm on one of your EXEs and tell me what u see!
Can you understand the logic of it from there?
It's what I told you... the only security break I see here is if you place a plain text password there... on a database connection to a database for example... despite this, do yourself a huge favor... leave all those VB5 spider webs and put your hands on real OOP and RAD programming!

The main idea I want u to retain is:
You'll earn more money developing better and faster than securer... Trust me on this...!
 
Perhaps I should have put this posting in a separate thread, so if I should have please forgive me as I'm still very new here and just learning my way around.

I do have a question in seeking some advice. One of my goals in learning VB.NET is to write class libraries that can be used by other applications.

I realize in VB.NET you compile class libraries to a file. I have not gotten that far yet in my studies, so I do not know if the file takes on the form of an exe file or not.

But is it possible to use an obfuscator on a class library and would you suggest using one?

I mean no disrespect to anyone by asking this and acknowledge all that has been said so far in this thread. I am not seeking an absolute solution here as I realize that nothing, no matter what it is, is absolutely secure. If someone is determined enough to get something then it will happen.
Thanks,
Ira
 
Irasmith, an obfuscator designed for .NET should be able to handle any type of assembly produced by .NET. An example of an obfuscator would be the one that comes with VS.NET 2003.
 
Thank you for the input and clarification on that. I have made a note of it for when I get to the class libraries portion of my studies.
Ira
 
Sorry to disappoint you but I just want to remind you how unreliable an obfuscator is, quoting AlexCode's words: What we can do is use a tool called Obfuscator... There are already plenty of these on the market... even VS.net comes with one... The problem is that there are some DeObfuscators too ...

Originally posted by irasmith
Thank you for the input and clarification on that. I have made a note of it for when I get to the class libraries portion of my studies.
Ira
 
Your reply does not give an answer to the problem I have already pointed out, i.e. if you develop commercial software using VB.NET, anybody could decompile it, make some modifications to the code and graphic interface and become the owner of a new program based on your production.

How can you make money in that way?

Originally posted by AlexCode
Derek... I think we're out of arguments :D
What can we say to make him see that he gains more money developing better and faster apps than more secure ones :confused: ?

We always have to supply some security, but being obsessed about it, it's a run that will never end...

I'm no expert on Reverse Engineering but if you build some app in VB5 and offer $1000 to a good hacker he gives you the code just like your friend gave you the .net code... :D

Maybe if the hacker is a smart one... he builds the entire program from scratch faster than he would reverse it !! and this is the logic...

Use ILDasm on one of your EXEs and tell me what u see!
Can you understand the logic of it from there?
It's what I told you... the only security break I see here is if you place a plain text password there... on a database connection to a database for example... despite this, do yourself a huge favor... leave all those VB5 spider webs and put your hands on real OOP and RAD programming!

The main idea I want u to retain is:
You'll earn more money developing better and faster than securer... Trust me on this...!
 
Dear esposito... it's not that piece of cake to retrieve the code as it was... the vars don't have their primitive names and it is not that easy to read that, and I keep telling u... If your code is worth it, anyone can decompile VB5 too...

But as with ALL programming languages, it's easier to take the logic of the program and build one from scratch... faster and better...

Thinking about this "problem", it forces developers to develop better apps, with better algorithms, to be worth the price...

I make a question...
Does anyone want to reverse an accounting software rather than get the 3 best ones, take their logic, goods and bads and build one of their own?
 