How to prevent reverse engineering of VB.NET apps

[esposito]

Dear AlexCode, Im afraid I must contradict you when you say anybody can decompile VB5 applications: executables created with VB5 can only be disassembled, not decompiled as VB.NET apps can. This means that, while it is possible to get the full source files from a VB.NET exe, it is only possible to get the assembly code from a VB5 program (unless you select the P-code option before compiling).
As you probably know, the assembly code cannot give you the plain source files, so borrowing the technique of the software, i.e. the code that allows functions to work, is impossible. Now, the way I see things is that this makes a fundamental difference between software created with VB5/VB6, which can be copyrighted, and software created with VB.NET which should logically belong to the open source world. It doesnt make any sense to copyright a VB.NET application since anybody could decompile it, "steal" the code and produce a similar, if not identical, program.

So, the conclusion I have come to is, for commercial purposes VB5/VB6 is a better choice, especially if your software is addressed to the general public.

I agree with you when you say "thinking on this problem will force developers to develop better apps, with better algorithms to be worth the price", but the implied "threat" is that as soon as a better application is available on the market, somebody may decompile it, modify it a little bit and make money with it, i.e. with somebody elses work.

 

[Divil]

Esposito, I suggest you purchase Remotesoft .NET Protector. This is the only application on the market that completely protects .NET assemblies from automatic decompilation back to .NET source code.

It compiles the assemblies to native code so you are offered the same level of protection as you would have against someone decompiling a natively-compiled VB5/6 executable. Its a completely different process from obfuscation, and it leaves the assembly manifest intact so all your existing code to interop with the assembly should still work. Its just that instead of IL instructions inside, youll have native machine code.

Note that this is a different process from ngen; ngen doesnt replace the contents of the original assembly. Instead, it stores it in a special location within the fusion cache.

 

[AlexCode]

esposito... How many sharewares do you have to make to worth buying this Protector?

RemoteSoft:
Our protector is available now at $1899 for 1-5 users.

 

[AndreRyan]

Compiling Natively removes the main ability of .Net. A .Net app can structure itself to make full use of special hardware features whereas a native code application needs to manually make use of special features. .Net apps may also become cross-platform compatible, a native app needs a Windows version, Linux version and Macintosh version but a .Net app may eventually have a "one for all"

A native program, though more difficult, can be disassembled. You can view the assembly of any running program by opening VS.Net and choosing Debug>Processes and pick any program you like.
A .Net program is easier to understand and easier to disassemble but, as has been said, it is probably not worth the trouble because you still do need to be a reasonable programmer to understand the dump from ILDASM and if its just a combination of existing algorythms and nothing that hasnt been done before, it may not be worth examining.

Most companies that distribute commercial applications/technologies use EULAs to make the user swear never to decompile/disassemble their application under threat of a law suit.

Just as a side note, Ive disassembled a few of the .Net apps that came with VS.Net to see how ILDASM worked, most of the programs were far to complicated to understand unless you had a few weeks/months to read through all the MSIL to see how it fits together since the compiled MSIL is much longer than the source code and not immediately understandable. An obfuscated program is even worse since every variable/class/namespace is renamed to a alphabet letter(A to Z), at least in the one I used.

 

[AlexCode]

... I ve never mentioned that Manage vs Unmanaged advantages or why MS use the IL because I think wouldnt worth...

I think our frind esposito, thinking like this, will never experience the goods of, for example, .net Reflection!...

 

[esposito]

Divil: this Remotesoft .NET Protector sounds very interesting and, to a certain extent, it guarantees continuity with former versions of VB producing self-sufficient applications. It is true that, as AlexCode pointed out, its quite expensive ($1899 for 1-5 users) but, if it prevents hackers from stealing your code, it is certainly worth the price.

AndreRyan: (1) Im afraid Microsoft are quite reluctant to extend the .Net platform to other operating systems, since this would probably threaten the monopoly of Windows. So I just wouldnt care about cross-platform compatibility. (2) Using EULAs would not stop hackers from decompiling your code. You definitely need to resort to more drastic measures to protect your software: it would be ingenuous to expect a honest behaviour from programmers used to practising reverse engineering. (3) You are probably right when you say that a decompiled VB.NET executable is not easy to read but this would not stop someone from modifying the graphic interface of your software, rewriting some code that he or she can understand and taking advantage of your work.

AlexCode: I know VB.NET is much more powerful that VB5/6 but, for the kind of software I produce, all the new functions offered ny the .Net platform are superfluous. For the moment, Ill continue to write my software in VB5. In the meantime I want to do some practice with VB.NET and experiment with Remotesoft .NET Protector to see if it is worth the price.

A final question: dont you think Microsoft have been unfair depriving millions of VB programmers of an extremely user-friendly tool, forcing them to learn a much more complicated programming language (thats what VB.NET is) which can only be installed on Windows XP and produces executables as difficult to penetrate as HTML files? Have Microsoft thought about the possibility they could lose millions of customers who may prefer to switch to a different programming language, such as the latest version of Macromedia Flash MX, rather than try to sell applications that, to be run, need the presence of a very cumbersome framework?

 

[Volte]

Microsoft doesnt need to compete with Macromedia Flash. That idea is laughable. Maybe for small hobby programmers Flash is decent, but lets see you create a business enterprise which depends on Macromedia Flash.

.NET can be installed on anything >= Windows 2000, not just Windows XP, and Microsoft specifically designed .NET to be potentially cross platform.

The framework is not cumbersome for anything except downloading, and as new versions of Windows become more widespread (Windows 98 has already been obselete for a long time, we cant keep supporting it) it will become less so.

Microsoft havent deprived millions of VB programmers. VB6 will be supported until something like 2008, and people are free to program in it if they want. Its not like they just made it stop working.



Bottom line: if you dont want to use .NET, dont use it, but I think the pros outweigh the cons when it comes to alternatives.

 

[AlexCode]

I like this discussion !

Ive some things to comment your last post...

(1) - The Cross platform implementation isnt on the MS side... I think you dont know that you already can make your code on a Windows based machine and have good warranties, that it will run on a Linux machine! Its called PRoject Mono... its a Framework for Linux... and as this one that already works very well there must be someone developing something alike to Mac environments... Its just a matter of someone build a framework to do so...

(2) - VB.net isnt harder than VB5... specially VB5!... Its simply diferent, its a OOP language witch VB5 isnt. VB5/VB6 was ment to be OOP but is far, very far from that... Once I got my hands on VB.net when I got to change some old code in VB6 its a headache...

(3) - On the contrary of what you said... I never saw so much developers, developing on MS languages... So many forums, so many people spending their spear time developing VB.net or C# apps... So many people leaving C++ or Java or Cobol to a real RAD language, where u can do anything you put your mind to in less time... I sont think its the best it could be but its improving...

(4) - Are you comparing Fash Mx with the .net platform? Tell me why is JAVA so wide distributed! Doesnt JAVA have a "Framework"????? Only the name is diferent... they have called it "Virtual Machine" dispite of that... I dont see any diference...

(5) - Here I was going to teach you the benifits of the Framework but Ill leave it to a next post...

 

[esposito]

I would very much like to use VB.NET for my commercial software, but first I have to sort out that problem about security issues.

You havent probably seen the latest version of Macromedia Flash MX yet: you can now manage any kind of database, so it is no longer a programming language for the Web only. Macromedia themselves said it is their intention to take advantage of the millions of former VB programmers who dont feel like upgrading to the .NET philosophy.

If Microsoft designed to make .Net cross platform, why isnt the .Net framework available for any other operating systems yet?

What if a new programmer would like to buy VB6? Theres no way you can get it, unless you resort to piracy. Dont you think Microsoft should make VB6 available since it has very little to do with its "successor" VB.NET? As you can see, theres no freedom to program in VB6.

Originally posted by VolteFace
Microsoft doesnt need to compete with Macromedia Flash. That idea is laughable. Maybe for small hobby programmers Flash is decent, but lets see you create a business enterprise which depends on Macromedia Flash.

.NET can be installed on anything >= Windows 2000, not just Windows XP, and Microsoft specifically designed .NET to be potentially cross platform.

The framework is not cumbersome for anything except downloading, and as new versions of Windows become more widespread (Windows 98 has already been obselete for a long time, we cant keep supporting it) it will become less so.

Microsoft havent deprived millions of VB programmers. VB6 will be supported until something like 2008, and people are free to program in it if they want. Its not like they just made it stop working.



Bottom line: if you dont want to use .NET, dont use it, but I think the pros outweigh the cons when it comes to alternatives.

 

[AlexCode]

Wanting to buy VB6 now its just like wanting to buy a new Win98...

Things have to move ahead. I dont agree with many stategies of MS but this one I support 200%.

I dont know how it is there in Italy but here in Portugal are many developers stuck in languages like Cobol that just cant make one step foward... and so their companies are drawning with them...

Every Prog language have its time and developers have to look ahead... ahead is like 4... 5 years ahead... Do you see yourself developing win apps in VB5 4 or 5 years from now??

Give me a break...

 

[whosyodaddy]

Well, a freind of mine creates real good programs, private, for security, you have to have this key plugged into your computer, yes, it is a physical object. Those keys are the safest bet... and each key is designed only for your computers special number that it assigns. So one person cant hand that key to somebody else.

 

[Volte]

How does it work? Is it a CD/Floppy with a special file, or some sort of special USB/serial device?

 

[AlexCode]

Here r some comercial apps that use that... the PCB is inside a 25 pin connector (like the one of the printers) and works fine but... and theres allways a but... It doesnt solv this problem here...
It only protects the program from running, doesnt protect it from beeng reversed...

Just a final comment: There is at leat one company distributing keys like those... but if you serch on the net theres also a app that simulates the key ! Cute isnt it?!?!?

 

[AndreRyan]

To point out a particular point from my previous post, .Net is potentially cross-platform and even if an app is running on Windows it can make use of special features and optimizations that are avaliable on the computer the software is running on. Like on an Intel processor the program may be compiled natively using cmov/fmov instead of mov or something like that(Im not an assembly programmer but I assume the special mov commands are faster versions of the normal one).

The obfuscator from remotesoft is difficult to deobfuscate since there doesnt appear to be any trace of the original names plus the obfuscator optimizes the program a little by removing some commands that may not be needed.

You can try encrypting your .Net apps if you want. Write a VB5/6 App that decrypts files using a custom encryption algorythm then the user runs the decrypter which gets the EXE out and you can run it then delete the EXE at the end of the session. This will make it impossible to use the Reflection functions though so its no good if youre using plugins.

 

[whosyodaddy]

Originally posted by AlexCode
Here r some comercial apps that use that... the PCB is inside a 25 pin connector (like the one of the printers) and works fine but... and theres allways a but... It doesnt solv this problem here...
It only protects the program from running, doesnt protect it from beeng reversed...

Just a final comment: There is at leat one company distributing keys like those... but if you serch on the net theres also a app that simulates the key ! Cute isnt it?!?!?

Yea.. but in order to get the program you pay for the key, so why do that? You cant get pirated copies off of the net or file sharing because he sells private... only to major big time companies.

 

[jorge]

You can still get vb6, it still on msdn,
And i agree, a good programmer can rewrite an aplication faster than a very good hacker can decompile it.
e.g. i had on old vb6 project i made when i was 12(im almost 16 now), i lost the code, but i rewriten it in about 15minuts, becouse mu knoledg has improved over 3 year, so why cant a experieced programmer recreate msn or somthing? and why is it so important that some one has your source code? Most of my apps are opensource, it help other programmer get smarten and new ids, personaly id love to see some one use my code.

Originally posted by esposito
I would very much like to use VB.NET for my commercial software, but first I have to sort out that problem about security issues.

You havent probably seen the latest version of Macromedia Flash MX yet: you can now manage any kind of database, so it is no longer a programming language for the Web only. Macromedia themselves said it is their intention to take advantage of the millions of former VB programmers who dont feel like upgrading to the .NET philosophy.

If Microsoft designed to make .Net cross platform, why isnt the .Net framework available for any other operating systems yet?

What if a new programmer would like to buy VB6? Theres no way you can get it, unless you resort to piracy. Dont you think Microsoft should make VB6 available since it has very little to do with its "successor" VB.NET? As you can see, theres no freedom to program in VB6.

 

[AlexCode]

Hey jorge... I never aggreed with esposito but youre too much open source !

 

[jorge]

Well maybe, lol, im just a hobby programmer, and i dont care about making money(yet) i gues ill change in a few year when im out of school i wand to make my living out of it, so they OS goes byebye

-- back on topic --
Would a debug build be harder to decode than a release build like it is in c++?

 

[AlexCode]

I presume youre talking about VS.net C++ ...

If it is... the ILDasm works the same way on both compile methods as also all the other revense engeneering apps out there...

 

[AndreRyan]

ILDASM cant decompile native sections of C++ Apps so the Managed section comes out but the Unmanaged needs to be dissassembled seperately. Debug builds are larger than Release builds because they contain debug symbols but it shouldnt be any harder to decompile.

I was MSDN yesterday and they say that they packaged dotfuscator in VS.Net 2003, there was also a feature list which described a special overrloading system used in the obfuscated files so that almost everything is renamed to "A" and makes the decompiled code difficult to recompile because the Assembler is not supposed to be able to understand correctly. With obfuscators you can preserve .Nets features but make the code almost impossible to understand. The renaming method also cant be undone(deobfuscated).