开发者

Is it possible to prevent decompilation of .NET MSIL DLL?

开发者 https://www.devze.com 2022-12-17 10:02 出处:网络
Almost all the .net assemblies can be de-compiled using Reflection .Which means that all .net products are open source since the code can be easily be used by other developers.

Almost all the .net assemblies can be de-compiled using Reflection .Which means that all .net products are open source since the code can be easily be used by other developers. Isnt there a way so that we can encrypt the codes (at l开发者_开发问答east for some security logic) so that it cannot be easily cracked or misused.

Edit

Old question Is winforms .net really equal to open source? was edited considering comments regarding proper use of the word Open Source


There are tools that can encrypt .NET Assemblies, preventing decompilation with Reflector and similar tools. They also perform a number of related services such as obfuscation, protection of embedded resources, etc. Two I know of:

RemoteSoft Salamander Suite
XHEO DeployLX


No

All code can be reverse engineered, copied, cloned, reused, relinked and other things. What open source means is that it is free in the legal sense from restrictions, so people can learn from the code. This also means technology can grow and a stronger long-term tech economy can be created, rather than short-termism. Read the "Cathedral and the Bazaar" for a biased but relevant point of view.

I am not aware of a sufficiently strong code protection method that isn't just high obfuscation and is only security through obscurity. Your question alone says you need to know more about the topic you are asking about by reading and researching the technical, logical and possibly the philosophical qualities of the question's intent.

Edit: I stand by my principle even though the use of the term "Open source" was retracted.


Isnt there a way so that we can encrypt the codes (at least for some security logic) so that it cannot be easily cracked or misused.

Other people have touched on code obfuscators, but ask yourself what you're really trying to accomplish:

  • Are you trying to make your code more "secure"? Not only is security through obscurity a relatively weak strategy, you shouldn't be putting sensitive data in source code anyway! Move passwords, connection strings, etc out of code and into a config file.

    Presumably, then, the application is secure so long as no one has access to your physical machine. You can assume if the attacker has the physical machine, all hope is gone anyway.

  • Are you trying to protect proprietary algorithms? If you don't want to shell out the money to get a patent, then the best tried and true strategy would be exposing your API through a web service on servers you control. The app makes a call into the web service -- meaning performance degrades and you have a dependency on your users having an internet connection, but at least your code is absolutely secure.

  • Are you trying to prevent users from pirating software? There are lots of posts on SO regarding licensing key systems.


Anything can be reverse-engineered. While .NET assemblies can be more easily decompiled there are many obfuscators available to make the code harder to understand.

There isn't any good way to encrypt the code that you are shipping to customers. At some point the code must be decrypted in order to run and that means that the client machine must have the ability to do this. If the client machine has the ability to decrypt the code then so does anyone else who has access to the machine.

This problem is not unique to .NET assemblies - any application is susceptible to decompilation. If the security of the original source is your main concern then perhaps a web-based application (like a website or web service) would be better as you would be able to isolate the assemblies from the outside world.


Obscurity can never help you forever...

Your code that is decompiled may or may not have useful variable/class names and it definitely won't have comments, and of course the copyright still belongs to you.

So legally you can't use decompiled programs in anyway(or even decompile them) and I'm sure there is some option(if not on by default) you can use for basic obscurity such as using var1...9999 as the variable names and class names.


If need opensource try mono framework. Although a part of it has portion that has not been publish by microsoft as part of Common language Infrastructure CLI. For you answer NO you cannot use or reuse/publish part of as whole anywhere. You can also look at rotor Shared Source Common Language Infrastructure 2.0 which is open souce and managed by microsoft but it does not contain Window form namespace just CLI. It for learning and research purpose only. Microsoft also publish it code under MPL at codeplex. Please read license carefully even for opensource there is difference between GPL and LGPL too. Reverse engineering for learning purpose it i think ok in case e.g some issue comeup that is not in you code you might like to debug it. For that purpose microsoft have allow use of it framework source directly from its symbol server. Youc an configure visual studio to download source and symbol:t for any .NET framework and debug it to so how and what happen in framework code. Here is a very good article how to do that at shawn burke blog.

0

精彩评论

暂无评论...
验证码 换一张
取 消