Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I protect my .NET assemblies from decompilation?

People also ask

What technique can be used to avoid decompilation?

Code obfuscation is the standard technique to prevent hackers from decompiling or reverse engineering source code.

How do I protect my DLL?

Strip all symbols. Use a . DEF file and an import library to have only anonymous exports known only by their export ids. Keep the DLL in a resource and expose it in the file system (under a suitably obscure name, perhaps even generated at run time) only when running.

Can you protect C# code?

You can't.

Can C# be decompiled?

You can now use Visual Studio to decompile managed code even if you don't have the symbols, allowing you to look at code, inspect variables and set breakpoints.


One thing to keep in mind is that you want to do this in a way that makes business sense. To do that, you need to define your goals. So, exactly what are your goals?

Preventing piracy? That goal is not achievable. Even native code can be decompiled or cracked; the multitude of warez available online (even for products like Windows and Photoshop) is proof a determined hacker can always gain access.

If you can't prevent piracy, then how about merely reducing it? This, too, is misguided. It only takes one person cracking your code for it to be available to everyone. You have to be lucky every time. The pirates only have to be lucky once.

I put it to you the goal should be to maximize profits. You appear to believe that stopping piracy is necessary to this endeavor. It is not. Profit is simply revenue minus costs. Stopping piracy increases costs. It takes effort, which means adding cost somewhere in the process, and so reduces that side of the equation. Protecting your product also fails to increase your revenue. I know you look at all those pirates and see all the money you could make if only they would pay your license fees instead, but the reality is this will never happen. There is some hyperbole here, but it generally holds that pirates who are unable to crack your security will either find a similar product they can crack or do without. They will never buy it instead, and therefore they do not represent lost sales.

Additionally, securing your product actually reduces revenue. There are two reasons for this. One is the small percentage of customers who have trouble with your activation or security, and therefore decide not to buy again or ask for their money back. The other is the small percentage of people who actually try a pirated version of software to make sure it works before buying. Limiting the pirated distribution of your product (if you are somehow able to succeed at this) prevents these people from ever trying your product, and so they will never buy it. Moreover, piracy can also help your product spread to a wider audience, thus reaching more people who will be willing to pay for it.

A better strategy is to assume that your product will be pirated, and think about ways to take advantage of the situation. A couple more links on the topic:
How do i prevent my code from being stolen?
Securing a .NET Application


At work here we use Dotfuscator from PreEmptive Solutions.

Although it's impossible to protect .NET assemblies 100% Dotfuscator makes it hard enough I think. I comes with a lot of obfuscation techniques;

Cross Assembly Renaming
Renaming Schemes
Renaming Prefix
Enhanced Overload Induction
Incremental Obfuscation
HTML Renaming Report
Control Flow
String Encryption

And it turned out that they're not very expensive for small companies. They have a special pricing for small companies.

(No I'm not working for PreEmptive ;-))

There are freeware alternatives of course;


Host your service in any cloud service provider.


How to preventing decompilation of any C# application

Pretty much describes the entire situation.

At some point the code will have to be translated to VM bytecode, and the user can get at it then.

Machine code isn't that much different either. A good interactive disassembler/debugger like IDA Pro makes just about any native application transparent. The debugger is smart enough to use AI to identify common APIs, compiler optimizations, etc. it allows the user to meticuloulsy rebuild higher level constructs from the assembly generated from machine code.

And IDA Pro supports .Net to some extent too.

Honestly, after working on an reverse engineering ( for compatibility ) project for a few years, the main thing I got out of my experience is that I probably shouldn't worry too much about people stealing my code. If anyone wants it, it will never be very hard to get it no matter what scheme I implement.