Right, I am talking about license validation code in a desktop application, e.g. a method bool ValidateLicense(string licenseCode). Of course, any protection scheme can be reverse engineered by a skilled and determined cracker. However, I'd like to prevent anyone with some basic programming knowledge from using Reflector to build a keygen in a couple of minutes.
Possible approaches
1. Obfuscate. My understanding is that obfuscating causes a performance overhead and may hinder (legitimate) debugging. So are there tools that allow obfuscating only selected methods?
2. Move method to ngen'ed assembly or unmanaged DLL. But isn't this an invitation to simply replace the DLL? Any ideas how to prevent this (read: make it a bit harder for an attacker)?
3. Other?
PS: This question is obviously related to "Protect .NET code from reverse engineering?"; I'm trying to put thoughts from there into practice.
UPDATE
To 1. A first obfuscation step would surely be to rename the validation method. (Thanks, Jonathan)
To 2. Assuming the application uses Win32 API methods one could re-route the calls through an unmanaged DLL thereby making it an integral part of the application. Fiddling with the method signatures (e.g. change name, swap parameters) would make this less obvious. Do you think the innate drawbacks are justified?
To 3. "Don't distribute the validation method" belongs here. Keep it on your server and call it remotely, i.e. use online validation. (Thanks, David Hedlund)
Eazfuscator lets you obfuscate your code only in Release. We're using it and don't feel any performance problem. It lets you obfuscate selected methods too. Note that public methods can't be obfuscated.
Any function like your ValidateLicense can be easily modified with a good reflector by inserting a return true as the first line :( I recommend this article about code injection in assemblies: http://www.codeproject.com/Articles/20565/Assembly-Manipulation-and-C-VB-NET-Code-Injection
You should sign your assemblies to avoid modifications, but... the signature can also be removed with the proper tools: http://www.nirsoft.net/dot_net_tools/strong_name_remove.html
Sorry, but there isn't any trick to avoid reverse engineering in .NET; you can only make things harder (e.g. don't name your function ValidateLicense, and make your validation logic a bit cryptic).
One approach that a lot of software vendors have adopted is to require online activation. That way, the key validation code can be executed only at your server, which would make it less accessible to would-be hackers.
Of course, then you introduce the new vulnerability of simply re-routing the validation call to a custom server that sends a success response, if the hacker knows or can extract information on how such a response is expected to look. But then, as you point out, there will always be someone who will be able to hack your product, so I would still say this is a viable option.
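Added example, not part of the answers above: one way to blunt the re-routing problem is to have the server sign its verdict over the license code and a fresh client nonce, so that a substitute server without the private key cannot produce an acceptable "success" response and an old response cannot be replayed. All names here (ActivationDemo, ServerRespond, ClientAccepts, the DEMO-1234 code) are hypothetical, the "server" runs in-process so the sample works offline, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ActivationDemo
{
    // Message both sides sign/verify: binds the verdict to this license code and this request.
    static byte[] Payload(string licenseCode, byte[] nonce, bool valid) =>
        Encoding.UTF8.GetBytes($"{licenseCode}|{Convert.ToBase64String(nonce)}|{(valid ? "VALID" : "INVALID")}");

    // Server side (hypothetical): decides validity and signs the verdict with its private key.
    static byte[] ServerRespond(ECDsa serverKey, string licenseCode, byte[] nonce, out bool valid)
    {
        valid = licenseCode == "DEMO-1234"; // constructed stand-in for a real license lookup
        return serverKey.SignData(Payload(licenseCode, nonce, valid), HashAlgorithmName.SHA256);
    }

    // Client side: only the public key ships with the application.
    static bool ClientAccepts(byte[] serverPublicKey, string licenseCode, byte[] nonce, byte[] signature)
    {
        using var pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(serverPublicKey, out _);
        // Accept only a signed "VALID" verdict for this exact license code and nonce.
        return pub.VerifyData(Payload(licenseCode, nonce, true), signature, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        // Constructed key pair standing in for the vendor's long-term signing key.
        using var serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] publicKey = serverKey.ExportSubjectPublicKeyInfo();

        byte[] nonce = RandomNumberGenerator.GetBytes(16); // fresh per activation request
        byte[] sig = ServerRespond(serverKey, "DEMO-1234", nonce, out _);
        Console.WriteLine($"genuine response accepted: {ClientAccepts(publicKey, "DEMO-1234", nonce, sig)}");

        // The same signed response presented against a new request nonce.
        byte[] nonce2 = RandomNumberGenerator.GetBytes(16);
        Console.WriteLine($"replayed response accepted: {ClientAccepts(publicKey, "DEMO-1234", nonce2, sig)}");

        // A response signed by a key other than the vendor's.
        using var otherKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] foreignSig = ServerRespond(otherKey, "DEMO-1234", nonce2, out _);
        Console.WriteLine($"foreign-key response accepted: {ClientAccepts(publicKey, "DEMO-1234", nonce2, foreignSig)}");
    }
}
```

This covers only the substitute-server case; a client binary patched to skip the check, as described in the first answer, is unaffected by it.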