Protecting my code from reverse engineering

Question

As discussed in similar questions here and here I want to protect my code from reverse engineering.

My situation is as Simucal describes in his (excellent) answer here:

Basically, what it comes down to is the only chance you have of being targeted for source theft is if you have some very specific, hard to engineer, algorithm related to your domain that gives you a leg up on your competition. This is just about the only time it would be cost-effective to attempt to reverse engineer a small portion of your application.

I have exactly this situation. A hard to engineer algorithm which is elegant and valuable for our specific domain.

After spending months fine tuning and developing this the end result is very compact (approx. 100 lines of code) and elegant. I want to protect this specific part of the code from reverse engineering or at least make it reasonable difficult.

The scenario is a rich-client application written in C# and I have to deploy this part of the code - I cannot execute it from a webservice.

I think extracting the code and rewriting it in a unmanaged native binary is not an option due to performance reasons (and cross boundary issues).

Initially I wanted to do simple obfuscation but given the small size of the code I don't think this will offer much protection.

Ideally I would like to protect my whole application but there are two main issues that seem to make ordinary obfuscaters and 3rd party packers difficult to use:

1. The application offers a plugin interface and therefore some assemblies (and interfaces/classes) should not be obfuscated and packed

2. We still want to be able to get to a real stack trace when receiving error reports - potentially this could be done my mapping obfuscation to the real code.

Setting these issues aside (although I would appreciate any input on this as well), what is a good way to protect a tiny part of my code from reverse engineering? I am not concerned about anyone altering or hacking the code but want to make it difficult to understand and reverse engineer it.

Answer 1

It cannot be done. If your code can be run, then it can be read and reverse-engineered. All you can do is make it a little harder and, believe me, it will only be a little harder. You may not like the fact but most crackers are far better at cracking than anyone else is at making things hard to crack. The amount of effort to protect your code is usually not worth it, especially if it disadvantages your paying customers. Witness the stunning non-successes of DRM.

My advice is to not worry about it. If your algorithm is truly novel, seek a patent (although that got a little harder with the Bilski decision unless you tie it to a specific hardware implementation). Relying on trade secrets is also useless unless you only distribute your software to those that sign contracts that ensure they will not allow unfettered access. And then, you have to have a way to police this. The minute you put the binaries up on the internet or distributed them without a contract, I believe you'll be deemed to have lost trade secret status.

Relying on licensing is also fraught with danger - you may think that you can insert clauses in your license that prohibit reverse-engineering but many jurisdictions around the world specifically disallow those provisions. And the Russian mobsters who whoever are responsible for most of the cracking are unlikely to honor said provisions anyway.

Why don't you just concentrate on making your product the best it can be? The goal is to stay ahead of the crowd rather than lock them out altogether. Being the first to deliver and always having the best product in a competitive group will ensure your prosperity far more than wasting a lot of effort on useless protection (IMNSHO).

This is just my opinion. I may be wrong. I've been wrong before, you only need ask my wife :-)