* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Dot net security


We are releasing a new version of our tool, made with .net 4.5 and WPF. We started to check obfuscation tools and other stuff to make it harder to have the source code. We don't care a lot about cracking, but we don't want to release our source code. We work in a niche market, providing tools for engineers.

So far, we have been using HASP (SafeNet) with a hardlock, but this time we need to deliver a reader for our application. This reader would not use the hardlock and because of this, we started to question how can we deploy our app with a reasonable protection to our intellectual property?

Most obfuscation tools are easily opened by de4dot and even Themida has the unthemida tools...
When we use HASP, the source code is obfuscated and if you use a tool like .net Reflector, it wouldn't show the source code of that method (it displays the method signature, but crashes when you ask for the source code... tested with .Net Reflector 8). This level of protection is ok for us, but it requires the hardlock.

We accept the fact that no solution is 100% safe, but we are looking for something without an automated tool to open it.

Any alternative product to protect .Net source code without a hardlock?
DotScared
Tuesday, February 05, 2013
Yet another honeypot question for Wyatt.
Expecting his answer in 3...2...1.....

(Try using the search functionality, the search term "Wyatt" is a good bet)
Magnus J
Tuesday, February 05, 2013
I don't think his solution covers source code protection.

We just want to protect our source code. The utility would be given to potential clients, as a reader version of our tool.

We don't want to pay license fees to distribute a free reader. But we can buy a commercial tool to protect the code being delivered. The main question is: do you know any tool for this?
DotScared
Tuesday, February 05, 2013
I would recommend Eazfuscator.

You can try their feature named "virtualization".

Richard Collins
Tuesday, February 05, 2013
>> "I don't think his solution covers source code protection."

You're absolutely right, LimeLM doesn't do "code protection" / Obfuscation. We don't sell the obfuscation placebo because it's dishonest.

All obfuscation can be undone (yes, that includes "code virtualization"). You've already mentioned de4dot (https://bitbucket.org/0xd4d/de4dot/ ). That's just one of dozens of tools to completely undo all obfuscation.

>> "Any alternative product to protect .Net source code without a hardlock?"

Yes. Keep your code on your servers. Have your reader app send out the rendered view of the file.

If that's unworkable (because of, for instance, large filesizes or inadequate server capacity) then your next best option is to just compile your app and release what the compiler produces.

Don't waste your time or money on obfuscators.
Wyatt O'Day
Tuesday, February 05, 2013
What about rewriting your application in native code?  It seems to me that is the only proven reliable way to obfuscate your code.  How lucrative is the market for engineering tools, and how likely is it that someone will test all the calls in your application to the CLI in order to either crack your application or do an unauthorized fork?  If AutoCAD is any guide, engineers need tons of support, you can't hack that.
Howard Ness
Tuesday, February 05, 2013
"Don't waste your time or money on obfuscators"

Right now your best bet might be to use a product like Confuser 1.9 which is Free.  De4dot (a powerful obfuscator) cannot unpack it and it currently defeats the one click tools that newbie crackers like to use. 

Wyatt is right that if they really want your code...they will get it but why make it easy for them?  The more you learn about the tools that hackers use to decompile  .net assemblies the better your protection will be.

Here is the homepage to Confuser.  You might need to play with the settings a bit to get it working right.

Frank Coukos
Tuesday, February 05, 2013
I meant that de4dot is a powerful DEOBFUSCATOR.  Meaning it reverses the assembly back to its original form after the file has been obfuscated.
Frank Coukos
Tuesday, February 05, 2013
Released a product with a separate reader back in .Net 1.1 days. I used preprocessor directives and a separate build to take as much code as possible out of the reader version.
Oh to be anon again!
Tuesday, February 05, 2013
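The separate-build approach from the post above, sketched as an added example (not the poster's code): proprietary code is compiled out of the reader edition, and a check fails the reader build if any of it leaks back in. `READER_BUILD`, `Acme.Viewer` and `Acme.Engine` are hypothetical names; the symbol is set with `csc /define:READER_BUILD` or `<DefineConstants>` in the project file.

```csharp
using System;
using System.Linq;
using System.Reflection;

namespace Acme.Viewer   // hypothetical: shipped in both editions
{
    public static class ResultViewer
    {
        public static string Describe(double[] results)
        {
            return string.Format("{0} values, max {1:F2}", results.Length, results.Max());
        }
    }
}

#if !READER_BUILD
namespace Acme.Engine   // hypothetical: proprietary, full edition only
{
    public static class Solver
    {
        // Stand-in for the real algorithm; never compiled into the reader.
        public static double[] Solve(double[] input)
        {
            return input.Select(x => x * x).ToArray();
        }
    }
}
#endif

public static class BuildCheck
{
    // Namespaces that must never appear in the reader assembly.
    static readonly string[] Forbidden = { "Acme.Engine" };

    // Full names of types in 'asm' that live under a forbidden namespace.
    public static string[] LeakedTypes(Assembly asm)
    {
        return asm.GetTypes()
            .Where(t => t.Namespace != null && Forbidden.Any(
                f => t.Namespace == f || t.Namespace.StartsWith(f + ".")))
            .Select(t => t.FullName)
            .ToArray();
    }

    public static int Main()
    {
        string[] leaked = LeakedTypes(Assembly.GetExecutingAssembly());
        foreach (string name in leaked) Console.Error.WriteLine("proprietary type present: " + name);
        Console.WriteLine(ResultViewer.Describe(new[] { 1.0, 2.5 }));
#if READER_BUILD
        return leaked.Length == 0 ? 0 : 1;   // reader build must contain none
#else
        return 0;                            // full build: listing is informational
#endif
    }
}
```

Code that is absent from the reader assembly cannot be recovered by any decompiler or deobfuscator, so the check belongs in the release pipeline for the reader edition.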
Thank you guys, all these comments were really useful.

@Frank, you're right. We want protection against wannabe hackers that use one-click tools. I will test Confuser; I didn't know it before. Thank you.

"Don't waste your time or money on obfuscators"

I think Wyatt has a very good point here. I tested "obfuscators" from $100 to $2000 and most of them failed to protect the code, even against de4dot! The only exception was Eazfuscator, but it is on the de4dot kill list, so I think it will be only a matter of time until they crack the December 2012 version. In respect to these points, I have to agree obfuscation like that is a kind of scam. You think you are buying something strong... until you test it against de4dot :-( It is so unbelievable that I found many obfuscation and protection tools cracked on Google! If they can't protect themselves, imagine what they will do with your code :D

For this solution, our reader-only version, we will sell the reader with a hardlock key. Our clients will be charged, but not a lot. The best is to move critical code to C++ and leave only UI and minor stuff in C#.

I still have to try Confuser.
DotScared
Wednesday, February 06, 2013
I'd recommend you try ILProtector. It's a free protector for .NET applications. The latest versions are not cracked by de4dot, by the way.

Here is the link: http://www.vgrsoft.com/en/products/ilp
Hazel M.
Thursday, February 14, 2013
Try Crypto Obfuscator - http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

de4dot does not work on assemblies obfuscated with the latest version of Crypto Obfuscator.

Further, even if it works on older assemblies, the de-obfuscated code is nowhere close to original. Also, none of the original class/method/property/field names can be recovered, so the code is unlikely to make much sense.

If a new version of de4dot is released which attempts to improve its de-obfuscation over the previous version, we immediately release a new build of Crypto Obfuscator which thwarts it completely.

Note that no matter what scheme is used, there is always a very small chance that it may be cracked - a 100% uncrackable scheme does not exist. If some company says their scheme is uncrackable, they are lying or ignorant. Your aim should not be to find an uncrackable system, but to use a system which offers reasonably strong protection, is easy to use, has good support and is reasonably priced.
ssware
Friday, February 22, 2013
I was going to write a point by point rebuttal of that idiocy, Atul (ssware), but we've already done this dance before. What was it, 3 months ago? You're selling the same lies, hoping your customers aren't sophisticated enough to know the crap you're selling is lies.

>> "If some company says their scheme is uncrackable, they are lying [...]"

That made me laugh. The classic liar's paradox. Let James T. Kirk explain: http://www.youtube.com/watch?v=wlMegqgGORY#t=67s
Wyatt O'Day
Saturday, February 23, 2013

This topic is archived. No further replies will be accepted.
