* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Protecting critical source code

There has been a lot of discussion in this forum about code protection, licensing, etc., so I thought I would ask if I am correct in assuming that a C++ DLL is more difficult to extract the source code than C#?

C# is my primary language. I want to "hide" a key intellectual property section of code in my C# application by moving it to a C++ DLL. I would have to learn C++ but the DLL would only be a few lines of code with no libraries required.

I know ALL the arguments about cracking, hacking, etc. My app is not worth a lot of effort to hack it so I just want to make it hard enough to discourage hackers so they will move on to something easier or more worth their effort.
Bill Anonomist
Tuesday, June 18, 2013
 
 
I don't think the language you use will make any difference, especially if, as you say, it is just a small piece of code. Even assembler is pretty easy to understand, if you disassemble the opcodes.
Scorpio
Tuesday, June 18, 2013
 
 
@Scorpio

I realize that. I just want to make it a little bit harder than copying my source code, which is pretty easy with C# - even if obfuscated, there are de-obfuscators. The problem scenario is a developer-employee in a company who downloads the trial and can copy the code into Visual Studio and run it to solve an immediate problem, rather than asking for permission to purchase the program. And maybe they claim to have solved the problem on their own. But I don't see them taking the time to figure out how the program works and then writing their own code.
Bill Anonomist
Tuesday, June 18, 2013
 
 
Bill Anonomist: I think you're giving too much credit to most employees. One of the good things of selling to business is that it isn't the buyer's own money, so he isn't interested in making such an effort to save it. For example if it costs the employee 3 hours to decompile your program and solve the problem instead of just referring it to his boss and making the company do a purchase of some few hundred bills, most will choose the latter. Only if really time pressed he'd think of decompiling it.

Now, if you found a really good way of doing something, and want to prevent it getting on competitor's hands, then yes a DLL is harder to decompile. I think you might have some problems with a 32-bit DLL on 64-bit systems, you'll have to investigate more about it.

Either way, even then a competitor could try to black-box your DLL, and use your compiled code on their application. You'd have to make sure that it's your application calling the DLL, and I think it's not possible. Even if you encrypted the calls, the competitor could decompile the calls in C# and call the DLL exactly as your program.

I suggest you invest all the time and energy fighting this fantasy employee or super competitor improving your marketing skills instead.
Mauricio Macedo
Tuesday, June 18, 2013
 
 
@Mauricio

I know for a fact this is happening. In a few cases it is a contract programmer working on-site. They want the fastest way to get something done and don't want the company to know how.
I am not concerned about competitors or anyone trying to use my code to create a commercial product with it.

Anyway, you answered my question about C++ and that is all I really wanted so thanks for that. I did not want to start another discourse on this forum about hacking.
Bill Anonomist
Tuesday, June 18, 2013
 
 
Yes, compiled C++ provides less useful decompiled output than that of C# bytecode.

Obviously strip all symbols. I also recommend writing the code not in a structured manner with lots of functions but as a monolithic function, which does not depend on external libraries, which does its own stack allocation as much as possible, and which makes liberal use of gotos and labels. Also pack in there a bunch of bogus code that is executed and does mysterious things, but which are not used.
Scott
Tuesday, June 18, 2013
 
 
>I just want to make it hard enough to discourage hackers so they will move on to something easier or more worth their effort.

The harder it is, the more kudos they get.

You might find this interesting or useful:
http://successfulsoftware.net/2011/04/07/interview-with-a-cracker/
Andy Brice
Tuesday, June 18, 2013
 
 
"the DLL would only be a few lines of code with no libraries required"
Is it feasible to use a web service?
codingreal
Tuesday, June 18, 2013
 
 
Something like this would make your few lines of code very hard to break:

http://www.validy.com/en/products/softnaos/

Basically, a hacker would have to reverse engineer a physical chip.

The downside of this approach is a HUGE performance hit - my simple test had become 40000 times slower:

http://www.excelsior-usa.com/blog/excelsior-jet/java-bytecode-encryption-revisited/

Finally, this one is for Java, not sure if there are analogs for .NET.
Dmitry Leskov
Wednesday, June 19, 2013
 
 
Bill Anonomist: The point I was trying to make is that you can hide your key code in a DLL, but this won't prevent the contractor programmer from using your DLL. If I understood correctly you want to insert your license code checking in the DLL alongside some critical function. It's possible that it'll make it more difficult to be used by some less sophisticated programmers.

We do the same with our product, but for other reasons. It started as a Delphi product and we are migrating to Web/C#. So we refactored the Delphi code to work as a webservice.
Mauricio Macedo
Wednesday, June 19, 2013
 
 
@Mauricio

No. Not putting license checking there. The DLL will handle a small, but critical, part of the "secret sauce" to how the application works.

I got the answer I wanted, which is Yes, C++ is a bit harder to get to the source code. So in Stack Overflow style, I accept Scott's answer and this question is closed as far as I am concerned.
Bill Anonomist
Wednesday, June 19, 2013
 
 
Also - make the exported function names incomprehensible, like a letter followed by a bunch of numbers, or something innocuous like str_span(). And turn on maximum optimization for size.
Scott
Wednesday, June 19, 2013
 
 
To follow up that last post by Scott... one way to do this without making your code incomprehensible to you is the following:

Use dumpbin.exe to get a list of all symbols in the DLL.  Then make an include file that redefines all the symbols to something incomprehensible, and include that file at the beginning of every source file.

So, for example:

file obfuscate.h:

#define doSomethingTopSecretHere lkxoik
#define secretGlobal jjxpzy

file main.cpp:

#include "obfuscate.h"

float secretGlobal = 3.0f;

void doSomethingTopSecretHere()
{
  // ...
}
Steven Merel
Thursday, June 20, 2013
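
Added example, not part of the thread or any poster's code: a build-time helper that turns a dumpbin /exports listing into the obfuscate.h described in the post above. It assumes undecorated extern "C" exports; the sample listing is constructed, and the function names, the salt and the hash-based alias scheme are illustrative choices.

```python
import hashlib
import re

# Constructed sample of `dumpbin /exports` output (not taken from a real DLL).
SAMPLE_DUMPBIN = """\
    ordinal hint RVA      name

          1    0 00001000 doSomethingTopSecretHere
          2    1 00004000 secretGlobal

  Summary

        1000 .data
        2000 .text
"""

# An export row is: ordinal, hint, 8-hex-digit RVA, then the symbol name.
EXPORT_ROW = re.compile(r"^\s*\d+\s+[0-9A-Fa-f]+\s+[0-9A-Fa-f]{8}\s+(\S+)")
C_IDENTIFIER = re.compile(r"^[A-Za-z_]\w*$")


def parse_exports(dumpbin_text):
    """Return exported names that are plain C identifiers, in table order."""
    names = []
    for line in dumpbin_text.splitlines():
        m = EXPORT_ROW.match(line)
        # Decorated C++ names (?foo@@YAXXZ) cannot be #define'd; skip them.
        if m and C_IDENTIFIER.match(m.group(1)):
            names.append(m.group(1))
    return names


def opaque_name(symbol, salt):
    """Map a symbol to a stable, meaningless identifier (hypothetical scheme)."""
    digest = hashlib.sha256((salt + ":" + symbol).encode()).hexdigest()
    return "z" + digest[:10]  # leading letter keeps it a valid C identifier


def make_header(names, salt):
    """Build the text of obfuscate.h, refusing to emit colliding aliases."""
    mapping = {n: opaque_name(n, salt) for n in names}
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("alias collision; change the salt")
    lines = ["#pragma once"]
    lines += [f"#define {n} {alias}" for n, alias in mapping.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(make_header(parse_exports(SAMPLE_DUMPBIN), salt="per-project-salt"))
```

Keeping the salt fixed per project keeps the aliases stable between builds, which matters because the C# caller has to name the alias in its DllImport EntryPoint. The renaming only hides intent; the exported function stays callable by anything that loads the DLL.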
 
 
