Disclaimer
NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.
General Overview
Before you read part 2, please make sure you already have read part 1 as it is related. In this article, I will be showing how to defend your .NET assemblies from being tampered. I do believe you have heard of the Digital Signature Approach. In short, you could actually attached a Strong Name key to the .NET Assembly to protect it from being tampered. Strong Name key is a RSA 1024 bit encryption, and to break it is not that easy at all. You need to have huge computing power to get that private key.
Why Strong Name??
When it was first introduced to me, I had no idea what it meant.
1st Scenario :
I am not sure whether this had happened to you, but it did for me. I was thinking of securing my .NET Assemblies a while ago, and I tried reading up on articles regarding how to do so. From what I read, it recommended me to use Strong Name key. It continued to explain about the benefits of it, but it was rather vague. It assumed that I could visualize what the author could which in the end, left me wondering about what so special is this so-called Strong Name.
Why did I feel this way? Well, reason being that I had many doubts about it. It did not encrypt my codes nor did it hide my codes from decompilers such as .NET Reflector. It isn't even related to obfuscation. So then what is Strong Name for? Some marketing tool to convince the public that the assemblies it protects is secure?
2nd Scenario :
Your superior comes to you and asks you to implement a Strong Name key in your assemblies. And then when you reply, why Strong Name, they would say this is what other people are doing in the industry; we should follow them as well.
The Demonstration
In this demo, I will show you the usage of attaching a Strong Name key to your assemblies.
Test machine specifications :
1. Open the Visual Studio .NET 2003 command prompt and make sure you access to the directory where your source files or solution files resides. 2. Type “sn –k sn.key”
3. The strong name has been successfully created. Now how do you attach it to your solution?
4. Open up the source code for AssemblyInfo.cs in your CrackingIL solution and enter this code inside AssemblyKeyFile.
5. Build your project and run it by pressing F5 in Visual Studio .NET 2003.
6. Now, open up the Visual Studio .NET 2003 command prompt and type “ildasm CrackingIL.exe /out=CrackingIL.il”
7. Open up the CrackingIL.il with any text editor. I chose Notepad.
8. Search for this line:
9. Then change it from “Welcome to NeCoders” to “I can’t hack you, why!”
10. Save the file. Type this command “ilasm CrackingIL.il” in Visual Studio .NET 2003 command prompt.
11. Execute the CrackingIL.exe.
You will see the above and this:
12. It means that you just can’t simply manipulate someone else's .NET assembly and convert it back. Congratulations, you have successfully protected your assembly with Strong Name.
Conclusion
I hope that from this article, you manage to gain some brief idea about Strong Name and how it helps to protect your .NET assembly. I have finished the part 3 of this series. Please do check it out.
References
None
|
|
 |
 | Protection
joejoe GOD's Son | 1:11 28 May '05 |
|
|
This is a great article !
Why don't you write your own .net protector ?
Any hot new tricks ?
jj
|
|
|
|
|
|
|
Well I am busy with work. Sigh...
Anyway I will be releasing my very own obfuscation. No promises.
I think i will release some screen shots somewhere around august 2, 2005.
And yeah, it is free
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
|
|
Seems like we have to stay in contact :->
Good news ! If you need help with designing the app, ask me.
BTW, how does the QND Obuscator work ? It throws an exception whenever i want to obfuscate an app.
jj
|
|
|
|
|
|
|
this is a dead link 
|
|
|
|
|
| hacking strong names
Anonymous | 1:35 20 Jan '05 |
|
|
I have read its possible to hack strong names by disassembling an assembly, removing all traces of strongname and recompiling.
Presumably you could also hack by : Create a new hack key file, replace the public key embedded in assembly with your hack public key (by disassemble, reassemble), hash the source code and encrypt hash with your hack private key to get hack digital-signature, replace signature in assembly with your hack version ( by disassemble/reassemble )
Is this a real threat ?
|
|
|
|
|
| Great articles
Judah Himango | 8:01 18 Nov '04 |
|
|
I find both part 1 and part 2 of your articles very informative.
Your name rings a bell too; I seem to remember you from the WildTangent developer forums. If you are indeed that person, then hello from Swamii.
Any remotely useful information on my blog will be removed immediately. There are 10 kinds of people in the world. Those who have heard of the ubiquitous, overused, worn-out-like-an-old-shoe binary "joke" and those who haven't.
Judah Himango
|
|
|
|
|
|
|
Thanks Swamii. Yeah, i remembered who you are. The one who always help me in WT days
Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
| Good article
sinus-c | 0:14 1 Nov '04 |
|
|
I am always on the lookout for more ways to protect my sourcecode, and the ones I've found so far is strong name signing and obfuscation.
Have you got any more tricks up your sleave?
/sinus-c
|
|
|
|
|
|
|
Hi there,
Thanks for the comments. This was my 1st time writing articles, so i was hoping someone to give some comments.
Please look out for Part 3 (in the process, i guess) - breaking strong name assemblies...
I will discuss more tips and tricks on protecting in article 4 and onwards.
Thanks again
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
|
|
I agree. Very good article!
|
|
|
|
|
|
|
Thanx alot for the information. One question, do we have any free software/product that help us in the obfuscating of .Net Code.
regards,
-Zeeshan
|
|
|
|
|
|
|
|
|
|
Chua -
Good article.
Zeeshan -
Dotfuscator community edition is included in .NET Studio. This is a basic obfuscator.
|
|
|
|
|
|
|
I Agree, that it is a really great Article.
But who thinks that Micro$ofts IL is secure?
If you want professionaly protect your applications
you should use "PC Guard for .NET V5" from Sofpro.
Than the Crackers have to invest much more time
to steal your Application.
http://www.sofpro.com/e_pcgw32.htm
|
|
|
|
|
|
|
Could this be an advert? Or a real recommendation from a developer? Who knows?
|
|
|
|
|
|
|
"PC Guard for .NET V5" from Sofpro can only hide your assembly, if you encrypt your application too. You can't encrypt ADDIns for other applications.
Greetings
Danger.IQ
|
|
|
|
|
|
|
Last Updated 1 Nov 2004 |
Advertise |
Privacy |
Terms of Use |
Copyright ©
CodeProject, 1999-2010
