Hi Guys

Last week i tried to crack a library of a package that we use in our app - I reverse engineered it. Yah the package was obfuscated and had strongnames - but it only took me 2 hours to crack the package and have all the source code back into a usable format.

I noticed that the obfuscated variable names for example "0x13faff41" was always unique throughout the library. So i you had a variable X of type string it would be called X everywhere and you could basically just do a global replace throughout the project to change "0x13faff41" to readable name like "FontName" ... You start to understand what the variables and classes are being used for after studing the flow of the library a bit. Remember that the class types are not encrypted or mangles at all only procedure, functions and variable names.

After cracking this package so easily i wondered how easily my own would be cracked because i spent quite sometime protecting my libraries using all the suggestions that Otis gave me a few months ago. See - http://www.llblgen.com/tinyforum/Messages.aspx?ThreadID=1652

It took be about an hour to crack one of my libraries. This made me start to worry!!! Is there nothing that you can do to safe guard against people stealing your work? I think this is a serios problem for .Net!! No wonder none of M$ programs are written in .Net.

Strong Names are useless as it does not protect you from people referse engineering your assemblies. Obfuscation just makes it difficult to compile reverse engineerd code. So what else can a person do?

Dotfuscator Pro claims that they can spoil disassemblers:

http://dotfuscator.com/products/dotfuscator/Features.html

Also, there are products that will compile your app to native code...

http://www.xenocode.com/ http://thinstall.com/help/index.html?linking_netframework.htm http://www.remotesoft.com/linker/intro.html

BOb

Every copy protection scheme will be broken. One takes more time than another. As Eric Sink once wrote in one of his excellent blog items: spending a terrible long time on copy protection is a waste of time, mainly because 1) it will be broken anyway if they really want to and 2) most people are actually pretty honest.

Obfuscation, signed xml license files, what more can you do? In the end, some cracker simply purchases a license with a stolen creditcard (happend to us a couple of times in the past 2 years), which thus gets refunded (as the official cardholder hasn't purchased it) and there is a license floating around. No cracking needed.

It's a given, and once you've done what you could, you just have to accept it, it will get rid of a lot of stress

Btw: cracking someone elses library isn't something you should do, especially when you're using it in your own application. Just pay the license fee.

Otis wrote:

Btw: cracking someone elses library isn't something you should do, especially when you're using it in your own application. Just pay the license fee.

Thanks for your Concern. but you misunderstood. We naturally own all the libs that we use - our company has a no pirate software policy. It would be wrong to try and protect our own work while stealing from others.

So you guys are saying that i should not worry about this to much?... Difficult, ill see what my superiors say.

wayne wrote:

So you guys are saying that i should not worry about this to much?... Difficult, ill see what my superiors say.

Well, you'll probably never know if they do reverse it, and ignorance is bliss. If you do however, discover they have stolen your code, can't you take some sort of legal action as it is?

Besides, you will have wowed them with your amazing coding skills and they'll probably admit they stole it just so they can learn more from you about how to code. Or is that a little TOO cup half full?

wayne wrote:

So you guys are saying that i should not worry about this to much?... Difficult, ill see what my superiors say.

Jah.. spend some time on the newsgroups or torrent sites and you will quickly realize it's a waste of time to use copy protection. The best of the best have all tried to keep crackers from taking advantage of them, but I've never seen an application that wasn't crackable. Even applications that 'call home' or use physical dongles can be cracked.

I agree with Frans. Most people are suprisingly honest. The rest either can't afford (or don't think they can afford) the software they need or they're not going to pay regardless.

Consider this... Many companies release thier software HOPING it ends up in pirates' hands because it increases their exposure!

Man, it sounds like I'm a software pirate.

I'm not really worried about people copying my libraries - Makes me feel kinda, honoured and there is not really anything you can do about it. I might have used the wrong words (Copy Protection) in my title.

But what worries me is that someone can take my hard work reverse engineer it and put their name on it. It is one thing to have pirate copies floating around but what if the pirates could now claim that all your work is their own?

So it is the reverse engineer part that i am actually worried about - just imagine you write a cool Barcoding library just to find out a few months later that someone reverse engineerd it and made it open source.

How do you proof that it is yours...I mean they do have the source code - And i can garentee you that the source code won't look the same but will do the same things.

You can't prevent anyone reverse engineering your work. If you've seen a C decompiler at work once, you'll know what I mean

Software engineering is about algorithms and solutions to problems, not about code. 10 to 1 what you've written is in books for years and documented in articles all over the internet, simply because most things are already documented. Your specific implementation might be great, but that's not important. Unless you solved P = NP in your software, the chances are no-one really will reverse engineer your library and put their name on it.

(disclaimer: I'm not talking about the quality of your work, I just want to make the point that reverse engineering is not very efficient: it's more efficient to simply get an algorithm implementation from the internet or from a book)

Otis wrote:

You can't prevent anyone reverse engineering your work. If you've seen a C decompiler at work once, you'll know what I mean

Software engineering is about algorithms and solutions to problems, not about code. 10 to 1 what you've written is in books for years and documented in articles all over the internet, simply because most things are already documented. Your specific implementation might be great, but that's not important. Unless you solved P = NP in your software, the chances are no-one really will reverse engineer your library and put their name on it.

(disclaimer: I'm not talking about the quality of your work, I just want to make the point that reverse engineering is not very efficient: it's more efficient to simply get an algorithm implementation from the internet or from a book)

Ok, you do have a point there but how would you feel if you browse the Internet and find a OR Mapper that looks identical to yours - no actually it is yours but it is called Just another OR Mapper and it is open source. They might not have your Name's (LLBLGen) credability but i am sure you won't like competing against your own product especially if it is open source and free. .

Just think about it : You work your butt off for 2-3 years and somebody comes and takes your source code without giving you any compensation and even claims that they have written all the source code by themselfs.

I am sure there are books out there about every subject under the sun and yes i am sure that i dont have any special algorithms in my code that somebody would want to steal but it still remains my code until i feel like sharing it. (Mine, Mine All Mine... )

There is alot of scaly people & companies out there. Why does my brain keep thinking about M$ when talking about stealling somebody elses work?

Well at the end of this whole discussion there is not really anything that i can do about the reverse engineering problem... but thanks for everybodies input.

wayne understand your frustration but if a professional wanted to steal your code they can, they don't have to get it by reverse engineering, they can just steal it from the source, like bribe a security guard, break in to your work premises and take your computer, etc, etc...

I believe it's the novice hacker that you want to protect against and what you have done is enough IMHO... back this up with copy protection statements in your code and your covered providing that you can prove the code was yours in the first place, something very hard to do unless you can patent the ideas of the class library.

my two pennies worth....

Geoff.

Thanks Geoff

wayne wrote:

Last week i tried to crack a library of a package that we use in our app - I reverse engineered it. Yah the package was obfuscated and had strongnames - but it only took me 2 hours to crack the package and have all the source code back into a usable format.

I just got an email from a vendor who's licensing components that I used announcing that they released a new product to protect source code. I remembered this thread and thought you might want to check it out.

http://xheo.com/products/enterprise/codeveil/default.aspx

BOb

I truly hope they've now hidden their way of storing trial install info in this version. In their older versions it didn't take me very long to find that info (I looked at them to see if I should roll my own or buy their license, so I performed some normal actions any hacker would perform as well)