Unity [.net] Making .Net Decompilation Harder

thannett    214
I've been working on an application in C++ .Net for a couple of months now, and I'm thinking about possibly selling it. So I was looking around at ways to secure .Net applications when I found Reflector. According to the website, Reflector does the following: "Reflector is the class browser, code explorer, code analyzer and documentation viewer for .NET. Reflector allows to easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic, C++, IL assembly, Delphi and Chrome." So I ran it on my application, and pretty soon it was giving me the source code to my application. Since then I've been trying to find ways to thwart the decompiler; there are several different solutions that I have come across, but they are all fairly pricey. I've got Dotfuscator Community Edition, but most of its features are turned off, and I don't know if it will offer much protection. So I was wondering if you guys knew any free solutions? Thx.

blaze02    100
In .NET, go to your project properties. Start with release mode. Turn on all the optimization settings you can. Turn off all the debug settings you can. I think the key one is omit frame pointers. I've heard that helps. Once you tweak all the settings, do a clean rebuild and try to decompile that.

Hope it helps.

OrangyTang    1298
Quote:
Original post by thannett
Since then I've been trying to find ways to thwart the decompiler; there are several different solutions that I have come across, but they are all fairly pricey. I've got Dotfuscator Community Edition, but most of its features are turned off, and I don't know if it will offer much protection.

If you're not willing to fork out any money to protect your code, then what are you trying to protect against?

It may be depressing but the sad fact is this: your code[1] is worthless to other people. It needs assets, build processes, build tools, etc. etc. to be actually usable - and even then it's still not worth much; most code is filler, boilerplate stuff which is heavily tied to the way you've done things.

IMHO the only real reason you'd care was if you genuinely had some new/revolutionary/unique algorithms that you don't want someone else to see. And if you've got that then forking out some money for proper obfuscation tools shouldn't be a problem.

[1] By which I mean your code, my code and pretty much all code out there.

thannett    214
That's true... I would fork out some money, but the sad fact is that I don't have any to fork out. I'd like to have some kind of protection, because I'd like to try to sell this application, so it'd be nice if people couldn't look at my code and remove any copy protection that I put in. I guess you're right, nobody is really going to care that much about decompiling my app; it just bothers me that people can pop open my app and see the source like that. Thx.

Talonius    643
Unavoidable, really. When you get down to it the Framework has to be able to read your application so no matter how much you obfuscate it, it must remain readable to the Framework. shrug. C++ is decompilable as well - however, it didn't retain all the metadata which provides for the clean C# decompilations. (That same metadata is required for .Net to analyze and work with your assemblies.)

No matter what you do - application or game - it'll be pirated and stolen. There's still a great number of people in the world who are honest and will pay you for your efforts, if they find them worthwhile.

RipTorn    722
Your best defence is to sign your assemblies. This does not encrypt them, however it means that if someone were to crack one, they would have to crack all of them, as any modifications to a single assembly would prevent the others from running.
This is most advantageous with web apps that download new content (and code potentially) at runtime. If you wanted to get tricky, you could send a serialised object over the web, get the server to check the public key, and then send a modified object back which is used by the app. To make it more tricky, you can do funky things like put a stack walk in the static constructor of the serialised type, to make sure the correct app is initialising it.

But at the end of the day, the harder you make it, the more challenge it will be to crack, and the bigger challenge the more fun the cracker will find it. You can end up encouraging piracy.

Just as long as you are careful with your users' private details then you are ok, i.e. salting passwords, etc. (in the case of an internet-aware app).

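As an added example (not part of the original thread or any poster's code): a Python sketch that reads the PE and CLI headers of an assembly file and reports whether it is marked strong-name signed, the kind of signing the last post refers to. The function names and the minimal sample image are constructed for illustration.

```python
import struct

COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8  # bit in the CLI header Flags field
CLI_DIR = 14                           # PE data-directory slot of the CLI header

def strong_name_info(image: bytes) -> dict:
    """Read the signing fields of a PE image. Reports what the header claims;
    it does not verify the signature itself."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24                                            # optional header
    dirs = opt + (112 if image[opt:opt + 2] == b"\x0b\x02" else 96)  # PE32+ / PE32
    unmanaged = {"managed": False, "signed": False, "signature_bytes": 0}
    if struct.unpack_from("<I", image, dirs - 4)[0] <= CLI_DIR:
        return unmanaged                                     # no CLI slot at all
    cli_rva = struct.unpack_from("<I", image, dirs + 8 * CLI_DIR)[0]
    if cli_rva == 0:
        return unmanaged                                     # native image
    for i in range(n_sections):                              # RVA -> file offset
        vsize, vaddr, rsize, raw = struct.unpack_from(
            "<4I", image, opt + opt_size + 40 * i + 8)
        if vaddr <= cli_rva < vaddr + max(vsize, rsize):
            cli = raw + cli_rva - vaddr
            break
    else:
        raise ValueError("CLI header lies outside every section")
    # Flags at +16; StrongNameSignature size at +36 (skip entry point, resources, RVA)
    flags, sig_size = struct.unpack_from("<I16xI", image, cli + 16)
    return {"managed": True, "signature_bytes": sig_size,
            "signed": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED)}

def build_sample(signed: bool, managed: bool = True) -> bytes:
    """Constructed minimal PE32 image: one section holding only a CLI header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * CLI_DIR, 0x2000, 72)
    section = struct.pack("<8s4I16x", b".text", 0x200, 0x2000, 0x200, 0x200)
    flags = 0x1 | (COMIMAGE_FLAGS_STRONGNAMESIGNED if signed else 0)  # 0x1: IL only
    cli = struct.pack("<IHH8I", 72, 2, 5, 0, 0, flags, 0, 0, 0,
                      0x2080 if signed else 0, 128 if signed else 0)
    headers = dos + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + cli.ljust(0x200, b"\0")
```

On a real file, pass the bytes read from disk to `strong_name_info`; the result reflects header fields only, so it shows whether a build was signed, not whether the signature is valid.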
