[C # prevents the anti-compilation].net product copyright protection Scheme (. NET source encryption Protection)

Source: Internet
Author: User

[C # prevents the anti-compilation].net product copyright protection Scheme (. NET source encryption Protection)

2011-03-24 21:06 27009 People read review (13) Favorite Report

Classification:

c#/. NET (4) decompile (6)

Description: Do you want to use. NET hard-worked software to be easily cracked? Do you want to spend a lot of your resources using. NET to develop products that are easy for competitors to get core code? This is a more detailed description of how to protect their own. NET source code articles, such as confusion, encryption and strong name, for the protection of the original author's point of view, so I do not qiatouquwei as their own personal article, because it is reproduced in full text, so does not represent I fully agree with the author's views, Also does not mean I mention the author mentioned software advertising, this point please note, do not think I advertise for others and scold me, in fact, I do not know the author.
I. Preface

Hello everyone, I am Kong Shijie, everyone can call me Jason.

I and everyone, are engaged in technical background, has not been a lecturer, so the mouth material is limited, if the point is not good, but also hope that we have a lot of sea, thank you.

Today is the first time we meet, we can meet you, really very happy.

Let's not delay everyone's precious time, so we'll start the class right away.

DotNet is the MS Development and promotion of enterprise solutions, is also one of the core development strategy of MS After several years, so I think DotNet is promising, he has a good concept, there is a strong consortium, it is difficult to fail. What DotNet lacks is the confidence of high-level executives in large enterprises, and it also takes time and examples to prove that there are many big cases to be developed in the world, and that Java and DotNet ultimately have a large market share, and it is unclear.

Two. Introduction Dotnet Compiling principle

Believe that we have used Dotnet, there may be many masters. But I also want to talk about the basic knowledge of dotnet, dotnet compiling principle.

Dotnet is a language that is built on a virtual machine that directly generates the intermediate language of the MSIL, and then the dotnet compiler JIT interprets the image as native code and delivers CPU execution. It and Java are a mechanism of language. The advantage of this language is that you don't have to think about where your program is running, you just have to make the feature, and the virtual opportunity to implement your functionality anywhere. This is a good trend and idea, but the intermediate language of a virtual machine is extremely easy to decompile because it has a lot of "meta-data" information.

The code for MSIL is actually not much different from C # or VB, and you should be able to read it easily if you remember 20 or so instructions.

Protection Code and open source does not conflict, need to protect must have their own reasons, so today I do not come to oppose open source. Oh

Three. Disadvantages of the intermediate language

The intermediate language is so easy to decompile that there are a lot of horrors.

1. The intellectual property that we care about most

Hard research out of the algorithm, how many sleepless nights to study out the results. This is a magic weapon that you make money, but be public, intellectual property has not, that time hate who ah.

2. Source code leaks, by competitors to compete with you (this is a lot of things)

As I know, there are several, but it is inconvenient to say it.

They try to copy back a copy of the other company's products from the customer, and then decompile, change the pictures, pictures and copyright information and registration information, and then take out to sell.

A regular company sells 20,000, and they are only 8,000. function basically the same, you say you are the customer, who do you buy?

3. The registration machine of their own products flying everywhere

Do a shareware, make some money to improve life bar, products just listed, not a few days registration machine every site has. Affect the sales also affect the mood, not to do products, or to do a reliable service, at least piracy can not ah, hehe, but do service, not so much money, really do what is difficult ah.

4. The author or developer bears the consequences of being implanted into a malicious program by someone else

The above said are only the things that others take advantage of, fortunately, just let can occupy the advantage, forget, loss also can not lose much. However, I say one more, it is not to be taken advantage of so simple.

For example: Your company out of a set of products, put on the Internet to download the trial, set the version is 1.0, a malicious company hostile, the product download, with the evil ILDasm anti-compilation, and then add a section on the inside of a conditional trigger command, the content of the command is the format C:or formatd :. Then compile with the evil ILAsm, use your company's name to make an identical package, upgrade to 1.2 trial version, and then put on the FTP or sharewaresite for people to try to download. Just imagine, soon you will receive complaints from users, or even prosecution.

Again, for example: to leave the company's employees, the company's various forms of dissatisfaction, after the handover, the company release a good project of a DLL to change, will inevitably cause the major loss of the project. Of course, I'm not teaching you how to treat your discontent in this way. I'm just telling you, Dotnet's assembly is not protected.

Four. Classification of protection schemes

Now, let me introduce you. NET's various protection schemes.

I divide the protection of dotnet into three major categories.

    1. Non-third-party protection solutions provided by m$

A) Strong name

The strong name is the protection mechanism provided by Ms.

It requires the use of the SN command.

What does a strong name mean? Here's a little explanation. The role of a strong name is to prevent an assembly from being modified illegally, and when the assembly is modified, you must re-use your private key again to add a strong name to the assembly, which is why the strong-named assembly must be re-enforcing the name after it is obfuscated or encrypted.

Sn/? Can see how it is used, if you install the framework is Chinese, then the interpretation of parameters is Chinese, I will not speak more.

Is it useful to have a strong name? There are many ways to easily crack strong names on the Web, and after ildasm the assembly with the strong name, the information about the strong name is removed in the Il file, and the strong name can be removed by ILAsm compilation. This I have tested, your strong name Publckey whether it is added in the assembly, or added in the class, can be removed, so the strong name is not a perfect way to protect. But to say here, if there is a good plan to use with the strong name, then will create a very good mechanism, anti-modification, anti-abuse.

When it comes to abuse, this is a special use of strong names, which can make your DLL not be called by a third party if your DLL can protect itself.

As for the name of this place, the way he uses it is necessary, we will explain in depth later.

b) Compile MSIL for native code (error? )

In this regard, I can often see in the MS community that there is an MVP to face the problem:

Q: Can a program written in C # compile the cost machine code?

A: Yes, you can use Ngen.exe to compile the MSIL code into native code.

Did the MVP answer that wrong? In fact, strictly speaking, the MVP answer is correct, Ngen.exe is indeed able to compile MSIL into native code, and can make the JIT does not need to compile MSIL again. This will speed up the execution of the program.

But the user's problem is not satisfied with the execution efficiency, but not satisfied with the intermediate language, but Ngen does not solve the user's problem.

Let's have a shallow analysis of NGen's work.

The NGen is a native image generator provided by MS, which compiles intermediate language assemblies into native code for storage in the cache. Please note that it is stored in the cache, dotnet in the memory of a cache, the cache contains many common assembly compiled native code, they are resident, thereby speeding up the execution speed of dotnet.

The so-called native code, because the native mapping, will map out some of the Framework of the required method, compiled to the assembly is called Call 0x0200000, and these things must be the event compiled good. So theoretically Ngen must be running on the currently executing machine, and it is not always possible to copy the program that compiles the cost machine code directly to another place, and I have not found a way to copy the native code from the cache.

I don't know what I mean here. No, no matter how Ngen.exe is just a speed-up tool, because the original assembly must be compiled to native code, and MSIL exists in the original assembly, so that the program cannot get out of the deserialized target.

Everyone go home, if available, you can do the experiment.

Ngen/show can see all the compiled assemblies in the cache, so dotnet is not slow.
Ngen <assembly path or display name> can map the specified assembly to native code.

Ngen/? can see other parameters

These are the tools provided by MS, under which you can use tips to prevent cracking or decompile during programming.

    1. Programming Tips Protection Solutions

Here, I'll show you two three ways

1. Artificial confusion

In this case, I'm going to start with a brief talk about what's called confusion.

Confusion as implies meaning, is confusion, not clear. There is a RID in metadata, and the Assembly runtime has nothing to do with the name, and it is called with RID, so you can omit the name.

What is confusing is man-made confusion.

Have seen an assembly, hand-folding a method into dozens of or hundreds, so that you can not understand the purpose. However, it is a pity to say: Now the Dotnet assembly analysis tools are very powerful, positive reference, anti-invocation can be implemented by the program, so that is actually done, it is not much use. The famous reflector have these features.

2. Hide the Assembly

Just talking about reflector, it's the way to hide your core assembly. Believe me, reflector is not the executable you see, its executable is just a shell, inside is a definition and interface, there is no instance of the method. If you want to get the core of how he's going to decompile, I'm afraid you'll lose your way in the maze.

How is it done? Let me tell you that its core assembly is actually one of its resources. And this resource is an encrypted resource. If I remember correctly, he should have started releasing the resource when he double-clicked the first method that needed to be recompiled, and then dynamically loaded the resource and decrypted it. The advantage of doing this is that the core assembly does not leave any traces on the hard disk, it only decrypts in memory and is loaded, and you basically cannot get this assembly. And dotnet is not allowed to memory dump.

Do you think this method of protection is good? You can encrypt your core code and make it into a resource package in the program, and then decrypt it when you use it, it just needs to be done yourself.

But I have to say responsibly, if you have the energy, and the patience and skill, I believe you can still find out in a few days the location of its core assembly decryption algorithm. and successfully solved its resource assembly.

If it is a master and very experienced, this way of encryption should be the second kill.

3. Compiling the relevant method (methods) in an assembly into unmanaged (unmanaged code)

The following is a description of whether you are a rookie, or master, can not get the core code of the party

It can be called the ultimate protection, because it is "unmanaged code".

What is managed code and what is unmanaged code.

Simply put, managed code is the intermediate language code that needs to be JIT-interpreted, not managed code

is native code. The way to do this is to teach you how to have managed code in your own assembly, with unmanaged code. Note that unmanaged code cannot be recompiled by the current anti-compilation tool.

Special note that I did not try it myself, but I have seen people do it and have been confirmed.

In the Dotnet assembly, how do you allow managed and unmanaged code to coexist? This is not free, and this is a requirement. Its condition is that VC + + must be used. NET unmanaged way to write DLLs, and then use VC + + hosting method to establish a project to introduce this native code DLL. A DLL that eventually generates a dotnet assembly. Then there is managed code in the assembly and unmanaged code. Managed code can be deserialized, and unmanaged code cannot be recompiled.

One might ask, what is the difference between writing a DLL with VC + +? The difference is that such a combination is tighter, and it is not possible to analyze the DLL with conventional analytical ASM tools.

Here also to explain a misunderstanding, it is said that the use of Win32 native code write registration algorithm, and generate DLL to provide dotnet assembly calls to prevent cracking. In fact, this sentence only said to half, this can only increase the difficulty of cracking the registration machine, and prevent the crack. Why is it? Because registration is right or in the Dotnet assembly to judge, so as long as the decision to change, the same to achieve the effect of cracking. However, if you want to analyze the registration algorithm, it is difficult to some.

    1. Third-party protection tools

Next, let's talk about third-party protection tools and concepts

Third-party protection tools good manufacturers are:

1. Aiasted.soft

A) Products: Maxtocode, Category: Encryption, confusion

2. Peremptive Solutions

A) Product: Dotfuscator Community, Category: Confusion

3. Remotesoft

A) Products: Remotesoft Protect, Category: Encryption

b) Products: Remotesoft Dotfuscator, Category: Confusion

4. Xenocode

A) Product: Xenocode, Category: Confusing

5. Some other companies, the recent Shanghai has a company out of the domestic first confusion tool, if you want to choose to confuse products, support the domestic also good.

Classification of protection methods for third-party tools

1. Confusion?

This is the most popular way right now. Today we're going to do an analysis. Let's take a look at the intensity of the confusion.

Obfuscation software generally has three functions

1. String encryption

2. Name confusion

3. Process confusion

The current popular obfuscation software has

Xenocode, Dotfuscator, and Remotesoft,maxtocode also incorporate a little confusion.

Using slides to explain process obfuscation principles

Use the program on the spot to demonstrate how to reverse process confusion

1. Target Program

2. Confused program use Reflector view

3. Using ILDASM to decompile the IL file

ILDASM xenocodetest.exe/out=xenocodetest.il

4. Extract a method from the Il file

5. Using Deflow for anti-aliasing

6. Backfill and compile with Ilasm

Ilasm Xenocodetest.il/resource=xenocodetest.res/output=xenocodetestnew.exe

7. Go back to Reflector to view

2. Packaging?

ThInstall is a packaging tool that he can package for almost all applications, also including

Dotnet.

He has multiple dotnet assemblies wrapped in a large program that cannot be decompile. But think about it and know that, if it is packaged, it will be released when it needs to run, and if it finds the released file, it is the same as no protection, so this is the worst way to protect. Of course, originally I did not want to put it in, because there are often people on the forum to use this thinstall reply to others said can protect dotnet assembly, so I special advice to everyone, do not believe.

3. Encryption?

Encryption protection is different from confusion, it is the best way to protect the current, but also the strongest protection ability.

He dotnet to a certain extent, the deficiency of the dotnet to attract more developers. Cryptographic protection software has a common denominator, that is, the dotnet anti-compilation into the Win32 of the disassembly, unfortunately, also limited the dotnet cross-platform advantages.

This class of Representative software has

Maxtocode, Remotesoft Protect, and some other foreign, I will not say, really let people do not go on.

Because Remotesoft company too stingy, protect even trial version are not provided, so I can only find his one encrypted product WebGrid3.5, but WebGrid4.0 did not use protect, do not know why, thousands of dollars is so waste? After analyzing WebGrid3.5, I found that he and maxtocode, the result is not to see the IL code, but also generate a native code DLL as the operating environment.

Because the Remotesoft protect can not be studied in depth, only know the effect and maxtocode, then we will talk about the principle of maxtocode implementation.

Maxtocode was born to dotnet the congenital insufficiency of the mystery. It is China's first high-strength dotnet protection software, in the world's dotnet Protection Horizon is also at the forefront of the dominant.

In fact, the principle of maxtocode is very simple, it is to encrypt all the IL in the assembly, so the use of the anti-compiler can not see the IL, and therefore can not be anti-compilation. Based on the framework extraction method of IL as the basic principle, when the JIT needs IL, I will add the dense il decryption to JIT to compile, thus forming the basic principle of maxtocode.

The following is the process and result of Maxtocode encryption:

1. Select an assembly

2. Select options for Advanced encryption

3. Select the option to confuse

4. Encryption

5. Results

The results of the program running after encryption:

Using Reflector to decompile the results

Anti-compilation using the MS-brought tool Ildasm

Viewing code area content using Ildasm

The source code is empty and cannot be deserialized at all. Eliminate the problem of anti-compilation.

from:http://zhoufoxcn.blog.51cto.com/792419/163944

[C # prevents the anti-compilation].net product copyright protection Scheme (. NET source encryption Protection)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.