. Net Product copyright protection solution (. NET source code encryption protection)

Note: Do you want to use. Net to easily crack software? You want to spend a lot of manpower and resources on your own to use. Net developed products to obtain the core easily by competitors.Code? This is a detailed description of how to protect your. netSource codeOfArticle, Such as obfuscation, encryption, and strong names. To protect the original author's point of view, I have not taken my head and tail as my own article, because it is a full text reprinted, therefore, it does not mean that I fully agree with all the ideas of the author, nor do I propose to advertise the software mentioned by the author. Please note that I should not scold others for advertising, in fact, I don't know the author at all.
I. Preface

Hello everyone, I'm KANG Shijie. You can call me Jason.

Like everyone else, I am a technical engineer and I have never been a lecturer. Therefore, I have limited skills. If you are not good at speaking, I hope you can have a lot of questions. Thank you.

Today is the first time we met. It's a pleasure to meet you.

Next, let's not delay your valuable time. Let's start class now.

DOTNET is an enterprise solution developed and promoted by Ms. It is also one of the core development strategies of MS in the next few years. Therefore, I think DOTNET has a promising future and he has an excellent concept, there is also a powerful consortium, which is hard to fail. What DOTNET lacks is the confidence of senior management of large enterprises. It still takes time and examples to prove that there are still many large cases to be developed in the world, java and DOTNET eventually have a large proportion of market members, but it is still unclear.

II. Introduction to DOTNET compilation principles

I believe everyone has used DOTNET, and there may be many experts. But I also want to talk about the basic knowledge of DOTNET and the compilation principles of DOTNET.

DOTNET is a language based on virtual machines. It directly generates the msil intermediate language, and then the DOTNET compiler JIT interprets the image as the local code and delivers the CPU for execution. It is a mechanism language with Java. The advantage of this language is that you do not need to consider yourProgramWhen running there, you only need to make the function, and the virtual opportunity is used to implement your function anywhere. This is a good trend and idea, but the virtual machine's intermediate language is also easily decompiled because it carries a large amount of "metadata" information.

Msil code is actually not much different from C # Or VB. As long as you remember 20 commands, you can easily read them.

There is no conflict between protection code and open source. You must have your own reasons for protection. So today I am not here to oppose open source .. Haha

Iii. disadvantages of intermediate language

The middle language is so easy to decompile, there are many terrible aspects.

1. Intellectual property rights that we are most concerned about

Hard workAlgorithmHow many sleepless nights have been studied. This was a magic weapon for making money, but it was made public and intellectual property rights were lost. Who hated it at that time.

2. Source Code leaks, and competitors can compete with you (this is a lot of a problem)

I know a few of them, but it is not easy to tell.

They tried to copy back a copy of a product from another company from the customer, and then decompiled it, and changed the pictures, pictures, copyright information, and registration information to sell the product.

Regular companies sell 20 thousand yuan a set, and they only sell yuan a set. The functions are basically the same. You say you are a customer and who did you buy?

3. The registration machine of your product is flying all over the sky

Make a sharing software and make some money to improve your life. The product is just on the market, and every website has a registration machine in a few days. It affects sales and mood. If we don't do products in the future, we still need to provide reliable services. At least we can't perform piracy. However, we don't have enough funds to do services, it's really hard to do anything.

4. The consequences of malicious programs implanted by others shall be borne by the author or developer.

All of the above is just about taking advantage of others. Fortunately, it's just about making it take advantage of it. Even if you forget it, you cannot lose much. However, if I talk about it again, it's not as easy as taking advantage of people.

For example, your company has launched a set of products and put them on the internet for trial download. The version is 1.0. A malicious company downloading the product and decompiling it with ildasm, then add a conditional-triggered command in it. The command content is format C: or format D :. then compile it with ilasm, and use your company's name to create an identical package, upgrade it to the 1.2 trial version, and then put it on the FTP or firmware ware site for trial and download. Imagine that you will soon receive a user complaint or even a lawsuit.

For example, employees who want to leave the company are dissatisfied with the company's various forms. after the handover, a DLL of the company's release project will be changed, which will inevitably cause significant losses to the project. Of course, I am not teaching you to treat your dissatisfaction in this way. I just want to tell you that the DOTNET assembly cannot be protected.

Iv. protection solution Classification

Next, I will introduce various. Net protection solutions.

I divide DOTNET protection into three categories.

Non-third-party protection solution provided by M $
A) Strong name

Strong names are the protection mechanism provided by Ms.

It needs to use the SN command.

What does a strong name mean? I will explain it here. A strong name is used to prevent the Assembly from being modified illegally. After the Assembly is modified, you must re-use your private key to add a strong name to the Assembly, this is also the reason why names must be added again after obfuscation or encryption for assembly with strong names.

SN /? You can see how it works. If the framework you have installed is in Chinese, the parameter explanation is also in Chinese, so I will not talk about it more.

Is a strong name useful? There are many ways to easily crack Strong names on the Internet. After the ildasm decompilers and the Assembly with a strong name are added, remove the information related to the strong name in the Il file and use ilasm to compile the assembly, you can remove the restriction on Strong names. I have tested this. The publckey with a strong name can be removed whether it is added to the program set or to the class. Therefore, a strong name is not a perfect protection method. However, if there is a good solution that can be used with strong names, a very good mechanism will be established to prevent modification and abuse.

When it comes to abuse, this is a special use of strong names. It can prevent your DLL from being called by a third party, if your dll can protect yourself.

Here, we will explain how to use it in depth if necessary.

B) Compile msil as the local code (misunderstanding ?)

For this, I oftenCommunityWe can see that MVPs face problems like this:

Q: Can C # write programs compile the cost machine code?

A: Yes. ngen.exe enables msil code to be compiled into local code.

Why is the MVP wrong? Strictly speaking, the mvp's response is correct. ngen.exe can indeed compile msil into the local code, and enable JIT to re-compile msil without any need. In this way, the program execution efficiency can be accelerated.

However, the user is not satisfied with the execution efficiency, but with the intermediate language. Unfortunately, ngen cannot solve the user's problem.

Let's analyze ngen's work in a simple sense.

Ngen is a native image generator provided by Ms. It can compile intermediate language assembly into local code and store it in the cache. Please note that it is stored in the cache, and DOTNET creates a cache in the memory, which stores many common Assembly compiled local code, which is resident, to speed up the execution of DOTNET.

The so-called local code, because the local ing, will map some methods required in the framework, compiled for assembly is like call 0x0200000, and these things must be compiled by the event. In theory, ngen must be run on the currently executed machine, but the program that directly compiles the machine code to copy to another place may not be used, and I have never found a way to copy the local code in the cache.

At this point, I don't know what I mean. No matter how ngen.exe is, it is just a tool to speed up, because to compile the code for the local machine, the original assembly is required, the original program has msil, so the program cannot be separated from the decompiled object.

If you are free, you can perform a test.

Ngen/show shows all the compiled assembly in the cache, so DOTNET is not slow.
Ngen <assembly path or display name> can map the specified assembly to the local code.

Ngen /? You can see other parameters.

The above is a tool provided by Ms. Next I will talk about how to use skills to prevent cracking or decompilation during programming.

Programming Skills protection solution
Here, I will introduce you to two methods:

1. Human confusion

Here, I will give a brief description of what obfuscation is.

Obfuscation refers to confusion and ambiguity. There is an RID in metadata, and the Assembly runtime has nothing to do with the name. It is called using the RID, so you can save the name.

What is artificial Obfuscation? It is artificial obfuscation.

I have seen an assembly and manually folded a method into dozens or hundreds, so that you can't understand it. However, unfortunately, the analysis tools of DOTNET assembly are very powerful and can be implemented by programs for both positive references and reverse calls, it is useless. The famous reflector has these features.

2. Hide the Assembly

We just talked about reflector, which uses this method to hide its core assembly. Believe me, reflector is not the executable program you see. Its executable program is just a shell, and there is a definition and interface, there is no instance method. If you want to get the core of decompilation, I'm afraid you will lose your way in the maze.

How is it done? Let me tell you that its core assembly is actually a resource. This resource is an encrypted resource. If I remember correctly, he should start to release the resource when double-clicking the first method to be decompiled, decrypt the resource, and then load it dynamically. The advantage of this is that the core assembly does not leave any trace on the hard disk. It only decrypts and is loaded in the memory, and you basically cannot get this assembly. In addition, DOTNET does not allow dump of memory.

Do you think this protection method is good? You can encrypt your core code into a resource package in the program and decrypt it when using it. You only need to implement it yourself.

However, if you have the energy, patience, and technology, I believe you can find the location of its core assembly decryption algorithm in a few days. And the resource assembly is successfully parsed.

If you are a master and experienced, the encryption method should be seckilling.

3. compile related methods (methods) in the assembly into unmanaged (unmanaged code)

The content below is that no matter you are a cainiao or a master, you cannot get the core code.

It can be called the ultimate protection means because it is "unmanaged code ".

What is managed code and what is non-managed code.

To put it simply, managed code is the intermediate language code that requires JIT to explain, rather than managed code.

Is the local code. The following describes how to host code and unmanaged code in your own datasets. Note that the unmanaged code cannot be decompiled by the current decompilation tool.

Note that I have not tried it myself, but I have confirmed it.

In the DOTNET assembly, how does one implement the coexistence of hosted and unmanaged code? This is not free. It is necessary. The condition is that the DLL must be written in the VC ++. Net unmanaged mode, and the DLL of the local code is introduced in the project established in the VC ++ hosting mode. Finally, a DLL of the DOTNET assembly is generated. The Assembly contains both managed code and unmanaged code. Managed code can be decompiled, but non-managed code cannot be decompiled.

Someone may ask, what is the difference between this and writing a DLL with VC ++? The difference is that the combination is closer, and the DLL cannot be analyzed using the conventional ASM analysis tool.

It also explains a misunderstanding here. Some people say that the registration algorithm is written using the Win32 local code and the DLL is generated for the DOTNET assembly call to prevent cracking. In fact, this sentence is only half correct. This can only increase the difficulty of cracking the registration machine and cannot prevent the attack. Why? Because the registration is correct, it is still necessary to make judgments in the DOTNET program, so as long as you get rid of this judgment, it achieves the same cracking effect. However, if you want to analyze the registration algorithm, it is difficult.

Third-party protection tools
Next, let's talk about third-party protection tools and concepts.

Vendors with better third-party protection tools include:

1. aiasted. Soft

A) Product: maxtocode, type: encryption, obfuscation

2. peremptive Solutions

A) Product: dotfuscator community, type: Obfuscation

3. remotesoft

A) Product: remotesoft protect, type: Encryption

B) Product: remotesoft dotfuscator, type: Obfuscation

4. xenocode

A) Product: xenocode, type: Obfuscation

5. Some other companies have recently released the first obfuscation tool in China in Shanghai. If you want to choose obfuscation products, it is good to support Chinese products.

Protection methods of third-party tools

1. Obfuscation?

This is the most popular method at present. Let's make an analysis today. Let's measure the intensity of obfuscation.

Obfuscation Software generally has three functions

1. String Encryption

2. Name Obfuscation

3. Process Obfuscation

Currently, popular obfuscation software includes

Xenocode, dotfuscator, remotesoft, and maxtocode also integrate a little obfuscation.

Use slides to explain the process obfuscation principles

Use the program to demonstrate on-site anti-process Obfuscation

1. Target Program

2. Use reflector to view obfuscated programs
 
3. decompile the Il file using ildasm

Ildasm xenocodetest.exe/out = xenocodetest. Il

4. Extract A method from the Il File

5. Use deflow for anti-obfuscation

6. backfill and use ilasm for compilation

Ilasm xenocodetest. il/resource = xenocodetest. Res/output1_xenocodetestnew.exe

7. Go back to reflector for viewing.

 

2. packaging?

Thinstall is a packaging tool that can package almost all applications, including

DOTNET.

He packages multiple DOTNET sets in a large program to achieve the goal of non-compilation. However, if you think about it, you can package it and it will be released when you need to run it. If you find the released file, it will be the same as not protected, this is the worst protection method. Of course, I didn't want to include it because people often use thinstall on the Forum to reply to others saying that it can protect the DOTNET assembly, so I would like to advise you not to trust it.

3. encryption?

Encryption protection is not the same as obfuscation. It is currently the best protection method and the most powerful protection capability.

He raised the inherent deficiency of DOTNET to a certain extent, attracting more developers for DOTNET. Encryption protection software has one thing in common, that is, the DOTNET decompilation is extended to Win32 disassembly. Unfortunately, it also limits the cross-platform advantages of DOTNET.

Such representative software has

Maxtocode, remotesoft protect, other foreign, I will not say, it is really difficult to use.

Remotesoft is so stingy that protect does not provide a trial version, so I can only find one of its encrypted products, webgrid3.5, but webgrid4.0 does not use protect. I don't know why, tens of thousands of dollars is that enough? After webgrid3.5 is analyzed, it is found that, like maxtocode, the Il code is invisible and a local code DLL is generated as the runtime environment.

Since remotesoft protect cannot be studied in depth, we only know the same effect as maxtocode, so let's talk about the implementation principle of maxtocode.

Maxtocode was born to supplement the congenital deficiency of DOTNET. It is China's first powerful DOTNET protection software, and is also ahead of the world's DOTNET Protection Line.

In fact, the principle of maxtocode is very simple, it is to encrypt all the IL in the Assembly, so the use of the anti-compiler can not see the Il, thus cannot be decompiled. The basic principle of extracting method based on framework is Il. When JIT needs Il, I decrypt the encrypted Il to JIT for compilation. This forms the basic principle of maxtocode.

The process and result of maxtocode encryption are as follows:

1. Select assembly

2. select Advanced Encryption

3. Select obfuscation options

4. Encryption

5. Results

Encrypted program running result:

Reflector decompilation results

Decompilation using the MS tool ildasm

Use ildasm to view the code area content

The source code is empty, and The Decompilation is not allowed at all. This eliminates the problem of decompilation.