Description: Do you want to use. NET hard-worked software to be easily cracked? Do you want to spend a lot of your resources using. NET to develop products that are easy for competitors to get core code? This is a more detailed description of how to protect their own. NET source code articles, such as confusion, encryption and strong name, for the protection of the original author's point of view, so I do not qiatouquwei as their own personal article, because it is reproduced in full text, so does not represent I fully agree with the author's views, Also does not mean I mention the author mentioned software advertising, this point please note, do not think I advertise for others and scold me, in fact, I do not know the author.
A . preface everybody good, I am Kong Shijie, everybody can call me Jason. I and everyone, are engaged in technical background, has not been a lecturer, so the mouth material is limited, if the point is not good, but also hope that we have a lot of sea, thank you. Today is the first time we meet, we can meet you, really very happy. Let's not delay everyone's precious time, so we'll start the class right away. DotNet is ms development and promotion of enterprise solutions, is also one of the core development strategies of MS After several years, so I think DotNet is promising, he has an excellent concept, There is a strong consortium, it is very difficult to fail. What dotnet lacks is the confidence of high-level executives in large enterprises, and it also takes time and examples to prove that many of the world's big cases are still,java and DotNet who ultimately have a large market share and are still unclear. Two . Introduction dotnet compiling principle I believe we have used dotnet , and there may be many masters. But I also want to talk about the basic knowledge of dotnet, dotnet compiling principle. Dotnet is a language that is built on a virtual machine that directly generates the intermediate language of MSIL , and then by the Dotnet compiler JIT interprets the image as native code and delivers CPU execution. It and Java are a mechanism of language. The advantage of this language is that you don't have to think about where your program is running, you just have to make the feature, and the virtual opportunity to implement your functionality anywhere. This is a good trend and idea, but the intermediate language of a virtual machine is extremely easy to decompile because it has a lot of "meta-data" information. msil 's code is actually not much different from C# or VB , as long as you remember 20 or so commands, you should be able to read it easily. Protection Code and open source does not conflict, need to protect must have their own reasons, so today I do not come to oppose open source. Hehe three . the disadvantage of intermediate language the intermediate language is so easy to decompile that there are many horrors. 1. We are most concerned about the intellectual property of the hard work out of algorithms, how many sleepless nights to study out the results. This is a magic weapon that you make money, but be public, intellectual property has not, that time hate who ah. 2. source code leaks, by competitors to compete with you (this kind of thing a lot) I know there are several, but inconvenient to say. They try to copy back a copy of the other company's products from the customer, and then decompile, change the pictures, pictures and copyright information and registration information, and then take out to sell. A regular company sells 20,000, and they are only 8,000. function basically the same, you say you are the customer, who do you buy? 3. own product registration machine fly out to do a sharing software, make some money to improve life bar, products just listed, not a few days keygen every site has. Affect the sales also affect the mood, not to do products, or to do a reliable service, at least piracy can not ah, hehe, but do service, not so much money, really do what is difficult ah. 4. by others into malicious programs, the consequences of the author or developer to assume that the above is just the things that others take advantage of, fortunately, just let can occupy the advantage, forget, lose also not much. However, I say one more, it is not to be taken advantage of so simple. For example: Your company out of a set of products, put on the Internet to download the trial, set the version is 1.0, a malicious company hostile, the product download, with the evil of the ildasm decompile, and then add a section on the inside of a conditional trigger command, the content of the command is format c: or format d:. then compile it with all the evil ilasm , use your company's name to make an identical package, upgrade to a 1.2 trial version, then put to ftp or shareware site for trial download. Just imagine, soon you will receive complaints from users, or even prosecution. Again, for example: to leave the company's employees, the company's various forms of dissatisfaction, after the handover, the company release a good project of a DLL to change, will inevitably cause the major loss of the project. Of course, I'm not teaching you how to treat your discontent in this way. I'm just telling you, Dotnet's assembly is not protected. Four . protection scheme categories below, I begin to introduce. NET's various protection schemes. I divide the protection of dotnet into three major categories.
- Non-third-party protection schemes provided by m$
A) strong name is the protection mechanism provided by Ms. It needs to use sn this command. What does a strong name mean? Here's a little explanation. The role of a strong name is to prevent an assembly from being modified illegally, and when the assembly is modified, you must re-use your private key again to add a strong name to the assembly, which is why the strong-named assembly must be re-enforcing the name after it is obfuscated or encrypted. sn /? can see how it is used, if you install the framework is Chinese, then the explanation of the parameter is Chinese, I will not speak more. Is it useful to have a strong name? There are many ways to easily crack strong names on the Web, and after ildasm the assembly with the strong name, the information about the strong name is removed in the Il file, and the strong name can be removed by ILAsm compilation. This I have tested, your strong name Publckey whether it is added in the assembly, or added in the class, can be removed, so the strong name is not a perfect way to protect. But to say here, if there is a good plan to use with the strong name, then will create a very good mechanism, anti-modification, anti-abuse. When it comes to abuse, this is a special use of strong names, which can make your DLL not be called by a third party if your DLL can protect itself. As for the name of this place, the way he uses it is necessary, we will explain in depth later.  B) compile MSIL for native code (myth?) In this regard, I can often see in the MS community that there is an MVP to face the problem: Q: C # Written by the program can compile the cost machine code? A: Yes, you can use Ngen.exe to compile MSIL code to native code. Did the MVP answer that wrong? In fact, strictly speaking, the MVP answer is correct, Ngen.exe is indeed able to compile MSIL into native code, and can make the JIT does not need to compile MSIL again. This will speed up the execution of the program. But the user's problem is not satisfied with the execution efficiency, but not satisfied with the intermediate language, but Ngen does not solve the user's problem. Let's have a shallow analysis of ngen's work. The NGen is a native image generator from MS, which compiles intermediate language assemblies into native code and stores them in the cache. Here, please note that it isstored in the cache, dotnet a cache in memory that stores many common assembly-compiled native code, which are resident, thereby speeding up the execution of dotnet. The so-called native code, because the native mapping, will map out some of the Framework required method, compiled to the assembly is the call 0x0200000 like this, and these things must be the event compiled good. Then theoretically Ngen must be running on the machine that is currently executing, and the program that compiles the cost machine code directly to another place is not necessarily available, and I have never found a way to make the native code copy out of the cache. I don't know what I mean here. No, no matter how Ngen.exe is just a speed-up tool, because it has to be compiled into native code or the original assembly, and MSIL exists in the original assembly, so that the program cannot detach itself from the deserialized target. Everyone go home, if available, you can do the experiment. ngen /show can see all the compiled assemblies in the cache, so dotnet is not slow.
Ngen <assembly path or display name> can map the specified assembly to native code. Ngen/? Other parameters can be seen above are the tools provided by MS, and the next, in the process of programming, how to use techniques to prevent cracking or anti-compilation.
- Programming Tips Protection Solutions
Here, I will give you two kinds of three ways 1. man-made confusion here, I would like to talk about what is called confusion confusion as implies meaning, is chaos, unclear meaning. There is a RID in metadata, and the Assembly runtime has nothing to do with the name, and it is called with RID, so you can omit the name. What is confusing is man-made confusion. Have seen an assembly, hand-folding a method into dozens of or hundreds, so that you can not understand the purpose. However, it is a pity to say: Now the Dotnet assembly analysis tools are very powerful, positive reference, anti-invocation can be implemented by the program, so that is actually done, it is not much use. The famous reflector have these features. 2. Hidden assemblies just talked about reflector, which is the way to hide their core assembly. Believe me, reflector is not the executable you see, its executable is just a shell, inside is a definition and interface, there is no instance of the method. If you want to get the core of how he's going to decompile, I'm afraid you'll lose your way in the maze. How is it done? Let me tell you that its core assembly is actually one of its resources. And this resource is an encrypted resource. If I remember correctly, he should have started releasing the resource when he double-clicked the first method that needed to be recompiled, and then dynamically loaded the resource and decrypted it. The advantage of doing this is that the core assembly does not leave any traces on the hard disk, it only decrypts in memory and is loaded, and you basically cannot get this assembly. And dotnet is not allowed to dump memory. Do you think this method of protection is good? You can encrypt your core code and make it into a resource package in the program, and then decrypt it when you use it, it just needs to be done yourself. But I have to say responsibly, if you have the energy, and the patience and skill, I believe you can still find out in a few days the location of its core assembly decryption algorithm. and successfully solved its resource assembly. If it is a master and very experienced, this way of encryption should be the second kill. 3. compiling the relevant method (methods) in an assembly into unmanaged (unmanaged code) The following is a description of whether you are a rookie or a master, Cannot get the core code, it can be called the ultimate protection, because it is "unmanaged code". What is managed code and what is unmanaged code.Simply put, managed code is the intermediate language code that needs to be JIT-interpreted, and unmanaged code is native code. The way to do this is to teach you how to have managed code in your own assembly, with unmanaged code. Note that unmanaged code cannot be recompiled by the current anti-compilation tool. Special Note that I did not try it myself, but I have seen people do it and have been confirmed. in the Dotnet assembly, allow managed code and unmanaged code to coexist, how to implement it? This is not free, and this is a requirement. Its condition is that VC + + must be used. NET unmanaged way to write DLLs, and then use VC + + hosting method to establish a project to introduce this native code DLL. A DLL that eventually generates a dotnet assembly. Then there is managed code in the assembly and unmanaged code. Managed code can be deserialized, and unmanaged code cannot be recompiled. One might ask, what is the difference between writing a DLL with VC + +? The difference is that such a combination is tighter, and it is not possible to analyze the DLL with conventional analytical ASM tools. Here also to explain a misunderstanding, it is said that the use of Win32 native code write registration algorithm, and generate DLL to provide dotnet assembly calls to prevent cracking. In fact, this sentence only said to half, this can only increase the difficulty of cracking the registration machine, and prevent the crack. Why is it? Because registration is right or in the Dotnet assembly to judge, so as long as the decision to change, the same to achieve the effect of cracking. However, if you want to analyze the registration algorithm, it is difficult to some.
- third-party protection tool
Next, let's talk about third party protection tools and concepts third party protection tools good manufacturers have:1. aiasted.soft a) product :maxtocode , category &NBSP: Encrypt, confuse 2. peremptive solutions a) product :dotfuscator community , category : Confusing 3. remotesofta) product :remotesoft protect , type : Encryption B) product :remotesoft dotfuscator , kind : Confusion 4. Xenocodea) product :xenocode , kind: Confusing 5. Some other companies, the recent Shanghai has a company out of the domestic first confusion tool, if you want to choose to confuse products, support the domestic also good. Protection methods for third-party tools classification 1. Confusion ? This is the most popular way right now. Today we're going to do an analysis. Let's take a look at the intensity of the confusion. Obfuscation software generally has three functions 1. string encryption 2. Name Confusion 3. process confusion currently popular obfuscation software has xenocode, Dotfuscator, and Remotesoft,maxtocode also incorporate a little confusion. Use the slideshow to explain the process obfuscation principle using the program on the spot to demonstrate how to reverse process confusion Target Program
2. Confused program use Reflector View
3. Use ildasm to decompile the Il file ildasm xenocodetest.exe/out=xenocodetest.il4. Extract a method from the Il file
5.UseDeflow to be anti-confusing
6. Backfill, and compile Ilasm using Ilasm xenocodetest.il/resource=xenocodetest.res/output=xenocodetestnew.exe7.and back toReflector to view in
2. packing? ThInstall is a packaging tool that he can package for almost all applications, also including dotnet. He has multiple dotnet assemblies wrapped in a large program that cannot be decompile. But think about it and know that, if it is packaged, it will be released when it needs to run, and if it finds the released file, it is the same as no protection, so this is the worst way to protect. Of course, originally I did not want to put it in, because there are often people on the forum to use this thinstall reply to others said can protect dotnet assembly, so I special advice to everyone, do not believe. 3. encryption protection is different from confusion, it is the best way to protect, and also the strongest protection. He dotnet to a certain extent, the deficiency of the dotnet to attract more developers. Cryptographic protection software has a common denominator, that is, the dotnet anti-compilation into the Win32 of the disassembly, unfortunately, also limited the dotnet cross-platform advantages. This kind of representative software has maxtocode , Remotesoft Protect, other some foreign, I do not say, really let people use not go down. Because Remotesoft company too stingy, protect even trial version are not provided, so I can only find his one encrypted product WebGrid3.5, but WebGrid4.0 did not use protect, do not know why, thousands of dollars is so waste? After analyzing WebGrid3.5, I found that he and maxtocode, the result is not to see the IL code, but also generate a native code DLL as the operating environment. Because the Remotesoft protect can not be studied in depth, only know the effect and maxtocode, then we will talk about the principle of maxtocode implementation. Maxtocode was born to dotnet the congenital insufficiency of the mystery. It is China's first high-strength dotnet protection software, in the world's dotnet Protection Horizon is also at the forefront of the dominant. In fact, the principle of maxtocode is very simple, it is to encrypt all the IL in the assembly, so the use of the anti-compiler can not see the IL, and therefore can not be anti-compilation. Based on the framework extraction method of IL as the basic principle, when the JIT needs IL, I will add the dense il decryption to JIT to compile, thus forming the basic principle of maxtocode. The following is the process and result of Maxtocode encryption: 1.Select Assembly
2.Choose options for Advanced encryption
3. Select the option to confuse
4.Encrypt
5. Results The result of the program running after encryption Span lang= "en-us":
uses decompile results
Span style= "font-family: the song Body;" > using MS ildasm decompile
Use ildasm
The source code is empty No, you can't decompile
