Next, I will introduce various .NET protection solutions. I divide DOTNET protection into three categories.
1. Protection solutions provided by DOTNET
A) Strong name
Strong names are a protection mechanism provided by Microsoft, applied with the sn command. What does a strong name mean? I will explain it here. A strong name is used to prevent a program's assembly from being illegally modified. After the assembly is modified, it must be signed again with your private key before it carries a valid strong name.
Run sn /? to see how it works. If the framework you have installed is in Chinese, the parameter explanations are also in Chinese, so I will not say more about it.
Is a strong name useful? The Internet offers many easy ways to defeat strong names. If an assembly with a strong name is disassembled with ildasm, the strong-name information is removed from the IL file, and the assembly is rebuilt with ilasm, the strong-name restriction is gone. I have tested this. The public key of a strong name can be removed whether it is applied to the assembly or to a class. Therefore, a strong name is not a perfect protection method. However, combined with another good solution, strong names can form a very good mechanism against modification and abuse. Preventing abuse is a special use of strong names: a strong name can stop your DLL from being called by a third party, provided your DLL can protect itself. We will explain how to use this in depth if necessary.
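The third-party-call restriction mentioned above, as an added C# example that is not part of the original article: the DLL pins the public key token of its expected caller. CallerGate, LicensedApi and the token bytes are hypothetical names and constructed values.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

public static class CallerGate
{
    // Constructed placeholder: replace with the 8-byte public key token of
    // your own signing key (displayed by "sn -T YourApp.exe").
    private static readonly byte[] ExpectedToken =
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };

    // True only when the assembly carries a public key whose token matches
    // the pinned one. Unsigned assemblies yield a null or empty token.
    public static bool HasExpectedToken(Assembly asm, byte[] expected)
    {
        byte[] token = asm.GetName().GetPublicKeyToken();
        return token != null
            && token.Length == expected.Length
            && token.SequenceEqual(expected);
    }

    public static void Require(Assembly caller)
    {
        if (!HasExpectedToken(caller, ExpectedToken))
            throw new UnauthorizedAccessException(
                "Caller is not signed with the expected key: " + caller.FullName);
    }
}

public static class LicensedApi
{
    // NoInlining keeps this method as a real stack frame, so
    // GetCallingAssembly() reports the external caller.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static int Compute(int x)
    {
        CallerGate.Require(Assembly.GetCallingAssembly());
        return x * 2; // stand-in for the protected logic
    }
}
```

The check is ordinary IL inside the DLL, so it only holds if the DLL itself is protected against the ildasm/ilasm modification described above. The token identifies the embedded public key and is meaningful only where the runtime has verified the strong-name signature on load.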
B) Compiling MSIL to native machine code (a misunderstanding?)
On this point, I often see MVPs in the community answering questions like this:
Q: Can programs written in C# be compiled to native machine code?
A: Yes. ngen.exe can compile MSIL code into native code.
Why is the MVP wrong? Strictly speaking, the MVP's response is correct. ngen.exe can indeed compile MSIL into native code, so that the JIT no longer needs to compile the MSIL again. In this way, program execution is sped up. However, what the user is unhappy with is not the execution efficiency but the intermediate language. Unfortunately, ngen cannot solve the user's problem. Let's look briefly at how ngen works.
Ngen is a native image generator provided by Microsoft. It can compile an intermediate-language assembly into native code and store it in the cache. Please note that it is stored in the cache: DOTNET creates a cache in memory that holds the compiled native code of many common assemblies, and this cache is resident, to speed up the execution of DOTNET.
The so-called native code is tied to the local machine: it maps some of the methods required from the framework, so the compiled code contains things like call 0x0200000, and these must be compiled on the machine itself. In theory, ngen must be run on the machine where the program executes; a program compiled directly to machine code and copied elsewhere may not work, and I have never found a way to copy the native code out of the cache.
At this point, I don't know whether my meaning is clear. Whatever ngen.exe does, it is only a speed-up tool: to compile code for the local machine, the original assembly is required, and the original program contains MSIL, so the program can never be separated from something that can be decompiled. If you have time, you can test this yourself.
ngen /show lists all the compiled assemblies in the cache, which is why DOTNET is not slow.
ngen <assembly path or display name> compiles the specified assembly to native code.
ngen /? shows the other parameters.
The above are tools provided by Microsoft. Next I will talk about programming techniques that help prevent cracking or decompilation.
2. Protection through programming techniques
Here, I will introduce you to two methods:
2.1. Manual obfuscation
Here, I will briefly explain what obfuscation is. Obfuscation means making the code confusing and ambiguous. Metadata contains a RID, and at run time the assembly does not depend on names; calls are made through the RID, so the names can be dropped. What is manual obfuscation? It is obfuscation done by hand. I have seen an assembly in which one method was manually split into dozens or hundreds of methods, so that you cannot follow it. Unfortunately, the analysis tools for DOTNET assemblies are very powerful and can trace references and reverse calls programmatically, so doing this is of little use. The well-known Reflector has these features.
2.2. Hide an assembly
We just talked about Reflector, which uses this method to hide its core assembly. Believe me, Reflector is not the executable program you see. Its executable is only a shell that contains definitions and interfaces but no concrete methods. If you try to reach the decompilation core, I'm afraid you will lose your way in the maze.
How is it done? Its core assembly is actually a resource, and that resource is encrypted. If I remember correctly, it releases the resource when you double-click the first method to be decompiled, decrypts it, and then loads it dynamically. The advantage is that the core assembly leaves no trace on the hard disk. It is decrypted and loaded only in memory, and you basically cannot get hold of this assembly. In addition, DOTNET does not allow dump of memory. Do you think this protection method is good? You can encrypt your core code into a resource inside the program and decrypt it when it is used; you only need to implement this yourself. However, if you have the energy, patience, and skill, I believe you can still find its decryption algorithm within a few days and successfully extract the resource assembly. If you are an experienced master, the encryption would fall within seconds.
2.3. Compiling selected methods in the assembly as unmanaged code
The following method keeps the core code out of reach whether you are a novice or a master. It can be called the ultimate protection because it is "unmanaged code". What is managed code and what is unmanaged code? To put it simply, managed code is intermediate-language code that needs to be interpreted by the JIT, as opposed to native code. The following describes how to have managed code and unmanaged code coexist in your own assembly. Note that unmanaged code cannot be decompiled by the current decompilation tools. Note that I have not tried it myself, but I have confirmed it.
How do managed and unmanaged code coexist in one DOTNET assembly? This does not come for free; there are conditions. The DLL must be written in VC++ .NET in unmanaged mode, and that native-code DLL is then brought into a project created in VC++ managed mode. The result is a DOTNET assembly DLL that contains both managed code and unmanaged code. The managed code can be decompiled, but the unmanaged code cannot. Someone may ask: what is the difference between this and writing a DLL with VC++? The difference is that the two are combined more tightly, and the DLL cannot be analyzed with conventional ASM analysis tools.
Let me also clear up a misunderstanding here. Some people say that writing the registration algorithm in Win32 native code and building it as a DLL for the DOTNET assembly to call prevents cracking. This is only half correct. It only makes writing a keygen harder and cannot prevent the attack. Why? Because whether the registration is correct must still be judged in the DOTNET program, so removing that judgment achieves the same cracking effect. Analyzing the registration algorithm itself, however, is difficult.
3. Third-party protection tools
Next, let's talk about third-party protection tools and concepts.
Vendors with better third-party protection tools include:
1. Aiasted.Soft
A) Product: MaxtoCode, type: encryption, obfuscation
2. PreEmptive Solutions
A) Product: Dotfuscator Community, type: obfuscation
3. Remotesoft
A) Product: Remotesoft Protect, type: encryption
B) Product: Remotesoft Dotfuscator, type: obfuscation
4. Xenocode
A) Product: Xenocode, type: obfuscation
5. Some others. The first obfuscation tool made in China was recently released in Shanghai. If you are choosing an obfuscation product, it is good to support Chinese products.
Protection methods of third-party tools
1. Obfuscation
This is the most popular method at present. Let's make an analysis today. Let's measure the intensity of obfuscation.
Obfuscation software generally has three functions:
1. String encryption
2. Name obfuscation
3. Control-flow obfuscation
Currently, popular obfuscation software includes Xenocode, Dotfuscator and Remotesoft; MaxtoCode also integrates a little obfuscation.
4. Final solution
Hide the assembly and key code in a Win32 DLL.