How to establish an effective. NET software registration Protection Mechanism

This is the actual problem I encountered when I was working on the codeplus software registration module.

. NetProgramIt is easy to decompile and can be masked by obfuscators or by using a strong name. This is really a question about spear and shield.

So how can we maximize the guarantee that the software is not modified, and the Register is not easy to write. It may be a headache.

The general idea is:

I. Using asymmetric encryption and digital signature in the registration mechanism (this process is complicated and I have not made it yet, but I will try my best to solve this problem, hope to get advice from experts)

2. Strong names. It is easier to use strong names: the general steps are as follows:

1. Use sn.exe-K in the doscommand window provided by vs.netGenerate a key pair. And put it in the root directory of the project. For example, c: \> Sn-k c: \ yourprj. SNK and copy yourprj. SNK to your project directory.

2. Modify assemblyinfo. CS,

[Assembly: assemblydelaysign (false)]
[Assembly: assemblykeyfile ("... \ .. \ yourprj. SNK")]
[Assembly: assemblykeyname ("... \ .. \ yourprj. SNK")]

3. Rebuild it. This time is protected by a strong name. Any modifications to the generated EXE or DLL (whether it is Il or binary) will cause the program to stop running.

3. Use the obfuscator to confuse the generated EXE or DLL. We recommend that you use http://www.remotesoft.com/salamander/obfuscator/download.html to confuse and re-sign EXE or DLL under strong name protection. That is to say, obfuscation and strong name dual protection can be achieved. Of course, a question is raised here. That is, since remotesoft's obfuscator can modify the files under strong name protection (obfuscation is a big change), re-sign in to the strong name, although it requires yourprj. the SNK must be stored in the root directory of the project. However, it is also possible to replace it. Therefore, from another perspective, these two methods will not be difficult for the experts to solve. Its protection functions are limited.

Besides, due to the RSAAlgorithmSo the test has never been successful. Yesterday I saw something on the Sook Forum:

Http://www.sorke.com/bbs/Announce/Announce.asp? Boardid = 100 & id = 6060

This section describes the verification of XC #.CodeIs public. (Here, I understand that obfuscation and strong names are useless .) But I was wondering, why didn't I remove the verification code and compile it again? I am puzzled. Or the XC # program has been generated, although someSource codeIt's just for you to see, rather than giving you a chance to recompile. In this case, the strong name must be used. Since there is no research, it is not too clear. First, copy the useful code. This is the XC # Algorithm for verification:

Const string rsakey =" Qzj4mbr2conbw + abcbddssdtfkfszdqc9lltz3xzl1urre0iwrgqq/nynr310460/jsbb5etv
+ Example/1sy
Fb0w.xbku1m4m9lggduwlab + imc = Aqab ";

Static bool isvalidpair (string name, string key, string rsakey)
{
Try
{
Byte [] B = system. Convert. frombase64string (key );
Using (RSA = new rsacryptoserviceprovider ())
{
RSA. fromxmlstring (rsakey );
Rsapkcs1signaturedeformatter F = new rsapkcs1signaturedeformatter (RSA );

F. sethashalgorithm ("sha1 ");
Return (F. verifysignature (New sha1managed (). computehash (system. Text. asciiencoding. ASCII. getbytes (name), B ));
}
}
Catch {return false ;}
}

Reference the strong man's analysis of this Code:

I checked the code carefully and found that the key to the code check is the rsapkcs1signaturedeformatter class, which is a class in the system. Security. cryptography namespace and is responsible for verifying the RSA encrypted signature.
RSA is an asymmetric encryption algorithm. It means that only the public key can be used for decryption. The above static variable rsakey is obviously the public key. That is to say, you must provide the verification code generated by the key generator with the private key to pass the hash verification. That is to say, there is no way to obtain the verification code through the public key.
The method for generating the registration code is useless. Can I solve this problem by modifying the Il code? If you change the return value to true, you can use it whether it is verified or not. After inspection, this method still does not work.
Because this DLL program is not used by the XC # main program, but called by vs.net, it can only be registered as a global assembly. I found that the Assembly xhcs. visualstudio. dll implemented by the Verification logic has been installed in GAC.
As we all know, all the Assembly installed in GAC must be added with strong name verification. If I modify the DLL content, the strong name must be deleted, and the Assembly cannot be in GAC, resulting in failure of vs.net.

Well, now I think of whether the code can be used in our own system, so how to write the encrypted signature? Try to use:

Rsacryptoserviceprovider RSp = new rsacryptoserviceprovider ();
RSP. fromxmlstring (skey); // The public key and private key are read here.
Bytes = enc. getbytes (this. rtxtusergivesn. Text );
Bytes = RSP. signdata (bytes, "sha1 ");

This code is executed, but it fails and no reason is found. It indicates that a null value is set for the object.

Think about it again. If anyone has experience in this area, I hope to provide some guidance.