Large. NET business software code protection technology and practice to protect hard-to-create labor results

The code protection techniques used to enumerate the various types of software encountered since the work, only the principle does not involve the implementation of technical details, in order to avoid the emergence of legal issues. Some friends say that the code directly on GitHub open source download, open source can promote technical exchanges and progress, but the valuable code is piled up in the hard disk, even if the bad code is sold a lot of money, won a lot of customers and the market. Cherish the love of their own written code, they are valuable wealth.

The following protection techniques are primarily measured against offline authentication and protection and do not involve the networking (connection to license server) authentication.

1 Assembly Obfuscation asembly obfuscate

The operation of the CLR code is performed on an immediate compilation. NET compiler simply compiles the source code file into an intermediate language, and the intermediate language contains rich metadata. Anti-compilers such as the. NET Reflector/ilspy/justcode can restore almost the entire source code, so use the. NET development software The first task to do is to confuse the compiled intermediate language code. That's the most I've seen. NET code protection technology.

2 Writing the Registry Registry

Although. NET ERA emphasizes xcopy, but a lot of programs still rely on the registry to do the basis of protection technology. You can put the information you want to hide in a very deep registry key.

Some programs do a string processing of a registry key, such as changing a string to a 16 binary value, or a des obfuscation, and it is difficult to see what it means without knowing the decryption key (key).

3 RSA Signature RSA Signature

RSA signature technology can generate two keys, the private key is used to generate a license file, the public key is used to verify the license.

string publickey = "<BitStrength>1024</BitStrength><RSAKeyValue><Modulus> WDSWDT4UJPA+B7VKWDXGDVIEDC18O6QSNGTL38PRVR18B7SJQBHR2UQ1C7HKSADNF

Dh+pahv9bawiqa1cweavgcwc2lnmclaju4jzg0afdizhzunhv56ks5aavd+mhh+iegmpok9xrz7jd8hyjd38jhl439uaf6oltxmrdks5ku =</modulus><exponent>aqab</exponent></rsakeyvalue>";

string privatekey = "<BitStrength>1024</BitStrength><RSAKeyValue><Modulus> wdswdt4ujpa+b7vkwdxgdviedc18o6qsngtl38prvr18b7sjqbhr2uq1c7hksadnfdh+pahv9b

Awiqa1cweavgcwc2lnmclaju4jzg0afdizhzunhv56ks5aavd+mhh+iegmpok9xrz7jd8hyjd38jhl439uaf6oltxmrdks5ku=</modulus ><exponent>aqab</exponent><p>82nuszkxklx

+ndtqlirubldgozauaj50pqhkq7jgllv740jz521+v2o6eva+59gpgswfrx6e7hnurkkbqgby/w==</p><q>yito+1+ Xanvmecaykdfbonrbp1/tounakkrekyycg/klnjgpkb22gmtu

u5ocbfy2vidydzbyyexmlysj9io+ww==</q><dp>ds7zx3iykrv3rz7vv/mmqudiu3yaoaa9torbe/ 29afiko4dujt14hao1i4y7bgy/6r1nmasm7i9486vawqjagq==</dp><dq>sru

1zbiy7i1vi09xopkpnmdr2f7tcvjti50kktknezhnbbolkgslqgam5wpgy/3ztadkhuv6gaio0e8/m15p6q==</dq><inverseq >yszncptrcalrlr5ts+rj+m9g8+xuijgglsb3czjw

q28rfgxa//avpx05e3fin0tfaokjhy84vkelqpnyqyacna==</inverseq><d>jany3clxl6qgp3/ 90xwc0zcpsh6ekt4gsnwjorrpkh0dnjnesajhtpxmgs/0avsptoouzvxejp/idkttwtg

1gdkqzp+gaqkbp73rp21nmd+lz/s1wvmute3ge5i5fp/7zf9kntxbm1ylel/9n5ul6o5encpnjqut2+okq+q7vju=</d></ Rsakeyvalue>";

Because private keys exist only in their own computer, will not be published in the program, as long as the private key does not leak out, this encryption method is quite safe.

The only way to crack the RSA signature is to replace the public key and generate the license file with the private key you generated.

4 Parameter Protection Parameter Protection

Based on the 3rd RSA signature technology, the string generated after the signature is read-only, on the basis of which we can add many control points, such as the number of users to be used, the expiration time, the maximum count of accounts and so on.

In my enterprise Solution development Framework, we provide examples of license protection technologies based on 3rd and 4th, to the extent that the protection of products is not used by unauthorized users.

5 Machine Hardware Identification Hardware recognition

In order to control the software will not be random copies of the customer distribution, on the one hand through the legal contract provisions expressly prohibited, but usually there is no egg, on the other hand must do hardware identification. Before generating the license file, depending on the customer's machine configuration, the customer's machine hardware information is completely saved to the license file, run-time detection, found that there are inconsistencies immediately exit the application.

. NET provides the WMI interface for reading machine-related information, with the following code examples:

  Private Static string Getdiskdrivesize ()

        {

            return Wmihelper.getwmipropertyvalue ("win32_diskdrive", "Size");

        }

        Private Static string Getdiskdrivetotalsectors ()

        {

            return Wmihelper.getwmipropertyvalue ("win32_diskdrive", "totalsectors");

        }

        Private Static string Getdiskdrivetotaltracks ()

        {

            return Wmihelper.getwmipropertyvalue ("Win32_baseboard", "Manufacturer");

        }

Three methods to read the hard disk size, hard disk partitions, motherboard manufacturers, the combination of this information into a string file, that is, the computer hardware information, and then do a des symmetric encryption or RSA signature processing, after processing, the customer's hardware information appears to be such a string.

lxocnnn7ofk2+nheb7qo+cbrdlcbvwhcfvsfg/xnyt3f7q/ avyrl3lj7gotpmtuo41a33ajsryt5a1ydvu7ttonsosizy8hjirp13t5jhbgyhzgzaqk54egln3eft5zijkt3hyirz5w2mf6mwmv/9f

68jfxsnnh//ouuavi3lx0=kmw2grnz8bql4lnw4a5j+tudlvbsj5gp3cgznbaxlflgw188uliazexb6ghcvb0vswtv37r6nustt/vt5mj7wyf/ Zyyhpa1uhgx4/uzilcawawnap90bkqwlh1avz

2ltx3i93ikkyodajf0y5tm9njlvvqtoj2cbbwlug+syxxo=dujipsbrp5cl8l// wbis7ersx8rbtevmfo7ociyoth7yogvzjnh3d3qzhyknnfgmjdmslejsgdlb0gdiwdegiltf0uv7lqsoa076

wm5vrtg7o/h0e3dvmisp7okkujimeipexam+3gdlihgvhyrk0ndfzbqm8axm2k0ue8wj0xy=k5crv+ ikedb6yzey65ilxsu0lqt1fbhwsh7lawwboozhjt1twiaajhuqh0ahawzgrhydbhcxnljfv9t

oepsjdngl6cvjuenyuna3rlhknb6k51rojiq1rokriy9z+ysbhbjxdbsj3km/kitzfhvodqqig4zrtr0xfsn49j0rmki=c4obw14/ K1owpzmc1sue+yxrjtyuqzl2k/ckz/feahz0delbuicucbjhhg

+ryg+e7p5bfy53n3kh5sbud4rvbpruzgx4xzfpb8exq40sucmxs74cbqruph7+zqo6qf/atrqkxkbzoizkhcz50n6h/afaa+ Jwuoplyux191269w4=rgdybw6j5vxjo7philx1zlrcbo3+6srbuclefwk

Sitok/z+ogtfeoifhd5dzrp9t6gvytpdi7jpvz7ltv4dl5xfcq8wojjpqudb++pyaiw3gx9el6pd+ Ucrflktinng6ujke0r6a51y9egjric9p8uapgsej8otnlmo0mvwcwhe=gjg9mdr/yddmzcve0wpb3

s8ygkfzdpyj3xjtqtrydflv9e6ghzqj8ffgirxjdod3n9fgthhf82mtpjs3kodiyqec7moiensbzqevcups4zmdwmveh/ F4dsyns7jaipqccnaj7n4ei/pkxzwatdhsra2ywbkebw5plvhltlbclge=fl

+jsw0yguipizugq8vrt27e5j+d0vroew9t5nkproysngw=yn1yhy2reehqps30acnopndz2

he2e9re26qbwipngivhm8z/fclk0hjaleic8zy4dcn+0pkag6dh7tmibwtpbus2+zqjllgix7ukmpb49+ypc5qov8vsjgv/s81xvea+ Prgnbh9sa3tssbv3qmsyzdeyvkhc+1qbbold/1h2wui=p0/g

likmq7xorom9njdq5xpn3sj4v8p137v6eddq7utprctxd/qowi/ Izmcnx56lqvb1pjko0bcuyxa8h0zzevsmtjnxuzggzlpkzk4eozq4gektwm6hxcn0es/6iz2j5et1h5ksook1mlzs3cmuhesrn0js

ed0o/+l8+qbnpyapf6gl2iyf5j/qfi+2djowqcsphawzcbz/e/wtk0b/0f4= lmhd5bvilxa7kiqk8yma7d4dp5mawdnhmeuyg68sn15sjoumzlgift17rh0y7z

54itnjvmharvxbsc/ldkypiwsd+tzbtgdbsoebmxvde+jdh6zlsmguidreh4/l19y1713pyj2r6hyi9v/8gobkwwg4chikggbhsyujfp8jj4q= Jhnsedyacxeiwwhr

ndfiqowzbrzjmcgf7lo9g4bctyd0kbllrkdrdernptqs+e3klf0/fhc0x0bse/ycuycnj8rh9/ia08zuxo+tzkz/p5rsewklwboc45o90q/ Zxfuu5f+tcvpnftxcxmjwdh3

f4i7eotpzweus/p++ydvhhwa=d8l5s9fna0fux4eo9lohvt4wb8ybhkdvdw7o1p+wtdykiroclockklrsgdhjoi8eww= Ldrogw3pq7rv4l7yoglazamxfrdcw1wp2zi/hn2

This avoids the customer privacy information leakage, but also can solve the current software environment in the context of software distribution problems.

6 Serial Number/registration code Serial Key

Quite a lot of software is still taking this traditional serial number protection method, such as the registration code of Windows Server 2012:

Nb4wh-bbbyv-3mppc-9rcmv-46xcb

A seemingly disordered combination of numbers and letters plays an important role in software protection. If the serial number is verified during software installation, it will be more difficult to crack.

The alpha-numeric combination above the sequence can contain a lot of information, such as customer name, expiration time, and maximum number of users. This serial number is shared with other customers, and once the software company has traced it it is easy to identify the serial number as legitimate.

One of the components used in my blog download tool is ASPNETMHT, which uses this method to distribute the serial number, and the serial number contains the expiration time. The serial number of the aspnetmht looks like this:

Sm48z-fmxgz-25p67-4zjkf-gs211-aqya4-7vhux-kcf1c-rd4rc-ru7xs-xk8jy-6jt54-m9cx

7 Strong Name Strong Name

A strong name is not a code protection technique, but an assembly identity technology. Each assembly that is signed with the strong name is unique and can be verified at runtime to verify that the signature of the file has been altered.

The key to validating a strong name is to invoke the underlying method in the CLR:

[DllImport ("mscoree.dll", CharSet = CharSet.Unicode)]

public static extern bool StrongNameSignatureVerificationEx (string wszfilepath, bool fforceverification, ref bool pfwasverified);

So developed. NET program, not only to sign the program, but also to verify at run time whether the given signature has been altered.

The. NET CLR supports skipping strong name validation on assemblies, but it is too risky to modify the behavior of the CLR directly, and there are not many instances.

8 Memory Protection Memories Protection

Delphi XE took this approach, the runtime will generate a validation code, verification after the end of the code to destroy, because the validation in memory, will not leave traces on the hard disk, the difficulty of cracking relatively difficult.

WIN32 supports dynamic loading and unloading of assemblies, so the Win32 API has interfaces LoadLibrary and unloadlibrary for invocation, which enables memory protection.

. NET also supports the dynamic loading of assemblies, but does not support unloading (unload) assemblies, and the uninstallation of assemblies is controlled by the CLR, which provides the convenience of cracking memory protection techniques.

In my enterprise Solution development Framework, a combination of 7th and 8th is briefly explained as follows: Create a type definition file, then sign the file with a strong name, then confuse the signed assembly, string encryption, etc. Attached to the startup program's resource file, run, I release this Assembly resolution from the resource file, while forcing validation of the assembly's strong name, run the validation method specified in the type definition file, and implement simple memory protection techniques.

Cracking this protection requires knowing the strong name of the signature assembly, the whole process of string encryption processing and the corresponding key, which adds a lot of difficulty to cracking. To verify what and how the validation is specified in the type definition file that I designed, the launcher is just a shell that uses reflection to invoke the method to be validated. And this signed assembly is attached to the main program, to replace the resource file, you also need some methods and techniques.

9 source code is confusing with the obfuscate

After compilation is confused. NET assembly, which can still be debugged by the debugger at run time. If I could replace the sensitive string in the source code with a messy string, reducing the appearance of plaintext, while reducing performance, this would increase security. For example, when I run the runtime detects that the license file cannot be found, the following exception is thrown:

String path = Path.Combine (AppDomain.CurrentDomain.BaseDirectory, "license.lic");

if (! File.exists (PATH))

  throw new LicenseException ("License file not found");

The following program is replaced by the source code-sensitive string:

String path = Path.Combine (AppDomain.CurrentDomain.BaseDirectory, "license.lic");

if (! File.exists (PATH))

  throw new LicenseException (B ("/jnloqd4u59lbt64ex1hb9eo8kydd7td"));

After a B method call, can not see the exception of the plaintext, increased the difficulty of cracking. If there are a lot of such B methods in the code, and the string processing methods of the B method are different, the security of the system is undoubtedly improved.

Now there are a lot of JavaScript source code obfuscation tools on the market, that is, the format of the JavaScript code is scrambled, so that it is not easy to read.

C # source code can also take this approach, however, reading powerful Visual Studio has the document formatting feature (Edit-advanced-format document, Ctrl + e,d) and instantly becomes a readable format.

10 Native Codes Native code

The upcoming release of Visual Studio 2015 provides. NET native features that can be NET code is compiled into native code. However, after nearly a year of waiting,. NET native is currently only limited to Windows App Store projects, real Windows forms/wpf/asp. NET to implement compilation into native code may not be realistic.

The core of this protection method is that the license verification logic is placed in the native code and compiled directly into the machine code. General use of tools such as visual c++/delphi/vb6, the important algorithm and validation compiled into machine code, which will increase the difficulty of cracking. One aspect of native code that is difficult to handle is the. NET any CPU issue. When we set. NET is compiled into any CPU, CLLRU is compiled into native code based on the platform (x86,x64) The program is running on.

Loading 32-bit native code in a x64 system often throws an invalid assembly exception. The method of cracking this protection can be modified directly. NET program, you can ignore the logic of native code.

Compared to the previous several technologies, this protection technology to crack more difficult, to understand the knowledge point is also very much.

Large. NET business software code protection technology and practice to protect hard-to-create labor results