4

I just found out that even though I obfuscate my application it can still be cracked using code injection. This pretty much makes C# completely useless for me. Is there really no way to protect or make the process very difficult to do? Do 'crackers' have to know any class names etc. to do this? Thanks!

UPDATE: I'm trying to protect a binary (exe) not code.

Kristian

4 Answers

2

I've read somewhere on here from several users that whatever the code is written in, it can be decompiled. Think of it like this, how else would the system know how to run the code? It is the same concept.

Usually though, most developers (that I know of) don't worry so much about this. Of course, this is a good reason not to have any sensitive details within your code but rather somewhere else.

SchautDollar
  • Well, for example, if we look at Gmail, they have insanely long and spaghetti-like code which is pretty hard to make any sense of; at least I can make this process complex so it's not worth doing. – Kristian Dec 17 '12 at 19:20
  • Alright, why the downvote? I gave a completely valid answer except that at the time of answering, your update wasn't there. SO, to update my answer, I would agree with J Torres on signing the application. – SchautDollar Dec 17 '12 at 19:30
0

Any of the .NET languages, and Java, can be decompiled. This includes .exe and .dll files. What you will need to do is get a tool that obfuscates the code.

I've listed one below for you so you can get an idea: http://www.red-gate.com/products/dotnet-development/smartassembly/

Ed Charbeneau
0

If you're worried about protected industry secrets, it's impossible to send a computer the right instructions, yet expect that those instructions cannot be read by a capable person. If your goal is to stop somebody from modifying your EXE, why not simply sign your executable?

http://blogs.msdn.com/b/shawnfa/archive/2007/01/10/combining-strong-names-with-authenticode.aspx

Jaime Torres
  • Thanks! will this solve the code injection issue? how can I make the code injection process so complex that it's not worth doing. I want to protect my authorization protocol. Thanks – Kristian Dec 17 '12 at 19:23
  • @Kristian - You can't. If they have the source code, and administrative privileges, then they can decompile and inject new code. I suspect you are relying on the wrong security mechanism. – Josh Dec 17 '12 at 19:27
  • As always, there are ways around any form of security. But signing your code will nearly guarantee that your binaries have not been modified by 3rd parties. – Jaime Torres Dec 17 '12 at 19:27
  • @Josh, that's not entirely true. Signed code requires a password, so even if they have your pfx, but not your password, they cannot re-sign the executable. If a user knows to require your specific certification on your program, this will mitigate that issue. If the user runs anything willy-nilly, then you can't really help them. – Jaime Torres Dec 17 '12 at 19:29
  • @JTorres - But I can modify the assembly and remove strong naming. If I do this for all the provided assemblies, then strong naming no longer matters. Strong naming doesn't stop me decompiling and recompiling the code. It only prevents me from replacing a dependent assembly with an unsigned one. – Josh Dec 17 '12 at 19:41
  • @Josh But how would you sign it? – Jaime Torres Dec 17 '12 at 19:44
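
The signing discussion above turns on whether the person running the program checks for the publisher's specific certificate. As an added example (not part of the original answers), this PowerShell function accepts a file only when its Authenticode signature is valid and the signer matches an expected thumbprint; the function name, path and thumbprint are placeholders assumed for illustration.

```powershell
# Added example: accept a binary only if its Authenticode signature is valid
# AND it was produced with the expected publisher certificate.
function Test-PublisherSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher's signing certificate.
        # Assumption: obtained from the publisher through a trusted channel.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Valid        = file hash matches the signature and the chain is trusted.
    # HashMismatch = file was changed after it was signed.
    # NotSigned    = signature was stripped or never present.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "${Path}: signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature from *someone* is not enough: a modified binary can be
    # re-signed with a different certificate, so pin the signer.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $actual   = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $expected) {
        Write-Warning "${Path}: signed by unexpected certificate $actual ($($sig.SignerCertificate.Subject))"
        return $false
    }

    return $true
}

# Placeholder values, replace with the real file and the publisher's thumbprint.
$exe   = 'C:\Path\To\YourApp.exe'
$thumb = '<PUBLISHER-CERT-THUMBPRINT>'
if (Test-Path -LiteralPath $exe) {
    Test-PublisherSignature -Path $exe -ExpectedThumbprint $thumb
}
```

This detects a file that was modified or re-signed by someone else at the time of the check; it does not stop the binary from being decompiled.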
0

Are you sure your code is worth the trouble for someone to do that? Very very few applications are.

Spencer Ruport