2

If a user knows almost anything about coding in .net, and they see a .dll, they have the unfortunate ability to call your public functions and subroutines. I know you could try a "key" system, where it will check for a certain "key" as an argument, and only run the code if the "key" is valid, but I just ran some code and a .dll that I made, and when the .dll threw an unhandled exception, it showed me the contents of the file.

How can you protect your .dlls? Should you only put code in that you are willing to risk?

Mark Rushakoff
  • 249,864
  • 45
  • 407
  • 398
Cyclone
  • 17,939
  • 45
  • 124
  • 193
  • 2
    Something else to keep in mind: I don't think you are able to "see the code" for a DLL on an unhandled exception, if the DLL is built in release mode and a PDB file is not present. – Mark Rushakoff Sep 21 '09 at 03:20
  • @Mark Rushakoff: a .NET assembly can be decompiled using reflector... – Mitch Wheat Sep 21 '09 at 03:47
  • @Mitch Wheat: Agreed, but the .NET framework shouldn't give much detail when there's an unhandled exception if the DLL was built in the above manner. – Mark Rushakoff Sep 22 '09 at 03:21

4 Answers4

9

Nevermind calling existing methods etc. Reflector will decompile the code!

Obfuscation will get you so far, but to protect critical IP you need to host it on a secure server that you control.

Mitch Wheat
  • 295,962
  • 43
  • 465
  • 541
3

Be aware that there is no difference between a .NET DLL and an EXE file when it comes to ability to decompile or re-use in other applications.

Your question implies that putting all of your code in an executable is somehow safer, this is a big misconception.

Both are assemblies, so it is equally simple to instantiate and use publicly visible types in an executable, as it is with a DLL assembly. (As an example. in Visual Studio go to: Add Reference, Browse, and then notice that 'exe' is a valid component to reference.)

So the question is really more general: is it safe to deploy .NET assemblies of any type to your customers? As another answer says, the only guaranteed safe approach is to not deploy at all, but keep the assemblies on your own server (eg develop a web application).

Obfuscation will not stop someone from accessing your code, just make it harder (for a while) for them to understand it.

Ash
  • 60,973
  • 31
  • 151
  • 169
1

I'm going to sidestep the actual question you asked in order to more quickly point you in the direction you need to go.

You need to look into .Net code obfuscation. Here's a good post from someone else asking essentially the same question, but in different terms:

.NET obfuscation tools/strategy

Edit - added

Here's a good article on the issue you're asking about.

https://web.archive.org/web/20210802164229/https://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/080404-1.aspx

And @Mitch Wheat is right. Obfuscation will only get you so far. But it's a start. If you're going to be redistributing your dll's, you'll need to get used to the idea that someone persistent enough is going to crack them.

Community
  • 1
  • 1
David
  • 72,686
  • 18
  • 132
  • 173
  • Will that also obfuscate the functions and subroutines? – Cyclone Sep 21 '09 at 03:10
  • I'm going to have to advise you to read the article at the second link rather than answer that. The article covers the topic much more clearly than I can in a few posts or an answer here, and it sounds like you need to look at the basics of the topic. (no offense). – David Sep 21 '09 at 03:16
1

A small question

Is you application a web application or a C# (windows forms/command prompt) application.

If it is a web application, you can put the logic which you want to hide in a web service hosted on some other URL not accessible to public.

Also if it is a windows application, you can still obfuscate the dll. But remember, you can make the hackers difficult to decompile but not impossible. I also had a similar question in the link below.

How to preventing decompilation of any C# application

You have to weigh the benefits of decompilation over the business returns of hiding/leaving the code as it is.

Hope this helps.

Community
  • 1
  • 1
Kalpak
  • 3,510
  • 4
  • 22
  • 21