42

I release a bunch of tools for free, but recently I have begun to sell an application that has private research, and people have been able to get my source code, and one person publicly released my entire source. I spent a lot of time on this program, just to have someone crack it, and release my entire source.

How can I go about protecting my program? I have tried HWID, but people are still able to crack it. I know I am limited by C#, but it is the most convenient to use. I just need a way to protect my programs from people trying to do this.

General Grievance
Ben
  • When you say 'crack', do you mean 'decompile'? – egrunin Oct 03 '13 at 15:57
  • 1
    possible duplicate: http://stackoverflow.com/q/551892/643085 – Federico Berasategui Oct 03 '13 at 15:57
  • Although the question HighCore linked to is a little different than this one, the top answer to that question directly answers this question, and answers it well. – hatchet - done with SOverflow Oct 03 '13 at 16:01
  • It may be OT, but how you ensured that the code had really been stolen? – Antonio Ragagnin Oct 03 '13 at 16:08
  • @ChrisMantle: I find it amusing that the answers to that question tell you how to continue using the program for free when it's gone commercial, considering the question is how to protect commercial software. :) – zimdanen Oct 03 '13 at 16:10
  • @zimdanen Indeed :) But there are still a few free ones listed there, too. – Chris Mantle Oct 03 '13 at 16:23
  • There's no technical solution to human nature. Some people will always steal. As you *try* to add countermeasures, you will inevitably reach a break-point where you're inconveniencing your legitimate users more than those who will pirate your software. – Damien_The_Unbeliever Oct 03 '13 at 16:25
  • For some of the `Global asax` events I have seen that simply `[Obfuscation()]` above the name of the method would work without any externals, but for other use cases the external tools listed by @sebastiaan-van-den-broek are required. – Daniel Danielecki Jun 16 '20 at 13:23

4 Answers

37

You could have a look at the many obfuscation tools that are out there, for example these:

Sebastiaan van den Broek
  • 5
    You can still view the [deleted question _free-obfuscation-tools-for-net_](https://stackoverflow.com/questions/805549/free-obfuscation-tools-for-net) on the [internet wayback machine](https://web.archive.org/web/20130627174912/http://stackoverflow.com:80/questions/805549/free-obfuscation-tools-for-net) – stomy Aug 08 '17 at 00:01
  • 1
    What about [Babel Obfuscator](http://www.babelfor.net) (_they also have .NET Licensing_). – stomy Aug 08 '17 at 00:12
  • 1
    Link [codefort.org/download](http://codefort.org/download) doesn't work anymore. View it [here](https://web.archive.org/web/20130622042028/http://codefort.org:80/download). – stomy Aug 08 '17 at 00:23
  • 1
    [confuser.codeplex.com/](http://confuser.codeplex.com/) has been succeeded by [https://yck1509.github.io/ConfuserEx/](https://yck1509.github.io/ConfuserEx/). – stomy Aug 08 '17 at 00:30
  • @stomy thanks! I added the successor link, keeping the rest in case people want to google alternative downloads. – Sebastiaan van den Broek Aug 09 '17 at 07:23
  • 3
    ConfuserEx has now been succeeded by https://github.com/XenocodeRCE/neo-ConfuserEx – Steve Smith Feb 24 '20 at 09:33
  • 1
    @SteveSmith thanks, I added it and also removed all the superfluous text referring to an answer even older than this one. – Sebastiaan van den Broek Feb 24 '20 at 09:40
8

Well, the problem with languages like C#/Java is that they are generally much easier to de-obfuscate. The way to secure this is generally to put this stuff into a webservice, but you said you couldn't really do that. What about porting specific non-trivial functions over to a language like C, and obfuscating that? Your C# program could then use reflection to make calls to this external/unmanaged DLL. It would increase the difficulty of de-obfuscating, but the problem is that if someone wants it badly enough, they can figure it out, as it is client-side.

It may be that legal action is the only real solution here, but this is not a site for legal advice, and I am not qualified to give it if it were.

Additionally, this could be a business decision. Consider making your software open-source and posting a donation link. I am also not qualified to give business advice, but this is worth considering. It may actually increase your revenue, not to mention the other benefits that come with releasing open-source software.

Gray
4

There's Dotfuscator (http://www.preemptive.com/products/dotfuscator/overview). But the best solution in some cases is to offer what you do as a web site (Software as a Service).

Consider this tool for example to convert VB to C#: http://converter.telerik.com/

Or this tool to format JSON: http://jsonformatter.curiousconcept.com/

This may or may not work for you. I don't know what the nature of the software you're trying to protect is.

Trevor Elliott
  • It is. But any client side code can be cracked if there is a will to do so. Every PC game for the past 20 years has always been cracked regardless of SecuROM and other DRM. The web is the only really safe route. – Trevor Elliott Oct 03 '13 at 16:11
  • Yeah. What would be the option for me. I have to distribute the program to each individual person, I can't really just do a service type thing. I have tried HWID and more stuff, and pretty much all of that just gets bypassed. – Ben Oct 03 '13 at 16:14
2

No, your code needs to contain the information needed to decrypt itself; it's an impossible problem to solve.

Your best solution is to put your intellectual property on a server in the cloud that only you have access to. Give your customers a unique login, audit their access to check for abuse, offload as much grunt work onto your customers' machines, but keep your algorithms locked into the cloud.

carpenterjc
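
The arrangement the answer above describes, as an added example that is not part of the original answer: each customer holds a unique secret, every call is authenticated and written to an audit trail, and the algorithm runs only on the server. The class name, customer ID, secret, rate threshold and the `ProprietaryScore` stand-in are all assumptions, and the code targets .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical server-side gate: clients send inputs and get results, never the algorithm.
class LicensedService
{
    // Constructed sample data: one secret per customer, issued at purchase.
    readonly Dictionary<string, byte[]> keys = new Dictionary<string, byte[]> {
        ["cust-001"] = Encoding.UTF8.GetBytes("constructed-demo-secret-1"),
    };
    readonly List<(DateTime At, string Customer, bool Ok)> audit = new List<(DateTime, string, bool)>();
    const int MaxCallsPerMinute = 3; // assumed abuse threshold

    public static string Sign(byte[] key, string body)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    public string Handle(string customer, string body, string mac, DateTime now)
    {
        // Unknown customer or wrong MAC both fail; the compare is constant-time.
        bool authentic = keys.TryGetValue(customer, out var key) &&
            CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(Sign(key, body)), Encoding.UTF8.GetBytes(mac ?? ""));
        int recent = audit.Count(e => e.Customer == customer && e.Ok && (now - e.At).TotalSeconds < 60);
        bool allowed = authentic && recent < MaxCallsPerMinute;
        audit.Add((now, customer, allowed)); // every attempt is recorded
        if (!authentic) return "401 bad credentials";
        if (!allowed) return "429 unusual volume, flagged for review";
        return "200 " + ProprietaryScore(body);
    }

    // Stand-in for the private research; it exists only on the server.
    static int ProprietaryScore(string input) => input.Sum(c => c * 31 % 97);

    static void Main()
    {
        var svc = new LicensedService();
        var mac = Sign(Encoding.UTF8.GetBytes("constructed-demo-secret-1"), "sample input");
        var t = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(svc.Handle("cust-001", "sample input", "forged", t));
        for (int i = 1; i <= 5; i++) // three calls succeed, then the limit trips
            Console.WriteLine(svc.Handle("cust-001", "sample input", mac, t.AddSeconds(i)));
    }
}
```

The MAC here covers only the request body; a deployment would run this over TLS and bind a timestamp or nonce into the signed data so a captured request cannot be replayed.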