2

I am currently working on an application developed in C#. We are looking for ways to secure our app. I know that preventing decompilation is almost impossible but I want to know if there are ways to prevent recompilation.

I mean if someone decompiles my app, changes the source code (for example to skip the if statement where the license is checked) and then recompiles it, he's winning. Are there ways to avoid that recompilation?

Jonathan Leffler
sa.l_dev
  • 2
    You can sign your assemblies! http://stackoverflow.com/questions/3975723/c-why-sign-an-assembly – Callum Linington Jul 20 '16 at 07:56
  • 1
    Don't give the compiled code to the attacker (E.g. run the code only on machines that you control. If necessary, expose *functionality* via appropriate remote access techniques (HTTP, RPC, etc)) – Damien_The_Unbeliever Jul 20 '16 at 08:02
  • 5
    @CallumLinington - signing does nothing useful here. The attacker can simply choose to recompile the code and not sign it at all. – Damien_The_Unbeliever Jul 20 '16 at 08:04
  • The application which I am talking about is software that we sell so the attacker could get the software @Damien_The_Unbeliever – sa.l_dev Jul 20 '16 at 08:09
  • Reverse engineering is impossible to prevent, and you can only raise the bar a little bit higher by using obfuscation, digital signature, as well as ahead of time compilation. Each of them can help in some aspects. – Lex Li Jul 20 '16 at 12:31

2 Answers

1

You can't really prevent recompilation since in the end it is all IL, and that can be reverse engineered quite easily.

However, some obfuscation tools use property and field names that are not valid in C#, meaning that recompiling your code is hell. First all those issues have to be resolved, which I have tried to do for one of our own obfuscated assemblies as a test: I stopped trying after a few hours, which shows it was pretty effective.

Also, obfuscation tools will scramble your code in such a way that it is hard to understand what is actually happening, so that would make finding and understanding the license system very hard.

Patrick Hofman
1

In practice if you are going to distribute your (compiled) code you can't do anything (useful) about de/re-compiling. You will end up spending a lot of time / money on "preventing" it just to find out it couldn't be done anyways.

Large companies spend a significant amount of money to prevent this (for example Adobe) and their products still get cracked.

You can try obfuscation like Patrick suggested, but this would just add a little obstacle for crackers but really mess up your stack traces. You will be forced to store and manage mapping files to decode (release version) stack traces.

wischi
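
The mapping-file upkeep mentioned in the last answer, as an added example that is not part of the original thread or of any obfuscator's own tooling: a small decoder that restores names in a release-build stack trace from a map archived per build. The map layout, build id, type names and sample trace are constructed assumptions; real obfuscators emit their own map formats.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class StackTraceDecoder
{
    // Constructed sample: one name map per released build, keyed by build id.
    // In practice each map would be loaded from the file the obfuscator wrote for that build.
    static readonly Dictionary<string, Dictionary<string, string>> MapsByBuild =
        new Dictionary<string, Dictionary<string, string>>
        {
            ["1.4.2"] = new Dictionary<string, string>
            {
                ["a.b.c"] = "Licensing.LicenseValidator.CheckSignature",
                ["a.d.e"] = "App.Startup.Run",
            },
        };

    // Group 1 is the "   at " prefix of a frame, group 2 the dotted type.method name.
    static readonly Regex Frame = new Regex(@"^(\s*at )([^\s(]+)", RegexOptions.Multiline);

    public static string Decode(string buildId, string trace)
    {
        // A trace can only be decoded with the map of the exact build that produced it.
        if (!MapsByBuild.TryGetValue(buildId, out var map))
            throw new KeyNotFoundException("No mapping archived for build " + buildId);

        // Names missing from the map (framework frames, unobfuscated code) pass through unchanged.
        return Frame.Replace(trace, m =>
            m.Groups[1].Value +
            (map.TryGetValue(m.Groups[2].Value, out var original) ? original : m.Groups[2].Value));
    }

    static void Main()
    {
        // Constructed stack trace as it might appear in a crash report from an obfuscated build.
        string trace =
            "System.FormatException: Input string was not in a correct format.\n" +
            "   at a.b.c(String x)\n" +
            "   at a.d.e()\n" +
            "   at System.Threading.Tasks.Task.Execute()";

        Console.WriteLine(Decode("1.4.2", trace));
    }
}
```

Because the obfuscated names can change from one build to the next, losing the map for a shipped version leaves its crash reports unreadable.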