
I want to protect my .dlls from reverse engineering.

My scenario:

I have an ASP.NET website, and I have already hosted that website on the client's server (IIS). Now I set some XYZ date in my system. The system should work until that date. Once that date becomes the current date, the user will get a popup message "your licence is expired. Please contact to Vendor."

Now the client comes to me, asks to renew the licence and pays me some amount. I will generate a new date as an encrypted string. I will just give that encrypted string to the client. The client will insert that encrypted string into the system, and that encrypted date will be stored in the ABC table in the database.

Now some technical client tries to update that encrypted date in the ABC table in the database by decompiling or reverse-engineering, and they will get the string token key which we used for the encrypt/decrypt logic, and also get the encrypt/decrypt function from my .dll.

Now they can easily generate a new date in encrypted form and update it in the table in the database.

Can someone please help with that? How can I prevent this?

JJJ
prog1011
  • Why the downvote? Please comment. – prog1011 Mar 27 '17 at 05:29
  • Do you know obfuscation? – Second Person Shooter Mar 27 '17 at 05:31
  • You can't prevent it. – JJJ Mar 27 '17 at 05:32
  • For the specific case of encryption you can use, for example, https://en.wikipedia.org/wiki/Public-key_cryptography so your app will decrypt using the public key, and you can encrypt on your side only – Lanorkin Mar 27 '17 at 05:32
  • I've never really thought about all the issues and complexity of that but getting your own licensing mechanism up and running is not an easy task at all, especially bullet proofing it. I would try another approach where you host a service that validates the license key and user has to make a successful call before he can use your code. – Etienne Mar 27 '17 at 05:33
  • If your code is running on their machine, it's not possible. The only way you can reasonably protect your IP is via the legal system. – Rob Mar 27 '17 at 05:35
  • http://stackoverflow.com/questions/20676008/where-can-i-store-and-manage-application-license-information – Etienne Mar 27 '17 at 05:36
  • You can't make it 100% secure, but you can try to make it much harder for your clients. I use the tool ConfuserEx for that. It is open source and free. You can find it here: http://yck1509.github.io/ConfuserEx/ This just makes your code unreadable, but it is still working after you have compiled it (you import the DLLs). – Larce Mar 27 '17 at 05:44
  • @Lanorkin Please actually read that article that you linked to. Decryption is done with the private key. Besides, adding any key to client side code would result in the client being able to decrypt anything anytime. – Artjom B. Mar 27 '17 at 05:49
  • @ArtjomB. Not sure you understand the idea. `This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.` Here it looks like OP needs just the first one - the app needs to ensure that the license date in the db is valid – Lanorkin Mar 27 '17 at 05:53
  • @Lanorkin So, you think that OP only needs to verify a signature and not encrypt anything (terminology is important). A signature doesn't protect against reverse-engineering, because the actual data that is signed will be unencrypted. – Artjom B. Mar 27 '17 at 06:01
  • @ArtjomB. Yes, I read the case this way. – Lanorkin Mar 27 '17 at 06:05
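
The signature approach Lanorkin describes in the comments, as an added C# example that is not part of the original thread: the vendor signs the expiry date with a private key, and the application verifies it with an embedded public key. The token format, class and method names are assumptions of this sketch, the key pair is generated in place for the demo, and `RSA.Create(2048)` assumes .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Vendor side only: sign the expiry date with the private key.
    // Assumed token format: "yyyy-MM-dd.<base64 signature>"
    static string Issue(RSA vendorKey, DateTime expiry)
    {
        string date = expiry.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture);
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(date),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return date + "." + Convert.ToBase64String(sig);
    }

    // Application side: only the public key ships in the .dll.
    static bool TryValidate(RSA publicKey, string token, DateTime today, out DateTime expiry)
    {
        expiry = default(DateTime);
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        // Verify the signature before trusting the date it covers.
        if (!publicKey.VerifyData(Encoding.UTF8.GetBytes(parts[0]), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return false;
        if (!DateTime.TryParseExact(parts[0], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.None, out expiry)) return false;
        return today.Date <= expiry;
    }

    static void Main()
    {
        using (RSA vendor = RSA.Create(2048))   // constructed demo key pair
        using (RSA app = RSA.Create())
        {
            app.ImportParameters(vendor.ExportParameters(false)); // public half only
            DateTime exp, today = new DateTime(2029, 6, 1);       // constructed dates
            string token = Issue(vendor, new DateTime(2030, 1, 1));
            // Date edited in the ABC table while the old signature is kept.
            string edited = "2099-01-01" + token.Substring(token.IndexOf('.'));
            Console.WriteLine("valid token:  " + TryValidate(app, token, today, out exp));
            Console.WriteLine("edited date:  " + TryValidate(app, edited, today, out exp));
            Console.WriteLine("after expiry: " + TryValidate(app, token, today.AddYears(1), out exp));
        }
    }
}
```

Extracting the public key from the .dll does not let a client produce a signature for a new date. The check still runs on the client's server, so it can be patched out of the assembly, which is the limit Rob and Artjom B. point to in the comments.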

0 Answers