1

I have project and I am in process of implementing licensing. I've decided to go with opensource library for it because I understand that no matter how much effort you put in protecting your app it can be hacked any way.

I was thinking about ways to hack it and now i see that basically since it is open source project it should be easy to avoid assertion of license. Hacker needs to download open source library and simply drop version where assert method do not validate anything.

So my question is what are the options to prevent loading of recompiled libraries. I want to load libraries which i used when i build my project.

Vova Bilyachat
  • 18,765
  • 4
  • 55
  • 80

2 Answers2

2

Easiest solution will be to sign your compiled DLL with your private key and then compile rest of the project against the signed DLL. This will ensure that when someone will replace DLL with different (or no signature) the application will fail to load. Unless you don't want to give others way to validate your DLL you don't need to have certificate from CA, you can just generate your own public/private key.

This thread discuss this topic in more detail (C#: why sign an assembly?) and this MSDN article deals with how to sign your DLLs.

shrpq
  • 467
  • 3
  • 8
  • 1
    Obviously one who can recompile disassembled code will not know about "skip verification" tool... – Alexei Levenkov Jan 01 '18 at 07:16
  • @AlexeiLevenkov not even disassembled. Download from git and compile. – Vova Bilyachat Jan 01 '18 at 07:52
  • and what about this ? https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element – Vova Bilyachat Jan 01 '18 at 07:56
  • Question was how to prevent attacker to throw in modified DLL so his code will not load it up instead of original. Windows has built-in facility for this for long, long time in Digital Signatures (https://msdn.microsoft.com/en-us/library/windows/desktop/aa381977(v=vs.85).aspx), signing the assemblies is just applying this technique in .NET world. Most of the worlds security relies on public/private key cryptography so I would say this approach is well proven to work and requires minimum effort. If you want to secure source code from reading there are different techniques (obfuscation). – shrpq Jan 01 '18 at 16:23
2

You can follow this strategy. When you compile the software Store the Dll hash inside your app (that's unreadable for hacker even through decompile). Compare it every time when your software run on client machine. If file hash doesn't match user has tempered the file.

Anirudha Gupta
  • 9,073
  • 9
  • 54
  • 79