|
-
Feb 8th, 2008, 10:37 AM
#1
Thread Starter
Frenzied Member
Obfuscating
Hi,
I use the dotfuscator for obfuscating my exe. (the version that comes with vs)
when using encryption, I have the IV value and the Key value hard coded in the application. After obfuscating the application, it is still showing and only the method and property names are changed.
Am I missing something or did I forget to set some setting?
Or does that version of dotfuscator isn't good enough?
Or maybe I cannot do that at all.
Thanks,
Don't anthropomorphize computers -- they hate it
-
Feb 8th, 2008, 11:08 AM
#2
Re: Obfuscating
You obviously can't change the value of a key otherwise your encryption would not work.
Obfuscating only re-names and possibly compresses some of your code to make it difficult for someone else to figure out. That's all. Your strings won't get renamed (else none of them would work).
If you can't have an encryption key embedded into your application then you may want to re-think your design.
-
Feb 8th, 2008, 11:35 AM
#3
Thread Starter
Frenzied Member
Re: Obfuscating
In that case, I can use something like CodeVeil to scramble the MSIL header so that programs like Reflector cannot detect it, no?
Don't anthropomorphize computers -- they hate it
-
Feb 8th, 2008, 12:02 PM
#4
Re: Obfuscating
 Originally Posted by vbgladiator
In that case, I can use something like CodeVeil to scramble the MSIL header so that programs like Reflector cannot detect it, no?
Doesn't matter. Anyone would still be able to just grab the string. With .Net there isn't anything you can do because the Framework has to compile it on the user's system.
Even if you manage to block the user from even opening the file in a text viewer, if you have it in a string a person can easily retreive it from the ram.
Why do you need to hide the encryption key? What exactly are you doing? There may be a better way.
-
Feb 8th, 2008, 12:05 PM
#5
Thread Starter
Frenzied Member
Re: Obfuscating
I have licensing routines where I have to have the keys for encrypting.
Don't anthropomorphize computers -- they hate it
-
Feb 8th, 2008, 12:25 PM
#6
Re: Obfuscating
 Originally Posted by vbgladiator
I have licensing routines where I have to have the keys for encrypting.
Oh ok. Then that's not a big deal. Every application that has ever done a check on the user's computer gets easily cracked so if you must check it on the user's computer then no biggie if it gets cracks; they all do.
Now, if you wanted, you could create a Web Service that your application uses to verify serial numbers against. This way no one would ever see your encryption keys. The only issue is a user has to be connected to the internet to do this.
If you just want to try "hiddin" the encryption key then, perhaps you could build the encryption routines in C++ and compile it with the highest optimizations (which can make it a PITA to disassemble). Then call those from your application.
-
Feb 8th, 2008, 12:28 PM
#7
Thread Starter
Frenzied Member
Re: Obfuscating
Yeah, i thought so as well.
Well, thanks for all the replies.
Don't anthropomorphize computers -- they hate it
-
Feb 8th, 2008, 12:31 PM
#8
Re: Obfuscating
Check out this post. There are some links to using SecureStrings and the Key Management API. Once again, it'll stall a good hacker and maybe deter some of the ones who aren't all that serious about your program, but nothing is going to guarantee a program to be uncrackable.
Eventually, it has to enter the computer's CPU unencrypted, and all good hackers know Assembly code like we know our native language.
-
Feb 8th, 2008, 12:36 PM
#9
Re: Obfuscating
 Originally Posted by Jenner
Unfortuantely SecureStrings and the DPAPI wouldn't do much good for this situation. Since the key has to be shipped with the application, it's already embedded as a string (you can't serialize SecureStrings I believe) and the DPAPI helps safe guard your data from others but the logged in user could still use / view it. Besides, the DPAPI would require the encryption key to be stored seperately.
-
Feb 8th, 2008, 01:19 PM
#10
Re: Obfuscating
The full version of dotfuscator (the one that ships with VS is community edition) has added support for string encryption during the obfuscation process.
The full version is rather expensive though, so it would really only make sense if this is a major concern for intellectual property.
-
Feb 8th, 2008, 05:38 PM
#11
Thread Starter
Frenzied Member
Re: Obfuscating
Yeah, that's what I thought. I saw that option being disabled.
Thanks,
Don't anthropomorphize computers -- they hate it
-
Feb 8th, 2008, 05:57 PM
#12
Fanatic Member
Re: Obfuscating
I Hated Vb.Net when I read it first time about Security !
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|