Results 1 to 12 of 12

Thread: Obfuscating

  1. #1

    Thread Starter
    Frenzied Member vbgladiator's Avatar
    Join Date
    May 2001
    Posts
    1,950

    Obfuscating

    Hi,

    I use the dotfuscator for obfuscating my exe. (the version that comes with vs)
    when using encryption, I have the IV value and the Key value hard coded in the application. After obfuscating the application, it is still showing and only the method and property names are changed.
    Am I missing something or did I forget to set some setting?
    Or does that version of dotfuscator isn't good enough?
    Or maybe I cannot do that at all.

    Thanks,
    Don't anthropomorphize computers -- they hate it

  2. #2
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Obfuscating

    You obviously can't change the value of a key otherwise your encryption would not work.

    Obfuscating only re-names and possibly compresses some of your code to make it difficult for someone else to figure out. That's all. Your strings won't get renamed (else none of them would work).

    If you can't have an encryption key embedded into your application then you may want to re-think your design.
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  3. #3

    Thread Starter
    Frenzied Member vbgladiator's Avatar
    Join Date
    May 2001
    Posts
    1,950

    Re: Obfuscating

    In that case, I can use something like CodeVeil to scramble the MSIL header so that programs like Reflector cannot detect it, no?
    Don't anthropomorphize computers -- they hate it

  4. #4
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Obfuscating

    Quote Originally Posted by vbgladiator
    In that case, I can use something like CodeVeil to scramble the MSIL header so that programs like Reflector cannot detect it, no?
    Doesn't matter. Anyone would still be able to just grab the string. With .Net there isn't anything you can do because the Framework has to compile it on the user's system.

    Even if you manage to block the user from even opening the file in a text viewer, if you have it in a string a person can easily retreive it from the ram.

    Why do you need to hide the encryption key? What exactly are you doing? There may be a better way.
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  5. #5

    Thread Starter
    Frenzied Member vbgladiator's Avatar
    Join Date
    May 2001
    Posts
    1,950

    Re: Obfuscating

    I have licensing routines where I have to have the keys for encrypting.
    Don't anthropomorphize computers -- they hate it

  6. #6
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Obfuscating

    Quote Originally Posted by vbgladiator
    I have licensing routines where I have to have the keys for encrypting.
    Oh ok. Then that's not a big deal. Every application that has ever done a check on the user's computer gets easily cracked so if you must check it on the user's computer then no biggie if it gets cracks; they all do.

    Now, if you wanted, you could create a Web Service that your application uses to verify serial numbers against. This way no one would ever see your encryption keys. The only issue is a user has to be connected to the internet to do this.

    If you just want to try "hiddin" the encryption key then, perhaps you could build the encryption routines in C++ and compile it with the highest optimizations (which can make it a PITA to disassemble). Then call those from your application.
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  7. #7

    Thread Starter
    Frenzied Member vbgladiator's Avatar
    Join Date
    May 2001
    Posts
    1,950

    Re: Obfuscating

    Yeah, i thought so as well.
    Well, thanks for all the replies.
    Don't anthropomorphize computers -- they hate it

  8. #8
    PowerPoster Jenner's Avatar
    Join Date
    Jan 2008
    Location
    Mentor, OH
    Posts
    3,712

    Re: Obfuscating

    Check out this post. There are some links to using SecureStrings and the Key Management API. Once again, it'll stall a good hacker and maybe deter some of the ones who aren't all that serious about your program, but nothing is going to guarantee a program to be uncrackable.

    Eventually, it has to enter the computer's CPU unencrypted, and all good hackers know Assembly code like we know our native language.

  9. #9
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Obfuscating

    Quote Originally Posted by Jenner
    Check out this post. There are some links to using SecureStrings and the Key Management API.
    Unfortuantely SecureStrings and the DPAPI wouldn't do much good for this situation. Since the key has to be shipped with the application, it's already embedded as a string (you can't serialize SecureStrings I believe) and the DPAPI helps safe guard your data from others but the logged in user could still use / view it. Besides, the DPAPI would require the encryption key to be stored seperately.
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  10. #10
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: Obfuscating

    The full version of dotfuscator (the one that ships with VS is community edition) has added support for string encryption during the obfuscation process.

    The full version is rather expensive though, so it would really only make sense if this is a major concern for intellectual property.

  11. #11

    Thread Starter
    Frenzied Member vbgladiator's Avatar
    Join Date
    May 2001
    Posts
    1,950

    Re: Obfuscating

    Yeah, that's what I thought. I saw that option being disabled.
    Thanks,
    Don't anthropomorphize computers -- they hate it

  12. #12
    Fanatic Member
    Join Date
    Jul 2007
    Posts
    530

    Re: Obfuscating

    I Hated Vb.Net when I read it first time about Security !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width