Encrypting a .Net application and assemblies

Problem description

I have an encryption/copy protection question.

I'm writing an application for a company that uses a dongle. Please don't tell me that software protection is useless, or that I should just let it fly free into the air, or that any time I spend doing this is a waste; this isn't a philosophical question about the validity of software protection, more like a how-to.

As I understand it, the first step in cracking a dongle-protected piece of software is to remove all the calls to the dongle from the code (i.e., patch the executable). Also as I understand it, I can create 'strong names' in .NET in order to protect the application and the assembly, as explained in this MSDN article.

Is strong naming enough to ensure that my application can't be easily patched? Or do I need to use some sort of encryption library? If I need to use a library, which one, or where can I get information about setting this up?

The next step, of course, is to put important algorithms on the dongle. I realize that these are just speed bumps to the dedicated cracker, but as our market share grows, the speed bump will help us get to the point where the sting of piracy is not so keenly felt (I hope).

Thanks!

Recommended answer

Assembly strong naming was never designed to protect against an attacker who is in control of the machine. From the MSDN entry on delay signing:

The following example turns off verification for an assembly called myAssembly.dll.

sn -Vr myAssembly.dll

The design goal of strong names is to provide name uniqueness and to protect the user (not the publisher) against an attacker. If the user wants to disable all strong name checks, or maybe even strip out your signature and re-sign the assembly with his own key then there is technically speaking nothing to prevent him from doing so.

Simply loading your assemblies from an encrypted file is also not very useful because the decryption code itself cannot be encrypted and is therefore an easy target for reverse engineering.

As mentioned by other posters, what you are looking for is obfuscation. You probably already have such a tool: Visual Studio (at least 2005 and 2008) comes with the community edition of PreEmptive Solutions’ Dotfuscator. Microsoft also has its own "Software Licensing and Protection Services" product.

Obfuscation has some technical disadvantages however:

  • it may complicate your build process. You need an unobfuscated and an obfuscated build, because the latter is not debuggable.
  • I like to have an error dialog for unexpected exceptions where the user can click "copy details" and send me a mail with some technical information including the stack trace. With obfuscation however, you can forget about getting anything useful from Exception.StackTrace.
  • if your code makes use of reflection then there is a good chance that things will break in the obfuscated build, because internal type and member names are not preserved.
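
The reflection problem from the last bullet, as an added C# example that is not part of the original answer: a type located by a string name stops resolving once an obfuscator renames it, while a type marked with System.Reflection.ObfuscationAttribute keeps its name. The namespace and type names are hypothetical, and the example assumes the obfuscator in use honors that attribute.

```csharp
using System;
using System.Reflection;

namespace Demo.Plugins   // hypothetical namespace for this example
{
    // Fragile: found only through a string, so a renaming obfuscator breaks the lookup.
    internal class CsvExporter
    {
        public string Run() { return "csv"; }
    }

    // Hardened: asks the obfuscator to leave this type and its member names alone.
    // Assumption: the obfuscator honors System.Reflection.ObfuscationAttribute.
    [Obfuscation(Exclude = true, ApplyToMembers = true)]
    internal class XmlExporter
    {
        public string Run() { return "xml"; }
    }

    internal static class Program
    {
        // Resolves a type by name and invokes Run(). Returns null instead of throwing,
        // so the caller can report a clear error when renaming has removed the name.
        private static string InvokeByName(string typeName)
        {
            Type t = typeof(Program).Assembly.GetType(typeName, false);
            if (t == null) return null;
            MethodInfo m = t.GetMethod("Run");
            if (m == null) return null;
            return (string)m.Invoke(Activator.CreateInstance(t, true), null);
        }

        private static void Main()
        {
            // String literals survive renaming unchanged; the types they name may not.
            Console.WriteLine(InvokeByName("Demo.Plugins.CsvExporter") ?? "CsvExporter: not found");
            Console.WriteLine(InvokeByName("Demo.Plugins.XmlExporter") ?? "XmlExporter: not found");

            // typeof() compiles to a metadata reference, not a string, so it follows the rename.
            object viaToken = Activator.CreateInstance(typeof(CsvExporter), true);
            Console.WriteLine(((CsvExporter)viaToken).Run());
        }
    }
}
```

Running this against both the unobfuscated and the obfuscated build shows which string-based lookups need an exclusion before release.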
