帮助我选择.net obfuscator程序? [英] Help me choose .net obfuscator program?
问题描述
我在vb.net 2008(使用.net 3.5)中编写了一个程序。这是一个体面的大小计划。这个程序的一部分是访问在线数据库和加密/解密文件。要访问db我使用硬编码的密码。为了加密/解密文件,我使用一个硬编码的密钥。无论我做什么,我都需要至少硬编码两个东西之一。例如:即使我在加密文件中存储数据库密码,我需要硬编码密钥来解密它。或相反亦然。
I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.
所以在做了一些思考后,我想我需要模糊我的代码,以便至少这些硬编码的元素/值不容易看到。为了测试,我使用了一个程序来反汇编我的程序。令我惊讶的是,它显示了我的程序中的每一行代码。我觉得好像我的整个代码粘贴在我的exe。
So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values wont be visible easily. Infact to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.
因此,我需要模糊我的代码。看到我不需要太高级的设置。我的程序不是最高的共享软件程序或超级流行,我需要非常高的安全性。但我需要足够的安全性,以便我的基本代码,变量和敏感信息(密码等)不可见。
Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.
请帮助我选择一个好的obfuscator, 。它不应该太繁琐,使用,应该对我足够。此外,它应该是可信和安全的。我的意思是,我不希望我的应用程序崩溃或不稳定后,我模糊它。
Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.
我从Ezriz下载了.net反应器的试用版,似乎很好。你们建议什么?我不能折扣超过$ 200的东西。所以这个产品值得去。你们知道得更好。
I have downloaded trial of .net reactor from Ezriz and it seems to be fine. What do you guys suggest? I cannot affort something over $200. So is this product worth going for. You guys know better.
感谢您的支持。
干杯,
Saurabh
Cheers, Saurabh
推荐答案
混淆无法解决这个问题。攻击者可以更改其 hosts 文件,将域名重定向到他控制的数据库。当您登录时,他将获得用户名/密码。
Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password.
另一个攻击是使用像 ollydbg 在内存中获取用户名/密码。在使用之前,用户名/密码必须是明文,攻击者将能够找到它。
Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.
安全通过耻辱永远不会工作。您将永远无法控制客户端。
Security Through Obscurity will never work. You will never be able to control the client.
一个更好的方法是设置一个SOAP(WCF)服务器来抽象数据库操作。构建查询的逻辑必须是服务器端。假设攻击者对您通过SOAP公开的任何功能拥有完全访问权限。
A better approach is to setup a a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.
这篇关于帮助我选择.net obfuscator程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
