如何防止反编译/开裂净EXE [英] How to protect .Net exe from Decompiling/Cracking
问题描述
我真的很伤心,过几天我们推出了我们的软件做的。Net 4.0(桌面应用程序),3天后其裂纹是在互联网上公布。我们试图保护软件从此但不知何故,人们逃走了咔吧。
下面是该方案: 当应用程序启动第一次与Web服务器进行通信,并检查由用户通过凭据。如果凭证是正确的,然后该软件保存的值在注册表和发送机号回服务器并存储在数据库中。
现在,黑客已经替换为服务器的通信返回true;声明。他已经上传到网上的破解软件。 (我检查与Telrik JustDecompile)。
现在,下面是我的问题:
1 - 如何确保.net应用程序将不会被破解?
2-黑客现在知道我的code,因为他已经做了修改。我应该采取什么措施?
3我看了互联网上的有关 - 模糊处理。但黑客知道我的code我应该怎么办?
4-任何其他PRO提示,我可以使用,以避免破解软件?
5,我不知道,但可以将这些反射器软件还反编译在app.config敏感数据?
1 - 如何确保.net应用程序将不会被破解?
如果一台计算机可以运行code +黑客可以在比你更高权限级别上运行自己的code,有什么可以100%prevent从您的应用程序被破解。即使他们只是有机会获得可执行文件,但没有目标平台,他们仍然可以通过步和模仿什么目标平台会做,并找出如何保护正在做。
2 - 黑客现在知道我的code,因为他已经做了修改。我应该采取什么措施?
完全重写的认证部分,使他们不得不从头开始,但他们将再次得到它,那是早晚的事情有多长。
3我看了互联网上的有关 - 模糊处理。但黑客知道Ç我应该怎么做我的$ C $?
在尤金妮是出了瓶子,现在他们有非混淆code。没有什么可以做,除非你彻底重新编写的软件,因此他们必须从头开始。一个obfuscateor不会prevent的攻击者,他们只能够prevent它是保持二进制从他们手中的事。
4-任何其他PRO提示,我可以使用,以避免软件破解?
唯一的复制保护我所看到的远程拖延任何时间就是育碧确实与刺客信条:兄弟会。他们加密疗法级别的游戏盘,它必须从互联网,因为它需要下载的解密密钥(这是保持双星明的手的方法)。但是,这并不会永远工作,最终的黑客确实得到这些解密的水平,它被完全破解。这种做法正是我看到才能让周围没有法律介入的最长的时间(见2点在底部)
5,我不知道,但可以将这些反射器软件还反编译在app.config敏感数据?
所有的反射器软件需要做的是寻找那些加载的App.config和读什么的默认值一节。还有的的没有的安全的地方来存储在计算机上没有完全的控制权。如果它是在计算机上的,它可以被读取。如果它可以被读取,也可以逆向工程
唯一真正的解决方案,我可以看到prevent盗版是两个选项之一。
-
这个人从来没有得到您的应用程序,它是从一台服务器的控制下,流媒体以及他们从来没有看到的二进制文件。你给他们的唯一的事情是,他们需要驱动用户界面的信息。这是方法,所有网络游戏的工作。人们可以逆向工程要发送到UI什么,模仿的逻辑是在您的服务器怎么回事,但他们将永远无法完全看到它在做什么,如果你的软件是很复杂,它可能不是feeseable为攻击者重新创建服务器端code。这样做的缺点的方法是,你需要到主机服务器的用户连接,这将是一个反复出现的成本,你需要一种方法来重新政变。通常这种方法是所谓的胖客户端或瘦客户端取决于多少处理完成客户端和多少处理完成服务器端。请参见第22章的 http://msdn.microsoft .COM / EN-US /库/ ff650706相对=nofollow>微软应用架构指南,第二版。特别是我描述什么是显示在图4和5
-
该seccond选项是谁,你卖你的软件,也有他们的签字不是分发软件(而不是最终用户许可协议,必须由客户端物理签订实际合同)的法律合同。在该合同有巨额罚款适用于谁泄露了软件的人,则谜语指纹是独一无二的谁买的软件,以便当程序被泄露,你可以看到谁做的人你的计划。 (这是厂商六角射线用于他们的分解装置 IDA 中的方法一个快速谷歌搜索无法露面任何破解版出现不到6.1,他们是在的 6.3 )。这种方法不会停止盗版,但它可能会阻止复制到摆在首位被泄露。这也可以让你找回一些与程序被泄露摆在首位相关失去了成本。一个问题是,你将需要投入大量的指纹,他们将需要是微妙的,如果一个攻击者可以得到程序的两个副本,并可以在两者之间比较的文件,他就能知道什么是识别信息而只是把任何他们想要的,使他们不能告诉谁,他们从得到它。要做到这一点的唯一方法是投入了大量的红鲱鱼的,可不仅仅是被剥离出来,或随机的,也使鉴定code非关键到运行该软件,如果他们没有工作破解它,他们更愿意把它留在
更新:重新审视这个答案链接到它的另外一个问题,我认为实施#2解决方案的一个简单的方法之后
所有你需要做的是通过obfuscateor运行code,让它重命名类每个人,你卖你的软件(我仍然让他们签署一份许可协议,而不仅仅是点击一个最终用户许可协议,所以你可以强制下一部分)。然后,使模糊映射的数据库,当你看到你只需要找到项目中的一个类随时随地在互联网上泄露的副本,看它在你的数据库,你就会知道是谁泄露它,知道你需要谁去后的法律赔偿。
I am really sad that a few days we launched our software made in .Net 4.0 (Desktop application) and after 3 days its crack is available on the internet. We tried to protect the software from this but somehow people got away cracking it.
Here is the scenario: When the application launches first time it communicates with the web server and checks the credentials passed by the user. If the credentials are correct then the software saves the values in the Registry and sends the MachineID back to the server and stores it in the database.
Now, the hacker has replaced the Server communication with a "return true;" statement. and he has uploaded the cracked software on the net. (I checked that with Telrik JustDecompile).
Now, following are my questions:
1- How to make sure that .Net application will not get cracked ?
2- The hacker now knows my code since he has done the modification. What steps should i take ?
3- I read on the internet about - obfuscators . But the hacker knows my code what should i do ?
4- Any other Pro tips that i can use to avoid getting the software cracked ?
5- I am not sure but can these reflector softwares also decompile the App.Config with sensitive data ?
1- How to make sure that .Net application will not get cracked ?
If a computer can run your code + The hacker can run his own code at a higher privilege level than you, there is nothing that can 100% prevent your app from being cracked. Even if they just have access to the executable but not the target platform they still can step through and mimic what the target platform would do and figure out how the protection is being done.
2- The hacker now knows my code since he has done the modification. What steps should i take ?
Totally rewrite the authentication portion so they have to start from scratch but they will get it again, it is just a matter of how long.
3- I read on the internet about - obfuscators . But the hacker knows my code what should i do ?
The jinni is out of the bottle now that they have the non-obfuscated code. There is not much you can do unless you drastically re-write the software so they have to start from scratch. A obfuscateor will not prevent a determined attacker, they only thing that can prevent it is keeping the binary out of their hands.
4- Any other Pro tips that i can use to avoid getting the software cracked ?
The only copy protection I have seen to remotely delay for any period of time is what Ubisoft did with Assassin's Creed: Brotherhood. They encrypted ther levels with the game disk and it had to download the decryption key from the internet as it was needed (This is the keeping the binary out of their hands approach). But that did not work forever, eventually the hackers did get those levels decrypted and it was fully cracked. This approach is just what I saw take the longest time to get around without legal involvement (See point 2 at the bottom)
5- I am not sure but can these reflector softwares also decompile the App.Config with sensitive data ?
All the reflector software needs to do is look for the section that loads App.config and read what the defaults are. There is no secure place to store information on a computer you do not have full control over. If it is on the computer, it can be read. If it can be read, it can be reverse engineered.
The only real solution I can see to prevent piracy is one of two options.
The person never gets your app, it is streamed from a server under your control and they never get to see the binary. The only thing you send them is the information they need to drive the UI. This is the approach that all MMO's work on. People can reverse engineer what you are sending to the UI and mimic the logic that is going on on your servers but they will never be able to outright see what it is doing and if your software is complex enough it may not be feeseable for the attacker to recreate the server side code. The downside to this approach is you will need to host servers for your users to connect to, this will be a reoccurring cost you will need a way to re-coup. Often this method is called a "Rich Client" or "Thin Client" depending on how much processing is done client side and how much processing is done server side. See Chapter 22 of "Microsoft Application Architecture Guide, 2nd Edition". Specifically I am describing what is shown in figure 4 and 5
The seccond option is whoever you sell your software too have them sign a legal contract not to distribute the software (not a EULA, a actual contract that must be physically signed by the client). In that contract have large fines be applied to the person who leaks the software, then riddle your program with fingerprints that are unique to the person who buys the software so that when the program is leaked you can see who did it. (This is the method the vendor Hex-Rays use for their disassembler IDA. A quick google search could not turn up any cracked versions newer than 6.1, they are on 6.3). This method will not stop piracy, but it may discourage the copy to be leaked in the first place. This also lets you recover some lost costs associated with the program being leaked in the first place. One issue is that you will need to put a lot of fingerprints and they will need to be subtle, if a attacker can get two copies of the program and can compare the files between the two he will be able to tell what is the identifying information and just put whatever they want in so they can't tell who they got it from. The only way to do this is put a lot of red-herrings in that can't just be stripped out or randomized, also make the identifying code non-critical to running the software, if they don't have to work to crack it they are more likely to leave it in.
Update: After revisiting this answer to link to it for another question I thought of a easy way of implementing the #2 solution.
All you need to do is run your code through an obfuscateor and let it rename your classes for every person you sell your software to (I would still make them sign a license agreement, not just click a EULA so you can enforce the next part). You then make a database of the obfuscation mapping, when you see a leaked copy on the internet you just need to find one class anywhere in the project, look it up in your database, and you will know who leaked it and know who you need to go after for legal damages.
这篇关于如何防止反编译/开裂净EXE的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
