TheSwamp

Code Red => .NET => Topic started by: Augusto on August 05, 2020, 08:45:00 AM

Title: How do you deal with reverse engineering in .NET?
Post by: Augusto on August 05, 2020, 08:45:00 AM
Hello guys!
I hope everything is fine with you and your families.

I don't have much to say in this post, as the title says it all.

It seems a little frustrating that programs written in C # or VB.net are easily decompiled.

How do you feel about this issue and how do you try to inhibit this type of action?
Could you tell me about your experiences?

Cheers,

Augusto
Title: Re: How do you deal with reverse engineering in .NET?
Post by: John Kaul (Se7en) on August 05, 2020, 09:14:11 AM
I assume you are referring to programs that you sell.
I don't write in .NET but I would take the stance that if a person was willing to pay for the application then the odds are they wouldn't really want--or care--to decompile if they needed it fixed; they would send an email instead. Of course you could get a competitor buying and decompiling your program but I think you'd have to take your chances.

If your talking about programs that you do not sell.
Release the source code on a code hosting site and get collaborators.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: zero.half on August 05, 2020, 10:46:25 AM
You can try with obfuscation, chances are this can make reverse engineering not worth the effort.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: John Kaul (Se7en) on August 05, 2020, 11:36:50 AM
And impossible to maintain.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 05, 2020, 12:21:44 PM
I don't worry about it. Even programs written in straight up C++ are able to be reverse engineered.

I've had the dubious task of reverse engineering lots of software and the bottom line is that if the computer can understand what it is supposed to do, then a human can reconstitute it into understandable code.

I use .NET because of the ease of development (arguably C++ or any other language could have the same thing said about them)

Decompilers don't reconstitute code as it is written, rather they reconsitute code as it is executed. Meaning that your "switch" may be reconstituted as a series of "if" or vice versa depending upon how the compiler and decompiler interpreted the machine code. That is only an example, but I think you get the meaning.

With obfuscation, the code is still readable, but you will have to actually figure out what each thing is and does. Not terribly difficult for a seasoned programmer.

With compiled binaries, reverse engineering generally generally has two forms. One where they reverse engineer the code to make changes to the program for whatever reason, and another where they simply identify the single point of failure, usually a registration schemata, where the application returns true or false for the registration status. The latter is quite simple to accomplish and is not easily prevented. The first one requires someone who is familiar with assembler and can readily convert it to an upper level language, or software to do it. Those people and software exists. There is no getting beyond that.

Bottom line, if you are worried about someone stealing your program, then you are probably going to be worried about someone stealing your program. If you are worried about your prospective clients reverse engineering it and using it, you probably aren't charging them enough money. After all, the money in software isn't what you have in development and production costs, it's what value the product brings to the end user.

It's why I am now selling an AutoCAD addon product for $900 per seat now, when the initial company who owned it was selling it for $30 per seat. They did not see the value in it and the clients didn't see the value in it. And it's all written in .NET.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: huiz on August 05, 2020, 03:10:49 PM
If those stealing programmers are able to create a running program out of obfuscated code, they are also good enough to rebuild your idea from scratch, and make it probably better.


The best way is to be the first with a great idea and create a huge user base. Even if others copy your idea you still are market leader.




And a little obfuscating will help calm your mood.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 05, 2020, 03:51:34 PM
If those stealing programmers are able to create a running program out of obfuscated code, they are also good enough to rebuild your idea from scratch, and make it probably better.


The best way is to be the first with a great idea and create a huge user base. Even if others copy your idea you still are market leader.




And a little obfuscating will help calm your mood.
All true, but sometimes time is more important. I was contacted by a company that had an internally developed comprehensive application. It would have taken me several months to rewrite from scratch and make it work like it should. Their developer died and for whatever reason they had access to only part of the code. The developer also obfuscated.

I reconstituted the code in C# in a couple of hours, manually unobfuscated the code, ported it into new VS projects, documented everything, made their required changes and provided them updated binaries and complete source code that they could continue to update in-house, all within a couple of weeks.

I was paid quite well for the service. I could have rewritten it and probably would have charged them less money, but they didn't have time to waste. When you have multi-million dollar contracts on the line, you do what is necessary.

I still do the occasional project for them from time to time.

Speaking of which. I'm just about done with a project I've been working on solo for nearly 4 years. Yes, a project, in development for 4 years. Close to 2m lines of code. Finishing up beta testing and now to deploy. I'm hoping this is my huge payday!
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Atook on August 05, 2020, 10:24:10 PM
Speaking of which. I'm just about done with a project I've been working on solo for nearly 4 years. Yes, a project, in development for 4 years. Close to 2m lines of code. Finishing up beta testing and now to deploy. I'm hoping this is my huge payday!

That's great, congrats Keith!
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 06, 2020, 04:03:50 PM
Speaking of which. I'm just about done with a project I've been working on solo for nearly 4 years. Yes, a project, in development for 4 years. Close to 2m lines of code. Finishing up beta testing and now to deploy. I'm hoping this is my huge payday!

That's great, congrats Keith!

Thanks!

I am currently waiting on the website to be finished and then it will be game-on!
With a 2% US market share (I've got that many pre-orders) I can probably spend more time doing things I want to do. Regardless, it won't be chump change.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: John Kaul (Se7en) on August 06, 2020, 04:04:56 PM
Let me know when you're hiring. :)
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 06, 2020, 04:20:29 PM
Let me know when you're hiring. :)

I've considered it provided the income stream actually pans out
Title: Re: How do you deal with reverse engineering in .NET?
Post by: CADbloke on August 08, 2020, 11:46:05 PM
Keith - awsome news! Congrats! I'd ask for a job too but I'm a fair way in the queue behind John, eh. I'm excited for you, well done.

Augusto: don't waste your time defending your code from people who would never ever pay for it anyway, especially at the probable expense of your customers (unpredictable weird problems), support (garbage stacktraces) and your productivity (you have better things to do). I have had to reverse-engineer obfuscated code before and it is ridiculously easy, I'm talking drag-drop onto de4dot, run JustDecompile on that executable and edit the code for an hour or 2 easy. All an obfuscator buys you is scrambled names for some of the things. More at https://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering

Just make it easy for your customers to comply and pay you, and encourage them to do so. Use some kind of licensing (see https://www.theswamp.org/index.php?topic=50609). I sell a .NET app for $3.3k and I don't have a piracy problem, well apart from the odd rogue in China but meh. Sell to businesses, they don't steal stuff (as much). They also don't want the malware that comes with pirated software.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: dgorsman on August 09, 2020, 12:58:02 PM
Let me know when you're hiring. :)

Sounds like something for the new job board.   ;-)
Title: Re: How do you deal with reverse engineering in .NET?
Post by: MP on August 09, 2020, 05:04:35 PM
I’d say wow but I’m not surprised. You’ve always been ambitious and industrious, be it authoring solutions or upgrading properties for re-sale. Wishing you enduring "beyond expectation" success and financial freedom Keith. Cheers.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: MP on August 09, 2020, 05:25:32 PM
I'm just about done with a project I've been working on solo for nearly 4 years. Yes, a project, in development for 4 years. Close to 2m lines of code.

{blink}

2m lines / 48 months / 160 hours / 60 min ~ 4 lines code per minute = working from non trivial existing code base and/or use of many third party code libraries. Amiright? Does not diminish visioneering, architecting or applied expertise, just an observation / musing out loud.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 10, 2020, 01:15:07 PM
I'm just about done with a project I've been working on solo for nearly 4 years. Yes, a project, in development for 4 years. Close to 2m lines of code.

{blink}

2m lines / 48 months / 160 hours / 60 min ~ 4 lines code per minute = working from non trivial existing code base and/or use of many third party code libraries. Amiright? Does not diminish visioneering, architecting or applied expertise, just an observation / musing out loud.

To be fair, I've worked a whole lot more than 160 hours per month. Some months was significantly more. For a while the normal day was 18-20 hours but after a few months production wasn't on my side. Too much re-work because of exhaustion. Excitement when a project is new :-)

Also keep in mind that much of the code (maybe 40%) was able to be ported from an earlier project maybe 10 years old or so. Some modules required significant rewrite while some required almost nothing.

AND
Code - C#: [Select]
  1. { // sometimes this is a line of code
  2. } // as is this

There are a few third party libraries that needed to be tweaked (not rewritten) and some of my own libraries that didn't require anything other than:
Code - C#: [Select]
  1. using somelibrary;

Even still, I rebuild them before testing just to make sure I have the latest references.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: MP on August 11, 2020, 06:06:04 PM
To be fair, I've worked a whole lot more than 160 hours per month. Some months was significantly more. For a while the normal day was 18-20 hours but after a few months production wasn't on my side. Too much re-work because of exhaustion. Excitement when a project is new :-)

Can easily see that.

Also keep in mind that much of the code (maybe 40%) was able to be ported from an earlier project maybe 10 years old or so. Some modules required significant rewrite while some required almost nothing.

Ditto previous comment + previous post.

AND
Code - C#: [Select]
  1. { // sometimes this is a line of code
  2. } // as is this

Counts as legit code to me.

There are a few third party libraries that needed to be tweaked (not rewritten) and some of my own libraries that didn't require anything other than:
Code - C#: [Select]
  1. using somelibrary;

Even still, I rebuild them before testing just to make sure I have the latest references.

{nodding}

At peaks in my current assignment (solely a coder until about 2 weeks ago) I've reached ridiculous peak coding rates of just over a line per minute (11K lines month, 37.5 hour work weeks), noting (1) 80/20 LISP/VBA, both which I've leveraged for decades so rare need for help / google (2) the majority of the work was highly enjoyable - I was inspired - or there were stupid deadlines (3) can't rule out some copy / paste tho every solution was written leveraging existing libraries I wrote or by adding to said libraries (4) buckets of coffee.

Title: Re: How do you deal with reverse engineering in .NET?
Post by: Keith™ on August 12, 2020, 12:35:51 AM
A kindred spirit ...
and here it is midnight, swapping libraries (I hate that I have to support some legacy data, but it pays well), editing some code and rebuilding binaries for anther version.

One of my beta testers sent a few data files to me today that couldn't be loaded ... whoda thunk there was a huge difference between 9 and 11

Oh and a "feature" requested by the testers included a notification of the record total prior to processing. They got that, but in the meantime, I broke the code ... :-/

and finally
Code - C#: [Select]
  1. ft ^= filetype.ID; //damnit I hate when they add filetypes and I don't filter them out ... at least it's only a few lines
Title: Re: How do you deal with reverse engineering in .NET?
Post by: abwenZ on September 10, 2020, 09:47:59 PM
...
Decompilers don't reconstitute code as it is written, rather they reconsitute code as it is executed. Meaning that your "switch" may be reconstituted as a series of "if" or vice versa depending upon how the compiler and decompiler interpreted the machine code. That is only an example, but I think you get the meaning.
...

You're wrong. That's what disassemblers are.

A decompiler and a disassembler are different tools, obviously the decompilers do not rebuild native code (you know IDA or a similar tool?), but they are capable of reconstructing the disassembled code of a .NET or Java app/dll

Tools for static analysis:

Native (and more):
Ghidra: https://www.nsa.gov/resources/everyone/ghidra/
IDA  (not free): https://www.hex-rays.com/products/ida/

For .NET: https://github.com/0xd4d

For Java (not free) http://neshkov.com/dj.html

the latter is an app (native code) that is "protected" with Themida, but...


Title: Re: How do you deal with reverse engineering in .NET?
Post by: Augusto on December 17, 2020, 08:09:52 AM
Hello guys!

I would like to respond individually to everyone who had the time to respond to this topic, but unfortunately I believe I have missed the timing of the discussion. I hope this topic is useful for other people just as it was for me. That said, I thank everyone who contributed and who willingly shared their knowledge.

I wish you and your family a great end of year and that the year 2021 is full of health, prosperity and freedom.

Best regards,

Augusto.
Title: Re: How do you deal with reverse engineering in .NET?
Post by: nobody on December 17, 2020, 11:35:46 AM
Thanks Augusto. You to. As far as reverse engineering we can't stop people but that's no reason to make it easy (in my humble opinion)