您使用什么来保护您的 .NET 代码免遭逆向工程?

发布于 2024-07-05 07:14:56 字数 200 浏览 12 评论 0原文

有一段时间我们使用一个名为 CodeVeil 的工具。 我只是想知道是否有更好的选择。

编辑:在更多人误解这个问题之前,我知道坚定的破解者可能能够击败这些工具中的任何一个。 不过我不太关心他们。 这些工具只是为了阻止“休闲破解者”,并阻止人们窃取我们公司的知识产权。 如果他们足够好,能够通过一个像样的工具,他们可能对窃取我们的蹩脚代码不感兴趣:-P

For a while we were using a tool called CodeVeil. I'm just wondering if there are better alternatives out there.

Edit: Before more people misunderstand the question, I'm aware that a determined cracker would probably be able to defeat any of these tools. I'm not too concerned about them though. These tools are just meant to stop the "casual cracker", and to stop people from stealing our company's IP. If they're good enough to get past a decent tool, they probably aren't interested in stealing our crappy code :-P

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

不知在何时 2024-07-12 07:14:56

有几种流行的混淆工具,包括 Dotfuscation,它有一个随 Visual Studio 2005 和 2008 一起提供的“轻型”版本。它们有一个 Pro 版本,它不仅仅可以重命名变量和函数名称。 然而,代码仍然是可见的,它只是被打乱了一点,使其更难以阅读和理解软件的逻辑流程。

另一种技术是使用其他程序来加密该程序,并在运行时对其进行解密。 然而,这也不是一个完美的解决方案。 事实上,据我所知,如果投入足够的时间和精力,没有任何完美的解决方案可以阻止坚定的工程师对软件进行逆向工程。

真正归结为确定保护级别,使其难以阻止普通黑客,并使逆向工程尽可能昂贵,因此至少逆向工程会在时间或成本方面付出代价。金钱,或者理想情况下,两者兼而有之。 逆向工程成本越高,愿意付出努力的人就越少。 这就是混淆的重点。

有些人认为使用像 C++ 编译器这样的编译器可以编译为本机代码可以防止这种逆向工程,但事实并非如此。 一个好的反汇编程序甚至可以对纯二进制可执行文件进行逆向工程,因此,完美的解决方案并不存在。 如果计算机可以读取并执行它,那么计算机正在使用的内存就可以被扫描和跟踪,从而绕过所有加密、混淆或任何其他防止代码落入坚定工程师之手的尝试。

There are several popular tools for obfuscation, including Dotfuscation, which has a "light" version that ships with Visual Studio 2005 and 2008. They have a Pro version that does more than just variable and function name renaming. However, the code is still viewable, it is just scrambled a bit to make it harder to read and grok the logic flow of the software.

Another technique is to use other programs that will encrypt the program, and decrypt it at runtime. However, this is not a perfect solution either. In fact, there is no perfect solution that I am aware of that will prevent a determined engineer from reverse engineering the software, if enough time and effort is applied to it.

What it really comes down to is determining the level of protection that will make it sufficiently difficult to dissuade the casual hacker, and make it as expensive to reverse engineer as you can, so at least the reverse engineering comes at a cost in either time or money, or ideally, both. The more expensive the reverse engineering costs, the fewer number of individuals that will be willing to put in the effort. And that is the big point to obfuscation.

Some think that using a compiler like the C++ compiler that compiles to native code will prevent this sort of reverse engineering, but it doesn't. A good disassembler will allow even pure binary executables to be reverse engineered, so therefore, a perfect solution does not exist. If the computer can read it and execute it, then the memory the computer is using can be scanned and tracked, bypassing all attempts to encrypt, obfuscate, or any other means of keeping your code out of the hands of a determined engineer.

不忘初心 2024-07-12 07:14:56

老实说,除了使用您提到的工具进行一些混淆之外,您无能为力。 .NET 仅比脚本语言高出一步,只不过脚本命令是二进制的并且称为 IL。 这有点过于简单化了,但与现实相差不远。 任何使用 Reflection 编写的优秀程序都可以用于对 .NET 应用程序进行逆向工程,或者如果您有足够的知识,则可以使用一个好的十六进制编辑器。

Honestly, there isn't a lot you can do besides some obfuscation with tools like you mentioned. .NET is just a step above scripting languages, except the script commands are binary and are called IL. That's a little over simplification, but it's not too far off reality. Any good program written using Reflection can be used to reverse engineer .NET applications, or if you have enough knowledge, a good hex editor.

各自安好 2024-07-12 07:14:56

很抱歉恢复旧帖子,但我认为 Eziriz 的 .NET Reactor 工作得非常出色。

事实上,我自己将它用于我的所有 .net 应用程序,并且显然没有现有工具可以反编译受 .net Reactor 保护的程序。 更多详细信息可以在信息页面上找到,http://www.eziriz.com/dotnet_reactor.htm< /a>. 使用试用版和 .net Reflector 进行测试,您可以亲自查看。

Sorry to resurrect an old post, but I think Eziriz's .NET Reactor works brilliantly.

In fact I use it myself for all my .net apps and apparently there is no existing tool out there that can decompile a program protected with .net reactor. More details can be found on there info page, http://www.eziriz.com/dotnet_reactor.htm. Test it out with the trial version and .net reflector and you can see for yourself.

金兰素衣 2024-07-12 07:14:56

编译 .NET 应用程序会生成包含大量元信息的输出程序集。 这些信息使得重建非常接近原始代码的东西变得非常容易。 一个名为 .NET Reflector 的优秀免费工具可以用来完成此任务,并且是检查基类库如何工作的流行方法。 下载并使用该工具查看重构的 C#/VB.NET 版本的程序集内容。

如果您是一个商业组织,那么您不希望人们发现很容易查看您昂贵的生成代码。 一种流行的方法是使用混淆来扰乱内容,这种方式不会改变其运行方式,但会使其难以理解。 混淆使用重命名变量和方法等技术。 弄清楚方法“a1”、“a2”、“a3”的用途比原来的“GetName”、“UpdateInterestRate”和“SetNewPassword”要困难得多。

因此,使用混淆会使人们更难理解你的代码在做什么以及它使用的算法。 但这并不意味着不可能。 就像愿意花时间研究二进制文件的汇编专家仍然可以理解 C++ 代码一样,MSIL 专家最终也可以解决你混淆的代码。 但这增加了障碍,以至于很少有人愿意尝试。

Compiling your .NET application results in output assemblies that contain a great deal of meta information. This information makes it very easy to reconstruct something very close to the original code. An excellent free tool called .NET Reflector can be used to do exactly that and is a popular way to examine how the base class libraries work. Download and use that tool to view reconstructed C#/VB.NET versions of assembly contents.

If you're a commerical organization then you do not want people to find it easy to look at your expensive to produce code. A popular method is to use Obfuscation to scramble the contents in a way that does not alter how it runs but does make it hard to understand. Obfuscation uses techniques such as renaming variables and methods. Working out the purpose of methods 'a1', 'a2', 'a3' is much harder than the original 'GetName', 'UpdateInterestRate' and 'SetNewPassword'.

So using obfuscation makes it much harder for people to understand what you code is doing and the algorithms it uses. It does not however make it impossible. In the same way C++ code can still be understood by an assembler expert who is willing to spent time working through your binary, an MSIL expert can eventually work out your obfuscated code. But it increases the barrier to the point where few will bother trying.

⊕婉儿 2024-07-12 07:14:56

我在 Xenocode Postbuild 方面取得了很大的成功。 该工具可以混淆 .NET 程序集、防止 Reflector 反汇编、将 .NET 程序集合并为单个可执行文件(“虚拟化”),甚至将 .NET 应用程序编译为不需要安装 .NET 运行时的独立可执行文件。

I've had a lot of success with Xenocode Postbuild. The tool can obfuscate .NET assemblies, protect agaist Reflector disassembly, combine .NET assemblies into a single executable ("virtualization") and even compile .NET applications to standalone executables that do not need .NET runtime installed.

眼睛会笑 2024-07-12 07:14:56

我仍然不相信这些工具的价值。 没有任何技术解决方案能够比许可证、商标、专利、版权等法律保护更好地防止逆向工程。.NET

确实是一场大型的透明源运动。 最好围绕您的知识产权制定使用条款,例如许可和版权。

I remain unconvinced by the value of these tools. None of the technology solutions prevent reverse engineering any better than legal guards such as licences, trademarks, patents, copyrights etc...

.NET really is large transparent source movement. It's much better that instead you frame terms of use around your IP such as licencing and copyright.

别想她 2024-07-12 07:14:56

我听说 Obfusticator 很好; 它用于.Net Reflector。

I've heard that Obfusticator is good; it's used on .Net Reflector.

紫南 2024-07-12 07:14:56

另一个是 Crypto Obfuscator - 它比其他一些更便宜,并且具有各种混淆功能以及阻止偶然和不那么偶然的黑客的保护方法。

Another is Crypto Obfuscator - its more affordable than some others, and has various obfuscation and protection methods to hinder the causal and not-so-casual hackers.

御弟哥哥 2024-07-12 07:14:56

免责声明:我不为 SmartAssembly 的制造商 RedGate 工作。 我只是一个非常高兴的客户,找到了一个好的、负担得起的解决方案。

选择很简单,选择SmartAssembly! 不要在市场上的其他混淆器上浪费你的时间或金钱。 我在评估竞争产品的非计费时间方面花费了更多的钱。 它们都有致命的缺陷并且几乎无法调试。 SmartAssembly 是一款易于使用、文档齐全、完善的应用程序,并提供出色的支持。 在他们的论坛上发布问题,并期待实际开发人员尽快给出答案。

SmartAssembly 不仅仅是一个混淆器。 它具有许多功能,包括内置的、高度可定制的崩溃报告生成器,您的客户可以自动通过电子邮件发送给您。 您可以在您自己的服务器或 red-gates 服务器上查看这些报告。 当您进行 Beta 测试或向客户发布产品时,我无法告诉您这有多么有用。 它还生成调试器文件,以便您可以调试模糊产品可能遇到的任何发布后问题。

如果您要交付商业应用程序,那么花钱买一个像样的混淆器是有意义的。 这里的错误选择可能会损害您的知识产权,或者更糟糕的是导致您经历数天的可怕调试。 与 SmartAssembly 的成本相比,这个成本是多少?

DISCLAIMER: I don't work for RedGate the makers of SmartAssembly. I'm just a very happy customer who found a good, affordable solution.

The choice is very simple, choose SmartAssembly! Don't waste your time or money with the other obfuscators in the marketplace. I spent more money in terms of non-billable hours evaluating competing products. They all had fatal flaws and were next to impossible to debug. SmartAssembly is an easy-to-use, well documented, polished application with excellent support. Post a question on their forum and expect an answer reasonably fast by the actual developers.

SmartAssembly is more than an obsfuscator. It has a slew of features, including a built-in, highly customizable crash report generator that your customers can automatically email to you. You can view these reports on either your own server or on red-gates servers. I can't tell you how useful this is when you're beta testing or releasing the product to customers. It also generates debugger files so you can debug any post-release issues you may encounter with your obsfucated product.

If you are delivering a commercial application, it makes sense to spend the money on a decent obsfuscator. A bad choice here can compromise your intellectual property or worse lead you to days of gruesome debugging. What would this cost in comparison to what SmartAssembly costs?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文