Help me choose a .NET obfuscator program?
I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.
So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values won't be visible easily. In fact, to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.
Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.
Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.
I have downloaded a trial of .net reactor from Eziriz and it seems to be fine. What do you guys suggest? I cannot afford something over $200. So is this product worth going for? You guys know better.
Thank you for your support.
Cheers,
Saurabh
Comments (4)
Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password. Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.
Security Through Obscurity will never work. You will never be able to control the client.
A better approach is to set up a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.
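The design this answer describes, sketched as an added example that is not part of the original answer: a Python class with an in-memory SQLite database stands in for the WCF service and the online database. The names RecordService, login and get_record and the sample users are assumptions. The client never holds a database credential, and every exposed operation authenticates the caller, validates its input and builds the query on the server.

```python
import hashlib, hmac, secrets, sqlite3

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RecordService:
    """Server side: the only place that holds the database connection."""
    def __init__(self):
        self._db = sqlite3.connect(":memory:")  # stands in for the online database
        self._db.execute("CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
        self._db.execute("CREATE TABLE records(id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
        self._sessions = {}  # session token -> user name

    def add_user(self, name, password):  # server-side setup, not exposed to clients
        salt = secrets.token_bytes(16)
        self._db.execute("INSERT INTO users VALUES (?,?,?)", (name, salt, _hash(password, salt)))

    def add_record(self, owner, body):  # server-side setup, not exposed to clients
        cur = self._db.execute("INSERT INTO records(owner, body) VALUES (?,?)", (owner, body))
        return cur.lastrowid

    # Operations exposed to clients: treat every argument as hostile input.
    def login(self, name, password):
        row = self._db.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
        if row is None or not hmac.compare_digest(row[1], _hash(password, row[0])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = name
        return token

    def get_record(self, token, record_id):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("not logged in")
        if not isinstance(record_id, int) or isinstance(record_id, bool):
            raise ValueError("record_id must be an integer")
        row = self._db.execute(  # fixed, parameterized query scoped to the caller
            "SELECT body FROM records WHERE id = ? AND owner = ?", (record_id, user)
        ).fetchone()
        return row[0] if row else None

def demo():
    # Constructed sample data.
    svc = RecordService()
    svc.add_user("alice", "alice-pw")
    svc.add_user("bob", "bob-pw")
    a_id = svc.add_record("alice", "alice report")
    b_id = svc.add_record("bob", "bob report")
    token = svc.login("alice", "alice-pw")
    return svc, token, a_id, b_id
```

Because the ownership check lives inside the query, a caller who knows another user's record id still gets nothing back, which is the property obfuscating the client cannot provide.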
I have been using Eziriz .NET Reactor for a while now and it works great for me. I used Eazfuscator before but it wasn't really powerful.
.Net Reactor has awesome features such as Anti ILDASM and Native Exe file generation. Also it'll fit your budget. You can use Trial before purchasing it and test if it works with your scenario.
You should strongly consider Babel .net obfuscator. In my opinion even though it is a console application it is by far the best for price, licensing (not locked to a single computer) and features.
I use Eazfuscator: http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx
It's powerful and it's free. Wonderful tool, extremely simple to use.