security/obfuscation question

Re: security/obfuscation question

Hi Tim,

This isn't an exact answer to your question but I think it's worth
mentioning. If you ship your code, even native x86 code, it can be
decompiled by someone who knows what they are doing. Basically all you can
do is try to make the decompile process hard enough that people won't want
to do it.

Think of it like this, you have a really cool new laptop sitting in your
kitchen. If you leave your front door unlocked (ship an un-obfuscated
assembly) then anyone can just walk in and take your laptop. If you lock the
door and add a deadbolt (ship an obfuscated assembly) then it will now take
a more determined and more skilled thief to steal your laptop. Finally, if
you add a security system and hire someone to guard your laptop (ship native
x86 code) someone is going to have to REALLY want that laptop to go to the
trouble to try and steal it but it may still happen. It's just a matter of
how valuable the decompiled code is versus how much somebody wants it.

Hope this helps.

--
Rob Windsor
G6 Consulting
Toronto, Canada


"Tim Mulholland" <tim@eyerespons e.com> wrote in message
news:%23ucluo7d DHA.2320@TK2MSF TNGP12.phx.gbl. ..[color=blue]
> Hello all,
> Our company is trying to write some code in C#/.NET that we don't want an
> end user to be able to see. The algorithms are not that complex, but are
> sensitive such that if a user could decompile them, they'd be able to[/color]
bypass[color=blue]
> alot of things we don't want them to bypass.
> We've looked at some obfuscators and, although they make it more[/color]
confusing,[color=blue]
> they certainly don't make it impossible for someone to figure out if they
> have enough time on their hands.
> Because of that, we've turned to another option.
>
> This is what we're thinking - please feel free to poke holes in it and[/color]
tell[color=blue]
> me i'm wrong.
>
> First, we'll write the "sensitive" code in vanilla C++ and compile that[/color]
into[color=blue]
> a .dll file.
> Then, we'll statically link that .dll file into a Managed C++ .dll file[/color]
with[color=blue]
> some more functionality. (we've read that static linking only works for[/color]
C++[color=blue]
> into Managed C++)
> Last, we'll reference that .dll file from the main application (written in
> C#) and access the functionality provided by it via normal means.
>
> In addition to all this, we'll be signing all of our .NET assemblies using
> normal signing procedures documented all over the web.
>
> If i'm not mistaken, this will do two things.
> 1) The signing of the code, along with the versioning and things already
> built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
their[color=blue]
> own .dll that does other things we don't want.
> 2) By hiding the sensitive code in vanilla C++, which is then embedded in
> the Managed C++ dll, we're making it near impossible for someone to
> decompile the assembly and get to that information.
>
>
> We haven't tested #2 yet to make sure it works (we've just read it has,
> we're testing next). Does anyone know for sure that it does/doesn't work?
>
> Are we on the right track here? Is there possibly another option available
> to us?
>
> Thanks in advance,
>
> -T
>
>[/color]

Re: security/obfuscation question

As a slight aside, but also fairly related... is it possible to compile c#
code straight to native code (ie instead of having to develop the native
code in C++)?



"Rob Windsor" <rwindsor@NO.MO RE.SPAM.bigfoot .com> wrote in message
news:uAr5487dDH A.3592@tk2msftn gp13.phx.gbl...[color=blue]
> Hi Tim,
>
> This isn't an exact answer to your question but I think it's worth
> mentioning. If you ship your code, even native x86 code, it can be
> decompiled by someone who knows what they are doing. Basically all you can
> do is try to make the decompile process hard enough that people won't want
> to do it.
>
> Think of it like this, you have a really cool new laptop sitting in your
> kitchen. If you leave your front door unlocked (ship an un-obfuscated
> assembly) then anyone can just walk in and take your laptop. If you lock[/color]
the[color=blue]
> door and add a deadbolt (ship an obfuscated assembly) then it will now[/color]
take[color=blue]
> a more determined and more skilled thief to steal your laptop. Finally, if
> you add a security system and hire someone to guard your laptop (ship[/color]
native[color=blue]
> x86 code) someone is going to have to REALLY want that laptop to go to the
> trouble to try and steal it but it may still happen. It's just a matter of
> how valuable the decompiled code is versus how much somebody wants it.
>
> Hope this helps.
>
> --
> Rob Windsor
> G6 Consulting
> Toronto, Canada
>
>
> "Tim Mulholland" <tim@eyerespons e.com> wrote in message
> news:%23ucluo7d DHA.2320@TK2MSF TNGP12.phx.gbl. ..[color=green]
> > Hello all,
> > Our company is trying to write some code in C#/.NET that we don't want[/color][/color]
an[color=blue][color=green]
> > end user to be able to see. The algorithms are not that complex, but are
> > sensitive such that if a user could decompile them, they'd be able to[/color]
> bypass[color=green]
> > alot of things we don't want them to bypass.
> > We've looked at some obfuscators and, although they make it more[/color]
> confusing,[color=green]
> > they certainly don't make it impossible for someone to figure out if[/color][/color]
they[color=blue][color=green]
> > have enough time on their hands.
> > Because of that, we've turned to another option.
> >
> > This is what we're thinking - please feel free to poke holes in it and[/color]
> tell[color=green]
> > me i'm wrong.
> >
> > First, we'll write the "sensitive" code in vanilla C++ and compile that[/color]
> into[color=green]
> > a .dll file.
> > Then, we'll statically link that .dll file into a Managed C++ .dll file[/color]
> with[color=green]
> > some more functionality. (we've read that static linking only works for[/color]
> C++[color=green]
> > into Managed C++)
> > Last, we'll reference that .dll file from the main application (written[/color][/color]
in[color=blue][color=green]
> > C#) and access the functionality provided by it via normal means.
> >
> > In addition to all this, we'll be signing all of our .NET assemblies[/color][/color]
using[color=blue][color=green]
> > normal signing procedures documented all over the web.
> >
> > If i'm not mistaken, this will do two things.
> > 1) The signing of the code, along with the versioning and things already
> > built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
> their[color=green]
> > own .dll that does other things we don't want.
> > 2) By hiding the sensitive code in vanilla C++, which is then embedded[/color][/color]
in[color=blue][color=green]
> > the Managed C++ dll, we're making it near impossible for someone to
> > decompile the assembly and get to that information.
> >
> >
> > We haven't tested #2 yet to make sure it works (we've just read it has,
> > we're testing next). Does anyone know for sure that it does/doesn't[/color][/color]
work?[color=blue][color=green]
> >
> > Are we on the right track here? Is there possibly another option[/color][/color]
available[color=blue][color=green]
> > to us?
> >
> > Thanks in advance,
> >
> > -T
> >
> >[/color]
>
>[/color]

Re: security/obfuscation question

We as a team have discussed this.
Some of us are more inclined to allow the signing to do its job and let that
be.
Others think we need to hide the algorithms more than an obfuscator will
(obfuscators mess with the function calls, but the code in the functions
themselves is pretty easy to decipher).
If this scenario works, we can run with it fairly easy (the code already
exists in both C++ and C#), we're just trying to see if this is
viable/possible.
Thanks for the input though,

Tim

"Rob Windsor" <rwindsor@NO.MO RE.SPAM.bigfoot .com> wrote in message
news:uAr5487dDH A.3592@tk2msftn gp13.phx.gbl...[color=blue]
> Hi Tim,
>
> This isn't an exact answer to your question but I think it's worth
> mentioning. If you ship your code, even native x86 code, it can be
> decompiled by someone who knows what they are doing. Basically all you can
> do is try to make the decompile process hard enough that people won't want
> to do it.
>
> Think of it like this, you have a really cool new laptop sitting in your
> kitchen. If you leave your front door unlocked (ship an un-obfuscated
> assembly) then anyone can just walk in and take your laptop. If you lock[/color]
the[color=blue]
> door and add a deadbolt (ship an obfuscated assembly) then it will now[/color]
take[color=blue]
> a more determined and more skilled thief to steal your laptop. Finally, if
> you add a security system and hire someone to guard your laptop (ship[/color]
native[color=blue]
> x86 code) someone is going to have to REALLY want that laptop to go to the
> trouble to try and steal it but it may still happen. It's just a matter of
> how valuable the decompiled code is versus how much somebody wants it.
>
> Hope this helps.
>
> --
> Rob Windsor
> G6 Consulting
> Toronto, Canada
>
>
> "Tim Mulholland" <tim@eyerespons e.com> wrote in message
> news:%23ucluo7d DHA.2320@TK2MSF TNGP12.phx.gbl. ..[color=green]
> > Hello all,
> > Our company is trying to write some code in C#/.NET that we don't want[/color][/color]
an[color=blue][color=green]
> > end user to be able to see. The algorithms are not that complex, but are
> > sensitive such that if a user could decompile them, they'd be able to[/color]
> bypass[color=green]
> > alot of things we don't want them to bypass.
> > We've looked at some obfuscators and, although they make it more[/color]
> confusing,[color=green]
> > they certainly don't make it impossible for someone to figure out if[/color][/color]
they[color=blue][color=green]
> > have enough time on their hands.
> > Because of that, we've turned to another option.
> >
> > This is what we're thinking - please feel free to poke holes in it and[/color]
> tell[color=green]
> > me i'm wrong.
> >
> > First, we'll write the "sensitive" code in vanilla C++ and compile that[/color]
> into[color=green]
> > a .dll file.
> > Then, we'll statically link that .dll file into a Managed C++ .dll file[/color]
> with[color=green]
> > some more functionality. (we've read that static linking only works for[/color]
> C++[color=green]
> > into Managed C++)
> > Last, we'll reference that .dll file from the main application (written[/color][/color]
in[color=blue][color=green]
> > C#) and access the functionality provided by it via normal means.
> >
> > In addition to all this, we'll be signing all of our .NET assemblies[/color][/color]
using[color=blue][color=green]
> > normal signing procedures documented all over the web.
> >
> > If i'm not mistaken, this will do two things.
> > 1) The signing of the code, along with the versioning and things already
> > built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
> their[color=green]
> > own .dll that does other things we don't want.
> > 2) By hiding the sensitive code in vanilla C++, which is then embedded[/color][/color]
in[color=blue][color=green]
> > the Managed C++ dll, we're making it near impossible for someone to
> > decompile the assembly and get to that information.
> >
> >
> > We haven't tested #2 yet to make sure it works (we've just read it has,
> > we're testing next). Does anyone know for sure that it does/doesn't[/color][/color]
work?[color=blue][color=green]
> >
> > Are we on the right track here? Is there possibly another option[/color][/color]
available[color=blue][color=green]
> > to us?
> >
> > Thanks in advance,
> >
> > -T
> >
> >[/color]
>
>[/color]

Re: security/obfuscation question

As an option, you may want to take a look of our
Salamander .NET protector, it prevents .NET disassembly
and decompilation by replacing MSIL with x86 machine code.


(the protected code still requires .NET framework,
strings and resources can also be protected)

We are also working on a native compiler that links and
converts .NET assemblies to native image, .NET framework
is not required.

more info on the first part, the linker and mini-
deployment tool, is available here:


This linker is also capable of constructing a bare
minimum set of .NET framework to ship with your product,
so the client machine does not have to install the whole
framework. A typical windows app usually results in a 5MB
zip file, which can be unzipped and run without further
installation. Samples are provided on the web.

Thanks,

Huihong
Remotesoft
[color=blue]
>-----Original Message-----
>Hello all,
>Our company is trying to write some code in C#/.NET that[/color]
we don't want an[color=blue]
>end user to be able to see. The algorithms are not that[/color]
complex, but are[color=blue]
>sensitive such that if a user could decompile them,[/color]
they'd be able to bypass[color=blue]
>alot of things we don't want them to bypass.
>We've looked at some obfuscators and, although they make[/color]
it more confusing,[color=blue]
>they certainly don't make it impossible for someone to[/color]
figure out if they[color=blue]
>have enough time on their hands.
>Because of that, we've turned to another option.
>
>This is what we're thinking - please feel free to poke[/color]
holes in it and tell[color=blue]
>me i'm wrong.
>
>First, we'll write the "sensitive" code in vanilla C++[/color]
and compile that into[color=blue]
>a .dll file.
>Then, we'll statically link that .dll file into a[/color]
Managed C++ .dll file with[color=blue]
>some more functionality. (we've read that static linking[/color]
only works for C++[color=blue]
>into Managed C++)
>Last, we'll reference that .dll file from the main[/color]
application (written in[color=blue]
>C#) and access the functionality provided by it via[/color]
normal means.[color=blue]
>
>In addition to all this, we'll be signing all of[/color]
our .NET assemblies using[color=blue]
>normal signing procedures documented all over the web.
>
>If i'm not mistaken, this will do two things.
>1) The signing of the code, along with the versioning[/color]
and things already[color=blue]
>built-in, will prevent a user from replacing the Managed[/color]
C++ .dll with their[color=blue]
>own .dll that does other things we don't want.
>2) By hiding the sensitive code in vanilla C++, which is[/color]
then embedded in[color=blue]
>the Managed C++ dll, we're making it near impossible for[/color]
someone to[color=blue]
>decompile the assembly and get to that information.
>
>
>We haven't tested #2 yet to make sure it works (we've[/color]
just read it has,[color=blue]
>we're testing next). Does anyone know for sure that it[/color]
does/doesn't work?[color=blue]
>
>Are we on the right track here? Is there possibly[/color]
another option available[color=blue]
>to us?
>
>Thanks in advance,
>
>-T
>
>
>.
>[/color]

Re: security/obfuscation question

Will,
This is a definite no-no I'm afraid. C# is 100% managed and HAS to be run
within the runtime.

HTH
Kieran

"Will Clark" <willz@btopenwo rld.com> wrote in message
news:bjnn8o$4m$ 1@sparta.btinte rnet.com...[color=blue]
> As a slight aside, but also fairly related... is it possible to compile c#
> code straight to native code (ie instead of having to develop the native
> code in C++)?
>
>
>
> "Rob Windsor" <rwindsor@NO.MO RE.SPAM.bigfoot .com> wrote in message
> news:uAr5487dDH A.3592@tk2msftn gp13.phx.gbl...[color=green]
> > Hi Tim,
> >
> > This isn't an exact answer to your question but I think it's worth
> > mentioning. If you ship your code, even native x86 code, it can be
> > decompiled by someone who knows what they are doing. Basically all you[/color][/color]
can[color=blue][color=green]
> > do is try to make the decompile process hard enough that people won't[/color][/color]
want[color=blue][color=green]
> > to do it.
> >
> > Think of it like this, you have a really cool new laptop sitting in your
> > kitchen. If you leave your front door unlocked (ship an un-obfuscated
> > assembly) then anyone can just walk in and take your laptop. If you lock[/color]
> the[color=green]
> > door and add a deadbolt (ship an obfuscated assembly) then it will now[/color]
> take[color=green]
> > a more determined and more skilled thief to steal your laptop. Finally,[/color][/color]
if[color=blue][color=green]
> > you add a security system and hire someone to guard your laptop (ship[/color]
> native[color=green]
> > x86 code) someone is going to have to REALLY want that laptop to go to[/color][/color]
the[color=blue][color=green]
> > trouble to try and steal it but it may still happen. It's just a matter[/color][/color]
of[color=blue][color=green]
> > how valuable the decompiled code is versus how much somebody wants it.
> >
> > Hope this helps.
> >
> > --
> > Rob Windsor
> > G6 Consulting
> > Toronto, Canada
> >
> >
> > "Tim Mulholland" <tim@eyerespons e.com> wrote in message
> > news:%23ucluo7d DHA.2320@TK2MSF TNGP12.phx.gbl. ..[color=darkred]
> > > Hello all,
> > > Our company is trying to write some code in C#/.NET that we don't want[/color][/color]
> an[color=green][color=darkred]
> > > end user to be able to see. The algorithms are not that complex, but[/color][/color][/color]
are[color=blue][color=green][color=darkred]
> > > sensitive such that if a user could decompile them, they'd be able to[/color]
> > bypass[color=darkred]
> > > alot of things we don't want them to bypass.
> > > We've looked at some obfuscators and, although they make it more[/color]
> > confusing,[color=darkred]
> > > they certainly don't make it impossible for someone to figure out if[/color][/color]
> they[color=green][color=darkred]
> > > have enough time on their hands.
> > > Because of that, we've turned to another option.
> > >
> > > This is what we're thinking - please feel free to poke holes in it and[/color]
> > tell[color=darkred]
> > > me i'm wrong.
> > >
> > > First, we'll write the "sensitive" code in vanilla C++ and compile[/color][/color][/color]
that[color=blue][color=green]
> > into[color=darkred]
> > > a .dll file.
> > > Then, we'll statically link that .dll file into a Managed C++ .dll[/color][/color][/color]
file[color=blue][color=green]
> > with[color=darkred]
> > > some more functionality. (we've read that static linking only works[/color][/color][/color]
for[color=blue][color=green]
> > C++[color=darkred]
> > > into Managed C++)
> > > Last, we'll reference that .dll file from the main application[/color][/color][/color]
(written[color=blue]
> in[color=green][color=darkred]
> > > C#) and access the functionality provided by it via normal means.
> > >
> > > In addition to all this, we'll be signing all of our .NET assemblies[/color][/color]
> using[color=green][color=darkred]
> > > normal signing procedures documented all over the web.
> > >
> > > If i'm not mistaken, this will do two things.
> > > 1) The signing of the code, along with the versioning and things[/color][/color][/color]
already[color=blue][color=green][color=darkred]
> > > built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
> > their[color=darkred]
> > > own .dll that does other things we don't want.
> > > 2) By hiding the sensitive code in vanilla C++, which is then embedded[/color][/color]
> in[color=green][color=darkred]
> > > the Managed C++ dll, we're making it near impossible for someone to
> > > decompile the assembly and get to that information.
> > >
> > >
> > > We haven't tested #2 yet to make sure it works (we've just read it[/color][/color][/color]
has,[color=blue][color=green][color=darkred]
> > > we're testing next). Does anyone know for sure that it does/doesn't[/color][/color]
> work?[color=green][color=darkred]
> > >
> > > Are we on the right track here? Is there possibly another option[/color][/color]
> available[color=green][color=darkred]
> > > to us?
> > >
> > > Thanks in advance,
> > >
> > > -T
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

Re: security/obfuscation question

Tim,

If you really think that it is necessary, I dont really see why this wouldnt
work as long as signing works correctly (unfortunately I've never tried this
so I can't comment). The unmanaged C++ code will be in pure unmanaged
machine code so it will be about has hard to decompile as you can reasonably
get.

HTH
Kieran

"Tim Mulholland" <tim@eyerespons e.com> wrote in message
news:%23rzIVp8d DHA.568@TK2MSFT NGP11.phx.gbl.. .[color=blue]
> We as a team have discussed this.
> Some of us are more inclined to allow the signing to do its job and let[/color]
that[color=blue]
> be.
> Others think we need to hide the algorithms more than an obfuscator will
> (obfuscators mess with the function calls, but the code in the functions
> themselves is pretty easy to decipher).
> If this scenario works, we can run with it fairly easy (the code already
> exists in both C++ and C#), we're just trying to see if this is
> viable/possible.
> Thanks for the input though,
>
> Tim
>
> "Rob Windsor" <rwindsor@NO.MO RE.SPAM.bigfoot .com> wrote in message
> news:uAr5487dDH A.3592@tk2msftn gp13.phx.gbl...[color=green]
> > Hi Tim,
> >
> > This isn't an exact answer to your question but I think it's worth
> > mentioning. If you ship your code, even native x86 code, it can be
> > decompiled by someone who knows what they are doing. Basically all you[/color][/color]
can[color=blue][color=green]
> > do is try to make the decompile process hard enough that people won't[/color][/color]
want[color=blue][color=green]
> > to do it.
> >
> > Think of it like this, you have a really cool new laptop sitting in your
> > kitchen. If you leave your front door unlocked (ship an un-obfuscated
> > assembly) then anyone can just walk in and take your laptop. If you lock[/color]
> the[color=green]
> > door and add a deadbolt (ship an obfuscated assembly) then it will now[/color]
> take[color=green]
> > a more determined and more skilled thief to steal your laptop. Finally,[/color][/color]
if[color=blue][color=green]
> > you add a security system and hire someone to guard your laptop (ship[/color]
> native[color=green]
> > x86 code) someone is going to have to REALLY want that laptop to go to[/color][/color]
the[color=blue][color=green]
> > trouble to try and steal it but it may still happen. It's just a matter[/color][/color]
of[color=blue][color=green]
> > how valuable the decompiled code is versus how much somebody wants it.
> >
> > Hope this helps.
> >
> > --
> > Rob Windsor
> > G6 Consulting
> > Toronto, Canada
> >
> >
> > "Tim Mulholland" <tim@eyerespons e.com> wrote in message
> > news:%23ucluo7d DHA.2320@TK2MSF TNGP12.phx.gbl. ..[color=darkred]
> > > Hello all,
> > > Our company is trying to write some code in C#/.NET that we don't want[/color][/color]
> an[color=green][color=darkred]
> > > end user to be able to see. The algorithms are not that complex, but[/color][/color][/color]
are[color=blue][color=green][color=darkred]
> > > sensitive such that if a user could decompile them, they'd be able to[/color]
> > bypass[color=darkred]
> > > alot of things we don't want them to bypass.
> > > We've looked at some obfuscators and, although they make it more[/color]
> > confusing,[color=darkred]
> > > they certainly don't make it impossible for someone to figure out if[/color][/color]
> they[color=green][color=darkred]
> > > have enough time on their hands.
> > > Because of that, we've turned to another option.
> > >
> > > This is what we're thinking - please feel free to poke holes in it and[/color]
> > tell[color=darkred]
> > > me i'm wrong.
> > >
> > > First, we'll write the "sensitive" code in vanilla C++ and compile[/color][/color][/color]
that[color=blue][color=green]
> > into[color=darkred]
> > > a .dll file.
> > > Then, we'll statically link that .dll file into a Managed C++ .dll[/color][/color][/color]
file[color=blue][color=green]
> > with[color=darkred]
> > > some more functionality. (we've read that static linking only works[/color][/color][/color]
for[color=blue][color=green]
> > C++[color=darkred]
> > > into Managed C++)
> > > Last, we'll reference that .dll file from the main application[/color][/color][/color]
(written[color=blue]
> in[color=green][color=darkred]
> > > C#) and access the functionality provided by it via normal means.
> > >
> > > In addition to all this, we'll be signing all of our .NET assemblies[/color][/color]
> using[color=green][color=darkred]
> > > normal signing procedures documented all over the web.
> > >
> > > If i'm not mistaken, this will do two things.
> > > 1) The signing of the code, along with the versioning and things[/color][/color][/color]
already[color=blue][color=green][color=darkred]
> > > built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
> > their[color=darkred]
> > > own .dll that does other things we don't want.
> > > 2) By hiding the sensitive code in vanilla C++, which is then embedded[/color][/color]
> in[color=green][color=darkred]
> > > the Managed C++ dll, we're making it near impossible for someone to
> > > decompile the assembly and get to that information.
> > >
> > >
> > > We haven't tested #2 yet to make sure it works (we've just read it[/color][/color][/color]
has,[color=blue][color=green][color=darkred]
> > > we're testing next). Does anyone know for sure that it does/doesn't[/color][/color]
> work?[color=green][color=darkred]
> > >
> > > Are we on the right track here? Is there possibly another option[/color][/color]
> available[color=green][color=darkred]
> > > to us?
> > >
> > > Thanks in advance,
> > >
> > > -T
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

Re: security/obfuscation question

The way that I would approach it is to write your sensative algorithms as
win32 dll's and just use P/Invoke to access them directly with C#.

"Tim Mulholland" <tim@eyerespons e.com> wrote in message
news:#ucluo7dDH A.2320@TK2MSFTN GP12.phx.gbl...[color=blue]
> Hello all,
> Our company is trying to write some code in C#/.NET that we don't want an
> end user to be able to see. The algorithms are not that complex, but are
> sensitive such that if a user could decompile them, they'd be able to[/color]
bypass[color=blue]
> alot of things we don't want them to bypass.
> We've looked at some obfuscators and, although they make it more[/color]
confusing,[color=blue]
> they certainly don't make it impossible for someone to figure out if they
> have enough time on their hands.
> Because of that, we've turned to another option.
>
> This is what we're thinking - please feel free to poke holes in it and[/color]
tell[color=blue]
> me i'm wrong.
>
> First, we'll write the "sensitive" code in vanilla C++ and compile that[/color]
into[color=blue]
> a .dll file.
> Then, we'll statically link that .dll file into a Managed C++ .dll file[/color]
with[color=blue]
> some more functionality. (we've read that static linking only works for[/color]
C++[color=blue]
> into Managed C++)
> Last, we'll reference that .dll file from the main application (written in
> C#) and access the functionality provided by it via normal means.
>
> In addition to all this, we'll be signing all of our .NET assemblies using
> normal signing procedures documented all over the web.
>
> If i'm not mistaken, this will do two things.
> 1) The signing of the code, along with the versioning and things already
> built-in, will prevent a user from replacing the Managed C++ .dll with[/color]
their[color=blue]
> own .dll that does other things we don't want.
> 2) By hiding the sensitive code in vanilla C++, which is then embedded in
> the Managed C++ dll, we're making it near impossible for someone to
> decompile the assembly and get to that information.
>
>
> We haven't tested #2 yet to make sure it works (we've just read it has,
> we're testing next). Does anyone know for sure that it does/doesn't work?
>
> Are we on the right track here? Is there possibly another option available
> to us?
>
> Thanks in advance,
>
> -T
>
>[/color]