Decompiling, is this a problem?

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • Grant

    Decompiling, is this a problem?

    I've seen a couple of articles on the internet that VB.NET applications
    can be decompiled very easy. For those who have had experience with
    this, is it true? What steps can be taken to avoid this? I am using
    VB.NET Express but am willing to buy something (within reason) to
    prevent easy decompiling. Any suggestions are much appreciated.
  • AGP

    #2
    Re: Decompiling, is this a problem?


    "Grant" <grantroelofs@g mail.comwrote in message
    news:3GTwk.4559 0$G23.18352@new sreading01.news .tds.net...
    I've seen a couple of articles on the internet that VB.NET applications
    can be decompiled very easy. For those who have had experience with this,
    is it true? What steps can be taken to avoid this? I am using VB.NET
    Express but am willing to buy something (within reason) to prevent easy
    decompiling. Any suggestions are much appreciated.
    download the free Reflector from http://www.red-gate.com/products/reflector/
    and see how easy it is to see your source. VS2005 comes with a version of
    Dotfuscator (reach it from the Tools menu) that will do some obfuscation.
    ive had moderate success with it. you should probably look for a commercial
    aplication that will obfuscate your source.

    AGP


    Comment

    • Cor Ligthert[MVP]

      #3
      Re: Decompiling, is this a problem?

      Second attempt
      Grant,
      >
      >I've seen a couple of articles on the internet that VB.NET applications
      >can be decompiled very easy. For those who have had experience with
      >this, is it true? What steps can be taken to avoid this? I am using
      >VB.NET Express but am willing to buy something (within reason) to prevent
      >easy decompiling. Any suggestions are much appreciated.
      >
      And then? It is easier to create a program with VB.Net then to decompile
      it and to try to make another program from it.
      Those who are not able to do the first, are for sure not able to do the
      second.
      >
      As it is about security, then think that is it possible to decompile every
      program, it is just how smart you are.
      Use for security the security options or find more ways to do that outside
      the code.
      >
      Just my opinion.
      >
      Cor
      "Grant" <grantroelofs@g mail.comschreef in bericht
      news:3GTwk.4559 0$G23.18352@new sreading01.news .tds.net...
      I've seen a couple of articles on the internet that VB.NET applications
      can be decompiled very easy. For those who have had experience with this,
      is it true? What steps can be taken to avoid this? I am using VB.NET
      Express but am willing to buy something (within reason) to prevent easy
      decompiling. Any suggestions are much appreciated.

      Comment

      • Michel Posseth  [MCP]

        #4
        Re: Decompiling, is this a problem?

        >I've seen a couple of articles on the internet that VB.NET applications
        >can be decompiled very easy
        Please note that the same is true for all .Net languages ( VB.Net , C# ,
        J# , Delphi.Net etc etc etc )
        and also for Java
        >>For those who have had experience with this, is it true?
        Yes ....
        >>I am using VB.NET Express but am willing to buy something (within reason)
        >>to prevent easy decompiling. Any suggestions are much appreciated.
        There are lots of obfuscating tools out there , however none of them can
        give 100% guarantee
        that it is really impossible to reverse engineer your app .

        hth
        Michel




        "AGP" <sindizzy.pak@s ofthome.netschr eef in bericht
        news:oMUwk.2058 4$cW3.15906@nlp i064.nbdc.sbc.c om...
        >
        "Grant" <grantroelofs@g mail.comwrote in message
        news:3GTwk.4559 0$G23.18352@new sreading01.news .tds.net...
        >I've seen a couple of articles on the internet that VB.NET applications
        >can be decompiled very easy. For those who have had experience with
        >this, is it true? What steps can be taken to avoid this? I am using
        >VB.NET Express but am willing to buy something (within reason) to prevent
        >easy decompiling. Any suggestions are much appreciated.
        >
        download the free Reflector from
        http://www.red-gate.com/products/reflector/ and see how easy it is to see
        your source. VS2005 comes with a version of Dotfuscator (reach it from the
        Tools menu) that will do some obfuscation. ive had moderate success with
        it. you should probably look for a commercial aplication that will
        obfuscate your source.
        >
        AGP
        >

        Comment

        • Herfried K. Wagner [MVP]

          #5
          Re: Decompiling, is this a problem?

          "Grant" <grantroelofs@g mail.comschrieb :
          I've seen a couple of articles on the internet that VB.NET applications
          can be decompiled very easy. For those who have had experience with
          this, is it true? What steps can be taken to avoid this? I am using
          VB.NET Express but am willing to buy something (within reason) to
          prevent easy decompiling.
          There are three solutions:

          * Obfuscation
          * Encryption
          * Services


          Microsoft's solution:


          SLP Services Home
          <URL:http://www.microsoft.c om/slps/Default.aspx>


          You can use obfuscation (VS comes with a cut down version of a commecial
          obfuscator) to make reverse engineering harder.


          However, this is not a perfect solution. The only 100 % solution is to
          place the code on a server you own and expose the functionality via a
          service (Web service).

          --
          M S Herfried K. Wagner
          M V P <URL:http://dotnet.mvps.org/>
          V B <URL:http://dotnet.mvps.org/dotnet/faqs/>

          Comment

          • rowe_newsgroups

            #6
            Re: Decompiling, is this a problem?

            On Sep 7, 12:53 pm, Grant <grantroel...@g mail.comwrote:
            I've seen a couple of articles on the internet that VB.NET applications
            can be decompiled very easy.  For those who have had experience with
            this, is it true?  What steps can be taken to avoid this?  I am using
            VB.NET Express but am willing to buy something (within reason) to
            prevent easy decompiling.  Any suggestions are much appreciated.
            You have to ask yourself if you're actually writing anything that has
            a risk of being disassembled and "stolen". If you're not, then you
            have reason to muddy your development waters with obfuscation. Also
            evaluate the business value, are you going to get a good ROI for the
            additional work? Is your user base really interested in disassembling
            your code?

            Personally, I'd be willing to give my code to anyone that uses the
            application, the more eyes on my code the more bugs will be found.

            Thanks,

            Seth Rowe [MVP]

            Comment

            • AGP

              #7
              Re: Decompiling, is this a problem?


              "Herfried K. Wagner [MVP]" <hirf-spam-me-here@gmx.atwrot e in message
              news:%235CBj9aE JHA.5448@TK2MSF TNGP04.phx.gbl. ..
              "Grant" <grantroelofs@g mail.comschrieb :
              >I've seen a couple of articles on the internet that VB.NET applications
              >can be decompiled very easy. For those who have had experience with
              >this, is it true? What steps can be taken to avoid this? I am using
              >VB.NET Express but am willing to buy something (within reason) to prevent
              >easy decompiling.
              >
              There are three solutions:
              * Obfuscation * Encryption * Services
              >
              Microsoft's solution:
              >
              SLP Services Home <URL:http://www.microsoft.c om/slps/Default.aspx>
              >
              You can use obfuscation (VS comes with a cut down version of a commecial
              obfuscator) to make reverse engineering harder.
              >
              However, this is not a perfect solution. The only 100 % solution is to
              place the code on a server you own and expose the functionality via a
              service (Web service).
              >
              im glad that MS has a solution but IMHO that should have been built into VS.
              It seems thats just another way to suck money out of the developer. I just
              transitioned to .NET after some years of reluctance and am now finding out
              that the source is easily decompiled from my app. i've read some articles on
              why this is so easy and i understand but MS should have included something
              more than the dotfustactor. Ive tried it and it doesnt seem to work. their
              website is poorly arranged and they have yet to answer my inquiries. as a
              small devloper my options are limited as I cant go out and spend thousnds of
              dollars for better protection, yet i have to release updates in a timely
              manner. anyway, im looking for a good solution that is reasonable for a
              small developer. anyone have any suggestions?

              AGP


              Comment

              • rowe_newsgroups

                #8
                Re: Decompiling, is this a problem?

                On Sep 9, 8:32 pm, "AGP" <sindizzy....@s ofthome.netwrot e:
                "Herfried K. Wagner [MVP]" <hirf-spam-me-h...@gmx.atwrot e in messagenews:%23 5CBj9aEJHA.5448 @TK2MSFTNGP04.p hx.gbl...
                >
                >
                >
                "Grant" <grantroel...@g mail.comschrieb :
                I've seen a couple of articles on the internet that VB.NET applications
                can be decompiled very easy.  For those who have had experience with
                this, is it true?  What steps can be taken to avoid this?  I am using
                VB.NET Express but am willing to buy something (within reason) to prevent
                easy decompiling.
                >
                There are three solutions:
                * Obfuscation * Encryption * Services
                >
                Microsoft's solution:
                >
                SLP Services Home <URL:http://www.microsoft.c om/slps/Default.aspx>
                >
                You can use obfuscation (VS comes with a cut down version of a commecial
                obfuscator) to make reverse engineering harder.
                >
                However, this is not a perfect solution.  The only 100 % solution is to
                place the code on a server you own and expose the functionality via a
                service (Web service).
                >
                im glad that MS has a solution but IMHO that should have been built into VS.
                It seems thats just another way to suck money out of the developer. I just
                transitioned to .NET after some years of reluctance and am now finding out
                that the source is easily decompiled from my app. i've read some articleson
                why this is so easy and i understand but MS should have included something
                more than the dotfustactor. Ive tried it and it doesnt seem to work. their
                website is poorly arranged and they have yet to answer my inquiries. as a
                small devloper my options are limited as I cant go out and spend thousndsof
                dollars for better protection, yet i have to release updates in a timely
                manner. anyway, im looking for a good solution that is reasonable for a
                small developer. anyone have any suggestions?
                >
                AGP
                I still stick to my above statements.

                What are you writing that's so important that no unauthorized people
                can see the code?

                Thanks,

                Seth Rowe [MVP]

                Comment

                • Cor Ligthert[MVP]

                  #9
                  Re: Decompiling, is this a problem?

                  AGP,

                  Then make it yourself, nobody forbids you to do that. (As long as you are
                  not using illegal others inteligence).

                  Cor

                  "AGP" <sindizzy.pak@s ofthome.netschr eef in bericht
                  news:wAExk.1962 5$LG4.11954@nlp i065.nbdc.sbc.c om...
                  >
                  "Herfried K. Wagner [MVP]" <hirf-spam-me-here@gmx.atwrot e in message
                  news:%235CBj9aE JHA.5448@TK2MSF TNGP04.phx.gbl. ..
                  >"Grant" <grantroelofs@g mail.comschrieb :
                  >>I've seen a couple of articles on the internet that VB.NET applications
                  >>can be decompiled very easy. For those who have had experience with
                  >>this, is it true? What steps can be taken to avoid this? I am using
                  >>VB.NET Express but am willing to buy something (within reason) to
                  >>prevent easy decompiling.
                  >>
                  >There are three solutions:
                  >* Obfuscation * Encryption * Services
                  >>
                  >Microsoft's solution:
                  >>
                  >SLP Services Home <URL:http://www.microsoft.c om/slps/Default.aspx>
                  >>
                  >You can use obfuscation (VS comes with a cut down version of a commecial
                  >obfuscator) to make reverse engineering harder.
                  >>
                  >However, this is not a perfect solution. The only 100 % solution is to
                  >place the code on a server you own and expose the functionality via a
                  >service (Web service).
                  >>
                  >
                  im glad that MS has a solution but IMHO that should have been built into
                  VS. It seems thats just another way to suck money out of the developer. I
                  just transitioned to .NET after some years of reluctance and am now
                  finding out that the source is easily decompiled from my app. i've read
                  some articles on why this is so easy and i understand but MS should have
                  included something more than the dotfustactor. Ive tried it and it doesnt
                  seem to work. their website is poorly arranged and they have yet to answer
                  my inquiries. as a small devloper my options are limited as I cant go out
                  and spend thousnds of dollars for better protection, yet i have to release
                  updates in a timely manner. anyway, im looking for a good solution that is
                  reasonable for a small developer. anyone have any suggestions?
                  >
                  AGP
                  >

                  Comment

                  • AGP

                    #10
                    Re: Decompiling, is this a problem?

                    >
                    im glad that MS has a solution but IMHO that should have been built into
                    VS.
                    It seems thats just another way to suck money out of the developer. I just
                    transitioned to .NET after some years of reluctance and am now finding out
                    that the source is easily decompiled from my app. i've read some articles
                    on
                    why this is so easy and i understand but MS should have included something
                    more than the dotfustactor. Ive tried it and it doesnt seem to work. their
                    website is poorly arranged and they have yet to answer my inquiries. as a
                    small devloper my options are limited as I cant go out and spend thousnds
                    of
                    dollars for better protection, yet i have to release updates in a timely
                    manner. anyway, im looking for a good solution that is reasonable for a
                    small developer. anyone have any suggestions?
                    >
                    AGP
                    I still stick to my above statements.

                    What are you writing that's so important that no unauthorized people
                    can see the code?

                    Thanks,

                    Seth Rowe [MVP]

                    >>>
                    I guess what is in my code is not really releveant. some of it is
                    proprietary algorithms and other stuff is common. just like any other
                    developer that makes commercial apps i dont want competing devlopers from
                    just decompiling and using code that i have worked long and hard to perfect.
                    if you are willing to open source your code then that is great and i have no
                    problems with that. but i dont want my code to be out in the open for
                    everyone to see. its just that simple. if the case was that every piece of
                    code should be seen then there wouldnt be a need for obfustcators and
                    encryption services like the one that MS is offering.

                    AGP


                    Comment

                    • AGP

                      #11
                      Re: Decompiling, is this a problem?


                      "Cor Ligthert[MVP]" <notmyfirstname @planet.nlwrote in message
                      news:91B5816B-CC5E-49F0-8390-8768BBAB7996@mi crosoft.com...
                      AGP,
                      >
                      Then make it yourself, nobody forbids you to do that. (As long as you are
                      not using illegal others inteligence).
                      >
                      Cor
                      >
                      make what? an obfuscator? im not saying that i want to make one i just want
                      to know what options are out there.

                      AGp


                      Comment

                      • Grant

                        #12
                        Re: Decompiling, is this a problem?

                        rowe_newsgroups wrote:
                        On Sep 9, 8:32 pm, "AGP" <sindizzy....@s ofthome.netwrot e:
                        >"Herfried K. Wagner [MVP]" <hirf-spam-me-h...@gmx.atwrot e in messagenews:%23 5CBj9aEJHA.5448 @TK2MSFTNGP04.p hx.gbl...
                        >>
                        >>
                        >>
                        >>"Grant" <grantroel...@g mail.comschrieb :
                        >>>I've seen a couple of articles on the internet that VB.NET applications
                        >>>can be decompiled very easy. For those who have had experience with
                        >>>this, is it true? What steps can be taken to avoid this? I am using
                        >>>VB.NET Express but am willing to buy something (within reason) to prevent
                        >>>easy decompiling.
                        >>There are three solutions:
                        >>* Obfuscation * Encryption * Services
                        >>Microsoft's solution:
                        >>SLP Services Home <URL:http://www.microsoft.c om/slps/Default.aspx>
                        >>You can use obfuscation (VS comes with a cut down version of a commecial
                        >>obfuscator) to make reverse engineering harder.
                        >>However, this is not a perfect solution. The only 100 % solution is to
                        >>place the code on a server you own and expose the functionality via a
                        >>service (Web service).
                        >im glad that MS has a solution but IMHO that should have been built into VS.
                        >It seems thats just another way to suck money out of the developer. I just
                        >transitioned to .NET after some years of reluctance and am now finding out
                        >that the source is easily decompiled from my app. i've read some articles on
                        >why this is so easy and i understand but MS should have included something
                        >more than the dotfustactor. Ive tried it and it doesnt seem to work. their
                        >website is poorly arranged and they have yet to answer my inquiries. as a
                        >small devloper my options are limited as I cant go out and spend thousnds of
                        >dollars for better protection, yet i have to release updates in a timely
                        >manner. anyway, im looking for a good solution that is reasonable for a
                        >small developer. anyone have any suggestions?
                        >>
                        >AGP
                        >
                        I still stick to my above statements.
                        >
                        What are you writing that's so important that no unauthorized people
                        can see the code?
                        >
                        Thanks,
                        >
                        Seth Rowe [MVP]
                        http://sethrowe.blogspot.com/

                        My has a key stored as a string variable for encryption which I want
                        hidden. Don't care too much about the rest. Any better ways to hide this?

                        Comment

                        • Michel Posseth  [MCP]

                          #13
                          Re: Decompiling, is this a problem?

                          make what? an obfuscator? im not saying that i want to make one i just
                          want to know what options are out there.
                          VB6 ofcourse compiled with optimizations in Native code cause VB6 apps
                          compiled in P-Code can also be decompiled to some level :-)
                          ofcourse above is a joke

                          To get you started :
                          This is a nice and cheap obfuscator
                          Desaware Inc. specializes in components and tools for Microsoft Visual Basic, Visual Basic .NET and C# Developers.




                          HTH

                          Michel











                          "AGP" <sindizzy.pak@s ofthome.netschr eef in bericht
                          news:8fFyk.145$ W06.82@flpi148. ffdc.sbc.com...
                          >
                          "Cor Ligthert[MVP]" <notmyfirstname @planet.nlwrote in message
                          news:91B5816B-CC5E-49F0-8390-8768BBAB7996@mi crosoft.com...
                          >AGP,
                          >>
                          >Then make it yourself, nobody forbids you to do that. (As long as you are
                          >not using illegal others inteligence).
                          >>
                          >Cor
                          >>
                          >
                          make what? an obfuscator? im not saying that i want to make one i just
                          want to know what options are out there.
                          >
                          AGp
                          >
                          >

                          Comment

                          • rowe_newsgroups

                            #14
                            Re: Decompiling, is this a problem?

                            On Sep 12, 10:06 pm, "AGP" <sindizzy....@s ofthome.netwrot e:
                            im glad that MS has a solution but IMHO that should have been built into
                            VS.
                            It seems thats just another way to suck money out of the developer. I just
                            transitioned to .NET after some years of reluctance and am now finding out
                            that the source is easily decompiled from my app. i've read some articles
                            on
                            why this is so easy and i understand but MS should have included something
                            more than the dotfustactor. Ive tried it and it doesnt seem to work. their
                            website is poorly arranged and they have yet to answer my inquiries. asa
                            small devloper my options are limited as I cant go out and spend thousnds
                            of
                            dollars for better protection, yet i have to release updates in a timely
                            manner. anyway, im looking for a good solution that is reasonable for a
                            small developer. anyone have any suggestions?
                            >
                            AGP
                            >
                            I still stick to my above statements.
                            >
                            What are you writing that's so important that no unauthorized people
                            can see the code?
                            >
                            Thanks,
                            >
                            Seth Rowe [MVP]http://sethrowe.blogsp ot.com/
                            >
                            >
                            >
                            I guess what is in my code is not really releveant. some of it is
                            proprietary algorithms and other stuff is common. just like any other
                            developer that makes commercial apps i dont want competing devlopers from
                            just decompiling and using code that i have worked long and hard to perfect.
                            if you are willing to open source your code then that is great and i haveno
                            problems with that. but i dont want my code to be out in the open for
                            everyone to see. its just that simple. if the case was that every piece of
                            code should be seen then there wouldnt be a need for obfustcators and
                            encryption services like the one that MS is offering.
                            >
                            AGP
                            Granted if you are using proprietary algorithms I can understand why
                            you would want to protect them, but in my experience I rarely see
                            something so special that another skilled developer couldn't simple
                            write it again. In my opinion, your competitor would be silly to just
                            disassemble and try to pass the code off as there own, especially
                            since products like Reflector aren't perfect and a lack on unit tests
                            (surely you are using unit tests right?) would put them in an
                            extremely dangerous situation.

                            Also, please understand I didn't say you should open source your
                            applications, I merely said I wouldn't worry about disassembly. Open
                            source is a massive commitment, and it doesn't make good business
                            sense for many businesses to implement.

                            Thanks,

                            Seth Rowe [MVP]

                            Comment

                            • rowe_newsgroups

                              #15
                              Re: Decompiling, is this a problem?

                              My has a key stored as a string variable for encryption which I want
                              hidden.  Don't care too much about the rest.  Any better ways to hidethis?
                              Very, very, very, very dangerous. Even in "classic" vb, I used to open
                              up executables in notepad and pull out any string constructs. This is
                              basically "security by obscurity" and you are opening up yourself for
                              disaster if this encryption key is protecting something very valuable.
                              Unfortunately, without doing a full review of your application it'd be
                              hard to recommend a good alternative, but I recommend you do a system
                              review.

                              Thanks,

                              Seth Rowe [MVP]

                              Comment

                              Working...