I have a .NET application which is built using VB .NET. I've disassembled it using ildasm (shipped with .NET). I'm using .NET 2003. How to protect this software so that "malicious people" won't be able to see the source code or disassembling it ? I'm also thinking about a .NET obfuscator right now. Any suggestion ?
If you ask me, I would say, "don't bother". It is already well-known how to break down .net executable. I mean, if I know it, really-"malicious" people should have known it for ages.
For the time being, I'm only using an obfuscator for the .NET application. Fortunately, the data I want to protect can be relocated into another DLL file. I'm planning to code this "satellite" DLL in C and assembly language. As for the need to protect the .NET application code itself, it is my consideration to "rise the bar" for these "malicious people". Anyway, thx for your input :grin:
Even with an obfuscator, just a little extra time, I've been able to figure out a 3rd party library. basically, it changes "myfunctionname()" to "A" and "myfunctionname2" to "B" or something like that and all the references to it so you can't know what the function name is, but you can still see what it is doing. Some of them wil compile invalid metadata so the most popular IL Dissassemblers will choke on it but then many more will simply ignore it and read what it can. If you are producing an application, you can do some creative obfuscating, if you are producing a linkable library then you are limited in the types of obfuscating you can do. You can "raise the bar" but you're not really raising it. Anyway who wants to know what you are doing and has about 3 hours to spare on even a moderately complicated assembly will have not much problems discovering what you are doing. Anyway, it very difficult to have any revolutionary techniques that are worth protecting that everyone else isn't already doing (yet somehow we are always convincing ourselves that no one else is doing it). If you are protecting a connection string or something security related, you should encrypt the string and decrypt it before using it.