混淆是一种方法,但它不能防止破坏应用程序的盗版保护安全性。如何确保应用程序不被篡改,如何确保注册机制不会被逆向工程?

此外,还可以将c#应用程序转换为本机代码,而Xenocode的成本太高。

c#提供了很多特性,是编写代码的理想语言,所以用c++重新编写整个代码库是不可能的。

安全证书可以很容易地从. net中的签名程序集中删除。


这真的值得吗?只要有足够的决心,任何保护机制都可以被打破。考虑你的市场、产品价格、客户数量等。

如果您想要更可靠的东西,那么就使用硬件键,但这相当麻烦(对用户来说),而且成本更高。软件解决方案可能会浪费时间和资源,它们唯一会给你的是一种虚假的“安全感”。

还有一些想法(没有一个是完美的,因为没有完美的人)。

AntiDuplicate 改变语言,使用Skype的作者使用的好技巧 许可证服务器

不要在这上面浪费太多时间,因为破解者在典型技术方面有很多经验,比你领先几步。除非你想使用大量的资源,可能会改变编程语言(做Skype的方式)。


如果它是用。net编写并编译为CIL,则可以反映出来。如果安全性是一个问题,并且要避免混淆,那么我建议使用非托管语言编写应用程序,这种语言本质上更难以进行逆向工程。


你不能。

您可以采取一些步骤来增加一些难度,但最终本地机器上的任何可执行文件都是可以被破解的。最终,这些代码必须转换为本机机器码,每个可运行的应用程序都很容易受到攻击。

你要做的就是让它变得足够难破解,让它不值得人们去麻烦。

我有一些建议可以帮助你保护你的应用程序:

Obfuscate your code. Dotfuscator has a free edition and comes with Visual Studio. Use public/private key or asymmetric encryption to generate your product licenses. This ensures that only you can generate your license codes. Even if your application is cracked, you can be sure that they won't be releasing a key generator for your application, because it is impossible to reverse the key generating algorithm. Use a third-party packer to pack your .NET executable into an encrypted Win32 wrapper application. Themida is one of the better ones. This stops people from reflecting your application in .NET Reflector and makes it a pain to unpack for reversing. Write your own custom packer. If the third-party packers are too expensive, consider writing your own. Sometimes custom packers can be very effective, because there aren't well published methods on how to unpack them. The tutorial How to write your own packer gives a ton of good information on writing your own Win32 packer.

最终,如果人们想要破解你的应用,他们会的。看看所有的商业软件,它们有大量的资源来保护它们的应用程序,但它们在应用程序发布给公众之前就被破解了。

一个熟练的逆向工程师可以启动IDA-Pro,并像切黄油一样切开您的应用程序,无论您做什么。一个打包的应用程序可以被解包,而混淆只会阻止它变得像在公园里散步一样简单。您使用复杂许可代码所做的所有艰苦工作都可以通过一个单字节补丁来完成。

你只需要接受这样一个事实:人们很有可能会盗版你的软件。有些人无论如何都不会为你的应用程序付费,这些人是你不需要担心的。

然而,有许多企业永远不会冒着诉讼的风险,他们很乐意购买软件许可证,而许多计算机用户要么不想冒险,要么发现它是错误的,要么没有足够的技术知识来盗版。这些是你真正的客户,你应该把精力集中在为他们提供良好的用户体验上,而忽略那些破解你软件的人。

我的应用程序以前被盗版过,我认为这是对我个人的侮辱。我是一个小开发者,全身心地投入到一个应用中,而这些人却有胆量剽窃我的作品?!他们直接从我口袋里拿钱!

我立即添加了一堆严格的DRM代码,并试图破坏任何使用非法或破解副本的人。当然,我应该努力让我的应用程序变得更好,而不是试图阻止不可避免的事情。不仅如此,我还伤害了我真正的客户,因为我设置了这些额外的保护措施。

经过长时间的战斗,我意识到我是在与潮流作斗争,所有这些浪费的时间都是徒劳的。除了最基本的许可函数之外,我取出了所有的phone-home代码,并且再也没有回头。


不幸的是,你逃不掉的。最好的办法是用C语言编写代码,然后P/调用它。

这里有一个小小的catch-22,有人可能只是将您的应用程序反编译到CIL并杀死任何验证/激活代码(例如,对C库的调用)。请记住,用C语言编写的应用程序也会被更顽固的黑客逆向工程(看看现在的游戏被破解的速度就知道了)。没有什么可以保护您的应用程序。

最后,它的工作原理很像你的家,保护得足够好,这样就花费了太多的精力(意大利面条代码在这里会有所帮助),这样攻击者就会转移到你的隔壁邻居(竞争:))。看看Windows Vista,肯定有10种不同的破解方法。

有包在那里,将加密你的EXE文件,并在用户被允许使用它时解密它,但再一次,这是使用一个通用的解决方案,毫无疑问已被破解。

激活和注册机制针对的是“普通人”:那些没有足够的技术知识来绕过它(或者就此而言,他们知道他们可以绕过它)的人。不要为饼干费心了,他们有太多的时间。


如何确保应用程序不被篡改,以及如何确保注册机制不会被逆向工程。

两者都有一个非常简单的答案:不要把目标代码交给不可信的一方,比如(显然)你的客户。在您的机器上托管应用程序是否可行只取决于它的功能。

如果它不是一个web应用程序,也许你可以允许SSH登录,X转发到应用服务器(或者远程桌面连接,我猜,对于Windows)。

如果你把目标代码交给书呆子,而他们认为破解你的程序可能很有趣,那么它就会被破解。没有办法。

如果你不相信我,那就指出一个没有被破解和盗版的引人注目的应用程序。

如果你使用硬件键,它会使生产成本更高,你的用户会因此讨厌你。在地板上爬来爬去,插拔你27个不同的USB设备,这真是个婊子,因为软件制造商不信任你(我想)。

有一些包可以加密你的EXE,并在允许用户使用它时解密它

当然,绕过它的方法是破解“我能使用它吗”测试,以便它总是返回true。

一个令人讨厌的技巧可能是以一种肮脏的方式在程序的其他地方使用执行测试的操作码的字节值,这将使程序很可能崩溃,除非值刚刚好。它让你链接到一个特定的架构,尽管:-(


广义上讲,有三种人。

Those who will not buy your software and resort to cracks, or if they don't find any, not use your software at all. Don't expect to make any money from this group. They rely either on their own skills or on crackers (who tend to prioritize their time depending on your useful and how big your audience is. The more useful, the sooner a crack will be available). The group of legitimate users who will buy (pay for) your software, irrespective of what protection mechanism you use. Don't make life hard for your legitimate users by using an elaborate protection mechanism since they are going to pay for it in any case. A complex protection mechanism can easily spoil the user experience and you don't want this happening to this group. Personally, I'd vote against any hardware solution, which adds to the cost of your software. A minority who will resort to "unethical" cracking and will only pay for your software because its features are protected by a licensing mechanism. You probably don't want to make it exceedingly easy for this group to circumvent your protection. However, all that effort you spend on protecting your software will pay back, depending on how big this group of people is. This entirely depends on the type of software you're building.

根据您所说的,如果您认为有足够多的少数人可以被推动购买您的软件,那么请继续执行某种形式的保护。考虑一下你能从这些少数人身上赚到多少钱,与你花在保护上的时间相比,或者你花在第三方保护API/工具上的钱。

如果您想实现自己的解决方案,那么使用公钥加密是防止容易被黑客攻击的好方法(与对称算法相反)。例如,您可以对您的许可证(序列号或许可证文件)进行数字签名。解决这个问题的唯一方法就是反编译、修改和重新编译代码(你可以使用Simucal回答中建议的技术来增加难度)。


Use online update to block those unlicensed copies. Verify serial number from different modules of your application and do not use a single function call to do the verification (so that crackers cannot bypass the verification easily). Not only check serial number at startup, do the verification while saving data, do it every Friday evening, do it when user is idle ... Verify application file check sum, store your security check sum in different places. Don't go too far on these kind of tricks, make sure your application never crash/get into malfunction while verifying registration code. Build a useful app for users is much more important than make a unbreakable binary for crackers.


你无法阻止别人破解你的软件。

However, you can make them create cracks that will hurt your sales less. Keygenerators that can issue a valid registration code for your software are much worse than simple patches that remove registration incentives from your software. That's because a crack will work for one software version only, and will cease to work with the next software update you release. The keygenerator will continue to work until you change your registration key algorithm and that's something you don't want to do often because it will put off your honest clients.

因此,如果您正在寻找一种方法来对抗非法的密钥生成器,并且您不想使用不对称加密,因为这会生成很长的注册码,您可以看看部分密钥验证。

Partial Key Verification makes sure that each illegal keygenerator works only for one particular release of your software. Basically what you do is to make sure that each release of your software only links with the code for checking SOME digits of the registration code. Which digits exactly is random, so crackers would have to reverse engineer many different versions of your software and combine all this into one keygenerator in order to release a keygenerator that works for all versions of your software.

如果你定期发布新的软件版本,这将导致大量的密钥生成器散布在各种软件盗版档案中,这些文件不再工作。潜在的软件盗版者通常会寻找最新版本的破解或关键元素,所以他们可能会尝试其中的一些,并最终放弃。

我在我的(c++)新共享游戏中使用了部分密钥验证,它非常有效。之前我们遇到了很多无法对抗的关键生成器问题。后来出现了许多漏洞,一些按键生成器只适用于特定版本的游戏,但没有一个按键生成器适用于所有版本。我们定期发布游戏的小更新,让之前存在的所有漏洞都变得无用。

似乎有一个用于部分密钥验证的开源。net框架,尽管我还没有尝试过。


你可以. .

Microsoft SLP ServicesInishTech的Software Potential提供了在不影响应用程序功能的情况下帮助保护代码的能力。

更新:(披露:我在Eazfuscator.NET工作)微软SLP ServicesSoftware潜在的不同之处在于虚拟化代码的能力,所以你肯定可以。从最初提出这个问题到现在已经过去了好几年;今天,有更多的产品也可以在类似的基础上工作,例如:

敏捷。网 Eazfuscator。网


net反应堆

更新

Jared指出de4dot声称能够反编译它。

.NET Reactor provides complete protection for your sensitive intellectual property by converting your .NET assemblies into unmanaged processes which cannot be understood as CIL, and which no existing tool can decompile. Hackers have no access to any intelligible form of your source. Powerful and flexible, the .NET Reactor licensing features allow you to enforce your license conditions and protect your revenue stream by using hardware and software locks. The license manager can build trial or permanent licenses, in a matter of seconds. A fully documented software development kit (SDK), complete with examples, allows you to call the licensing system directly from your code, allowing you to create custom extensions to the licensing system.


除了购买保护之外,您(或您的开发人员)还可以学习复制保护。

这些想法是:

首先,尝试编写一个将自己写入控制台的程序。这是一个著名的问题。这个任务的主要目的是练习编写自引用代码。

其次,您需要开发一种技术,以某种方式重写一些代码 可依赖于其他方法的CIL。

你可以编写一个虚拟机(但是使用。net)。在这里放一些代码。 最终,虚拟机运行另一个运行代码的虚拟机。 这是针对很少调用的函数的一部分,目的是为了不太降低性能。

将一些逻辑重写为c++ /CLI,并混合托管代码和非托管代码。这将使拆卸变得坚硬。在这种情况下,不要忘记提供x64二进制文件。


只需编写一个好的应用程序和一个简单的保护系统。不管你选择什么保护,它都会被逆转……所以不要浪费太多时间/金钱。


还有Salamander,这是一个来自Remotesoft的原生。net编译器和链接器,可以在没有。net框架的情况下部署应用程序。我不知道它是否符合它所宣称的。


抱歉,完全保护应用程序是不可能的。


如果微软能想出一个解决方案,我们就不会有盗版的Windows版本,所以没有什么是非常安全的。下面是来自Stack Overflow的一些类似问题,您可以实现自己的保护方式。如果你正在发布不同的版本,那么你可以针对不同的版本采用不同的技术,这样当第一个版本被破解时,第二个版本就可以接管。

基于许可证管理c++应用程序的特性 使用license文件保护DLL文件 授权/保护软件?


Here's one idea: you could have a server hosted by your company that all instances of your software need to connect to. Simply having them connect and verify a registration key is not sufficient -- they'll just remove the check. In addition to the key check, you need to also have the server perform some vital task that the client can't perform itself, so it's impossible to remove. This of course would probably mean a lot of heavy processing on the part of your server, but it would make your software difficult to steal, and assuming you have a good key scheme (check ownership, etc), the keys will also be difficult to steal. This is probably more invasive than you want, since it will require your users to be connected to the internet to use your software.


根据我的经验,让你的应用程序或库更难破解会伤害你诚实的客户,而只会稍微延迟那些不诚实的客户。专注于制作一款优秀的,低摩擦的产品,而不是花费大量精力去推迟不可避免的事情。


当涉及到。net时,如果你正在发布Windows窗体应用程序(或任何客户端有可移植可执行文件的应用程序),它就有可能被破解。

如果你想坚持使用。net,并且想把你的源代码被窃取的几率降到最低,那么你可以考虑将它部署为ASP。NET应用程序,而不是使它成为一个Windows窗体应用程序。


您不能完全保护任何应用程序(托管与否)。如果像Playstation和iPad这样的系统都被破解了——厂商甚至控制着硬件——你的应用还有什么希望呢?幸运的是,你并不是真的想这么做。在我看来,你需要确保你的应用程序足够安全,这样别人就不会意外地窃取你的产品。

例如,如果使用每台机器许可证,那么它不应该只在安装到新的第二台机器上时才能工作。你需要一个好的错误消息来防止额外的支持呼叫,但不要花费额外的时间让它难以解决,也不要用它来打击用户。

另一个例子是限时审判。甚至不用担心简单的事情,比如用户是否可以回滚系统时钟。这样做的人知道他们违反了您的许可,只要用户知道他们违反了您的许可,您就做得够多了。

You need to do this much because users don't care about your license. Licenses are made-up things that nobody cares about until they need to. No one reads them, and they really shouldn't have to. Therefore the best way to tell the user where the boundaries are is if the out-of-the-box behavior for your application complies with the license. In this first case that means either failing to install or installing in trial-version mode the second time. For the latter, it might just mean checking a plain-text date in a configuration file. Either way, make sure you handle it in an elegant, helpful, and respectful manner.

So that explains what it means do just that much. But why not go any further? Why not plug every little hole you can find? The answer is in two parts. First, if someone will cross the ethical threshold of consciously breaking your license terms — even in a simple way — they'll also be willing to do something more difficult or dangerous like pull your application from a torrent site — and there is a certain amount of danger involved in running applications downloaded from untrusted sources. Making it any harder is only a minor annoyance for these users and risks causing problems with your paying customers. Keeping it simple may prevent someone from digging into your application and releasing a more comprehensive crack. Second, you have few eyes available to look for flaws; the hackers have many, and they have more practice finding them. You only need to miss one little flaw, and your app will have the same distribution on pirate sites as if you did nothing. You have to be right every time; they only have to be lucky once. So the effort required is very high, and the likelihood of any measure of success is very low.

Ultimately, if someone wants to pirate your application (as opposed to just using it), and that is their main goal, they will. There's nothing you can do to stop them. This is the nature of software; once the files that make up your product are on a user's computer they will be able to do with them as they wish. This is especially relevant in managed environments like Java or .NET, but it definitely applies to native code as well. Time is on their side, and given enough time any digital security can be broken.

Since you can't stop users from pirating your product, your best course of action is to engage this class of user in a way the uses them to your benefit. It is often possible to get them working for you rather than against you. With that in mind, no matter what your application is, it's probably worth it to keep a free version that is almost completely functional and doesn't expire. The difference between even a US$1 price tag and free is huge, if for no other reason than that the customer doesn't have to trust you with their credit card. A free edition of your product will not only effectively kill pirated distribution (why risk a pirated version when you can be legitimate for the same price?), it has the potential to dramatically expand your audience.

结果是,你可能需要提高付费版的价格,这样最终你就有10万免费用户,而不是2000个用户,每人20美元,其中500人愿意为“专业版”支付99美元。这比你花大量时间锁定你的产品赚得更多。不仅如此,你还可以通过多种重要方式吸引这些免费用户并利用这种关系。

一是支持。悲观主义者会借此机会抱怨支持10万免费用户的成本增加,但令人惊讶的事情却发生了:你的产品基本上可以自给自足。在没有资金支持成本的大型开源项目中,您经常会看到这种情况。用户会挺身而出,让它成为现实。

Free users generally have reduced support expectations to begin with, and for good reason. All you need to do is mark the free edition as only qualifying for community support and put up a user-moderated online forum for that purpose. Your support knowledge base is self-generating, and advanced users will shepherd those who need extra hand-holding on your behalf. Even more importantly, this will allow you to identify and correct bugs faster, ultimately improving the quality of your product and lowering total support costs. This wasn't possible before because your user base wasn't large enough, but when you treat the free users as customers it can work very well.

另一个是反馈。通过观察你的论坛,你可以学到重要的改进想法,否则你可能从来没有考虑过。这可以让你最终将更多免费用户转变为付费用户,并创造出更有吸引力的产品,从而吸引更多用户。

最后,你需要考虑市场营销。所有这些免费用户现在都是粉丝,而不是对手,他们会采取相应的行动。不仅如此,当你发布下一个版本时,这些用户都将通过你批准的分发渠道,而不是其他未知的机制。这意味着在你的下一个版本中,你开始与更大的、高度感兴趣和支持你的观众建立联系。

The best features to reserve for the professional edition are tools aimed at making it easy to do corporate deployment and management. A cracker won't see these as a compelling enough reason to hack it for his own use, but for a business looking to buy 300 licenses and push it out company-wide this is a must-have. Of course, the professional edition will be pirated anyway, but again: don't sweat it because you probably wouldn't be able to sell the product to those pirates no matter what you did, so it's not costing you any revenue.

While psychologically it can be hard to give away your product this much, hopefully you can understand how it really is the best way to go. Not only that, it's the only way to go in the long term. I know someone is out there thinking that they don't want to do it this way. After all, they've got by just fine selling their locked-down $20 product for years. But that's just too bad, because if you don't do it this way, eventually someone else will. And their product will be just as good as yours, or close enough they can get away with claiming that. Then all of a sudden your pricing looks outrageous, sales drop dramatically, and there's nothing else you can do. You can opt for an additional middle tier if you must, but it's unlikely to help you.


. net Reflector只能打开“托管代码”,这基本上意味着“。NET代码”。所以你不能用它来分解COM DLL文件、原生c++、经典的Visual Basic 6.0代码等。编译后的。net代码的结构非常方便、可移植、可发现、可验证等。net Reflector利用了这一点,让你窥探已编译的程序集,但反编译器和反汇编器绝不是。net特有的,它们和编译器一样早就存在了。

您可以使用混淆器使代码更难阅读,但是您不能在不使. net无法读取的情况下完全阻止它被反编译。市面上有一些产品(通常价格昂贵)声称可以将托管代码应用程序“链接”到本地代码应用程序,但即使这些产品真的可以工作,有决心的人总能找到方法。

然而,当涉及到混淆时,一分钱一分货。因此,如果您的代码是如此专有,以至于您必须竭尽全力来保护它,那么您应该愿意在一个好的混淆器上投资。

However, in my 15 or so years of experience writing code I've realized that being over-protective of your source code is a waste of time and has little benefit. Just trying to read original source code without supporting documentation, comments, etc. can be very difficult to understand. Add to that the senseless variable names that decompilers come up with and the spaghetti code that modern obfuscators create - you probably don't have to worry too much about people stealing your intellectual property.


你和很多人分享的秘密就不是秘密了。如果你的代码中有秘密的东西,混淆它是没有保护的;它只需要去混淆一次。如果你有什么秘密不想和你的客户分享,那就不要和你的客户分享。将代码编写为web服务,并将超级机密代码保存在自己的服务器上,只有您可以看到它。


坦率地说,有时我们需要混淆代码(例如,注册许可类等)。在这种情况下,您的项目不是免费的。在我看来,你应该花钱买个好东西。

Dotfuscator隐藏代码,. net Reflector在尝试反编译时显示错误。


我可以推荐使用混淆器。


混淆代码!在混淆c#代码中有一个例子。


如果您希望人们能够运行您的代码(如果您不希望,那么为什么要首先编写它?),那么他们的CPU需要能够执行您的代码。为了能够执行代码,CPU需要能够理解它。

由于cpu是愚蠢的,而人类不是,这意味着人类也可以理解代码。

只有一种方法可以确保你的用户不会得到你的代码:不要把你的代码给他们。

这可以通过两种方式实现:软件即服务(SaaS),即在服务器上运行软件,只允许用户远程访问它。例如,这就是Stack Overflow使用的模型。我很确定Stack Overflow不会混淆他们的代码,但是你不能反编译它。

The other way is the appliance model: instead of giving your users your code, you give them a computer containing the code. This is the model that gaming consoles, most mobile phones and TiVo use. Note that this only works if you "own" the entire execution path: you need to build your own CPU, your own computer, write your own operating system and your own CLI implementation. Then, and only then can you protect your code. (But note that even the tiniest mistake will render all of your protections useless. Microsoft, Apple, Sony, the music industry and the movie industry can attest to that.)

或者,您可以什么都不做,这意味着您的代码将自动受到版权法的保护。


是的。如果代码没有混淆,. net代码非常容易进行逆向工程。

混淆将给试图逆向工程您的软件的人增加一层烦恼。根据你得到的版本不同,你会得到不同程度的保护。

Visual Studio包括Dotfuscator的一个版本。因为它是一个捆绑版本,你肯定不会得到最强烈的混淆。如果您查看它们的特性列表,就会清楚地看到您遗漏了什么(以及应用程序将如何使您的代码更安全)。

还有其他一些免费或开源的。net混淆器(但我不能评论它们的质量或使用的各种方法):

Obfuscar 巴别塔。网上

最后,没有什么是完美的。如果有人真的想看看你的软件是如何工作的,他们会的。


客户端上运行的任何东西都可以被反编译和破解。混淆只会让它更难。我不了解你的应用程序,但99%的情况下,我认为不值得这么做。


是的,. net二进制文件(EXE和DLL)可以很容易地反编译成接近源代码。检查. net Reflector工具。在任何。net二进制文件上尝试一下。最好的选择是混淆文件,它们仍然可以被。net Reflector反编译,但它们会造成一团不可读的混乱。我不认为好的混淆器是免费或廉价的。一个是Visual Studio附带的Dotfuscator社区版。


请记住,99%以上的用户不会有兴趣检查你的可执行文件,看看它是如何工作的。

考虑到很少有人会去尝试,而且大多数混淆器都是可以解决的,它值得你花时间和精力吗?

你最好把时间投入到改进你的产品上,让更多人愿意使用它。


只是补充一个警告:如果你打算使用混淆,检查一切仍然工作!混淆可能会改变类名和方法名。因此,如果你使用反射来调用某些方法和/或类(就像在插件架构中),你的应用程序在混淆后可能会失败。另外,堆栈跟踪对于跟踪错误可能是无用的。


好吧,你不能完全保护你的产品不被破解,但你可以最大化/增强安全级别,让它有点难以被新手和中级破解者破解。

但请记住,没有什么是不可破解的,只有服务器端的软件受到了很好的保护,无法被破解。无论如何,为了增强应用程序中的安全级别,您可以执行一些简单的步骤来防止某些黑客“不是全部”破解您的应用程序。下面这些步骤会让你抓狂甚至绝望:

Obfuscate your source code, obviously this will make your source code look like a mess and unreadable. Trigger several random checking routines inside your application like every two hours, 24 hours, one day, week, etc. or maybe after every action the user take. Save your released application's MD5 checksum on your server and implement a routine that can check the current file MD5 checksum with the real one on you server side and make it randomly triggered. If the MD5 checksum has been changed that means this copy has been pirated. Now you can just block it or release an update to block it, etc. Try to make a routine that can check if some of your codes (functions, classes, or specific routines) are actually have been modified or altered or even removed. I call it (code integrity check). Use free unknown packers to pack your application. Or, if you have the money, go for commercial solutions such as Thamida or .NET Reactor. Those applications get updated regularly and once a cracker unpack your application, you can just get a new update from those companies and once you get the new update, you just pack your program and release a new update. Release updates regularly and force your customer to download the latest update. Finally make your application very cheap. Don't make it too expensive. Believe me, you will get more happy customers and crackers will just leave your application, because it isn't worth their time to crack a very cheap application.

这些只是防止新手和中级破解者破解应用程序的简单方法。如果您有更多保护应用程序的想法,请不要羞于实现它们。这只会让破解者的生活变得艰难,他们会感到沮丧,最终他们会离开你的应用程序,因为它不值得他们花费时间。

最后,你还需要考虑花时间编写一个好的、高质量的应用程序。不要把时间浪费在编写复杂的安全层上。如果一个优秀的破解者想要破解你的应用程序,无论你做什么,他/她都会做。

现在去实现一些玩具饼干…


最好的答案是第一个来自小开发人员自己的经验,上面讨论的所有反反转技术对于任何严肃的反向工程师来说都是101个教科书案例。

一些商业DRM解决方案相当不错,但它们总是在数小时(或数天)内使用自定义DRM解决方案破解每一款AAA级游戏。只有一个全新的DRM解决方案的引入——有时——延迟是不可避免的,可能需要几个星期。

充分利用DRM需要花费大量的时间和金钱,而且很容易损害性能、可靠性、兼容性/可移植性和客户关系。要么坚持一些像样的商业DRM,不要试图太聪明,承担你的(更少的)损失,要么完全忘记它……

一个DRM解决方案的例子,它挖了自己的(商业)坟墓:http://en.wikipedia.org/wiki/StarForce


我也做了一些关于黑客安全的考虑,在我的设计中,我想添加他们,因为他们中的一些人似乎没有被提及:

我在我的应用程序中有一个脚本接口。为了确保,脚本只能调用(python)打算调用的方法-脚本i有一个scriptvisibilityattribute和System.Dynamic.DynamicMetaObjectProvider,它可以识别这些属性。

license使用公钥/私钥。

ViewModels需要被解锁,给解锁函数一个密码。

CoreRoutines可以在加密狗上实现。(周围有加密狗支持)

像包装这样的大解决方案并不是计划好的。

当然,这种脚本/viewModel方法并没有使我们不可能从代码中解锁和调用脚本不可见的函数,但它使这样做变得更加困难——就像所有与反黑客相关的工作一样。


根据微软博客中的以下问题:

https://blogs.msdn.microsoft.com/amb/2011/05/27/how-to-prevent-ildasm-from-disassembling-my-net-code/

如何防止ILDASM分解程序集?

. net有一个名为SuppressIldasmAttribute的属性,它可以防止分解代码。例如,考虑以下代码:

using System;
using System.Text;
using System.Runtime.CompilerServices;
[assembly: SuppressIldasmAttribute()]

namespace HelloWorld
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello world...");
        }
    }
}

如你所见,只有两个不同之处:

我们添加了System.Runtime.CompilerServices命名空间减速。 我们添加了[assembly: SuppressIldasmAttribute()]属性。

在Visual Studio中构建应用程序后,当我们尝试在ILDASM中打开生成的EXE文件时,现在我们得到以下消息:


下面是一些。net混淆工具的详细对比表:

截图来自obfuscators.io


看起来永远是本地的,现在不需要在混淆器; 看起来像网芯RT可行的解决方案;很快所有的应用程序都将使用。net core;https://www.codeproject.com/Articles/5262251/Generate-Native-Executable-from-NET-Core-3-1-Proje?msg=5753507 xx5753507xx https://learn.microsoft.com/en-us/archive/msdn-magazine/2018/november/net-core-publishing-options-with-net-core

没有测试过,也许用旧的win .net SDK可能做类似的事情。


我认为这个话题主要有两个方面。

A) .NET只是反向工程而不是原生的吗?

B)我们是什么类型的程序员?

标题: 保护.NET代码不受逆向工程的影响

我的观点:

Least preference to make commercial application in .NET, because it will expose even your comments on the built binary after decompile. (I don't know what is the logic to include the comments also with binary) So any one can just decompile it, rename/modify/change the look and resell the application in 24 hours. In native application rename/modify/change of look is not possible as easy as one could do in .NET Worried part in .NET is that you could get the whole project with solution from a single binary exe/dll.

想象一下现在的安全状况有多糟糕。 因此,即使是外行也可以轻松地对. net应用程序进行逆向工程。

如果它是本地应用程序,如c++ /VB6/Delphi,只有知道ASM的专家破解者才能修补exe,而不是像。net那样100%逆向工程。

但是现在整个世界都在使用。net,因为用它的高级特性和库很容易做项目。

好消息是,微软似乎在2020年支持。net的本地输出,这将使像我这样的程序员考虑将。net c#作为主要语言。

https://www.codeproject.com/Articles/5262251/Generate-Native-Executable-from-NET-Core-3-1-Proje?msg=5755590#xx5755590xx


使用Skater . net混淆器。该. net保护工具针对de4dot, de4dot是一个去混淆器,它将原始受保护的程序集成员名称重命名为人类可读的字符串。溜冰者与之对抗!

最近,MindSystemm集团发布了一个名为Skater的特殊工具。NetDeobfuscator [url: https://github.com/MindSystemm/Skater.NetDeobfuscator],它利用了Skater. net混淆器的漏洞。 混淆器的开发者Rustemsoft LLC收到了一个迫切需要保护关键的Skater . net混淆器算法和软件基础设施的信号,以便为Skater用户提供更强的源代码保护。这个问题已经解决了。