请记住，99%以上的用户不会有兴趣检查你的可执行文件，看看它是如何工作的。

考虑到很少有人会去尝试，而且大多数混淆器都是可以解决的，它值得你花时间和精力吗?

你最好把时间投入到改进你的产品上，让更多人愿意使用它。

我认为这个话题主要有两个方面。

A) .NET只是反向工程而不是原生的吗?

B)我们是什么类型的程序员?

标题: 保护.NET代码不受逆向工程的影响

我的观点:

Least preference to make commercial application in .NET, because it will expose even your comments on the built binary after decompile. (I don't know what is the logic to include the comments also with binary) So any one can just decompile it, rename/modify/change the look and resell the application in 24 hours. In native application rename/modify/change of look is not possible as easy as one could do in .NET Worried part in .NET is that you could get the whole project with solution from a single binary exe/dll.

想象一下现在的安全状况有多糟糕。 因此，即使是外行也可以轻松地对. net应用程序进行逆向工程。

如果它是本地应用程序，如c++ /VB6/Delphi，只有知道ASM的专家破解者才能修补exe，而不是像。net那样100%逆向工程。

但是现在整个世界都在使用。net，因为用它的高级特性和库很容易做项目。

好消息是，微软似乎在2020年支持。net的本地输出，这将使像我这样的程序员考虑将。net c#作为主要语言。

https://www.codeproject.com/Articles/5262251/Generate-Native-Executable-from-NET-Core-3-1-Proje?msg=5755590#xx5755590xx

不幸的是，你逃不掉的。最好的办法是用C语言编写代码，然后P/调用它。

这里有一个小小的catch-22，有人可能只是将您的应用程序反编译到CIL并杀死任何验证/激活代码(例如，对C库的调用)。请记住，用C语言编写的应用程序也会被更顽固的黑客逆向工程(看看现在的游戏被破解的速度就知道了)。没有什么可以保护您的应用程序。

最后，它的工作原理很像你的家，保护得足够好，这样就花费了太多的精力(意大利面条代码在这里会有所帮助)，这样攻击者就会转移到你的隔壁邻居(竞争:))。看看Windows Vista，肯定有10种不同的破解方法。

有包在那里，将加密你的EXE文件，并在用户被允许使用它时解密它，但再一次，这是使用一个通用的解决方案，毫无疑问已被破解。

激活和注册机制针对的是“普通人”:那些没有足够的技术知识来绕过它(或者就此而言，他们知道他们可以绕过它)的人。不要为饼干费心了，他们有太多的时间。

你无法阻止别人破解你的软件。

However, you can make them create cracks that will hurt your sales less. Keygenerators that can issue a valid registration code for your software are much worse than simple patches that remove registration incentives from your software. That's because a crack will work for one software version only, and will cease to work with the next software update you release. The keygenerator will continue to work until you change your registration key algorithm and that's something you don't want to do often because it will put off your honest clients.

因此，如果您正在寻找一种方法来对抗非法的密钥生成器，并且您不想使用不对称加密，因为这会生成很长的注册码，您可以看看部分密钥验证。

Partial Key Verification makes sure that each illegal keygenerator works only for one particular release of your software. Basically what you do is to make sure that each release of your software only links with the code for checking SOME digits of the registration code. Which digits exactly is random, so crackers would have to reverse engineer many different versions of your software and combine all this into one keygenerator in order to release a keygenerator that works for all versions of your software.

如果你定期发布新的软件版本，这将导致大量的密钥生成器散布在各种软件盗版档案中，这些文件不再工作。潜在的软件盗版者通常会寻找最新版本的破解或关键元素，所以他们可能会尝试其中的一些，并最终放弃。

我在我的(c++)新共享游戏中使用了部分密钥验证，它非常有效。之前我们遇到了很多无法对抗的关键生成器问题。后来出现了许多漏洞，一些按键生成器只适用于特定版本的游戏，但没有一个按键生成器适用于所有版本。我们定期发布游戏的小更新，让之前存在的所有漏洞都变得无用。

似乎有一个用于部分密钥验证的开源。net框架，尽管我还没有尝试过。

. net Reflector只能打开“托管代码”，这基本上意味着“。NET代码”。所以你不能用它来分解COM DLL文件、原生c++、经典的Visual Basic 6.0代码等。编译后的。net代码的结构非常方便、可移植、可发现、可验证等。net Reflector利用了这一点，让你窥探已编译的程序集，但反编译器和反汇编器绝不是。net特有的，它们和编译器一样早就存在了。

您可以使用混淆器使代码更难阅读，但是您不能在不使. net无法读取的情况下完全阻止它被反编译。市面上有一些产品(通常价格昂贵)声称可以将托管代码应用程序“链接”到本地代码应用程序，但即使这些产品真的可以工作，有决心的人总能找到方法。

然而，当涉及到混淆时，一分钱一分货。因此，如果您的代码是如此专有，以至于您必须竭尽全力来保护它，那么您应该愿意在一个好的混淆器上投资。

However, in my 15 or so years of experience writing code I've realized that being over-protective of your source code is a waste of time and has little benefit. Just trying to read original source code without supporting documentation, comments, etc. can be very difficult to understand. Add to that the senseless variable names that decompilers come up with and the spaghetti code that modern obfuscators create - you probably don't have to worry too much about people stealing your intellectual property.

您不能完全保护任何应用程序(托管与否)。如果像Playstation和iPad这样的系统都被破解了——厂商甚至控制着硬件——你的应用还有什么希望呢?幸运的是，你并不是真的想这么做。在我看来，你需要确保你的应用程序足够安全，这样别人就不会意外地窃取你的产品。

例如，如果使用每台机器许可证，那么它不应该只在安装到新的第二台机器上时才能工作。你需要一个好的错误消息来防止额外的支持呼叫，但不要花费额外的时间让它难以解决，也不要用它来打击用户。

另一个例子是限时审判。甚至不用担心简单的事情，比如用户是否可以回滚系统时钟。这样做的人知道他们违反了您的许可，只要用户知道他们违反了您的许可，您就做得够多了。

You need to do this much because users don't care about your license. Licenses are made-up things that nobody cares about until they need to. No one reads them, and they really shouldn't have to. Therefore the best way to tell the user where the boundaries are is if the out-of-the-box behavior for your application complies with the license. In this first case that means either failing to install or installing in trial-version mode the second time. For the latter, it might just mean checking a plain-text date in a configuration file. Either way, make sure you handle it in an elegant, helpful, and respectful manner.

So that explains what it means do just that much. But why not go any further? Why not plug every little hole you can find? The answer is in two parts. First, if someone will cross the ethical threshold of consciously breaking your license terms — even in a simple way — they'll also be willing to do something more difficult or dangerous like pull your application from a torrent site — and there is a certain amount of danger involved in running applications downloaded from untrusted sources. Making it any harder is only a minor annoyance for these users and risks causing problems with your paying customers. Keeping it simple may prevent someone from digging into your application and releasing a more comprehensive crack. Second, you have few eyes available to look for flaws; the hackers have many, and they have more practice finding them. You only need to miss one little flaw, and your app will have the same distribution on pirate sites as if you did nothing. You have to be right every time; they only have to be lucky once. So the effort required is very high, and the likelihood of any measure of success is very low.

Ultimately, if someone wants to pirate your application (as opposed to just using it), and that is their main goal, they will. There's nothing you can do to stop them. This is the nature of software; once the files that make up your product are on a user's computer they will be able to do with them as they wish. This is especially relevant in managed environments like Java or .NET, but it definitely applies to native code as well. Time is on their side, and given enough time any digital security can be broken.

Since you can't stop users from pirating your product, your best course of action is to engage this class of user in a way the uses them to your benefit. It is often possible to get them working for you rather than against you. With that in mind, no matter what your application is, it's probably worth it to keep a free version that is almost completely functional and doesn't expire. The difference between even a US$1 price tag and free is huge, if for no other reason than that the customer doesn't have to trust you with their credit card. A free edition of your product will not only effectively kill pirated distribution (why risk a pirated version when you can be legitimate for the same price?), it has the potential to dramatically expand your audience.

结果是，你可能需要提高付费版的价格，这样最终你就有10万免费用户，而不是2000个用户，每人20美元，其中500人愿意为“专业版”支付99美元。这比你花大量时间锁定你的产品赚得更多。不仅如此，你还可以通过多种重要方式吸引这些免费用户并利用这种关系。

一是支持。悲观主义者会借此机会抱怨支持10万免费用户的成本增加，但令人惊讶的事情却发生了:你的产品基本上可以自给自足。在没有资金支持成本的大型开源项目中，您经常会看到这种情况。用户会挺身而出，让它成为现实。

Free users generally have reduced support expectations to begin with, and for good reason. All you need to do is mark the free edition as only qualifying for community support and put up a user-moderated online forum for that purpose. Your support knowledge base is self-generating, and advanced users will shepherd those who need extra hand-holding on your behalf. Even more importantly, this will allow you to identify and correct bugs faster, ultimately improving the quality of your product and lowering total support costs. This wasn't possible before because your user base wasn't large enough, but when you treat the free users as customers it can work very well.

另一个是反馈。通过观察你的论坛，你可以学到重要的改进想法，否则你可能从来没有考虑过。这可以让你最终将更多免费用户转变为付费用户，并创造出更有吸引力的产品，从而吸引更多用户。

最后，你需要考虑市场营销。所有这些免费用户现在都是粉丝，而不是对手，他们会采取相应的行动。不仅如此，当你发布下一个版本时，这些用户都将通过你批准的分发渠道，而不是其他未知的机制。这意味着在你的下一个版本中，你开始与更大的、高度感兴趣和支持你的观众建立联系。

The best features to reserve for the professional edition are tools aimed at making it easy to do corporate deployment and management. A cracker won't see these as a compelling enough reason to hack it for his own use, but for a business looking to buy 300 licenses and push it out company-wide this is a must-have. Of course, the professional edition will be pirated anyway, but again: don't sweat it because you probably wouldn't be able to sell the product to those pirates no matter what you did, so it's not costing you any revenue.

While psychologically it can be hard to give away your product this much, hopefully you can understand how it really is the best way to go. Not only that, it's the only way to go in the long term. I know someone is out there thinking that they don't want to do it this way. After all, they've got by just fine selling their locked-down $20 product for years. But that's just too bad, because if you don't do it this way, eventually someone else will. And their product will be just as good as yours, or close enough they can get away with claiming that. Then all of a sudden your pricing looks outrageous, sales drop dramatically, and there's nothing else you can do. You can opt for an additional middle tier if you must, but it's unlikely to help you.