[RESOLVED] .Net to native?

[Mutant_Fruit]

http://www.telerik.com
http://codicesoftware.com/xpfront.aspx
http://www.mindtouch.com/
http://unity3d.com/
http://www.medsphere.com/
http://www.fanfaresoftware.com/
http://www.vistadb.net/
http://www.coversant.net/


Though that's not really relevant at all to the topic

What exactly is it that makes you afraid of someone decompiling your code? What was the reason you asked the question in the first place?


EDIT:

Update: I guess I was right on the money, so to speak: "Games for the Wii and iPhone would need to statically link the Mono runtimes, invoking the need for a commercial license." (http://www.desktoplinux.com/articles/AT7746284247.html). There are already AOT-compiled Mono games running on the iPhone (http://arstechnica.com/open-source/n...ne-and-wii.ars) and the dev tools license cost $1400+ (http://unity3d.com). If Novell and others can do it then Microsoft can do it. Well, that means in the future developers will have to pay both for the dev tools and for their apps to run in "Intelectual Property-protected"-mode on client's machines.

The fine print with that while you can AOT an assembly, you still need to retain all the .NET metadata to allow the program to run. If you can 100% AOT the *entire* assembly (can get tricky with reflection/generics), then you can strip out the method bodies. So if you decompiled the assembly, all the classes/methods would be there, but the method body would be empty. If anyone actually wanted to hack your program, they still have all the ASM and can still run any normal ASM to C converter to get easily readable C code.

[tr00don]

What exactly is it that makes you afraid of someone decompiling your code?

If anyone actually wanted to hack your program, they still have all the ASM and can still run any normal ASM to C converter to get easily readable C code.

You are funny, really. I guess you must be an open-source developer. You want to know "what makes me afraid of" something like that. I could answer that it's personal choice. Or I could answer that 99% of commercial software is not open-source.

If what you say about native code conversion to C were enough to reverse-engineer commercial software then the IT industry would not exist. I think you speak from a purely theoretical perspective. By the way, do you work in academia?

I suggest you visit http://trescom.org and share your ideas with those fans who have been trying to "analyze" the Trespasser executable ever since the PC game was released back in 1998.

[Mutant_Fruit]

You are funny, really. I guess you must be an open-source developer. You want to know "what makes me afraid of" something like that. I could answer that it's personal choice. Or I could answer that 99% of commercial software is not open-source.

I think i just phrased my question badly. I'm wondering why you asked the question. Did you ask because you are worried that someone will decompile your code, make minor changes, then resell it?

Are you worried because you have some amazing algorithms which must be kept top secret?

Are you worried that people will bypass your registration mechanism?

If what you say about native code conversion to C were enough to reverse-engineer commercial software then the IT industry would not exist.

How do you think people hack software and crack dvd/bluray encryption? It's very doable, it just requires a lot of time and effort.

So before we get too far derailed from the topic, I think you are being needlessly fearful. If someone actually cares enough to crack/hack/decompile your app, they will. Obviously a .NET language will be easier to decompile and a C or ASM app will be harder, but still doable.

Or I could answer that 99% of commercial software is not open-source.

100% of commercial software isn't open source according to the open source definition. Though whether or not you open source your application doesn't impact the language you write it in. .NET doesn't enforce your application is open source, so I'm not quite sure why you're mentioning this.

[Zaccheus@Work]

Obfuscated software can still be decompiled.

So can a native program, but in both cases, the class names, function names, and variable names are made meaningless - which is the important thing.

[darwen]

I tend to agree with Mutant_Fruit.

I'd say 99% of most applications wouldn't give you anything useful if you were to decompile them.

There's nothing to stop someone from using one of your assemblies in their own applications of course, but then again the same is true if you write a COM component.

Of code which is highly sensitive I'd say it falls into two categories :

(1) Code containing data which must be protected - e.g. encryption keys. You can get at these equally well if the key is in code or if it is in .NET. Anyway you can move the encryption/decryption parts into native code to make it more difficult for a hacker.

(2) Algorithms. Again I have to say I can't think of a single algorithm which would need protecting this much apart from possibly because of a speed optimisation. In this case the code will be in native anyway...

I really don't see the ability to decompile .NET code as a problem. And have worked for a few commercial companies actively using it to develop desktop applications and they don't see it as a problem either.

And bear in mind I'd say that 99% of the time and cost in producing a working piece of software has nothing to do with clever algorithms etc. It has just to do with volume of work and how long it takes to write a line of code.

Far more important is what you intend to do with the software in future...

Darwen.

[tr00don]

I'm glad most of you feel safe knowing that all .Net code you develop and release is freely available to the rest of the world. After all, who would need it? From this perspective, Intellectual Property lawyers may want to start looking for new jobs. The IT industry will soon have a strong reason to stop fighting over trade secrets and software patents. All algorithms one can possibly create will end up in the public domain. Software development will no longer be about coding optimal data structures and algorithms but about how fast one can type at the keyboard.

Few realize that there is an ongoing effort to create new types of property. In a world where natural resources are limited and the population is growing, intellectual property is the best option newcommers have to become owners of something they didn't inherit but can build through their own effort in a free market economy. And if history is any guide, property needs to be protected and defended or it could be lost. Isn't that the way of life in the New World? That is also why DRM is here to stay, whether we like it or not; but that's another story.

If I did software development for a living, to put bread on the table and gas in the tank, and I knew that my code can be easily decompiled by my competitors then I probably couldn't sleep at night. Fortunately, I don't have to do that.

Arguments about how easy it is to reverse-engineer assembler code are greatly exaggerated. It may be "easy" to hack into code to bypass a S/N validation routine but it is a lot more difficult to infer a 200 KB algorithm that uses dynamic data structures and recursive procedure calls.

That being said, I strongly believe open-source software has its solid place in the IT ecosystem and is critically important for start-ups, academic developers, hobbyist programmers, and most importantly, for sharing ideas. In Silicon Valley all began with the Homebrew Computer Club.

[Zaccheus@Work]

You seem to be ignoring some basic facts here.

[Mutant_Fruit]

Intellectual property is the best option newcommers have to become owners of something they didn't inherit but can build through their own effort in a free market economy.

Which is why there's a huge fight to make software unpatentable in the US and it's already unpatentable in the EU.

That is also why DRM is here to stay, whether we like it or not; but that's another story.

Look at the history of DRM, it has always been cracked/worked around and it only angers the legitimate customer when they lose access to their legally purchased data. DRM won't be gone completely in the next few years, but in the longer term it's going to go. DRM is already being phased out in a number of high profile cases, the iTunes store and Vodaphone (http://tech.yahoo.com/news/nm/200903...vodafone_music) being two prime examples.

Arguments about how easy it is to reverse-engineer assembler code are greatly exaggerated. It may be "easy" to hack into code to bypass a S/N validation routine but it is a lot more difficult to infer a 200 KB algorithm that uses dynamic data structures and recursive procedure calls.

And how could you do the same for a .NET assembly which has been obfusticated? It'd be just as hard.

[tr00don]

Sorry, I couldn't resist...

Which is why there's a huge fight to make software unpatentable in the US and it's already unpatentable in the EU.

That is a good fight and hopefully it will be successful because M$ and the gang have gone way too far in their greed. Pretty soon we will all have to pay them a fee just to be allowed to click on a button.

Look at the history of DRM, it has always been cracked/worked around and it only angers the legitimate customer when they lose access to their legally purchased data.

And rightly so, because, again, the greed of these corporations has no limits. They don't inform the customer about the limitations of the license, they call it "marketing strategy". I call it misleading the customer.

And how could you do the same for a .NET assembly which has been obfusticated? It'd be just as hard.

"At best, obfuscation merely makes it time-consuming, but not impossible, to reverse engineer a program... No-one can guarantee that obfuscation will present any particular level of difficulty to a reverse engineer." (http://en.wikipedia.org/wiki/Obfusca...hen_used_alone)

"The bytecode formats used by many virtual machines (such as the Java Virtual Machine or the .NET Framework Common Language Runtime) often include extensive metadata and high-level features that make decompilation quite feasible. Machine language has typically much less metadata, and is therefore much harder to decompile." (http://en.wikipedia.org/wiki/Decompiler)

[Mutant_Fruit]

At the end of the day, it's your choice. You deem .NET to only be suitable for opensource applications, so don't use it. I'm not particularly bothered either way. All I know is that there are plenty of high profile companies selling high profile software who appear to have none of the fears you do.

As for your wikipedia quotes, that pretty much sums up exactly what I was saying.

EDIT: It's also worth pointing out that if anyway does decompile my commercial application and attempts to resell it, they'd be in jail so fast they wouldn't be able to organise a phonecall to their significant other And yes, it is easy to tell. That's from personal experience. Google 'monotorrent' and 'seedpeer' if you want to see the details.

[dglienna]

OFFICE 2007?

Expressions WEB?

just about everything Microsoft is doing the framework now...

[Zaccheus@Work]

"The bytecode formats used by many virtual machines (such as the Java Virtual Machine or the .NET Framework Common Language Runtime) often include extensive metadata and high-level features that make decompilation quite feasible. Machine language has typically much less metadata, and is therefore much harder to decompile." (http://en.wikipedia.org/wiki/Decompiler)

The very next sentence is: "Some compilers and post-compilation tools produce obfuscated code (that is, they attempt to produce output that is very difficult to decompile). This is done to make it more difficult to reverse engineer the executable."

The article then goes on to show how easily machine code can be reverse engineered.

[tr00don]

The article then goes on to show how easily machine code can be reverse engineered.

Try reading and figuring out this sample: http://www.microapl.co.uk/asm2c/sample86C.html

Then have a look at this: http://www.microapl.co.uk/asm2c/RelogixPrices.html

That should give everybody an idea of how "easy" it is, in practice, to reverse-engineer native code.

But there is hope for .Net programmers. Mono can do static linking (with licensing implications) so I guess M$ will provide a tool to the same purpose, sooner or later -- for a price, of course.

[Mutant_Fruit]

Now, suppose you have a .NET assembly where every variable is called "a", every method is called "a" and every class is called "a". Wouldn't that be just as difficult to reverse engineer?

EDIT: Also throw in whatever other obfustications you feel like, such as obfusticating constants, if/while loops etc.

[tr00don]

Now, suppose you have a .NET assembly where every variable is called "a", every method is called "a" and every class is called "a". Wouldn't that be just as difficult to reverse engineer?

Absolutely! And it would be as difficult for me, if I were to write that application, to debug my code.

You win. And hey, watch out for nasty seedpeers...

I'm off this thread.