Content by Category
.NET 1.x
.NET 2.0
.NET 3.0
.NET 3.5
.NET 4.0
.NET 4.5
.NET Assemblies
.NET Framework
.NET Getting Started
Accessibility
ADO.NET
Advertorials
Agile Development
AJAX
Amazon Web Services
Analysis Services
Android
Architecture
Arduino
ASP .NET Web API
ASP.NET
ASP.NET MVC
ASP.NET WebForms
Azure
B2B (Business Integration)
BDD
Big Data
Bing
BizTalk
Book Excerpts
Build and Deploy
Business Intelligence
C#
C++
ClickOnce
Cloud Computing
Code Contracts
CODE Framework Info - non Technical
CODE on the Road!
COM+
Community
Conferences
Continuous Integration
Crystal Reports
CSLA.NET
CSS
Data
Debugger
Design Patterns
Development Process
Display Technologies
Distributed Computing
Document Database
DotNetNuke
DSL
Dynamic Languages
Dynamic Programming
Editorials
Enterprise Services ("COM+")
Entity Framework
Events
Expression Blend
F#
Fox to Fox
Frameworks
Functional Programming
Git
Graphics
HTML 5
Internet Explorer 8.0
Interviews
IOS
iPhone
Iron Ruby
Java
Java Script
JavaScript
jQuery
JSON
Lightswitch
LINQ
Linux
LUA
Mac OS X
MDX
Messaging
Metro
Microsoft Application Blocks
Microsoft Business Rules Framework
Microsoft Dynamics
Microsoft Expression
Microsoft Office
Mobile Development
Mobile PC
Mono
MsBuild
MVVM
MySQL
Network
NHibernate
node.js
NOSQL
Nuget
Object Oriented Development
Objective C
Odata
OLAP
Open Source
Opinion
Opinions
Oracle
ORM
Other Languages
Parallel Programming
Patterns
PHP
Podcasts
Post Mortem
PowerPoint
Print/Output
Prism
Product News
Product Reviews
Project Management
Prolog
Python
Q&A
Rails
Rake
Razor
Reporting Services
REST
RIA Services
Ruby
Ruby on Rails
Scheme
Search
Security
Services
SharePoint
SignalR
Silverlight
SOA
Social Networks
Software & Law
Software Business
Source Control
Speech-Enabled Applications
SQL Server
SQL Server 2000
SQL Server 2005
SQL Server 2008
SQL Server 2012
SQL Server CE/AnyWhere/Mobile/Compact
SSIS
Subversion
Sync Framework
Tablet PC
TDD
Team System
Techniques
Testing and Quality Control
TFS
Tips
TypeScript
UI Design
UML
User Groups
VB Script
VB.NET
Version Control
VFP and .NET
VFP and SQL Server
Virtual Earth
Vista
Visual Basic
Visual Basic 6 (and older)
Visual FoxPro
Visual Studio .NET
Visual Studio 11
Visual Studio 2005
Visual Studio 2008
Visual Studio 2010
Visual Studio 2011
Visual Studio 2012
Visual Studio Tools for Office
VSX
WCF
Web Development (general)
Web Services
WebMatrix
WF
Whitepapers
Windows 7
Windows 8
Windows Azure
Windows Live
Windows Phone 7
Windows Phone SDK
Windows Server
Windows Vista
WinForms
WinRT
Workflow
WPF
XAML
Xiine Documentation
XML
XNA
XSLT



LearnNow


XAMALOT
 


SSWUG

Reader rating:
Click here to read 1 comment about this article.
Article source: CoDe (2010 Nov/Dec)

Licensing and Obfuscation

Software piracy runs rampant these days! You need to protect your code using a good licensing scheme and obfuscation. If you develop software for a living (and since you are reading this magazine, I assume you are), at some point you will most likely figure out how to protect your investment in that software. Two things you will need to do to accomplish this are to add licensing to your software, and to obfuscate your code so others cannot reverse engineer your hard work. These two tools are absolutely essential in your efforts to protect your software. This article will provide you with an overview on how you can use these tools to protect yourself from piracy.

As long as people have been selling software, those same people have been trying to come up with ways to protect that software from piracy. I am sure there is at least one program on your machine that you have not paid for. If there is, then stop and think about the programmer that wrote that software. He spent hundreds of hours on a program and wants to get paid for that effort. He has bills to pay, and is just trying to make an honest living. If you sell your software too, then you don’t want someone to use your software without paying for it.

As we all know, .NET assemblies can be reverse-engineered quite easily with a myriad of tools available on the Internet. This means that any code you write and distribute as a .DLL or .EXE is just like giving your source code to your users. OK, it will probably take a developer to extract the source code, but again, it is very simple to do. If you have spent hundreds or thousands of hours developing your software and you are trying to sell it to all users, then you need to protect your investment.

Licensing

There are two kinds of licenses that you might want to grant to users for the .NET software you develop. You may be developing a .NET control that you want other developers to use, or you may be developing an application that an end user will use. If you are developing a control for other developers to use, you will need to grant them a license to be able to use your control at design-time within VS.NET. However, you will also want a license that allows the same control to run unlimited at runtime within the application they develop.

If you are developing an application for an end user, then you will most likely need to do a few things. First you will need some mechanism for a user to purchase and download the software. You will need to add code to your application that allows them to register their software from the machine that it will be run on. You may need to grant them a license to just run your software on one machine, or maybe multiple machines. This is code you will have to write (or maybe purchase) to do this license checking. Let’s take a look at how you might accomplish this licensing.

How to License Your Code

There are many ways that you can implement licensing within your .NET application. Microsoft has some classes in the .NET Framework such as LicenseManager and LicenseProvider located within the System.ComponentModel namespace. While you can create your own licensing system with these classes, it is up to you to figure out the best (most secure) method of assigning a license for your application. For example, you may implement a license provider that calls a web service to verify that your customer is licensed to use your application. You may implement a license provider that opens a file on disk, or a registry key, reads in a “key value” and uses that value to verify that their license is valid. What you put into the file or the registry to verify that they are licensed is up to you.

One technique you might use for your “key value” is to take the strong-name of your EXE, information from the user’s machine and send that information to a web service. That information is then used in the web service to generate a unique key value that you send back and store in your license file. Each time your application runs, it checks the information in this file and makes sure that it matches what is returned from the web service. Of course this approach mandates that the user is connected to the Internet each time they run your application. You could also take the information that is returned from the web service, encrypt it and store that data on your local machine. Then compare the data stored with the hash information. If they are the same, then you know your application is licensed correctly.

There are also a lot of third-party companies that sell licensing for .NET applications. In most situations I have found it is far more cost-effective to just buy a licensing solution than to take the time to develop one on your own. Just perform a Bing or Google search for “.NET licensing” and you will find a half a dozen software licensing packages for .NET applications.

Ensure DLLs Only Run from One EXE

Here is a very common scenario that you might have to consider when writing your application. You create a single EXE file that is your main application, but you use several DLLs that are called from that EXE. Do you need to license your EXE and each DLL as well? Not necessarily. You simply check to ensure that your DLLs are being called from the EXE that has the same public key token. This technique requires that you sign all your EXE and DLL files with the same .PFX file. A .PFX file is a Personal Information Exchange file that contains a public and a private key that is cryptographically secure based on the private information you used to create the file. These keys are used to generate the public key token that will be unique for your .PFX file. You can create a .PFX file right from within Visual Studio by going into the Project Properties and selecting Signing.

Once you have an EXE and DLLs signed with the same PFX file you can check if the public key token is the same from your EXE and DLLs. If they are not the same, then your DLL could throw an exception because that would mean that someone is trying to call your DLL from another application. You can write the following code in your DLL to make sure it was called from an assembly that has the same strong name:

using System.Reflection;

internal static void CheckForSamePublicToken() {
  byte[] current;
  byte[] entry;

  current = Assembly.GetExecutingAssembly().
       GetName().GetPublicKeyToken();
  entry = Assembly.GetEntryAssembly().
       GetName().GetPublicKeyToken();

  if(current.Length != entry.Length)
    throw new ApplicationException(
      "Can't run this DLL from this assembly.");

  for (int i = 0; i < current.Length - 1; i++) {
    if (current[i] != entry[i])
      throw new ApplicationException(
        "Can't run this DLL from this assembly.");
  }
}

The above code gets the current executing assembly’s public key token and the public key token from the calling assembly. It then compares two key tokens to see if they are the same. If any byte is different an exception is thrown. This is a very simple method of ensuring that someone does not reuse any of the DLLs from your application.

Obfuscation

Licensing is only one half of the equation when you are trying to protect your investment. Since it is so easy to decompile .NET assemblies you must employ some obfuscation to your final assemblies. Obfuscation is the process of making your .NET code unreadable to .NET de-compilers. There are many obfuscation products on the market and each one has things it does well and things it may not do so well. Microsoft ships the Dotfuscator Community Edition with most editions of Visual Studio, however, for anything but the most basic obfuscation task you will want to purchase a better tool.

Many of the professional obfuscation tools on the market allow you to do the following obfuscations to your .NET code:

  • Rename methods, classes, variables with unreadable characters
  • Allow Error Reporting for unhandled exceptions that may have been generated by the obfuscation process
  • Combine all assemblies into one EXE
  • Remove non-essential code
  • Turn the flow control of your methods into spaghetti code
  • Resource compression and encryption
  • Encode and encrypt strings in your application
  • Prevent disassembly by ILDASM and other de-compilers
  • Generate a .pdb file of obfuscated code to allow you to debug your obfuscated code

By employing these various obfuscation techniques your code will become almost completely undecipherable to most of the de-compilers you can find. Of course, you generally only need to perform obfuscation on desktop applications and DLLs that you sell to others. If you are running an ASP.NET application you probably don’t need to use obfuscation since the code runs on a server where a user does not have access to the .NET assemblies.

Summary

Licensing and obfuscation are two tools that you will need in your programmer’s arsenal to protect your software application from piracy. You can come up with a licensing scheme on your own, but it will likely be more cost effective to just buy a third-party licensing package. Purchasing an obfuscation tool is also a good investment. Use my bulleted checklist in this article as a starting point for choosing an obfuscation tool. There is a lot more on the topics of licensing and obfuscation than I can cover here, but I hope I have given you some ideas on the best ways to start protecting your software.

Paul D. Sheriff

&

By: Paul D. Sheriff

Paul D. Sheriff is the President of PDSA, Inc. (www.pdsa.com), a Microsoft Partner in Southern California. Paul acts as the Microsoft Regional Director for Southern California assisting the local Microsoft offices with several of their events each year and being an evangelist for them. Paul has authored several books, webcasts, videos and articles on .NET, SQL Server and SharePoint. You can reach Paul via email at PSheriff@pdsa.com or at Paul Sheriff’s Inner Circle (www.PaulSheriffInnerCircle.com).

PSheriff@pdsa.com

How would you rate the quality of this article?
1 2 3 4 5
Poor      Outstanding

Tell us why you rated the content this way. (optional)

Average rating:
4.1 out of 5

8 people have rated this article.

Instantly Search Terabytes Of Text
“Lightning Fast”
– Redmond Mag
“Covers all data
sources” – eWeek
25+ fielded & full-text search options
dtSearch’s own document filters highlight hits in popular file types
Web Spider supports static & dynamic data
APIs for .NET, Java, C++, SQL, etc.
Win / Linux (64-bit & 32-bit)
www.dtSearch.com
 

      AppsWorld Europe

 

SSWUG  

© by EPS Software 1993 - 2013. All rights reserved.
6605 Cypresswood Dr., Suite 300, Spring, TX 77379
Voice: (+1) 832-717-4445 --- Fax: (+1) 832-717-4460
Contact us via email: info@code-magazine.com
CoDe Magazine Privacy Policy