Software piracy runs rampant these days! You need to protect your code using a good licensing scheme and obfuscation. If you develop software for a living (and since you are reading this magazine, I assume you are), at some point you will most likely figure out how to protect your investment in that software. Two things you will need to do to accomplish this are to add licensing to your software, and to obfuscate your code so others cannot reverse engineer your hard work. These two tools are absolutely essential in your efforts to protect your software. This article will provide you with an overview on how you can use these tools to protect yourself from piracy.
As long as people have been selling software, those same people have been trying to come up with ways to protect that software from piracy. I am sure there is at least one program on your machine that you have not paid for. If there is, then stop and think about the programmer that wrote that software. He spent hundreds of hours on a program and wants to get paid for that effort. He has bills to pay, and is just trying to make an honest living. If you sell your software too, then you don’t want someone to use your software without paying for it.
As we all know, .NET assemblies can be reverse-engineered quite easily with a myriad of tools available on the Internet. This means that any code you write and distribute as a .DLL or .EXE is just like giving your source code to your users. OK, it will probably take a developer to extract the source code, but again, it is very simple to do. If you have spent hundreds or thousands of hours developing your software and you are trying to sell it to all users, then you need to protect your investment.
Licensing
There are two kinds of licenses that you might want to grant to users for the .NET software you develop. You may be developing a .NET control that you want other developers to use, or you may be developing an application that an end user will use. If you are developing a control for other developers to use, you will need to grant them a license to be able to use your control at design-time within VS.NET. However, you will also want a license that allows the same control to run unlimited at runtime within the application they develop.
If you are developing an application for an end user, then you will most likely need to do a few things. First you will need some mechanism for a user to purchase and download the software. You will need to add code to your application that allows them to register their software from the machine that it will be run on. You may need to grant them a license to just run your software on one machine, or maybe multiple machines. This is code you will have to write (or maybe purchase) to do this license checking. Let’s take a look at how you might accomplish this licensing.
How to License Your Code
There are many ways that you can implement licensing within your .NET application. Microsoft has some classes in the .NET Framework such as LicenseManager and LicenseProvider located within the System.ComponentModel namespace. While you can create your own licensing system with these classes, it is up to you to figure out the best (most secure) method of assigning a license for your application. For example, you may implement a license provider that calls a web service to verify that your customer is licensed to use your application. You may implement a license provider that opens a file on disk, or a registry key, reads in a “key value” and uses that value to verify that their license is valid. What you put into the file or the registry to verify that they are licensed is up to you.
One technique you might use for your “key value” is to take the strong-name of your EXE, information from the user’s machine and send that information to a web service. That information is then used in the web service to generate a unique key value that you send back and store in your license file. Each time your application runs, it checks the information in this file and makes sure that it matches what is returned from the web service. Of course this approach mandates that the user is connected to the Internet each time they run your application. You could also take the information that is returned from the web service, encrypt it and store that data on your local machine. Then compare the data stored with the hash information. If they are the same, then you know your application is licensed correctly.
There are also a lot of third-party companies that sell licensing for .NET applications. In most situations I have found it is far more cost-effective to just buy a licensing solution than to take the time to develop one on your own. Just perform a Bing or Google search for “.NET licensing” and you will find a half a dozen software licensing packages for .NET applications.
Ensure DLLs Only Run from One EXE
Here is a very common scenario that you might have to consider when writing your application. You create a single EXE file that is your main application, but you use several DLLs that are called from that EXE. Do you need to license your EXE and each DLL as well? Not necessarily. You simply check to ensure that your DLLs are being called from the EXE that has the same public key token. This technique requires that you sign all your EXE and DLL files with the same .PFX file. A .PFX file is a Personal Information Exchange file that contains a public and a private key that is cryptographically secure based on the private information you used to create the file. These keys are used to generate the public key token that will be unique for your .PFX file. You can create a .PFX file right from within Visual Studio by going into the Project Properties and selecting Signing.
Once you have an EXE and DLLs signed with the same PFX file you can check if the public key token is the same from your EXE and DLLs. If they are not the same, then your DLL could throw an exception because that would mean that someone is trying to call your DLL from another application. You can write the following code in your DLL to make sure it was called from an assembly that has the same strong name:
using System.Reflection;
internal static void CheckForSamePublicToken() {
byte[] current;
byte[] entry;
current = Assembly.GetExecutingAssembly().
GetName().GetPublicKeyToken();
entry = Assembly.GetEntryAssembly().
GetName().GetPublicKeyToken();
if(current.Length != entry.Length)
throw new ApplicationException(
"Can't run this DLL from this assembly.");
for (int i = 0; i < current.Length - 1; i++) {
if (current[i] != entry[i])
throw new ApplicationException(
"Can't run this DLL from this assembly.");
}
}
The above code gets the current executing assembly’s public key token and the public key token from the calling assembly. It then compares two key tokens to see if they are the same. If any byte is different an exception is thrown. This is a very simple method of ensuring that someone does not reuse any of the DLLs from your application.
Obfuscation
Licensing is only one half of the equation when you are trying to protect your investment. Since it is so easy to decompile .NET assemblies you must employ some obfuscation to your final assemblies. Obfuscation is the process of making your .NET code unreadable to .NET de-compilers. There are many obfuscation products on the market and each one has things it does well and things it may not do so well. Microsoft ships the Dotfuscator Community Edition with most editions of Visual Studio, however, for anything but the most basic obfuscation task you will want to purchase a better tool.
Many of the professional obfuscation tools on the market allow you to do the following obfuscations to your .NET code:
- Rename methods, classes, variables with unreadable characters
- Allow Error Reporting for unhandled exceptions that may have been generated by the obfuscation process
- Combine all assemblies into one EXE
- Remove non-essential code
- Turn the flow control of your methods into spaghetti code
- Resource compression and encryption
- Encode and encrypt strings in your application
- Prevent disassembly by ILDASM and other de-compilers
- Generate a .pdb file of obfuscated code to allow you to debug your obfuscated code
By employing these various obfuscation techniques your code will become almost completely undecipherable to most of the de-compilers you can find. Of course, you generally only need to perform obfuscation on desktop applications and DLLs that you sell to others. If you are running an ASP.NET application you probably don’t need to use obfuscation since the code runs on a server where a user does not have access to the .NET assemblies.
Summary
Licensing and obfuscation are two tools that you will need in your programmer’s arsenal to protect your software application from piracy. You can come up with a licensing scheme on your own, but it will likely be more cost effective to just buy a third-party licensing package. Purchasing an obfuscation tool is also a good investment. Use my bulleted checklist in this article as a starting point for choosing an obfuscation tool. There is a lot more on the topics of licensing and obfuscation than I can cover here, but I hope I have given you some ideas on the best ways to start protecting your software.