Tuts 4 You

What is best way to protect C# app?


wbdn


My app is written in C#. I want to sell it; what is the best way to use HWID binding? I use an app written in C++ to get MAC + motherboard serial + motherboard UUID + HDD serial. After I have the HWIDs I want to encrypt this using RSA and save it in a MySQL database. What is the best way to check the HWID in the C# app? And if encrypted HWID = HWID from MySQL then launch the app, else terminate?


The C++ app I want to protect with Themida, the C# one with ConfuserEx + Themida.



Themida will give you nothing but problems with a mixture of C#/C++, I've tried using it in the past and had nothing but issues with it. Between certain settings refusing to work on Windows 8/8.1, to threading issues with it just deadlocking the application for no reason etc. Their protection is not that great either. People can download a simple to use script from this forum to undo all of it.

ConfuserEx is also not great unless you do a handful of modifications to it. The base package as-is is already entirely defeated in a simple drag and drop to unpack method. You need to do customizations to it if you plan to use it and have any bit of real security. You can also use its extension system to add some of your own custom protections to prevent unpacking more. But either way it's not going to be impossible to unpack it entirely.

One big thing to help with security is requiring an internet connection and streaming parts of the application on load with a valid account, hardware info, etc. It's not impossible to defeat but it is a lot more complicated for someone to emulate the information streamed to your application if you change it constantly.


FYI:

If I remember correctly, Themida does not support .NET natively; it just packs it, adds some native anti code and that's it, so it is trivial to unpack a Themida protected .NET application.

ConfuserEx's default protections might be easy to defeat. However, there are many parameters people seldom use that provide much better protection.

If you want to look into application streaming, you might be interested in netmodules. It's an official way to distribute code. See http://blogs.msdn.com/b/junfeng/archive/2005/02/12/371683.aspx for details.

I'm not experienced with Appfuscator. Judging from recent interest in it, it looks like an interesting protection. However, it seems not that hard to defeat their protection, but apparently there is no public tool for it (or there is no interest in creating one), so it might be a secure choice for a while.

Disclaimer: I'm the author of Confuser/ConfuserEx.


Edited by yck1509

One big thing to help with security is requiring an internet connection and streaming parts of the application on load with a valid account, hardware info, etc. It's not impossible to defeat but it is a lot more complicated for someone to emulate the information streamed to your application if you change it constantly.

Thanks for the answer. Can you please tell me more about what you mean by streaming parts of the application? How should I make the check inside the app for a valid account? A hacker can modify the function and the function will always return true (e.g. any account always valid).

Edited by wbdn

FYI:

If I remember correctly, Themida does not support .NET natively; it just packs it, adds some native anti code and that's it, so it is trivial to unpack a Themida protected .NET application.

ConfuserEx's default protections might be easy to defeat. However, there are many parameters people seldom use that provide much better protection.

If you want to look into application streaming, you might be interested in netmodules. It's an official way to distribute code. See http://blogs.msdn.com/b/junfeng/archive/2005/02/12/371683.aspx for details.

I'm not experienced with Appfuscator. Judging from recent interest in it, it looks like an interesting protection. However, it seems not that hard to defeat their protection, but apparently there is no public tool for it (or there is no interest in creating one), so it might be a secure choice for a while.

Disclaimer: I'm the author of Confuser/ConfuserEx.

One issue with Confuser/ConfuserEx is that no matter what parameters you use with the extra bits, the end result is still embedded into the application for unpacking, making unpackers not really need to do any work to handle the extra parameters. The unpackers posted for ConfuserEx on these forums already show that no matter what variation of parameters you use, it will still unpack just as easily.

Thanks for the answer. Can you please tell me more about what you mean by streaming parts of the application? How should I make the check inside the app for a valid account? A hacker can modify the function and the function will always return true (e.g. any account always valid).

The account validation would happen on your end. Not on the client's. Sure they can patch the application for that one check, but you just need to protect the other service calls as well. For example, in one of my old applications this is how we set up some validation and authing:

- On the client computer, the application will generate a unique key for that user's system based on various system info, hardware info etc.

- The unique key is then hashed and combined with their login information to our forums.

- When the application loads it validates their information. (Their username/password must be correct, and the unique key must be inside of their account information.)

- If the info is not valid the application will exit.

- If the info is valid, the application will then request required information from the server for the application to run.

At this point the requested information is validated with the same user information. Their username/password/unique key are checked in this call as well so even if they do bypass the first validation in the client, the server WILL NOT send them needed info if their account is invalid.

And so on with the other service calls. Each call requires their user information in order to work.

Another method you could do is use a session based system. By that I mean:

- Client requests to log into the service via a username/password.

- If valid info is given, service sends back a session token.

- All future service calls require that session token in order to be valid.

So in a Pseudo setup:

    // Obtain a session token..
    var token = service.GetSessionToken("username", "password");
    if (token == null)
        return;

    // Obtain some needed info..
    var neededInfo = service.GetRequiredApplicationData(token);
    if (neededInfo == null)
        return;

    // Do stuff with the needed info here..

In this case GetRequiredApplicationData will not return anything from the server if the token is invalid preventing people from just bypassing if / then checks in your application.
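The session scheme from the post above, seen from the server side, as an added example that is not part of the original thread. `AuthService`, `Register` and the sample values are hypothetical; the method names `GetSessionToken` and `GetRequiredApplicationData` are borrowed from the post's pseudo-code, extended with the hashed hardware key from its first scheme, and .NET 6 or later is assumed.

```csharp
#nullable enable
// Added example, not code from the thread; every type and member name is hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

var svc = new AuthService();
svc.Register("alice", "correct horse", "HWHASH-A");                    // constructed sample values
var session = svc.GetSessionToken("alice", "correct horse", "HWHASH-A");
var otherPc = svc.GetSessionToken("alice", "correct horse", "HWHASH-B");
Console.WriteLine(svc.GetRequiredApplicationData(session) != null);    // registered machine
Console.WriteLine(otherPc != null);                                    // same login, other machine
Console.WriteLine(svc.GetRequiredApplicationData("forged") != null);   // patched client, no session

sealed class AuthService // server side only; never shipped inside the client
{
    record Account(byte[] Salt, byte[] PwHash, string HwKeyHash);
    record Session(string User, DateTime ExpiresUtc);
    readonly Dictionary<string, Account> _accounts = new();
    readonly Dictionary<string, Session> _sessions = new();
    static byte[] HashPw(string pw, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(pw, salt, 100_000, HashAlgorithmName.SHA256, 32);
    public void Register(string user, string pw, string hwKeyHash)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        _accounts[user] = new Account(salt, HashPw(pw, salt), hwKeyHash);
    }

    // Null unless the password AND the hardware key stored on the account both match.
    public string? GetSessionToken(string user, string pw, string hwKeyHash)
    {
        if (!_accounts.TryGetValue(user, out var a)) return null;
        if (!CryptographicOperations.FixedTimeEquals(HashPw(pw, a.Salt), a.PwHash)) return null;
        if (a.HwKeyHash != hwKeyHash) return null;
        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _sessions[token] = new Session(user, DateTime.UtcNow.AddMinutes(30));
        return token;
    }

    // Every data call re-checks the token, so a client patched to skip its own
    // if/else still receives nothing it needs in order to run.
    public byte[]? GetRequiredApplicationData(string? token)
    {
        if (token == null || !_sessions.TryGetValue(token, out var s)) return null;
        if (s.ExpiresUtc < DateTime.UtcNow) { _sessions.Remove(token); return null; }
        return new byte[] { 1, 2, 3 }; // constructed placeholder for the streamed data
    }
}
```

The hardware key is a value the client reports, so it ties an account to a machine only as far as that report is honest; what the server actually controls is whether the required data is released.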

As far as I know, there is no good way to protect a C# application. Rather than protecting the C# app itself, you'd better append a native DLL that handles authorization between client and server, protected with VMProtect with the latest VirtualMachine.

