|
Hi Kurt,
Cool. Thanks a lot. I really learn a lot from the reviews here. Lasly, I will make sure i won't repeat these mistakes in article 4 onwards.
Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Just curious if you could crack the XenoCode obfuscator with control flow obfuscation and the IL breaker turned on. If so, that would be good to know.
Get a XenoCode trial at http://www.xenocode.com to test your assembly and try to crack it. I am not associated with them, just curious as I have their product. Cheers!
--
William Stacey, MVP
http://mvp.support.microsoft.com
|
|
|
|
|
Hi William,
I will look into it. I am working on an article of the possibilities of obfuscation. Well much to r&d before writing that article. Give me some time.
Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Please be careful.
I am very interested in your articles and I would hate to see the full weight of the law descend upon you for cracking commercial software.
Keep up the good (or some would say bad) work. but I feel with open discussion of these issues can only force Microsoft to make things better for the author.
In the end if the commercial market doesn't take to .NET then it's doomed.
I await the next article. Type faster...
www.many-monkeys.com
|
|
|
|
|
Hi there,
Thanks for your comments. There will be an article coming out soon to clarify my mistakes on my article 1 - 3.
Well, I think i have some wrong concepts over here on Strong Name.
But i do believe that all these feedbacks will make me write better articles.
Again, i am trying to build awareness, that's all.
Furthermore, i don't crack commercial software. As you can see in my articles, the samples were written by myself. I didn't show any possibilities to crack an existing software out there.
Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
According to the cracker forums I sometimes monitor, this obfuscator has not provided sucessful protection. I believe any obfuscator can be defeated. The list of .net development tools protected by professional products, that have been cracked, is huge!
Forget about real protection and focus on basic protection. The best protection is to withold key bits of your binary from all except true purchasers. That is, don't put out a full version that is "protected", but make two builds: one for demos, missing code, and one for purchasers, or serious evalators that you can verify. Remember the crackers are just doing it for fun most of the time. They are not interested in using your product seriously.
|
|
|
|
|
I just tought 3 seconds about this, but this example is showing an independant assembly. If an assembly reference a Strong Named assembly and you tamper that referenced assembly, then that tampered assembly can't be referenced. Am I correct?
Etienne Fortin
|
|
|
|
|
Hi Etienne Fortin,
Yeah, in this article I am only refering to a single independent assembly. But for your 2nd question, I will reserve it for my coming articles. I am really working hard on something cool on the next releases of the articles. Give me some time
Hope you like it. Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Going one step further than that, the hacker could even sign the tampered assembly by his own private key - so potentially fooling the CLR, if the CLR grants trust to an assembly simply if it is signed.
I now more strongly feel that the onus is now on the system administator of the machine(s) to cleverly set trust and evidence based code access security policies for the CLR so that the compromised assemblies fail to execute. This can probably only be achieved if the policy is based on the publisher's identity - be it his public key or his digital certificate.
http://dotnetyogi.blogspot.com/[^]
|
|
|
|
|
Point taken.
I am looking into it. Cheers
Regards,
Chua Wen Ching
|
|
|
|
|
No.
The public key token will be different if you sign the assembly with a different key. So the loader won't be fooled at all.
If an exe loads a library which checks for a registration, and you change the public key token of the library, then the clr won't load the "hacked" dll at all. You'd have to modify all the assemblies that references a hacked one too.
|
|
|
|
|
Hi Hugo Hallman,
Thanks for the clarification. Point taken.
Cheers.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Totally agree. The hacker would have to 'unsign' and sign all the related assemblies. The CAS policies still wouldn't allow running that code if it has been set up to allow only trusted code to run. I have a feeling, in majority of the .Net running environments (especially the small to medium size sites) the code access security policies have not been set up at all. I think, as much as or more than the developers, the idea of .Net security has yet to sink in with the system administrators.
Thanks
|
|
|
|
|
"NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article."
Why not?
Horia Tudosie
|
|
|
|
|
|
Hi Chua Wen Ching,
It's great article to read, and you have given a good example of strong name assemblies , but what i know that strong name are used for side by side execution of assemblies which are applicable on Public Assemblies , but any way these were very good articles and hope to get Part IV soon from you
Cheers
Nitin Sandurea
|
|
|
|
|
Just wanted to say thanks for the articles so far. I agree they might be a little verboose, but I found it easy to read and understand. thanks again & keep going!
|
|
|
|
|
Great series of articles. One thing though...
Your disclaimer is ludicrous.
NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.
That's like me writing an article "50 Ways To Infiltrate Buildings and Plant Explosives" and including a disclaimer: "RabidKangaroo shall not be held responsible for any buildings that are destroyed due to the information provided in this article."
"Those that say a task is impossible shouldn't interrupt the ones who are doing it." - Chinese Proverb
|
|
|
|
|
Sorry, but the author is right. Security through obscurity does not work, and that's why even MS publishes deatiled information about vulnerabilities - knowing about a vulnerability in detail is the only true way of knowing if you're in danger and how you can protect yourself.
RabidKangaroo wrote:
That's like me writing an article "50 Ways To Infiltrate Buildings and Plant Explosives" and including a disclaimer: "RabidKangaroo shall not be held responsible for any buildings that are destroyed due to the information provided in this article."
RabidKangaroo never entered a building, right? A world where only hackers know how to break code is a world where no one is safe. Good programmers need to know how to break code. Trying hard to break your own code is the first line of defense against hackers.
Yes, even I am blogging now!
|
|
|
|
|
Daniel Turini wrote:
RabidKangaroo never entered a building, right? A world where only hackers know how to break code is a world where no one is safe. Good programmers need to know how to break code. Trying hard to break your own code is the first line of defense against hackers.
I agree with Daniel. To KNOW to do the attack is the best form of protecting. Writing Secure Code[^] among other very useful things, talks exactly about this...
Marcelo Palladino
Brazil
|
|
|
|
|
I don't believe there is enough content to provide a 3 part article. You could probably get good reviews (You already are but it could get better) if you condensed the 3 parts into a single part about Strong Names. Also you need to understand, like others have said, that Strong Naming isn't supposed to protected code from highjacking but to provide the ability to strongly name an aseembly for reference abilities. It also provides some other benefits when it comes to the CAS but that could be another article. The reason the hashing exists is to verify that the assembly is the same as it was before so that when an app loads the assembly it can be sure it has the one it is supposed to. If you remove the strong name then an app that references that assembly won't be able to find it thus defeating the purpose of trying to highjack the assembly.
Great article though. I need to get off my butt and submit the ones I have laying around. Kudos to you.
-
Drew
|
|
|
|
|
Hi adinnell,
Point taken. There will be a total of 9 articles or more. I will provide some detail explanations on strong name in my article 4, which is in the process.
Thanks
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Thanks for your series of articles, they are well written and easy to understand.
I really don't see the point of strong named assemblies after reading this. I didn't think it would be that easy to crack, but I guess, having clear text IL code will always make it easily breakable.
A previous comment said that Strong Named assemblies are just for more reliable referencing. I really had the impression that it was for security, but you have blown that theory sky high!
Thanks
Being in a minority of one, doesn't make you insane George Orwell However, in my case it does
|
|
|
|
|
Thanks. Hope you like it.
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
|
|
|
|
|
Don't forget this is very simplistic implementation of using strong names for security. A developer fluent in assembler could just as easily do something similar with compiled win32 code.
Strong names are also used for other reason like assigning privileges on a machine/enterprise based on the strong name or public (see Runtime security policy in .Net configuration, many Microsoft assembly are granted special privileges by their public key). .Restrictions can be applied for access to methods/classes in other systems based on public keys by using codeaccess security. (see StrongNameIdentityPermission).
Although as this article demonstrates Strong names could be compromised, if you employ a complete security model these changes can be detected. I would recommend that you sign all code, even if it is only deployed to desktops within your organisation. Security is not so much as preventing tamper completely, but making mechanisms that allow you to detect tamper and take appropriate action to prevent the system being compromised.
Rather than take the author at this word here suggest you get a good book on .Net security. The author is technically correct, his article is informative, but he has assumed that you are only using strong names for a single purpose which is only part of the .Net security model.
Sorry about the rant but as a consultant I often come into organisations where no security has been applied to .Net code, even on public web servers.
.Net code can be made secure, but like any good security system a compromise has to be expected and dealt with appropriately. To assume that you code/System will never be compromised just means you will never know when it is.
|
|
|
|