Options other than obfuscation and packing to stop c# wpf decompilation?

As a c# n00b I was shocked to see how easy it is to fire up DotPeek and decompile a c# program. I'd like to add a some protection to my software to make it harder for crackers to pirate my software. I know they can never be defeated but a minimal amount will do.

So far I've tried obfuscation with confuser, Dotfuscator, Skater and many more. All seem to leave my software unable to load or with various problems in DataGrids and WPF windows even with minimal obfuscation set.

I've tried packers but I couldn't seem to find any that support/work with .net.

I thought I might be able to compile the code with .NET Native but c# WPF is not supported.

Are there any other options left to me?

4 answers

  • answered 2018-01-11 21:00 user6537157

    You can't protect your code 100%.

    Try to code safely and keep in mind that an attacker/hacker can reproduce your code. Obfuscation dosen't matter a lot.

  • answered 2018-01-11 21:01 Adam Brown

    If you make some critical functionality of the software dependent on data that can only be downloaded with a valid account on a website, that might be the best way. Ultimately, there isn't anything to make a single-machine solution completely reverse-engineering proof.

    As to your original question, obfuscation breaks things. It's a painful and messy process to go through and work out why, and fix the issues, but that's really what you'd need to do, if you can't rely on an always-online solution.

  • answered 2018-01-11 21:15 Majid khalili

    It is almost impossible to fully protect your code, but with wpf I had the similar problem and asked here.

    Finally my solution was to minimum config that works for wpf(which you can find with try and catch based on your external links it might differ) and lock your application to work only some hardware specific unique ID like mac address.

    For new version of our software we are trying to validate application with server, in our case application cannot work more that two days in row without connection to the server, of course keep counting during these days is important to which we got a solution that only works for our case and you can think of one for your project.

  • answered 2018-01-12 16:11 mm8

    The best (and only) way to really stop someone from stealing your code is to not give them access to it. That's why should store all business critical code in a secure site and not include it in the binaries that you ship to the end users.

    In other words, don't include any sensitive code in a client application that is installed on an end user's computer. The client app should instead connect to a remote server, typically via a service or API, where the sensitive code lives and is executed.

    You should count on that any code you distribute might still be decompiled even if you obfuscate it to make it harder to do so.