
Recently I did an experiment with one of my C# .NET compiled exes by renaming the extension to .txt. When viewed in Notepad, I was able to see all my source code in the English language, which made me confused about whether I was looking at a .cs file or a .exe file.

After this event I realized that anyone who has this exe can copy all the code and re-compile it into a clone with some hidden additional code (or malware) that could harm my reputation among users.

Although I know a little about obfuscation, which can rename all methods and properties into a non-human-readable format, I would still like to ask here: isn't an exe program supposed to be (only) in a computer-readable binary format (as I learnt in school)? Why is there a need for obfuscation additionally? Is this problem limited only to exes which have a CLR header? Should I consider creating applications in other languages like C, if I want to make it hard to decompile? Please answer...

Edit:- Most of the codes can be seen in this area and I am unaware of what part of the source code it consists of. eg. code screenshot

Edit:- Also, when I do the same with an exe that is compiled using Visual FoxPro (where Encrypted is checked in Project Properties), not even a single readable text is seen except some assembly info. What encryption technique is used in it, and can we use it (or something like it) in dotnet (free or paid)?

Source - https://www.tek-tips.com/viewthread.cfm?qid=286147

Ashish Sinha
  • Can you share a sample EXE with us? – mjwills Jan 13 '21 at 09:37
  • `After this event I realized that anyone who has this exe can copy all the codes an re-compile them into a clone with some hidden additional codes (or malwares) that could harm my reputation among users.` Whether it is text or binary, that can be done. Don't stress about it. – mjwills Jan 13 '21 at 09:37
  • I think you are confused. A compiled .net executable will be exactly that, a compiled executable, and apart from some strings here and there will not be readable like a cs file at all. No one will be able to load this into Visual Studio and recompile it... However, on saying that, any angry school kid with a few hours on their hands can reverse engineer a .net application. If you need security, put the resources you need to secure behind a remote service – TheGeneral Jan 13 '21 at 09:40
  • @mjwills How can I upload here? – Ashish Sinha Jan 13 '21 at 09:51
  • @00110001 dotPeek or dnSpy will decompile in 10 seconds – Charlieface Jan 13 '21 at 09:55
  • @Charlieface yup, which is my angry schoolkid point. But an exe should definitely not be a readable file – TheGeneral Jan 13 '21 at 09:56
  • @mjwills, I already searched this before but couldn't find a way to upload a file. – Ashish Sinha Jan 13 '21 at 10:29
  • Check the first comment at https://meta.stackexchange.com/questions/47689/how-can-i-attach-a-file-to-a-post . Dropbox or OneDrive are often the simplest option. – mjwills Jan 13 '21 at 10:30
  • That's not the source code. That's the *metadata*, such as the names of types and their members. You will also, of course, and hopefully unsurprisingly, find any string *literals* that your code uses embedded in the exe. – Damien_The_Unbeliever Jan 13 '21 at 10:30
  • Are you doing a Release or Debug build? – mjwills Jan 13 '21 at 10:34
  • @mjwills Release. – Ashish Sinha Jan 13 '21 at 10:36
  • Whether to obfuscate or switch to another language is up to you. You have a concern based on several presumptions (that your program will be popular enough that you have to worry about your reputation whilst at the same time you have an unclear distribution system such that people won't find the genuine program) that you're probably far from currently being in. You can spend time worrying about this and trying to prevent it or spend time worrying about features that *your users will notice and value*. You need the latter before you're going to need the former. – Damien_The_Unbeliever Jan 13 '21 at 10:43
  • Just a point from experience: obfuscation isn't worth the hassle. The obfuscation tools have many downsides (random corruption of your executable which introduces subtle runtime errors being one of them), and are very easily reversible using freely-available tools such as de4dot/dnspy (literally, click and drag the obfuscated assembly into de4dot, and the de-obfuscated version pops out the other end a few seconds later) – canton7 Jan 13 '21 at 10:48
  • I'd agree with all this. If you have some code which really is genuinely valuable, unique intellectual property then it's probably worth hiding it behind an API on a server, where it can't easily be found. Either that or maybe re-writing it in a language which compiles to genuine binaries which are hard to decompile. Whether that's realistic or practical depends a bit on what your application is or does. – ADyson Jan 13 '21 at 10:54
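
The question asks whether this is specific to exes with a CLR header, and the comments point out that the readable text is metadata (type and member names). The following is an added example, not part of the original thread: it checks a PE image for the CLR header (data directory entry 14, which a native build leaves empty) and lists the identifier-like strings a text editor would show. The sample image and the names `Program` and `GetLicenseKey` are constructed for the demo.

```python
import re
import struct

COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header

def has_clr_header(image: bytes) -> bool:
    """True if the PE optional header declares a non-empty CLR directory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = pe_off + 4 + 20                                # skip COFF file header
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic == 0x10B:                                       # PE32
        dirs_off = opt_off + 96
    elif magic == 0x20B:                                     # PE32+ (64-bit)
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", image, dirs_off - 4)  # NumberOfRvaAndSizes
    if count <= COM_DESCRIPTOR_INDEX:
        return False
    rva, size = struct.unpack_from("<II", image, dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    return rva != 0 and size != 0

def readable_names(image: bytes, min_len: int = 5) -> list:
    """Identifier-like ASCII runs, i.e. what shows up as text in an editor."""
    pattern = rb"[A-Za-z_][A-Za-z0-9_.]{%d,}" % (min_len - 1)
    return [m.decode("ascii") for m in re.findall(pattern, image)]

def build_sample(managed: bool, pe32_plus: bool = False) -> bytes:
    """Constructed header-only image for the demo (not a runnable exe)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    magic, fixed = (0x20B, 112) if pe32_plus else (0x10B, 96)
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    names = b""
    if managed:
        # Constructed RVA/size plus two made-up metadata names.
        struct.pack_into("<II", dirs, 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
        names = b"\0Program\0GetLicenseKey\0"
    return dos + b"PE\0\0" + b"\0" * 20 + opt + bytes(dirs) + names

if __name__ == "__main__":
    for label, img in (("managed", build_sample(True)), ("native", build_sample(False))):
        print(label, has_clr_header(img), readable_names(img))
```

To check a real file, pass `open(path, "rb").read()` to `has_clr_header` and `readable_names`.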
