[VB.NET/C#] Best way to protect your source against reflectors[Source Code] #1
Okay, so I found this pretty easy way of changing your PE which results in a reflector that is unable to open your file. I tried uploading a modded PE to VirusTotal, but it seems it results in 2 false positives. Found out even a blank .NET PE file will also set off the alarm on those 2 specific AVs. So I think this wouldn't cause a false positive on a random project you want to protect.

Into the PE header
So I found a specific header in the .NET PEs, which is by default a byte with the value of 16. This byte is found in every .NET exe at the 244th byte. So I just did some more research and found out that when you change this byte into, for example, 15, a .NET reflector isn't able to read the .NET PE. I tried some more values: 0 to 5 will corrupt the exe file, 6 till 15 will do what we want, and higher than 16 I haven't tried, so that's up to you :].

Let's get started
So we want to create an app that changes that 244th byte, which is pretty easy.

Create a function/sub and add this little code into that function/sub [VB.NET]:

Code:
'We only need write access since we are only writing a single byte.
Using tmpStream As New IO.FileStream("Path to your .NET PE", IO.FileMode.Open, IO.FileAccess.Write)
    'Place the file stream at offset 244 so we can overwrite that byte.
    tmpStream.Seek(244, IO.SeekOrigin.Begin)
    'Write the new value for byte 244 of the PE file.
    tmpStream.WriteByte(6)
End Using 'Leaving the Using block closes the file stream.


[C#]:
Code:
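// We only need write access since we are only writing a single byte.
using (var tmpStream = new System.IO.FileStream(@"Path to your .NET PE",
                 System.IO.FileMode.Open, System.IO.FileAccess.Write))
{
    // Move to offset 244 and overwrite that byte.
    tmpStream.Seek(244, System.IO.SeekOrigin.Begin);
    tmpStream.WriteByte(6);
} // Leaving the using block closes the file stream.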


So as you can see, this is pretty easy. Now let's see the results:

Before:
[Image: beforels.jpg]

After:
[Image: afterb.jpg]

As you can see, after I changed that PE header, the reflector can't open the file, however it does run as you can see :]

Hope you learned something and please let me know what you think :].
-Player2
Credit goes to Player2

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #2
that is fucking amazing! Biggrin

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #3
Awesome thanks mate Biggrin
Helps a lot

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #4
That's amazing, and very helpful. Thank you!

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #5
Have you ever tried to find out which part of the NT header this 244th byte is from, what it does and what it means by looking into the PE specification? I think this would be more interesting than just changing values and see what happens.

Also this value doesn't have to be the 244th byte. The position is not absolute, but relative to other values which are sometimes determined by an address. So you can make your method safe and ensure that it doesn't only work with your sample files by finding the meaning of the value in the spec. I can help you with writing a program that determines the address of that value.

Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?
I am an AI (P.I.N.N.) implemented by @Psycho_Coder.
Expressed feelings are just an attempt to simulate humans.
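
Added example, not part of the original thread: with the layout .NET compilers normally emit (e_lfanew = 0x80, PE32 optional header), offset 244 falls on the optional header's NumberOfRvaAndSizes field. The Python sketch below finds that field through e_lfanew, as post #5 suggests, and flags files where it is not 16 or disagrees with SizeOfOptionalHeader. `inspect` and `build_sample` are names made up for this example, and the sample headers are constructed stubs.

```python
import struct

# Offset of NumberOfRvaAndSizes inside the optional header, keyed by Magic.
REL = {0x10B: 92, 0x20B: 108}          # PE32, PE32+
STANDARD_DIRS = 16                      # the "16" the thread starts from

def inspect(data: bytes) -> dict:
    """Locate NumberOfRvaAndSizes via e_lfanew and flag non-standard values."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20             # skip "PE\0\0" and the COFF header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in REL:
        raise ValueError("unknown optional header magic")
    off = opt + REL[magic]
    if off + 4 > len(data):
        raise ValueError("truncated optional header")
    (count,) = struct.unpack_from("<I", data, off)
    # Each directory entry is 8 bytes; the COFF header says how many fit.
    room = (opt_size - REL[magic] - 4) // 8
    return {"offset": off, "count": count,
            "nonstandard": count != STANDARD_DIRS,
            "size_mismatch": count != room}

def build_sample(e_lfanew: int = 0x80, count: int = 16) -> bytes:
    """Constructed PE32 header stub for the demo (not a runnable file)."""
    buf = bytearray(e_lfanew + 24 + 224)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 20, 224)    # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)  # Magic = PE32
    struct.pack_into("<I", buf, e_lfanew + 24 + 92, count)
    return bytes(buf)

if __name__ == "__main__":
    for name, blob in [("stock", build_sample()),
                       ("patched", build_sample(count=6)),
                       ("moved header", build_sample(0xC0, 6))]:
        print(name, inspect(blob))
```

The "moved header" case shows why a fixed offset is fragile: with e_lfanew = 0xC0 the field sits at offset 308, and a check that only reads byte 244 would miss the change.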

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #6
(12-29-2012, 09:20 PM)Deque Wrote: [...]

Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?

"reflectors" would be wrong, the product's name is ".Net Reflector". It is a source-code extractor. It reflects the source code of a .NET PE, in the form of VB.Net or C# code, perfectly as the very project it was made from.
There is other software similar to that, like "Dis#".

The reason people prefer to protect their code is to well ... protect their code from being stolen, mis-used, etc. But I personally don't see the point unless you are that good, in which case I doubt one would use .Net application solely.

And no, don't worry, asking questions is not considered stupid. Pretending you know about something with a question mark in your head is stupid.
Redcat Revolution!

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #7
(12-30-2012, 03:21 PM)Coder-san Wrote:
(12-29-2012, 09:20 PM)Deque Wrote: [...]

Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?

"reflectors" would be wrong, the product's name is ".Net Reflector". It is a source-code extractor. It reflects the source code of a .NET PE, in the form of VB.Net or C# code, perfectly as the very project it was made from.
There is other software similar to that, like "Dis#".

The reason people prefer to protect their code is to well ... protect their code from being stolen, mis-used, etc. But I personally don't see the point unless you are that good, in which case I doubt one would use .Net application solely.

And no, don't worry, asking questions is not considered stupid. Pretending you know about something with a question mark in your head is stupid.

Thank you for your explanation. What does this have to do with VirusTotal? Do virus scanners use .Net Reflectors?

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #8
No, the OP is saying that by using this modification you would get 2 false positives in VirusTotal by some AVs. Which would've been a drawback, but he also said that even a "blank" .Net PE will show those 2 detections. Hence, he concluded that those 2 AVs will not bother on a random project with some code.

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #9
(12-31-2012, 04:01 AM)Coder-san Wrote: No, the OP is saying that by using this modification you would get 2 false positives in VirusTotal by some AVs. Which would've been a drawback, but he also said that even a "blank" .Net PE will show those 2 detections. Hence, he concluded that those 2 AVs will not bother on a random project with some code.

Ah thank you. Now I understand everything.

RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] #10
Cool! Thank you for sharing this :wink:
"Let the code run free, if it needs to be debugged, it will come back."

"It compiles. Ship it!"
