+- Sinisterly (https://sinister.ly)
+-- Forum: Coding (https://sinister.ly/Forum-Coding)
+--- Forum: Visual Basic & .NET Framework (https://sinister.ly/Forum-Visual-Basic-NET-Framework)
+--- Thread: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] (/Thread-VB-NET-C-Best-way-to-protect-your-source-against-reflectors-Source-Code)
Pages:
1
2
[VB.NET/C#] Best way to protect your source against reflectors[Source Code] - psycho.ts - 02-12-2012
Okay, so i found this pretty easy way of changing your PE which results in a reflector that is unable to open your file. I tried uploading a modded PE to VirusTotal, but seems it results in 2 false positives. Found out even a blank .NET PE file will also set off alarm to those 2 specific AVs. So I think this wouldn't cause a false positive on a random project you want to protect.
Into the PE header
So i found a specific header in the .NET PEs, which is default a byte with the value of 16. This byte is found in every .NET exe at the 244th byte. So just did some more research and found out when you change this byte into for example 15, a .NET reflector isn't able to read the .NET PE. I tried some more values, 0 to 5 will corrupt the exe file, 6 till 15 will do what we want, and higher than 16 I haven't tried, so that's up to you :].
Lets get started
So we want to create an app that changes that 244th byte, which is pretty easy.
Create a function/sub and add this little code into that function/sub [VB.NET]:
Code:
Dim tmpStream As New IO.FileStream("Path to your .NET PE", IO.FileMode.Open, IO.FileAccess.Write)
'We only need write permissions since we are only writing a single byte.
tmpStream.Seek(244, IO.SeekOrigin.Begin)
'This will place the file stream at the 244th byte, so we can overwrite that one
tmpStream.WriteByte(6)
'Writing our 244 byte in the PE file
tmpStream.Close
'Closing our file stream[C#]:
Code:
System.IO.FileStream tmpStream = new System.IO.FileStream(@"Path to your .NET PE",
System.IO.FileMode.Open, System.IO.FileAccess.Write);
tmpStream.Seek(244,System.IO.SeekOrigin.Begin);
tmpStream.WriteByte(6);
tmpStream.Close();So as you can see, this is pretty easy. Now lets see the results:
before:
![[Image: beforels.jpg]](http://img26.imageshack.us/img26/7929/beforels.jpg)
after:
![[Image: afterb.jpg]](http://img607.imageshack.us/img607/397/afterb.jpg)
As you can see, after i changed that PE header, the reflector can't open the file, however it does run as you can see :]
Hope you learned something and please let me know what you think :].
-Player2
Credit goes to Player2
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Jacob - 02-13-2012
that is fucking amazing!
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - CaMoTraX - 02-25-2012
Awesome thanks mate
Helps alot
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Transitional - 12-29-2012
That's amazing, and very helpful. Thank you!
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Deque - 12-29-2012
Have you ever tried to find out which part of the NT header this 244th byte is from, what it does and what it means by looking into the PE specification? I think this would be more interesting than just changing values and see what happens.
Also this value doesn't have to be the 244th byte. The position is not absolute, but relative to other values which are sometimes determined by an address. So you can make your method save and ensure that it doesn't only work with your sample files by finding the meaning of the value in the spec. I can help you with writing a program that determines the address of that value.
Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Coder-san - 12-30-2012
(12-29-2012, 09:20 PM)Deque Wrote: [...]
Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?
"reflectors" would be wrong, the product's name is ".Net Reflector". It is a source-code extractor. It reflects the source code of a .NET PE, in the form of VB.Net or C# code perfectly as the very project it was made from.
There are other software similar to that like "Dis#".
The reason people prefer to protect their code is to well ... protect their code from being stolen, mis-used, etc. But I personally don't see the point unless you are that good, in which case I doubt one would use .Net application solely.
And no don't worry, asking questions is not considered stupid. Pretending you know about something with a question mark in your head is stupid.
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Deque - 12-30-2012
(12-30-2012, 03:21 PM)Coder-san Wrote:(12-29-2012, 09:20 PM)Deque Wrote: [...]
Risking that I might sound stupid: What is a reflector and why do you have to protect your code from them?
"reflectors" would be wrong, the product's name is ".Net Reflector". It is a source-code extractor. It reflects the source code of a .NET PE, in the form of VB.Net or C# code perfectly as the very project it was made from.
There are other software similar to that like "Dis#".
The reason people prefer to protect their code is to well ... protect their code from being stolen, mis-used, etc. But I personally don't see the point unless you are that good, in which case I doubt one would use .Net application solely.
And no don't worry, asking questions is not considered stupid. Pretending you know about something with a question mark in your head is stupid.
Thank you for your explanation. What does this have to do with virustotal? Do virusscanner use .Net Reflectors?
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Coder-san - 12-31-2012
No, the Op is telling that by using this modification you would get 2 false-positives in VirusTotal by some AVs. Which would've been a drawback, but he also told that even a "blank" .Net PE will show those 2 detections. Hence, he concluded that those 2 AVs will not bother on a random project with some codes.
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - Deque - 12-31-2012
(12-31-2012, 04:01 AM)Coder-san Wrote: No, the Op is telling that by using this modification you would get 2 false-positives in VirusTotal by some AVs. Which would've been a drawback, but he also told that even a "blank" .Net PE will show those 2 detections. Hence, he concluded that those 2 AVs will not bother on a random project with some codes.
Ah thank you. Now I understand everything.
RE: [VB.NET/C#] Best way to protect your source against reflectors[Source Code] - EricTheGrey - 03-10-2013
Cool! Thank you for sharing this :wink: