Assembly modification protection not working?

.NET obfuscator and automated error reporting

Post by AntoineC » Wed Jun 23, 2010 12:35 pm

I am unclear about the Assembly Modification protection.

Here is what I have done:
- Created a WinForm sample application (.NET 2.0)
- Used SmartAssembly with the following options:
  - Strong Name Signing
  - Obfuscation default settings
  - String Encoding: "I want to use strings encoding with improved protection"
  - All other settings to default

After build, SA reports: "The assembly has been protected against any modification" as expected.

To check that, I have changed one byte in the protected .exe (in a char array I could locate easily).

Then I ran the protected app again. Result: the modified app just works!

This is not at all what I was expecting. I was assuming I would get an error message, or at least that the app would fail to start, since it has been "protected against any modifications".

Am I wrong? Or has SmartAssembly failed to protect my application?

Let me know!

Tested on SmartAssembly 5.

Thanks,

Antoine
PS: the Microsoft Strong Name tool (sn.exe) does report: "validation failed" on the modified app. So, I am sure that I did make a mistake and that the application is indeed modified.
AntoineC
 
Posts: 8
Joined: Wed Jun 16, 2010 4:50 pm

Post by Paul.Martin » Wed Jun 23, 2010 6:54 pm

I think the wording that SmartAssembly uses is a little bit strong in this case.

SmartAssembly does not perform a full hash of the assembly to verify that nothing has changed, so it will not detect changing a primitive constant in a hex editor.
If you want this sort of functionality, either strong name signing the assembly (and then verifying on load) or using code signing (Authenticode) is the best and simplest way.

However, SmartAssembly will protect against modifications by decompilation/recompilation, code injection and most modifications to the actual code.
Paul.Martin
 
Posts: 83
Joined: Wed Feb 03, 2010 11:20 am
Location: Cambridgeshire
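
The "strong name signing (and then verifying on load)" approach mentioned in the reply above, sketched as an added example that is not part of the thread and is not SmartAssembly code. It assumes a strong-named .NET Framework executable on Windows; the class names and the `ExpectedToken` value are placeholders.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;

static class IntegrityCheck
{
    // Placeholder: the public key token of your own signing key ("sn.exe -T YourApp.exe").
    const string ExpectedToken = "0123456789abcdef";

    // Native strong-name API exported by mscoree.dll; BOOLEAN is one byte wide.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    public static bool IsUnmodified()
    {
        Assembly self = Assembly.GetExecutingAssembly();

        // 1. Re-hash the file on disk and check it against the embedded signature.
        //    fForceVerification = true overrides skip-verification registry settings.
        bool wasVerified = false;
        if (!StrongNameSignatureVerificationEx(self.Location, true, ref wasVerified))
            return false; // unsigned, or bytes changed after signing

        // 2. A valid signature alone is not enough: the file could have been
        //    re-signed with a different key, so pin the public key token.
        byte[] token = self.GetName().GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return false;
        string actual = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        return actual == ExpectedToken;
    }
}

static class Program
{
    static int Main()
    {
        if (IntegrityCheck.IsUnmodified())
            return 0; // continue normal start-up here
        Console.Error.WriteLine("Integrity check failed: assembly was modified.");
        return 1;
    }
}
```

Because the check ships inside the file it protects, it detects edits like the one-byte change described in the first post but cannot stop someone who also removes the check. Authenticode verification done by a separate launcher or by OS policy covers that case.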

Post by AntoineC » Thu Jun 24, 2010 9:54 pm

Thanks for your reply, Paul.

The wording in SmartAssembly is a bit misleading for that feature.

Suggestion:
- change the wording.
- much better: add to SmartAssembly what you are telling me! Since SmartAssembly already Strong Name signs the assemblies, it should not be too complicated to compute and verify a hash.

Antoine
AntoineC
 
Posts: 8
Joined: Wed Jun 16, 2010 4:50 pm

Post by Paul.Martin » Fri Jun 25, 2010 11:34 am

The wording has been fixed for the forthcoming update.

We do have a feature, to add self-verification to protected assemblies, listed on the roadmap for SmartAssembly (SA-77). So hopefully it will make it in at some point soon (although no promises).
Paul.Martin
 
Posts: 83
Joined: Wed Feb 03, 2010 11:20 am
Location: Cambridgeshire
