This course aims to Introduce .NET programmers to the main concepts of application hacking, and what they can do to add a protection layer for their applications in order to prevent or decrease the possibility of hacking their applications.
Part 1 :
we will have a brief introduction about .NET programming and about the security limits that it contains, and we will cover why .NET applications can be easily hacked, also we will introduce you to our sample application that we will use in this course to apply our labs on.
Part 2 :
we will cover the steps that a hacker goes into while he tries to hack an application.
1-Code Decompilation or reverse engineering.
3-Alter and rebuild a hacked version.
and we will show each step alone in a special lecture ,applying each on our sample application.
Part 3 :
We will cover application protection techniques from both sides :
Copy protection and code protection.
Then we will cover 2 of the main copy protection techniques :
1- Hardware dependent copy protection , we will show you how to create a hardware id that users will use to register your application, in a way if your application is copied to another computers , then it will not work.
2-Online activation technique, we will show you how to make your application contact another server which must be online to be registered, we will simulate this technique by using SQL server database and a small application to manage.
3-And in the bonus section we will have an overview of an advanced copy protection technique which is Asymmetric encryption protection with license file.
Then after applying copy protection , we will show you how to protect you source code from reverse engineering by obfuscating the source code.
After applying each protection technique we will test our application to see how everything is working great.
Also we will see how to merge assemblies using ILMerge tool , and we will apply assembly signing and we will learn how can it improve our application security.
This course is for beginners to introduce them to the world of Application hacking and protection.
It's the first step for any programmer or computer scientist who need to know about application hacking and protection.
This course will be divided into two main parts :
The first part will discuss the concept of hacking applications
In the second part, we will discuss the concept of protecting applications.
1-web, mobile and enterprise applications are mostly being programmed in .NET
Also, .Net is being used in developing traditionally native software such as scientific, engineering and other intensive Network and graphic processing applications.
2-The main Disadvantage of .net is the security hole that it contains.
3-Why .NET can be easily hacked ?
Being a managed language distributed as an intermediate-level byte code, .NET is highly susceptible to reverse engineering and tampering attacks.
1-The fact is that achieving 100 % protection for your applications is almost impossible.
2- Number 2 facts says, if Achieving 100 % protection is somehow impossible, this does not mean to distribute your applications with no protection.
3-Software protection and hacking are always in a challenge, what we must achieve is a type of protection that makes the application harder to be hacked and away of amateur and unprofessional hackers, this the first point, the second point is to protect your application from totally being stolen, in which if somebody hacked your application they will not be able to distribute a damaged or altered version of it.
In this lecture we will explain a little bit about the sample application that we are going to use in this course in our testing labs.
But before we start and as an introductory note:
In this course we will use VB.net as our programming language, but the concepts we are talking about here in this course, are divided into two categories, some are general to all programming languages and some are specific only for .net framework.
So even if you are working with other programming languages you will find something that will help you here in our course.
In this lecture we will describe the 3 steps of hacking an application.
In this session: we will go into the first step and we will show you how to decompile a .NET application and get its source code. As we said there are many tools hackers use to achieve this job and many are free.
In our lab we will use .NET Reflector as our decompiling tool.
In the previous session we showed you how you can get the source code out of a .NET application very easily using .Net Reflector.
In this session we will go into the second step which is the process of analyzing the code to find valuable information or some vulnerability that we can use to hack the application. But before that we are going to create a simple serial number protection for our application to see how code analysis will help hackers to detect and break the protection
In the last session we discussed the code analysis process and we implemented a small lab and showed how it works.
The last step is altering process and rebuilding a hacked version of the application.
We will show two different ways a hacker may use to regenerate the application: the first way is altering the serial number, and regenerating another serial number.
The second way is to remove the security code in our application and rebuild a full registered version that doesn’t implement any security.
Before we start , you must now that .Net reflector and other decompilers by default don’t have the ability to alter the source code and save it , to do that we must install an addon called reflexeal .
Reflexeal allows you to alter the code and save it even without rebuilding the application , we will see how to do that in this Lecture
Okay now we will start discussing the main part of this course which is:
Protecting our .NET applications
Before we start, you must know an important point.
Any application has two protection types, the first type is code protection which is defending
from reverse engineering and decompilation,and the second type is copy protection.
Application copy protection means that if someone had your application legally,how to prevent him from selling or distributing your application to others illegally.
we will implement a lab to demonstrate this issue.
In this session we will discuss different techniques used to implement copy protection.
Maybe there is many techniques used in this field, in this course we will discuss the main 5 techniques and we will implement a lab on each one.
The technique that we are going to learn are :
In this lecture we will have an overview about the Hardware Dependent Key protection
In this lecture we will implement the File Encryption and decryption file , and we will generate our license file that will hold the registration state of the application.
Now we will create our application registration form that will be used by the user to register the application.
In this lecture we will create the Generate hardware ID Method that will generate a unique hardware ID for the computer running the application .
The Method code is found in the resources of this lecture, also i added a brief explanation of WMI that is used in the Generation process.
And i added a simple application that can help you in using WMI to Generate your custom hardware ID.
Now we will add the main 2 methods , The TryRegister() Method that is responsible for registering the application if the User serial number was correct.
and the second method is the Validation method that is used to validate if the application is registered by reading the Encrypted License File.
Both methods are attached to the resources of this lecture.
In this lecture we will develop a small application that will help us in generating serial numbers for users.
The source code of the application is in the resources of this lecture.
Now after we finished the process, we will test the application protection in this lecture
Before we implement the Online activation method, we will have an overview in this lecture
Before we start implementing the online validation technique and as we said before we are going to move the copy protection code to a separate library , this helps if you have multiple applications that you want to apply the protection on.and in this course we are showing you this in order to have an idea of different scenarios.
In this lecture we will create the database that will hold the registration information of our application, this database will be mssql. and its a simulation for our central server.
Now we will implement the interface that will manage the database created before, so we can add ,delete , update the records in the database.
In this lecture we will implement the method that will validate the application info entered by the user .
Now we will modify the registration form to be suitable with our new registration method.
After we finished implementing our online copy protection technique we will test our application now.
After we have implemented copy protection for our application, now we want to implement code protection, because as we explained in section 2, if the application is not code protected then it can be very easily hacked.
To protect our code we use a method called Obfuscation.
Obfuscation makes the assemblies and the executable unreadable with Decompiling tools that we explained before in section 2 , there are several obfuscation tools available and some are free,
Here is a list of some Obfuscators that you can use:
DotFuscator. This can be integrated with visual studio in the build process, and have a community edition which is free.
This is a powerful Obfuscator with the advantage of being open source
Euzfuscator: this is a very powerful Obfuscator and it has many advanced techniques like renaming, string encryption, unreadable characters and many others, but the main drawback that is not free
This also a good obfuscator that you can use , its free and open source, we will use confuser in this course to protect our code
Merging assemblies is a very important step before code obfuscation,
Firstly, what we mean by merging assemblies
is to merge sensitive License related assemblies into you main executable
But why we must do that, and not obfuscate each alone?
Simply, because when we obfuscate an assembly, the public APIs of that assembly must remain unobfuscated
so they can be used by other assemblies, thus the obfuscation will be less effective if we keep the sensitive assemblies separate from the main executable.
How to merge assemblies
For assembly merging we will use
Microsoft IL Merge tool which is command line free tool used to perform .Net assembly merging
You can download IL merge from the link attached to this lecture or you can download the
zipped file of the application that I attached too ,also I put another GUI version of IL Merge that will make the process easier
As a small note, to make the assembly merge effective , we will use the
/internalize flag in IL merge which will make the public APIs in the merged assembly internal so they will be obfuscated too.
Okay let’s now merge our assemblies in our application to prepare them for obfuscation.
let's now protect our code by applying code obfuscation on our application source code.
As we said before we will have an overview about Asymmetric key protection technique .
but we will not apply it since its out of the level of this course, it is an advanced topic.
In this lecture we will explain what is signing assemblies and how to apply on our application assemblies.
As a summary of our course :
We had a small introduction about .NET programming and security
We learned how hackers can hack your application by explaining the three steps application hacking process then we learned how we can implement both code and copy protecting for our applications.
And the last lecture was an implementation to a secured trial version of our application
This course is for beginners in this field, and a way to introduce you to the world of application hacking and protection.
Just as a small recommendation , when you want to protect your application , be accurate in selecting the best type of protection that ensures security but in the same time you must think of users using your application , you must make it simple and easy for them ,and don’t forget that developing a free version of your application will always be a good way to decrease your application hacking risk in one side , and in the other it’s a good advertising for you full or enterprise version of you application.
The most thing that I don't love to do, is talking about myself, but here in udemy I am obliged to do, I fell in love with computers when I was 8 yeas old, I made a full windows installation at 9.I tried my best to learn topics related to computers as much as I can, I learned programming, network and server administration, Hacking and security, computer maintenance, virtualization, Linux and even adobe and Autodesk graphic and design products.
All my life is the computer , until the day I am writing this biography, I have more than 8 years experience in Network and server administration, more than 6 years in .NET, JAVA, C++ Programming, and of course Database design and administration.
I used to teach these materials for 4 years in my company until I decided to move my experience to the world, I teach several free courses on youtube, and now I am releasing high-quality courses here in udemy
Besides that, I studied psychology, philosophy, and cosmology.Also, I know 3 languages, English, Arabic & Persian.
I hope that you will learn a lot out of my courses.
And I will be very glad to help anybody, just contact me I will be with you.
Qualifications and education
★ BS in computer science
★ Masters in computer science
★ MCSA 2003-2008-2012-2016
★ MCSE 2003-2008-2012-2016
★ VMware VCP
★ VMware VCAP
★ Cisco CCNP
★ SQL Server administration