A NGENed assembly has a special non-accessible cache created where the
machine code in stored.  When you modify the IL assembly and re-execute it
the .Net Framework stops pointing the the cache and uses the IL cache
instead.  This is why you see the changes made to the IL assembly instead of
the cached machine code version.

--Robby

Marco van Nieuwenhoven <MarcovanNieuwenhoven@discussions.microsoft.com>
wrote:

You can see what it does, but actual semantic meaning is a lot harder
to understand without any reasonable names. Try decompiling any large
obfuscated app and see how easy it is to understand.

Most obfuscators build a map so that you can get back from an
obfuscated stack trace to a nicely named one (with the map).

Yes, it's more difficult to read. Not impossible though.

The link was
http://www.yoda.arachsys.com/csharp/faq/#framework.required - there are
links there to linkers which produce native code.

I'd ignore that if I were you - that was trying to understand how Robby
thought you could use an NGENed image without the original assembly. I
assume from his silence on the topic that he's now accepted that you
can't do it...

Are you talking hacking/cracking or getting the code posted at the code
project?  They are different.
Actually, cracking is just as simple on x86 code as it is with IL.  That is
because crackers live in debuggers and asm anyway.  From that perspective
obfuscated IL is harder for them as you add obfuscation and is different
then what they are used to.  So you will be able hack any app that lives on
a w/r medium.  But can you understand it is the other another problem and
the one you want to control as well as possible.  I really like Xeno code.
Is a fair price and works really well.  With conservitive settings and
control flow obfus, and ILDasm breaking turned on is great.  Can not use std
ILdasm to round trip, can not understand from Reflector or others and can
not reverse it.   Saying "can not" is misleading.  As everything is
possible - right?  I mean you would eventually find your RSA private key
with a brute force attack too.  So how hard is it is the key.  Even with a
good obfuscator you have to balance protection level as if you do to much
you start breaking things.  You still need to test whole app again after
obfuscation which is a big problem with the idea in general.

I read the docs.  They talk about things like "Protective Shields" and
"Train Cars" a lot.  But when you wade past the marketing fluff, it is an
RSA key store plain and simple.  It stores private keys and can take an
encrypted string (encrypted with public key) and decrypt it.  Here is the
basic process from what I read:
1) Encrypt exe, or dll with 128-bit Rijndael using random Secret and IV and
store.  Done at developers station.
2) Encrypt the secret and IV with the public key.  Save the cipher text and
public key with the cipher dll from Step 1.
3) One and 2 are the "package".  Other transforms and/or "magic"
splitting/blocking/train-car may be done.
4) Create the wrapper/loader around the cipher "package" and distribute
that.

When app starts:
1) Loader *.exe that is called by user.
2) Loader first checks that the HardLock(HL) is present with a ping msg.  If
not, return failure.
3) Loader loads "package" and extracts cipher Secret and IV and sends to HL.
4) HL decrypts the string(s) using private RSA key stored in the lock.
5) HL returns *clear secret and IV to caller.  This is the potential weak
link in the procedure.
6) Loader decrypts "package" in memory using Rijndael keys.
7) Loader can call an entry point to start the app.
8) Loader may also use a timer thread to periodically check the HL is always
there with some ping msg - or exit if not.
9) Loader has some magic to tell if a debugger is running.  Not sure about
validity of this statement or what is possible here.

So basically it uses Rijndael and RSA key pairs to encrypt the Rijndael keys
like you would do in normal digital envelope.  But the RSA private key is
stored in the lock.  Like all crypto, it comes down to protecting the keys
and to use the resulting clear text for only a very short time and remove it
from memory.  Here is where it comes back to the same problem we all have -
protecting the clear text in memory.  The driver api call to decrypt the rj
keys *has to return clear text to init Rijndael with - just has to be done.
If I can get the key, the HL is not much use anymore as I can run Rijndael
myself with the known key and iv.  The various "mixing" they also do would
slow you down a bit more.  The "crashing debugger" part is the most
interesting I think.  If they can do that in a fool proof way, then they
really have something there.  But they don't talk about the tech here other
then marking points.  I don't know enough about it to say either way.  If
they can't stop debuggers, then it would not be that much harder to crack
then a sw only solution.

Actually I have done all the same things in a sw-only license solution with
digital envelopes and ran into same issues.  It all comes down to protecting
that darn key - the rest is not so important.  Wonder if a USB sniffer would
show the returned clear text rj keys?  Cheers.