Should HASP Vendor Code be encrypted/obfuscated?

Question

This is in regard to SafeNet/Aladdin Sentinel HASP keys. I've posted to their site but just in case anybody else knows the answer or would find the answer useful I'm posting here too.

According to the docs provided by SafeNet in "Software Protection and Licensing Guid.pdf" we are supposed to keep our Vendor Code secret, right?

Well, if I build the sample provided in "\Samples\Runtime\csharp\", then protect the app with Envelope, then decompile the Enveloped app in JetBrains dotPeek, I can see the Vendor Code string there very easily. It appears that Envelope does not obfuscate const strings. Or maybe it's class level strings, I don't know.

Is this the recommended way of using the Vendor Code? Doesn't seem very secret. If I put the Vendor Code string into a temporary variable in a function then it gets obfuscated. Is that the way it should be done? If so, shouldn't the sample code reflect that?

Thanks.

Answer 1

We had noticed the same thing. The reason const strings are not obfuscated is likely due to the fact that a const variable is a compile time constant, which allows the compiler to replace references to a const variable with the constant value itself at compile time. So there basically is no const string field to obfuscate by the time the enveloping process starts. (This isn't entirely true - the definition of the const is persisted in the IL, but just for documentation purposes; it's not referenced by any code.)

The way we dealt with this is by by using static readonly strings, initialized in a static constructor. Doing this stores the string values as runtime constants, allowing the enveloping process to access them properly for obfuscation. (This is verified by decompiling the assembly, as you mentioned.)