
Assembly modification protection not working?

AntoineC Posts: 12
edited June 25, 2010 6:34AM in SmartAssembly 5
I am unclear about the Assembly Modification protection.

Here is what I have done:
- Created a WinForm sample application (.NET 2.0)
- Used SmartAssembly with the following options:
  - Strong Name Signing
  - Obfuscation default settings
  - String Encoding: "I want to use strings encoding with improved protection"
  - All other settings to default

After build, SA reports: "The assembly has been protected against any modification" as expected.

To check that, I have changed one byte in the protected .exe (in a char array I could locate easily).

Then I ran the protected app again. Result: the modified app just works!

This is not at all what I was expecting. I was assuming I would get an error message, or at least that the app would fail to start, since it has been "protected against any modifications".

Am I wrong? Or has SmartAssembly failed to protect my application?

Let me know!

Tested on SmartAssembly 5.

Thanks,

Antoine
PS: the Microsoft Strong Name tool (sn.exe) does report: "validation failed" on the modified app. So, I am sure that I did make a mistake and that the application is indeed modified.

Comments

  • Paul.Martin Posts: 83 New member
    I think the wording that SmartAssembly uses is a little bit strong in this case.

    SmartAssembly does not perform a full hash of the assembly to verify that nothing has changed, so it will not detect changing a primitive constant in a hex editor.
    If you want this sort of functionality, either strong name signing the assembly (and then verifying on load) or using code signing (Authenticode) is the best and simplest way.

    However, SmartAssembly will protect against modifications by decompilation/recompilation, code injection and most modifications to the actual code.
  • Thanks for your reply, Paul.

    The wording in SmartAssembly is a bit misleading for that feature.

    Suggestion:
    - change the wording.
    - much better: add to SmartAssembly what you are telling me! Since SmartAssembly already Strong Name signs the assemblies, it should not be too complicated to compute and verify a hash.

    Antoine
  • Paul.Martin Posts: 83 New member
    The wording has been fixed for the forthcoming update.

    We do have a feature, to add self-verification to protected assemblies, listed on the roadmap for SmartAssembly (SA-77). So hopefully it will make it in at some point soon (although no promises).