This is a simple way to protect your application from any so-called “cracker”, without involving obfuscation. Remember that this works only against Reflector (tested on: v220.127.116.11), any other decompilers are “immune”.
The main idea is this: you change the value of NumberOfRvaAndSizes from the optional header of your application (IMAGE_OPTIONAL_HEADER).
Note that NumberOfRvaAndSizes is usually 16 (0x10) in any PE, however we can change that value to any number between: 0x6 and 0x9. Values outside this range will crash the application.
This value holds the number of data directories (IMAGE_DATA_DIRECTORY) - Reflector’s problem is that it always expects the value to be 16 even though the application doesn’t require that.
Modifying the optional header
On 32-bit systems, the value of NumberOfRvaAndSizes is always stored on the 244th byte (0x00000F4), so you can change that value with a simple Hex Editor.
It will look like this:
After you change that value with one between 6 and 9, save the application and you’re done.
If you try to open this in Reflector it should return an error message:
“Invalid number of data directories in NT header.”
- might not work on 64 bit systems.
- not a “global” fix, other decompilers can still get the source code.
- still a weak method, any skilled cracker would notice that.