TypeMock originally a framework to create mock objects, recently published the core API as TypeMock Open-API and on the same foundation, a project name CThru which gives you the “mocking” ability in the wild! This means now you can intercept calls to any API (except for some core .NET API and TypeMock API itself) and mock-out any of the existing functionality. This is really huge! But this is a sword with two blades! Let”s see how a mischief cracker with bad intentions and high imagination can crack open your commercial component without even touching any IL code or modifying .NET assembly in anyway!

This is only for educational purpose. I”m only demonstrating this for you to be more cautious when publishing you commercial product, designed to be used by developers.

Let’s say we have a commercial component which uses a sophisticated algorithm to check if it is running in trial mode and if it does, it will then throw an exception, because trial period has expired.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public class CommercialComponent
{
    public void Run()
    {
        if(IsExpired())
            throw new ApplicationException("Your application is expired");

        //continue
    }

    private bool IsExpired()
    {
        //Check using a sophesticated algorithm
        //like checking an encrypted license file, checking a 
        //webservice, register, etc.
        return true;
    }
}

First step is to create an aspect. CThru aspects are like any other AOP framework, you can tap into object creation or any method call.

1
2
3
4
5
6
7
8
9
10
11
12
13
public class LicenseHackAspect : Aspect
{
    public override bool ShouldIntercept(InterceptInfo info)
    {
        return info.MethodName == "IsExpired"
    }

    public override void MethodBehavior(DuringCallbackEventArgs e)
    {
        e.MethodBehavior = MethodBehaviors.ReturnsCustomValue;
        e.ReturnValueOrException = false;
    }
}

Now on application start, you tell CThru engine to start and register all aspects. It is still no brainer. Let”s create a unit test to show this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
[TestFixture]
public class OpeningPrivateAPITests
{
    [SetUp]
    public void Setup()
    {
        CThruEngine.StopListeningAndReset();
        Assert.IsTrue(CThruEngine.EventsAreClear);
    }

    [TestFixtureTearDown]
    public void Teardown()
    {
        CThruEngine.StopListeningAndReset();
        Assert.IsTrue(CThruEngine.EventsAreClear);
    }

    [Test]
    public void Can_Intercept_Private_Properties()
    {
        var aspect = new LicenseHackAspect();
        var component = new CommercialComponent();

        CThruEngine.AddAspect(aspect);
        CThruEngine.StartListening();

        try
        {
            component.Run();
        }
        catch (Exception)
        {
            Assert.Fail("Should not throw exception");
        }
    }
}

And the test now passes!

So, is it just me that feels this is a very simple (attractive?) way for crackers? Fortunately, to use CThru you need to have Typemock Isolator installed on your machine which is not a free product.

Other than the point shown here, CThru is a powerful AOP framework with which you can achieve a lot with just a few lines of code. The only problem, is according to the license page, the end-user buying your product still needs to buy another license from TypeMock.

Thoughts?