.NET Reactor encryption vs obfuscation
I have a requirement to protect our assemblies against reverse engineering, to lessen the risk of IP theft or license hacks. .NET Reactor looks powerful and we already have a license for it.

Reading through the documentation it seems there are several mechanisms for preventing decompilation other than obfuscation. I've read that obfuscation can foul up serialization, which is a big part of our system, and I am hoping to avoid it completely.

I'm mainly interested in NecroBit, which claims to encrypt the CIL, making it "impossible to decompile/reverse engineer." It seems to me that if this is true, obfuscation or any other settings would be pointless.

Can any experienced .NET Reactor users give any more practical explanation of the various options and/or suggest a good permutation for a serialized system? What are some good tools for testing this software's claims?

Isolated answered 14/6, 2017 at 20:9 Comment(5)
I always think that claims like "impossible to decompile/reverse engineer" are just marketing. To be loaded by the CLR an assembly will have to be at least in memory, and, of course, unencrypted. I believe any method (including obfuscation) will just make the disassembly process more difficult, but never impossible. – Rescript
This may help you clarify what the state of the art in assembly protection is. – Rescript
If you send me your assembly, I have all the time in the world to attempt to reverse engineer it. It's going to be loaded as executable instructions at the end of the day (otherwise it wouldn't work), so I can just take a memory dump. If you have really important algorithms, hide them behind a web service, and don't distribute them. – Andantino
All of this is just to increase the work-factor, that is how hard and how long it will take. Nothing is 100%: Gemalto, "World leader in Digital Security", and RSA both got hacked, and both are first-line crypto companies. That said: define your threat model, that is the value of whatever you need to hide, the attacker skill and how much time an attacker will devote. Then choose the level of protection you need. Keep in mind that your security efforts will negatively affect your development efforts and most likely increase the bug count. – Reproduction
If you want really good security, hire a security professional, in the same way a General Practitioner (MD) refers to a specialist. As the saying goes: "You need to know your limitations". – Reproduction
As long as the corresponding classes are marked as serializable you can tell .NET Reactor to exclude these classes from obfuscation:

[screenshot of the .NET Reactor exclusion setting; image not available]

Mummify answered 12/11, 2020 at 15:23 Comment(5)
I tried [ObfuscationAttribute(ApplyToMembers = true, Exclude = true)] on the class declaration; it looks like it does not work. Why does the class need to be marked as serializable to use Obfuscation? I have not seen such a requirement in .NET Reactor's help; the version is 5.9.8.0. – Vories
I just saw your post @ #60855683 about the helper tool. I'm trying it now. Thanks! – Vories
It does not work. I use .NET Reactor 5.9.8.0. I tried to exclude the whole class from ALL of .NET Reactor's protection methods, because .NET Reactor broke the cross-AppDomain code: [System.Reflection.Obfuscation(Feature = "EXCLUDE:NECROBIT,OBFUSCATION,STRINGENCRYPTION,ANTITAMP,CONTROLFLOW,SNREMOVAL")]. After .NET Reactor, I open the assembly with dnSpy, and it looks like this class is still encrypted/obfuscated. – Vories
There is no requirement to mark a class as serializable to use obfuscation. I showed a way to easily exclude classes/members from serialization (grinder22 referred to a serialized system). The obfuscation exclusion options only prevent renaming of the corresponding classes/members, but the other protection features are still applied. – Mummify
In order to exclude protection features other than obfuscation you need to set a special assembly attribute to enable declarative protection: [assembly: System.Reflection.Obfuscation(Feature = "DECLARATIVEPROTECTION")] It works fine with the latest .NET Reactor version and should work fine with 5.9.8.0 as well. – Mummify
Hopefully this helps some other people using .NET Reactor or similar tools. I'm aware of the limitations of any tool. The goal was to reduce the risk of licensing hacks as much as possible with minimal effort. My company has been burned before and the boss wanted it.

Our project in particular is a WPF desktop using Prism. I found when I tried to Merge my assemblies into a single fat exe, some of my interface registrations were failing to resolve in the Unity container. We decided it was ok to protect each dll individually rather than fight with this. Once I did that this tool worked nicely. I literally checked every protection option for the desktop.

Our services run SignalR hubs in a self-hosted OWIN process. In this case the Native EXE File option would not work. We got Bad Image Format exceptions when we ran the services. Otherwise all options checked.

Beyond that I ran into some spotty issues where we were using reflection in the form of Type.GetMethod(string). I had to exclude a few methods and classes with an ObfuscationAttribute.

I was anticipating issues with JSON serialization but didn't get any. Everything just worked :)

Isolated answered 20/6, 2017 at 14:8 Comment(0)
I have been using .NET Reactor for many years. I use the ISerializable interface together with a serialization binder to get around obfuscation etc. It works through every protection method that .NET Reactor has.

    using System;
    using System.IO;
    using System.Runtime.Serialization;
    using System.Runtime.Serialization.Formatters.Binary;

    public static class Persistence
    {
        // Writes yourObject to fileName and reads it back through the binder.
        // BinaryFormatter is only safe for data your own code wrote, never for
        // input an attacker can supply.
        public static YourClass SaveAndLoad(string fileName, YourClass yourObject)
        {
            Stream s = null;

            BinaryFormatter b = new BinaryFormatter();
            Binder CB = new Binder();
            b.Binder = CB;

            try
            {
                s = File.Open(fileName, FileMode.OpenOrCreate);
                // to serialize
                b.Serialize(s, yourObject);
                // to deserialize (rewind first: after Serialize the stream sits at its end)
                s.Position = 0;
                yourObject = (YourClass)b.Deserialize(s);
            }
            catch (Exception ex)
            {
                // an empty catch hides real failures; at least record them
                Console.Error.WriteLine("Serialization failed: " + ex);
            }
            finally
            {
                if (s != null)   // File.Open may have thrown before s was assigned
                    s.Close();
            }
            return yourObject;
        }
    }

    [Serializable]
    public class YourClass : System.Runtime.Serialization.ISerializable
    {
        private string stringVar;

        public YourClass() { }

        // Explicit serialization function: the key is a string literal, so the
        // stream does not depend on the field name the obfuscator may rename
        public void GetObjectData(SerializationInfo info, StreamingContext ctxt)
        {
            info.AddValue("stringVar", stringVar);
            // and so forth...
        }

        // Deserialization constructor (same name and case as the field above)
        public YourClass(SerializationInfo info, StreamingContext ctxt)
        {
            stringVar = (string)info.GetValue("stringVar", typeof(string));
            // and so forth
        }
    }

    // The serialization binder: resolves type names from this assembly only,
    // ignoring the assembly name recorded in the stream
    public class Binder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            Type t = typeof(Binder).Assembly.GetType(typeName);
            if (t == null)
            {
                // returning null would make the formatter fall back to loading
                // whatever assembly the stream names; fail closed instead
                throw new SerializationException("Unknown type: " + typeName);
            }
            return t;
        }
    }
Monreal answered 25/2, 2018 at 15:51 Comment(1)
I can't tell from your intro - are you saying that this is a method to get at the source code despite .NET Reactor, or that this is the method to make something within your code serialize correctly with it in place? – Finnic
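The following is an added example, not code from any answer above, that carries the ISerializable-plus-binder approach of the last answer and the ObfuscationAttribute exclusion from Mummify's answer through to a form whose on-disk stream contains neither member names nor obfuscator-generated type names, so it survives renaming between builds and only ever resolves types from an explicit map. LicenseInfo and StableNameBinder are hypothetical names; it assumes .NET Framework, where BinaryFormatter is still available, and that .NET Reactor honours the attribute as the comments discuss.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Excluded from renaming via the attribute discussed in the comments above (hypothetical class).
[Serializable, Obfuscation(Exclude = true, ApplyToMembers = true)]
public sealed class LicenseInfo : ISerializable
{
    public string Customer { get; private set; }
    public LicenseInfo(string customer) { Customer = customer; }
    public void GetObjectData(SerializationInfo info, StreamingContext ctx)
    {
        info.AddValue("customer", Customer);           // literal key, not a member name
    }
    private LicenseInfo(SerializationInfo info, StreamingContext ctx)
    {
        Customer = info.GetString("customer");
    }
    public byte[] ToBytes()
    {
        var f = new BinaryFormatter { Binder = new StableNameBinder() };
        using (var ms = new MemoryStream()) { f.Serialize(ms, this); return ms.ToArray(); }
    }
    public static LicenseInfo FromBytes(byte[] data)
    {
        var f = new BinaryFormatter { Binder = new StableNameBinder() };   // same binder both ways
        using (var ms = new MemoryStream(data)) return (LicenseInfo)f.Deserialize(ms);
    }
}

// Writes a hand-picked, stable name into the stream instead of the (possibly renamed) CLR name
// and resolves only names from the same map. BindToType throws instead of returning null,
// because null makes BinaryFormatter fall back to whatever assembly/type the stream names.
public sealed class StableNameBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { "LicenseInfo", typeof(LicenseInfo) } };
    public override void BindToName(Type type, out string assemblyName, out string typeName)
    {
        foreach (var kv in Allowed)
            if (kv.Value == type) { assemblyName = null; typeName = kv.Key; return; }
        throw new SerializationException("Type not registered: " + type);
    }
    public override Type BindToType(string assemblyName, string typeName)
    {
        Type type;
        if (Allowed.TryGetValue(typeName, out type)) return type;
        throw new SerializationException("Type not allowed in stream: " + typeName);
    }
}
```

A round trip is `LicenseInfo.FromBytes(new LicenseInfo("ACME").ToBytes())`; a stream naming any type outside the map fails in BindToType rather than being resolved.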