Login/Register
.NET obfuscation tools/strategy [closed]
Asked Answered
Solved .netsecurityobfuscation
E

30

165

My product has several components: ASP.NET, Windows Forms App and Windows Service. 95% or so of the code is written in VB.NET.

For Intellectual Property reasons, I need to obfuscate the code, and until now I have been using a version of dotfuscator which is now over 5 years old. I'm thinking it is time to move to a new generation tool. What I'm looking for is a list of requirements which I should consider when searching for a new obfuscator.

What I know I should look for so far:

  • Serialization/De-serialization. In my current solution, I simply tell the tool not to obfuscate any class data members because the pain of not being able to load data which was previously serialized is simply too big.
  • Integration with Build Process
  • Working with ASP.NET. In the past, I have found this problematic due to changing .dll names (you often have one per page) - which not all tools handle well.
Equi answered 5/8, 2008 at 16:20 Comment(5)
Several duplicates: google.com/…Furl
See: msdn.microsoft.com/en-us/vcsharp/aa336818.aspx#obfuscatorsMoreta
See Agile.net .NET Obfuscator for an alternative solution for obfuscating your code. In particular check its code virtualization feature.Careerist
See a good list of obfuscators from ArmDot to Xenocode here on SO: https://mcmap.net/q/151571/-best-method-to-obfuscate-or-secure-net-assemblies-closedCovarrubias
For our large and complex .NET app most of .NET Obfuscators just failed and introduced bugs. .NET Reactor was the only one that met all our needs. I spent a great deal of time trying a dozen of obfuscators and summarized my findings here blog.ndepend.com/in-the-jungle-of-net-obfuscator-toolsSmelt
P
44

Back with .Net 1.1 obfuscation was essential: decompiling code was easy, and you could go from assembly, to IL, to C# code and have it compiled again with very little effort.

Now with .Net 3.5 I'm not at all sure. Try decompiling a 3.5 assembly; what you get is a long long way from compiling.

Add the optimisations from 3.5 (far better than 1.1) and the way anonymous types, delegates and so on are handled by reflection (they are a nightmare to recompile). Add lambda expressions, compiler 'magic' like Linq-syntax and var, and C#2 functions like yield (which results in new classes with unreadable names). Your decompiled code ends up a long long way from compilable.

A professional team with lots of time could still reverse engineer it back again, but then the same is true of any obfuscated code. What code they got out of that would be unmaintainable and highly likely to be very buggy.

I would recommend key-signing your assemblies (meaning if hackers can recompile one they have to recompile all) but I don't think obfuscation's worth it.

Pitiable answered 5/8, 2008 at 16:20 Comment(16)
Totally disagree. Signing can't replace obfuscation. Signing is aimed againt hacking your code. But if you what to hide you idea, algorithms, etc obfuscation is the only way.Fluffy
I don't think signing can replace obfuscation, it just makes it much harder to hack. Obfuscation fails to hide your idea - if they want to copy that they will anyway, and obfuscation won't even make it much more difficult. In particular as algorithms are all operators obfuscation doesn't have much effect on them - they're usually one of the easiest things to extract.Pitiable
Obfuscation may not be worth it if your talking about a team with lots of resources at it's disposable, but obfuscation is great to protect against the "average" developer who wants nothing more than to use Reflector to open up your assembly and save the source code as a project and making adjustments. Obfuscation has it's place and to rule it out completely is the wrong attitude to have. It's a layer of defense.Implosion
@VincePanuccio You're missing my point: the average developer is not going to be able to decompile any .Net project >= version 2 and get something compilable thanks to all the compiler 'magic' in later versions. Obfuscation is a pain to maintain and adds massive overhead to investigating every bug/stacktrace, but it doesn't stop anyone determined and won't even slow down the casual copy-paster taking a method or two. It's an expensive and weak layer of defence that's just not worth it.Pitiable
When you decompile, the source is in a messy state but logically it still follows the same paths. There is no compiler 'magic' voodoo. I know because I had lost a repository recently and used reflector to recover the source code. Obfuscation is only a pain to "maintain", if it's is not part of your build process. It does add overhead, but are we all writing computationally intensive apps? No. It's a weak layer of defence for a weak attacker.Implosion
You're absolutely right, keeping the source map is such a HUGH overhead. I never thought storing a file somewhere was such a pain :PImplosion
Everybodys seems to have missed phoenix ntcore.com/phoenix.php which is decentBallentine
I agree with Keith. If you use licensing protection simply write it in C++/CLI so it's more complex to understand how it works.Bosket
What a horrible answer. Have you actually tried decompiling lately? Decompilers have gotten better, not worse. Reflector gives near original-source quality, sans comments of course.Sulfaguanidine
@BlueRaja-DannyPflughoeft this answer is from 2008, at which point Reflector was miles behind C# 3.5 - 8 years is a long time in this sort of tech. However, I still don't think obfuscation is worth it for 3 reasons: 1) you could take a competent team off a big project and they could write it from scratch with no access to the original code in half the time. 2) you stick a new team on an unfamiliar large code base (even with comments) and they'll take ages before they can usefully enhance it, and 3) reverse engineering is always possible, but always illegal.Pitiable
@Pitiable 1. Not every project is a corporate project with multiple teams of developers, what a strangely constricted world-view. Even if they were, rewriting most programs requires some amount of reverse engineering (eg. server protocols, file formats, etc). 2. Reverse engineering is not illegal, at least not in the US. A TOS is not a contract, and is not illegal to break. Many people make their living off of reverse engineering (Antivirus devs, Mono devs, AMD engineers, etc. etc.). See hereSulfaguanidine
@BlueRaja-DannyPflughoeft ah, not what I meant, but I was short of words. Reverse engineering your product to sell as a competitor, avoid paying for it or otherwise gain competitive advantage is illegal. Obfuscation really isn't going to do anything to protect/obscure server protocols or file formats - it's really poor at hiding algorithms or anything else computational. All it does is make your business logic code hard to read back. The question is: does obfuscation protect IP? My answer is not enough to make it worth the hassle.Pitiable
@Pitiable Please, do you mean that code signing can prevent decompilation entirely??!! If yes, can self-signing certs make it?Disjunctive
@AhmedSuror no. Key signing just means strong names. Suppose you have one DLL that checks a license key - hackers decompile it, recompile a new one that bypasses the checks and replaced it. If you have strong references they can't do that, they also have to recompile everything that calls it. You're just making more work for them. Self-signed certs would still have that effect, but would potentially put off people from using your software if they do trust your authority (though possibly fine internally in a large corp with internal cert chains).Pitiable
@Pitiable As I understood, if - for example - I had a hard-coded connection string in a DLL and the DLL is signed the connection string should be encrypted and not readable even after decompilation, am I right? Also what is meant by If you have strong references ? Thanks in advanceDisjunctive
@AhmedSuror No. If you have a string in a DLL it can always be reflected. You can have a one way hash or the public part of an asymmetric key, but there's no way to have a "hard-coded connection string" that cannot be extracted. Strong named assembies are really their own topic but basically it blocks swapping one assembly for another with the same named classes/methods (which you can do in .NET otherwise).Pitiable
B
50

We've tried a number of obfuscators. None of them work on a large client/server app that uses remoting. Problem is that client and server share some dlls, and we haven't found any obfuscator that can handle it.

We've tried DotFuscator Pro, SmartAssembly, XenoCode, Salamander, and several small time apps whose names escape me.

Frankly, I'm convinced obfuscation is a big hack.

Even the problems it addresses is not entirely a real problem. The only thing you really need to protect is connection strings, activation codes, security-sensitive things like that. This nonsense that another company is going to reverse-engineer your whole codebase and create a competing product from it is something from a paranoid manager's nightmare, not reality.

Barracoon answered 5/8, 2008 at 16:20 Comment(13)
Most obfuscation tools have the ability to exclude classes or methods etc...actually Dotfuscator was introducing a feature that if it detected certain uses of the classes it would auto exclude it for youVilify
Dotfuscator itself is a client server application using web services (if you enable their SoS functionality), and Dotfuscator does use itself to obfuscate itself. So this should not be an issueVilify
Bravo Judah! The only way to stay ahead is to develop new, better code, not clinging to code you've already written. You end up investing time, effort and maybe even money into something which is irrelevant. Obfuscation is not worth it.Epicene
That's why I don't like this reputation system, you have 19 votes and you have not provided an aswer. The user is not asking for your opinion about obfuscation, he wants to know more about obfucation techniques.Busily
I provided information about my experiences using several existing obfuscators. And my opinion derived from that experience.Mccaffrey
+1 for "Frankly, I'm convinced obfuscation is a big hack." You couldn't have put it any better than this.Aliunde
A very valid need for protecting your code is selling expensive specialized apps to companies that will use them internally with only a few users. The temptation is to reverse the code to allow internally hacking and modifications for their own purposes, avoid maintenance contracts, or to even hack trial versions to get the goodies out that they need.Furore
While I get backslash17s point, as someone researching a topic, I always find it helpful for professionals discussion on whether a topic is necessary or not. Sometimes the most helpful points for me are these types of discussions.Greenwald
Even though this is an answer from 2009, I can't help but to leave a comment. This is the most naive answer I have ever seen on the internet getting so many upvotes. and if you are wondering why anyone would ever want to reverse engineer applications, you will never know because those people will not share their motives with you. But just go ahead and don't use obfuscation.... You're application will be a candy store for your competitors.Ga
@Ga Except that doesn't happen. It's like a boogey man: oh noes, these unknown people somewhere out there might just look at the compiled IL and spit out machine-generated, commentless C#! But think about that - why would they? Create a competing product? That doesn't happen; it opens the company up to legal action. Security-sensitive things? That's when you use encryption.Mccaffrey
There's nothing paranoid about it. People can download a tool and see most of your exact source code. For me it has absolutely nothing to do with people de-compiling and then re-compiling as a new app, it has to do with taking chunks of my source code for use without my permission. Apparently every app should just be open source? If you don't protect your source code that's what it ends up being. I have plenty of experience with this and looking at my own code most of the decompiled code is exactly the same as how I wrote it. Even my comments are in there.Pericardium
If you are going to leave an opinion in the future, don't make it an absolute opinion, qualify when and where your opinion applies. Here's an (non optimised) example: you are releasing a new compressor technology to partners and don't know if you'll patent it - obfuscation makes it very unlikely they'll try to reverse engineer it.Densify
Infiniminer, an inspiration for Minecraft, was abandoned after the developer released an "un-obfuscated .NET assembly", leading the community to make multiple clones each with their own balancing decisions (obviously Minecraft itself was written in Java, so it doesn't really count). The point to take from this is that it's not a boogey man, it does happen, and there is at least one famous example.Refrigerator
H
47

I am 'Knee Deep' in this now, trying to find a good solution. Here are my impressions so far.

Xenocode - I have an old licence for Xenocode2005 which I used to use for obfuscating my .net 2.0 assemblies. It worked fine on XP and was a decent solution. My current project is .net 3.5 and I am on Vista, support told me to give it a go but the 2005 version does not even work on Vista (crashes) so I and now I have to buy 'PostBuild2008' at a gobsmacking price point of $1900. This might be a good tool but I'm not going to find out. Too expensive.

Reactor.Net - This is a much more attractive price point and it worked fine on my Standalone Executeable. The Licencing module was also nice and would have saved me a bunch of effort. Unfortunately, It is missing a key feature and that is the ability to Exclude stuff from the obfuscation. This makes it impossible to achieve the result I needed (Merge multiple assemblies together, obfuscate some, not-Obfuscate others).

SmartAssembly - I downloaded the Eval for this and it worked flawlessly. I was able to achieve everything I wanted and the Interface was first class. Price point is still a bit hefty.

Dotfuscator Pro - Couldn't find price on website. Currently in discussions to get a quotation. Sounds ominous.

Confuser - an open source project which works quite well (to confuse ppl, just as the name implies).

Note: ConfuserEx is reportedly "broken" according to Issue #498 on their GitHub repo.

Heartless answered 5/8, 2008 at 16:20 Comment(7)
can you post how much dotfuscator quoted?Foch
@Anthony I recently bought a license in early 2011. The quote was $2475 USD for the minimum 1 build machine + 1 developer license. Includes 12 months of upgrades and support.Ellmyer
I wasn't using .NET Reactor when this post was made, but now you can exclude portions of your code from obfuscation using the System.Reflection.Obfuscation attribute. There are also some settings which let you do things like exclude all methods or all serializable types.Raddy
DotFuscator quoted me $4999, which was reduced to $4500 because of a 10% discount. This was for 1 dev licenses! In discussions it was reduced to $2500 but still way too expensive.Bolton
.NET Reactor now has an Exclusion Rules Editor allowing to exclude certain classes, methods or properties from obfuscation. Also, you can use checkbox "Merge Only" to exclude a specific dll from obfuscationMoise
I used .Net Reactor for years. It works fine, but there are some problems with this tool. Firstly, sometimes when you upgrade .Net Reactor to a newer version, the obfuscated code may stop working properly. It happened to me several times. In particular, you protect the same assembly with a newer version but it throws unexpected exceptions in runtime. Secondly, these guys have one of the worst supports in the world. I requested the support several times but they never answered. Very frustrating, especially taking into account the fact that the company license costs few hundred of dollars.Harney
Confuserex is not broken. It still does a great job of renaming and stripping meta dataParatrooper
P
44

Back with .Net 1.1 obfuscation was essential: decompiling code was easy, and you could go from assembly, to IL, to C# code and have it compiled again with very little effort.

Now with .Net 3.5 I'm not at all sure. Try decompiling a 3.5 assembly; what you get is a long long way from compiling.

Add the optimisations from 3.5 (far better than 1.1) and the way anonymous types, delegates and so on are handled by reflection (they are a nightmare to recompile). Add lambda expressions, compiler 'magic' like Linq-syntax and var, and C#2 functions like yield (which results in new classes with unreadable names). Your decompiled code ends up a long long way from compilable.

A professional team with lots of time could still reverse engineer it back again, but then the same is true of any obfuscated code. What code they got out of that would be unmaintainable and highly likely to be very buggy.

I would recommend key-signing your assemblies (meaning if hackers can recompile one they have to recompile all) but I don't think obfuscation's worth it.

Pitiable answered 5/8, 2008 at 16:20 Comment(16)
Totally disagree. Signing can't replace obfuscation. Signing is aimed againt hacking your code. But if you what to hide you idea, algorithms, etc obfuscation is the only way.Fluffy
I don't think signing can replace obfuscation, it just makes it much harder to hack. Obfuscation fails to hide your idea - if they want to copy that they will anyway, and obfuscation won't even make it much more difficult. In particular as algorithms are all operators obfuscation doesn't have much effect on them - they're usually one of the easiest things to extract.Pitiable
Obfuscation may not be worth it if your talking about a team with lots of resources at it's disposable, but obfuscation is great to protect against the "average" developer who wants nothing more than to use Reflector to open up your assembly and save the source code as a project and making adjustments. Obfuscation has it's place and to rule it out completely is the wrong attitude to have. It's a layer of defense.Implosion
@VincePanuccio You're missing my point: the average developer is not going to be able to decompile any .Net project >= version 2 and get something compilable thanks to all the compiler 'magic' in later versions. Obfuscation is a pain to maintain and adds massive overhead to investigating every bug/stacktrace, but it doesn't stop anyone determined and won't even slow down the casual copy-paster taking a method or two. It's an expensive and weak layer of defence that's just not worth it.Pitiable
When you decompile, the source is in a messy state but logically it still follows the same paths. There is no compiler 'magic' voodoo. I know because I had lost a repository recently and used reflector to recover the source code. Obfuscation is only a pain to "maintain", if it's is not part of your build process. It does add overhead, but are we all writing computationally intensive apps? No. It's a weak layer of defence for a weak attacker.Implosion
You're absolutely right, keeping the source map is such a HUGH overhead. I never thought storing a file somewhere was such a pain :PImplosion
Everybodys seems to have missed phoenix ntcore.com/phoenix.php which is decentBallentine
I agree with Keith. If you use licensing protection simply write it in C++/CLI so it's more complex to understand how it works.Bosket
What a horrible answer. Have you actually tried decompiling lately? Decompilers have gotten better, not worse. Reflector gives near original-source quality, sans comments of course.Sulfaguanidine
@BlueRaja-DannyPflughoeft this answer is from 2008, at which point Reflector was miles behind C# 3.5 - 8 years is a long time in this sort of tech. However, I still don't think obfuscation is worth it for 3 reasons: 1) you could take a competent team off a big project and they could write it from scratch with no access to the original code in half the time. 2) you stick a new team on an unfamiliar large code base (even with comments) and they'll take ages before they can usefully enhance it, and 3) reverse engineering is always possible, but always illegal.Pitiable
@Pitiable 1. Not every project is a corporate project with multiple teams of developers, what a strangely constricted world-view. Even if they were, rewriting most programs requires some amount of reverse engineering (eg. server protocols, file formats, etc). 2. Reverse engineering is not illegal, at least not in the US. A TOS is not a contract, and is not illegal to break. Many people make their living off of reverse engineering (Antivirus devs, Mono devs, AMD engineers, etc. etc.). See hereSulfaguanidine
@BlueRaja-DannyPflughoeft ah, not what I meant, but I was short of words. Reverse engineering your product to sell as a competitor, avoid paying for it or otherwise gain competitive advantage is illegal. Obfuscation really isn't going to do anything to protect/obscure server protocols or file formats - it's really poor at hiding algorithms or anything else computational. All it does is make your business logic code hard to read back. The question is: does obfuscation protect IP? My answer is not enough to make it worth the hassle.Pitiable
@Pitiable Please, do you mean that code signing can prevent decompilation entirely??!! If yes, can self-signing certs make it?Disjunctive
@AhmedSuror no. Key signing just means strong names. Suppose you have one DLL that checks a license key - hackers decompile it, recompile a new one that bypasses the checks and replaced it. If you have strong references they can't do that, they also have to recompile everything that calls it. You're just making more work for them. Self-signed certs would still have that effect, but would potentially put off people from using your software if they do trust your authority (though possibly fine internally in a large corp with internal cert chains).Pitiable
@Pitiable As I understood, if - for example - I had a hard-coded connection string in a DLL and the DLL is signed the connection string should be encrypted and not readable even after decompilation, am I right? Also what is meant by If you have strong references ? Thanks in advanceDisjunctive
@AhmedSuror No. If you have a string in a DLL it can always be reflected. You can have a one way hash or the public part of an asymmetric key, but there's no way to have a "hard-coded connection string" that cannot be extracted. Strong named assembies are really their own topic but basically it blocks swapping one assembly for another with the same named classes/methods (which you can do in .NET otherwise).Pitiable
G
23

If your looking for a free one you could try DotObfuscator Community Edition that comes with Visual Studio or Eazfuscator.NET.

Since June 29, 2012, Eazfuscator.NET is now commercial. The last free available version is 3.3.

Grandnephew answered 5/8, 2008 at 16:20 Comment(0)
L
18

I have been using smartassembly. Basically, you pick a dll and it returns it obfuscated. It seems to work fine and I've had no problems so far. Very, very easy to use.

Lindi answered 5/8, 2008 at 16:20 Comment(3)
Smartassembly is quite useless. A cracker puts your application into DumbAssembly and all the "protection" is removed with mouse click: woodmann.com/collaborative/tools/index.php/DumbassemblySmooth
As of now, Google safe browsing flags woodmann's site as being unsafe. Also, woodmann's site has a whole article about him previously suffering a malware infection, so I don't really want to navigate his site when Google doesn't trust it.Pyrex
SmartAssembly is crap. There are so many cases when the tool will show an error and nobody in their support team can explain what this error means and how to overcome it. Actually their support doesn't care and I have the feeling that this product is created just to make some money until it is completely dead.Compander
G
10

I have tried almost every obfuscator on the market and SmartAssembly is the best in my opinion.

Gonium answered 5/8, 2008 at 16:20 Comment(2)
Smartassembly is quite useless. A cracker puts your application into DumbAssembly and all the "protection" is removed with mouse click: woodmann.com/collaborative/tools/index.php/DumbassemblySmooth
As of now, Google safe browsing flags woodmann's site as being unsafe. Also, woodmann's site has a whole article about him previously suffering a malware infection, so I don't really want to navigate his site when Google doesn't trust it.Pyrex
S
9

I've been also using SmartAssembly. I found that Ezrinz .Net Reactor much better for me on .net applications. It obfuscates, support Mono, merges assemblies and it also also has a very nice licensing module to create trial version or link the licence to a particular machine (very easy to implement). Price is also very competitive and when I needed support they where fast. Eziriz

Just to be clear I'm just a custumer who likes the product and not in any way related with the company.

Selfsatisfaction answered 5/8, 2008 at 16:20 Comment(7)
I have a number of friends who swear by .Net Reactor - though not on the products website there's a helpful google group for the product as well: groups.google.com/group/net-reactor-users?hl=enElectrophoresis
+1 for Eziriz. I've had excellent results with it. It's the best there is right now, IMO.Acatalectic
.NET Reactor Sucks. I changed my computer, sent email twice regarding the license file, and got no answer. You see the .NET Reactor license is hardware locked.Shortstop
Thats normal. How do you expect that they believe you? How do they know that you really changed your computer and are not trying to run a licence of your friend on your computer? For that is a hardware lock! If it could be used on multiple computers a hardware lock would be useless.Smooth
(PS. We chose Reactor largely on the basis of this SO response.)Loge
I wrote an application to parse C# projects and obfuscate on the source code level and then build the projects. I have a reason for that: I have to build it against WinForms, Web, Mono, Silverlight, and WPF. And they all run wellInfield
I'm using Reactor for a quite long time now, and till this moment I cannot figure out how to use their license system!!Disjunctive
G
7

The short answer is that you can't.

There are various tools around that will make it harder for someone to read your code - some of which have been pointed out by other answers.

However, all these do is make it harder to read - they increase the amount of effort required, that is all. Often this is enough to deter casual readers, but someone who is determined to dig into your code will always be able to do so.

Gobbledegook answered 5/8, 2008 at 16:20 Comment(3)
if(efforts.Required > codeFromScratch.Costs) DoNoReverseEngineer();Slavophile
@NicolasDorier, Operator '>' cannot be applied to operands of type 'System.TimeSpan' and 'decimal'Hyphenate
@Saeb sure they can, casting from TimeSpan to money(decimal) is what most businesses are about.Dasyure
M
6

Crypto Obfuscator address all your concerns and scenarios. It :

  1. Automatically excludes types/members from obfuscation based on rules. Serialized types/fields are one of them.
  2. It can be integrated into the build process using MSBUild.
  3. Supports ASP.Net projects.
Materfamilias answered 5/8, 2008 at 16:20 Comment(3)
fyi @Materfamilias wrote Crypto.Dividivi
Crypto appears to be no longer supported.Paperboard
I've tried several, "Crypto" seemed very aggressive and helpful, but when running the obfuscated DLL in De4dot I got the original code... Sorry for ruining the party....Teece
I
6

We have a multi tier app with an asp.net and winform interface that also supports remoting. I've had no problems with using any obfuscator with the exception of the encrypting type which generates a loader which can be problematic in all sorts of unexpected ways and just not worth it in my opinion. Actually my advice would be more along the lines of "Avoid encrypting loader type obfuscators like the plague". :)

In my experience any obfuscator will work fine with any aspect of .net including asp.net and remoting, you just have to become intimate with the settings and learn how far you can push it in which areas of your code. And take the time to attempt reverse engineering on what you get and see how it works with the various settings.

We used several over the years in our commercial apps and settled on Spices obfuscator from 9rays.net because the price is right, it does the job and they have good support though we really haven't needed the support in years anymore but to be honest I don't think it really matters which obfuscator you use, the issues and learning curve are all the same if you want to have it work properly with remoting and asp.net.

As others have mentioned all you're really doing is the equivalent of a padlock, keeping otherwise honest people out and or making it harder to simply recompile an app.

Licensing is usually the key area for most people and you should definitely be using some kind of digitally signed certificate system for licensing anyway. Your biggest loss will come from casual sharing of licenses if you don't have a smart system in place, the people that break the licensing system were never going to buy in the first place.

It's really easy to take this too far and have a negative impact on your customers and your business, do what is simple and reasonable and then don't worry about it.

Ivon answered 5/8, 2008 at 16:20 Comment(0)
H
5

For the past two days I've been experimenting with Dotfuscator Community Edition advanced (a free download after registering the basic CE that comes bundled with Visual Studio).

I think the reason more people don't use obfuscation as a default option is that it's a serious hassle compared to the risk. On smaller test projects I could get the obfuscated code running with a lot of effort. Deploying a simple project via ClickOnce was troublesome, but achievable after manually signing the manifests with mage. The only problem was that on error the stack trace came back obfuscated and the CE doesn't have a deobfuscator or clarifier packaged.

I tried to obfuscate a real project which is VSTO based in Excel, with Virtual Earth integration, lots of webservice calls and an IOC container and lot's of reflection. It was impossible.

If obfuscation is really a critical requirement, you should design your application with that in mind from the start, testing the obfuscated builds as you progress. Otherwise, if it's a fairly complex project, you're going to end up with a serious amount of pain.

Haiti answered 5/8, 2008 at 16:20 Comment(0)
C
4

I've recently tried piping the output of one free obfuscator into the another free obfuscator - namely Dotfuscator CE and the new Babel obfuscator on CodePlex. More details on my blog.

As for serialization, I've moved that code into a different DLL and included that in the project. I reasoned that there weren't any secrets in there that aren't in the XML anyway, so it didn't need obfuscation. If there is any serious code in those classes, using partial classes in the main assembly should cover it.

Crookes answered 5/8, 2008 at 16:20 Comment(1)
-1, because "yo dawg, I heard you like obfuscators so I ran an obfuscator on the output of an obfuscator... want to know more? gimme page hits". But I find the second paragraph a very good suggestion.Word
C
3

I found the Agile.Net provide pretty good protection for your .Net Assembly because it offer not only obfuscation but also encryption. Download a free trail.
http://secureteam.net/NET-Code-Protection.aspx http://secureteam.net/downloads.aspx

Cytokinesis answered 5/8, 2008 at 16:20 Comment(1)
Eazfuscator said why not MSIL encription: see gapotchenko.com/eazfuscator.net/kb/100028Unmitigated
N
3

Avoid Reactor. It is completely useless (and yes I paid for a license). Xenocode was the best one I encountered and bought a license for too. The support was very good but I didn't need it much as it just worked. I tested every obfuscator I could find and my conclusion is that xenocode was far and away the most robust and did the best job (also possibility to post process your .NET exe to a native exe which I didn't see anywhere else.).

There are two main differences between reactor and xenocode. The first one is that Xenocode actually works. The second is that the execution speed of your assemblies is no different. With reactor it was about 6 million times slower. I also got the impression that reactor was a one man operation.

Nonunion answered 5/8, 2008 at 16:20 Comment(1)
.NET Reactor has a lot of options. Some of them involve runtime protection and will slow down application a bit, but this is the price for additional security you get. However I seriously doubt if there will be any slow down if you'll just use .NET Reactor obfuscation, without any other optionsMoise
A
3

You could use "Dotfuscator Community Edition" - it comes by default in Visual Studio 2008 Professional. You can read about it at:

http://msdn.microsoft.com/en-us/library/ms227240%28VS.80%29.aspx
http://www.preemptive.com/dotfuscator.html

The "Professional" version of the product costs money but is better.

Do you really need your code obfuscated? Usually there is very little wrong with your application being decompiled, unless it is used for security purposes. If you are worried about people "stealing" your code, don't be; the vast majority of people looking at your code will be for learning purposes. Anyway, there is no totally effective obfuscation strategy for .NET - someone with enough skill will always be able to decompile/change you application.

Amesace answered 5/8, 2008 at 16:20 Comment(3)
+1 for this. I've tried just about every free .NET obfuscator out there, and Dotfuscator was the only one that actually obfuscated a substantial proportion of the MSIL in my ASP.NET applications.Predicate
@Saille, have you used the free Dotfuscator - Community Edition for that? I just had a sales chat and they say the pro edition costs 2000 EUR. :(Gunpowder
Dotfuscator is worthless.Blowzed
C
3

I have had no problems with Smartassembly.

Capitulary answered 5/8, 2008 at 16:20 Comment(0)
D
3

You should use whatever is cheapest and best known for your platform and call it a day. Obfuscation of high-level languages is a hard problem, because VM opcode streams don't suffer from the two biggest problems native opcode streams do: function/method identification and register aliasing.

What you should know about bytecode reversing is that it is already standard practice for security testers to review straight X86 code and find vulnerabilities in it. In raw X86, you cannot necessarily even find valid functions, let alone track a local variable throughout a function call. In almost no circumstances do native code reversers have access to function and variable names --- unless they're reviewing Microsoft code, for which MSFT helpfully provides that information to the public.

"Dotfuscation" works principally by scrambling function and variable names. It's probably better to do this than publish code with debug-level information, where the Reflector is literally giving up your source code. But anything you do beyond this is likely to get into diminishing returns.

Disarticulate answered 5/8, 2008 at 16:20 Comment(0)
P
2

Here's a document from Microsoft themselves. Hope that helps..., it's from 2003, but it might still be relevant.

Plight answered 5/8, 2008 at 16:20 Comment(0)
C
2

I've been obfuscating code in the same application since .Net 1, and it's been a major headache from a maintenance perspective. As you've mentioned, the serialization problem can be avoided, but it's really easy to make a mistake and obfuscate something you didn't want obfuscated. It's easy to break the build, or to change the obfuscation pattern and not be able to open old files. Plus it can be difficult to find out what went wrong and where.

Our choice was Xenocode, and were I to make the choice again today I would prefer to not obfuscate the code, or use Dotfuscator.

Carbuncle answered 5/8, 2008 at 16:20 Comment(0)
P
1

There's a good open source version called Obfuscar. Seems to work fine. Types, properties, fields, methods can be excluded. The original is here: https://code.google.com/p/obfuscar/, but since it seems to not be updated anymore

Pearce answered 5/8, 2008 at 16:20 Comment(1)
I had a look at this today - note date of my comment! - and it's a bit messy to get going. I also lost the best part of hour trying to get it to re-sign the assembly using a .pfx file. It threw an unintelligible, undocumented error; seems you can only sign using an .snk.Nolan
M
1

I had to use a obfuscation/resource protection in my latest rpoject and found Crypto Obfuscator as a nice and simple to use tool. The serialization issue is only a matter of settings in this tool.

Materfamilias answered 5/8, 2008 at 16:20 Comment(2)
@logicnp, this is your second post in this thread endorsing this product. Please disclose if you have a relationship to the developer of this product.Forsyth
Sorry but de4dot can deobfuscate that. I would recommend using ConfuserEx.Toneme
E
1

the free way would be to use dotfuscator from within visual studio, otherwise youd have to go out and buy an obfuscator like Postbuild (http://www.xenocode.com/Landing/Obfuscation.aspx)

Ellora answered 5/8, 2008 at 16:20 Comment(1)
im not sure i understand the downvote here, why not give an explanation?Ellora
P
1

It all depends on the programming language, which you use. Read the article: Obfuscated code

Precious answered 5/8, 2008 at 16:20 Comment(0)
T
1

We're using SmartAssembly on our windows client. Works just fine.

Does add some extra problems too. Printing out your class names in log files/exceptions have to be de-obfuscated. And of course can't create a class from its name. So it's a good idea to take a look at your client and see which problems you can get by obfuscating.

Timothee answered 5/8, 2008 at 16:20 Comment(0)
S
0

SmartAssembly is great,I was used in most of my projects

Stanchion answered 5/8, 2008 at 16:20 Comment(0)
R
0

I also use smartassembly. However, I don't know how it works for a web application. However, I'd like to point out that if your app uses shareware type protection, make sure it don't check a license with a boolean return. it's too easy to byte crack. http://blogs.compdj.com/post/Binary-hack-a-NET-executable.aspx

Remorseless answered 5/8, 2008 at 16:20 Comment(0)
D
0

You may also want to look at new code protection technologies such as Metaforic and V.i.Labs and new software copy protection technologies such as ByteShield. Disclosure: I work for ByteShield.

Dianndianna answered 5/8, 2008 at 16:20 Comment(0)
S
-1

Obfuscating is not a real protection.

If you have a .NET Exe file there is a FAR better solution.

I use Themida and can tell that it works very well.

The only drawback of Themida is that it cannot protect .NET Dlls. (It also protects C++ code in Exe and DLLs)

Themida is by far cheaper than the here mentioned obfuscators and is the best in anti piracy protection on the market. It creates a virtual machine were critical parts of your code are run and runs several threads that detect manipulation or breakpoints set by a cracker. It converts the .NET Exe into something that Reflector does not even recognize as a .NET assembly anymore.

Please read the detailed description on their website: http://www.oreans.com/themida_features.php

Smooth answered 5/8, 2008 at 16:20 Comment(0)
H
-1

I tried Eziriz demo version....I liked it. But never brought the software.

Hoskins answered 5/8, 2008 at 16:20 Comment(1)
how can this be a wiki answer from the community?Francklin
B
-2

I have tried a product called Rummage and it does a good job in giving you some control ... Although it lacks many things that Eziriz offers but price for Rummage is too good...

Beare answered 5/8, 2008 at 16:20 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.