Best method to obfuscate or secure .Net assemblies [closed]

Asked 12/9, 2008 at 20:38 Answered 12/9, 2008 at 22:15

I'm looking for a technique or tool which we can use to obfuscate or somehow secure our compiled c# code. The goal is not for user/data security but to hinder reverse engineering of some of the technology in our software.

This is not for use on the web, but for a desktop application.

So, do you know of any tools available to do this type of thing? (They need not be free)

What kind of performance implications do they have if any?

Does this have any negative side effects when using a debugger during development?

We log stack traces of problems in the field. How would obfuscation affect this?

Beluga answered 12/9, 2008 at 20:38 Comment(1)

duplicate: #3025 – Johnston 21/8, 2009 at 13:52

This is a pretty good list of obfuscators from Visual Studio Marketplace Obfuscators

ArmDot
Crypto Obfuscator
Demeanor for .NET
DeployLX CodeVeil
Dotfuscator .NET Obfuscator
Semantic Designs: C# Source Code Obfuscator
Smartassembly
Spices.Net
Xenocode Postbuild 2006
.NET Reactor

I have not observed any performance issues when obfuscating my code. If your just sending text basted stack traces you might have a problem translating the method names.

Lucindalucine answered 12/9, 2008 at 21:56 Comment(4)

It would be nice to have links. If you get a chance, could you add them? – Paintbrush 14/9, 2008 at 16:52

@newbieguy I have tried to use ConfuserEx because it is free and open source but after obfuscating my exe file, virustotal detected it as a virus (when I scan my exe it without obfuscating it is clear). Not acceptable. – Kammerer 9/2, 2018 at 20:49

I don't disagree with you, its true that almost any antivirus program detects it too. Its because (afaik) many people uses ConfuserEx on obfuscating their virus (excuse my english). – Gonocyte 10/2, 2018 at 21:16

This is not a problem of the obfuscator.. I it is bad anti-virus software which gives false alarms. If you have a software which is protected by strong protection (this applies also to protected C++ software) you will almost always get false alarms from antivirus software. On the other hand antivirus software does not detect many real threats. So I do not use antivirus software at all. I have no infection since decades. Antivirus makes your computer very slow and the detection ratio of real threats is not more than 80%. On the other hand these false alarms suck. – Barren 12/6, 2018 at 16:18

There are tools that also 'deobfuscate' obfuscated DLLs - I'd suggest turning the piece that needs to be protected into an unmanaged component.

Bongbongo answered 12/9, 2008 at 21:2 Comment(2)

At which point we will just turn to de-assemblers just like they do for cracking the copy-protection on computer games. – Defroster 12/9, 2008 at 21:58

@Jonathan Allen: It's called disassembler, not de-assembler. By the way, you don't need to disassemble. HexRays has a good C/C++ DECOMPILER (See IDA Pro Advanced). – Schreibman 11/12, 2016 at 8:38

http://xheo.com/products/code-protection

Done the job for me in the past.

Morganstein answered 12/9, 2008 at 22:15 Comment(0)

-9

You are wasting your time going down that path. If you have code that you don't want anyone to see, you need to keep it behind closed doors. For example, only execute that code on your own server using a web service interface.

Obfuscating your code only deters the most casual of people. As the video game industry leaned a long time ago, no code is safe from cracking.

Defroster answered 12/9, 2008 at 22:1 Comment(4)

It's absolutely true that none of the protection options will stop the most determined attacks. That doesn't translate to "wasting your time". That's comparable to suggesting you not lock your car when you leave it because a skilled thief can break in. It's still an asset worth protecting and it's negligent not to try and protect it. There is a balance to be struck between protection and aggravating customers and making a minor investment in protecting against 99% of the script kiddies and attackers out there. – Esoteric 5/5, 2009 at 0:52

Safety from unauthorized use of a "cracked" copy is not the same as safety from reverse engineering to extract code for a competitive product. If competition requires improvements and evolution, perhaps obfuscation is sufficient for programs that are already complicated pre-obfuscation. – Samuella 2/12, 2014 at 17:26

Cracking a video game is very interesting for crackers, so the best crackers in the world get involved. But few people are able to reverse engineer assembler code. This is done by very experienced crackers. Did you know that even experts in Antivirus companies needed several MONTHS to analyze Stuxnet? You should not think that these experts will have the time and motivation to crack YOUR code. An ordinary application is not as interesting as a video game. Everything can be cracked in theory. But how much is the effort and who is willing to invest that much time in cracking YOUR application? – Barren 12/6, 2018 at 16:48

you are missing the point, obfuscation is to stop someone stealing your code not to deter a hacker - if they do steal it, all they get is unmaintainable rubbish, that would be easier for them to write their own code than de-obfuscate it. – Acinus 17/6, 2021 at 11:45

Recommended topics

Hot tags