Should you obfuscate a commercial .Net application?
Asked Answered
F

16

40

I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe from reverse engineering?

Facetious answered 16/9, 2008 at 10:56 Comment(7)
Something to think about - Visual Studio 2010 is heavy in its use of managed code, and it's not obfuscated. In that case, it's a life saver because it's the only hope of figuring out some of the extensibility APIs (some Visual Studio features are simply extensions that install with the main product).Sunglasses
Nothing is safe from reverse engineering. What is the threat you're trying to defend against, specifically? How much do you stand to lose if somebody does reverse engineer your code? An obfuscator will slow people down, and keep some people out, but it can't be perfect, and it will have its own costs. Balance them wisely.Regan
Nope: github.com/0xd4d/de4dot/wiki/ChangelogSubbasement
Sure, nothing is safe from a determined reverse engineer, but that doesn't mean rolling over and giving out your code is the best option. A hurdle, no matter how marginal, is still a hurdle. That said, you have to consider the cost/benefit of obfuscating your code and determine if any downsides are worth it.Pro
It might be useful to qualify opinions of safety by saying what kind of engineering is not protected against. So for example if you have a license nag I think I would agree that "nothing is safe" from having it removed, however, in the matter of safety from the thief making the product his own, maintainable and enhanceable, probably depends on the original complexity pre-obfuscation and what kind of enhancements are likely to be attractive.Pissed
This is what I hate about .NET products. Nice to finally be able to do native x64 code, but the cost is your code is completely exposed due to the way MSIL works vs OpCode.Glower
Does this answer your question? Protect .NET code from reverse engineering?Midyear
G
40

You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.

It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.

Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)

You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.

Globose answered 16/9, 2008 at 11:3 Comment(5)
If they're properly obfuscated, wouldn't those logs become -near impossible- to interpret? "Much more difficult" seems a bit of an understatement here ;)Indwell
Well, keep in mind that (in theory) you have the original code to help, as well as the text of the log messages. The only thing that should be obfuscated would be the class and member names. In addition, many tools (Dotfuscator is one) create a map file to tell you what obfuscated construct name maps back to which original name - this can make it a pain to figure out exactly where the log messages come from, but nowhere near impossible.Globose
Also, the names of public and protected types and members are not obfuscated in order to preserve the API, so some parts of your stack traces will remain intact even after obfuscation.Schizophyceous
the free version of DotFuscator is garbage. It only obfuscates method names, not strings, etc. Code is still readable and easy to follow with Reflector.Glower
Dotfuscator Community Edition is only free for personal use. It is not free for commercial use.Hodge
P
29

Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.

If you have secrets in your code (like passwords), you're doing it wrong.

If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.

Pilloff answered 16/9, 2008 at 13:30 Comment(0)
D
12

At our company we evaluated several different obfuscation technologies, but they all had problems. The biggest problem was that we rely a lot on reflection, e.g. to dynamically create grids based upon property names.

So all of the obfuscators rename things, you can disable it of course, but then you lose a lot of the benefit of obfuscation.

Also, in our code we have a lot of NUnit tests which rely on a lot more of the methods and properties being public, this prevented some of the obfuscators from being able to obfuscate those classes.

In the end we settled on a product called .NET Reactor

It works very well, and we don't have any of the problems associated with the other products.

"In contrast to obfuscators .NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code. In detail, .NET Reactor builds a native wall between potential hackers and your .NET code. The result is a standard Windows based, not MSIL compatible, file. The original .NET code remains intact, well protected by native code and invisible for prying eyes. The original .NET code is not copied on harddisk at any time. There is no tool which is able to decompile .NET Reactor protected assemblies."

Dogfight answered 16/9, 2008 at 11:18 Comment(4)
Based on your description, this wouldn't appear to stop a determined hacker with an x86 decompiler. If a computer can execute it then the code can be decompiled.Zeeba
@Zeeba : You try and reverse engineer a native code application. A simple for loop will be tens of instructions apparently unrelated.Sosthina
Ripping the .net code from a packed .net application from anything packed with Reactor is trivial at best. There are even several tutorials out there for it.Onwards
And based on your description automatically destroys any portability benefit.Ductile
K
7

The fact that you actually can reverse engineer it does not make obfuscation useless. It does raise the bar significantly.

An unobfuscated .NET assembly will show you all the source, highlighted and all just by downloading the .NET Reflector. Add obfuscation to that and you'll reduce very significatively the amount of people who'll be able to modify the code.

It depends on you are you protecting yourself from. If you'll ship it unobfuscated, you might as well open source the application and benefit from marketing. Shipping it obfuscated will only allow people to relatively easily generate modified binaries through patches instead of being able to steal your code and create a direct competitor. Getting the actual source from obfuscated code is very hard, depending on the obfuscator, of course.

Kimbell answered 16/9, 2008 at 11:11 Comment(0)
M
4

I think that it depends on the type of your product. If it is directed to be used by developers - obfuscation will hurt your customers. We've been using the ArcGIS products at work, and all the DLLs are obfuscated. It's making our job a lot harder, since we can't use Reflector to decipher weird behaviors. And we're buying customers who paid thousands of dollars for the product.

So please, don't obfuscate unless you really have to.

Measurement answered 16/9, 2008 at 13:22 Comment(0)
T
4

Things you should take into account:

  • Obfuscation does not protect your code or logic. It just makes it harder to read and understand.
  • Obfuscation does no one stop from reverse engineering. It just slows the process down.
  • Your intellectual property is protected by law in most countries. So if an competitor uses your code or specific implementation, you can sue him.

The one and only problem obfuscation can solve is that someone creates a 1:1 (or close to 1:1) copy of your specific implementation.

Also in an ideal world reverse engineering of an obfuscated application is economical unattractive.

But back to reality:

  • There exists no tool on this planet that stops someone from copying user interfaces, behaviors or results any application provide or produce. Obfuscation is in this situations 100% useless
  • The best obfuscator on the market cannot stop one from using some kind of disassembler or hex editor and for some geeks this is pretty good to look into the heart of an application. It's just harder than on an unobfuscated code.

So the reality is that you can make it harder and more time consuming to look into your application but you won't really get any reliable protection. Regardless if you use a free or an commercial product.

Advanced technologies like control flow obfuscation or code virtualization may help to make understanding of logic sometimes really hard but they can also cause a lot of funny and hard to debug or solve problems. So they are sometimes more like an additional problem than a solution.

From my point of view obfuscation is not worth the money some companies charge for their products. If you want to nag casual developers, open source obfuscators are good enough. If you want to make it as hard as possible to look into the heart of your applications, you need to use cryptographic containers with virtual execution environments and virtual filesystems but they also provide attack vectors and may also be a source for a bag full of problems.

Your intellectual property and your products are in most countries protected by law. So if there's one competitor analyzing and copying your code, you can sue him. If a bad guy or and hacker or cracker takes your application you are pranked - but an obfuscator does not make a difference.

So you should first think about your targets, your market and what you want to achieve with an obfuscator. As you can read here (and at other places) obfuscation does not really solve the problem of reverse engineering. It only makes it harder and more time consuming. But if this is what you want, you may have a look to open source obfuscators like e.g. sharpObfuscator or obfuscar which may be good enough to nag casual coders (a List can be found here: List of .NET Obfuscators on Wikipedia).

If it is possible in your scenario you might also be interested in SaaS-Concepts. This means that you provide access to your software but not the software itself. So the customer normally has no access to your assemblies. But depending on service level, security and user base it can be expensive, complex and difficult to realize a reliable, confident and performant SaaS-Service.

Thirtyeight answered 19/4, 2014 at 0:49 Comment(0)
P
3

No, obfuscation has been proven that it does not prevent someone from being able to decipher the compiled code. It makes it more difficult to do so but not impossible.

Pulpboard answered 16/9, 2008 at 10:58 Comment(0)
G
3

I've had success putting the output from one free obfuscator into a different obfuscator. In Dotfuscator CE, only some of the obfuscation tricks are included, so using a second obfuscator that has different tricks makes it more obfuscated.

Goodall answered 16/9, 2008 at 11:10 Comment(5)
That's like claiming that applying ZIP after RAR makes the archive smaller.Ductile
No it isn't. There are some things that aren't obfuscated in CE, and loading the obfuscated DLL in Reflector shows up the unobfuscated items as clearly readable. After obfuscating with the second tool, these items are obfuscated, and there is nothing readable in Reflector.Goodall
Enjoy debugging those stack traces from your customers when your app crashes.Infiltration
There's a mapping file generated, so (although tedious) it is possible to match them up again.Goodall
You may also use a third and a fourth obfuscator. But it wont change the facts. Obfuscation is almost useless if the target is protection of intellectual property or if you want to make reverse engineering impossible. IMHO obfuscation is just snake oil. Most applications have a user interface. They require some kind of input and they may create some output. The user may interact in some way. Reverse engineering often isn't necessary in this cases. Observing and thinking most likely is enough for a skilled developer to create a "copy cat" ;-)Thirtyeight
Q
3

I am very confortable reading x86 assembly code, what about people that is working with assembly for more than 20 years ?

You will always find someone that only need a minute to see what your c# or c code is doing...

Quarantine answered 21/10, 2009 at 13:0 Comment(0)
V
3

Just a note to anyone else reading this years later - I just skimmed through the Dotfuscator Community Edition (that comes with VS2008) license a few hours ago, and I believe that you cannot use this version to distribute a commercial product, or to obfuscate code from a project that involves any developers other than yourself. So for commercial app developers, it's really just a trial version.

Vestry answered 26/1, 2010 at 9:16 Comment(1)
As far as I can tell from preemptive.com/eula, this restriction applies to the evaluation period (of premium versions?), not the Community Edition.Scandium
B
2

...snip... these messages can become much more difficult to interpret

Yes, but the free community edition that comes with Visual Studio has a map functionality. With that you can back track the obfuscated method names to the original names.

Bran answered 16/9, 2008 at 11:10 Comment(0)
P
1

It's quite simple to reverse engineer a .net app using .net reflector - since the app will generate VB, VC and C# code straight from the MSIL, and it's possible to pull out all kinds of useful gems.

Code obfuscators hide code quite well from most reverse engineering hacks, and would be a good idea to use on proprietary and competitive code that adds value to your app.

There's a pretty good article on obfuscation and it's workings here

Polygynist answered 16/9, 2008 at 11:5 Comment(1)
Good code obfuscators will cause apps like ILDASM and Reflector to crash... but that still doesn't stop people that really want to know how your code works.Infiltration
B
1

This post and the surrounding question have some discussion which might be of value. It isn't a yes-or-no issue.

Bromism answered 16/9, 2008 at 13:26 Comment(0)
R
1

Yes you definitely should. Not to protect it from a determined person, but to get some profit and have customers. By the way, if you reach a point here someone tries to crack your software, that means you sell a popular software.

The problem is what tool to choose for the job. Check out my experience with commercial obfuscators: https://stackoverflow.com/questions/337134/what-is-the-best-net-obfuscator-on-the-market/2356575#2356575

Rotz answered 24/4, 2010 at 21:45 Comment(0)
C
0

Yes, we do. We use BitHelmet obfuscator. It's new, but it works really well.

Cowen answered 6/4, 2010 at 13:45 Comment(0)
G
0

But is it really worth the effort to select, buy and use such a tool?

I found Eazfuscator cheap (free), and easy to use: took about a day. I already had extensive automated tests (good coverage), so I reckon I could find any bugs that are/were introduced by obfuscation.

Glycogenesis answered 24/4, 2010 at 21:57 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.