What do you use to protect your .NET code from reverse engineering? [closed]
R

9

14

For a while we were using a tool called CodeVeil. I'm just wondering if there are better alternatives out there.

Edit: Before more people misunderstand the question, I'm aware that a determined cracker would probably be able to defeat any of these tools. I'm not too concerned about them though. These tools are just meant to stop the "casual cracker", and to stop people from stealing our company's IP. If they're good enough to get past a decent tool, they probably aren't interested in stealing our crappy code :-P

Ricker answered 20/9, 2008 at 2:15 Comment(0)
V
5

I've had a lot of success with Xenocode Postbuild. The tool can obfuscate .NET assemblies, protect against Reflector disassembly, combine .NET assemblies into a single executable ("virtualization") and even compile .NET applications to standalone executables that do not need .NET runtime installed.

Vanhook answered 20/9, 2008 at 3:15 Comment(0)
F
4

I remain unconvinced by the value of these tools. None of the technology solutions prevent reverse engineering any better than legal guards such as licences, trademarks, patents, copyrights etc...

.NET really is a large transparent source movement. It's much better that instead you frame terms of use around your IP such as licencing and copyright.

Frangos answered 20/9, 2008 at 2:22 Comment(5)
And when you export your software to a country that does not play by the same rules as your own country does? (China, for example). Please do not state truisms that are obviously non-true. – Connotation
Casper, the point is that none of these tools will protect your software from folk determined to reverse-engineer/crack them. Agree that there are plenty of countries that don't enforce/respect any IP law - but as I pointed out, these tools won't protect you any better either. At best they deter casual inspection. – Frangos
Again with the truisms: A properly obfuscated assembly will be orders of magnitude harder to reverse engineer than non-obfuscated assemblies. That is a fact which you can examine yourself. If you feel you have some insight into why this is not the case, please supply argumentation, instead of stating truisms. However I do share your sentiment, that we should not really waste our time and money with obfuscation, but that doesn't change the fact that doing so WILL make it harder to reverse engineer. – Connotation
We can split hairs over "harder", but it seems fruitless. It's minutes not hours now before my code is usable in someone else's project. Grab Reflector and have a look at the C# output from an obscured assembly. It already has shape and essence of your code albeit name-mangled naming and optimized. Throw in a decent refactoring tool like Resharper and start copying and pasting. It's quite sickening how simple it is now. – Frangos
It really depends on the reason for obfuscation and the size of the project. If you are trying to protect an algorithm, then yes, obfuscation does not really make sense. If you are trying to protect a whole software suite from being reverse engineered and maintained by another company, then NO you are not correct. For any reasonably sized project obfuscation will make it untenable to maintain and extend. – Connotation
A
4

Compiling your .NET application results in output assemblies that contain a great deal of meta information. This information makes it very easy to reconstruct something very close to the original code. An excellent free tool called .NET Reflector can be used to do exactly that and is a popular way to examine how the base class libraries work. Download and use that tool to view reconstructed C#/VB.NET versions of assembly contents.

If you're a commercial organization then you do not want people to find it easy to look at your expensive-to-produce code. A popular method is to use Obfuscation to scramble the contents in a way that does not alter how it runs but does make it hard to understand. Obfuscation uses techniques such as renaming variables and methods. Working out the purpose of methods 'a1', 'a2', 'a3' is much harder than the original 'GetName', 'UpdateInterestRate' and 'SetNewPassword'.

So using obfuscation makes it much harder for people to understand what your code is doing and the algorithms it uses. It does not however make it impossible. In the same way C++ code can still be understood by an assembler expert who is willing to spend time working through your binary, an MSIL expert can eventually work out your obfuscated code. But it increases the barrier to the point where few will bother trying.

Anastatius answered 20/9, 2008 at 2:50 Comment(0)
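
The metadata point in the answer above can be checked against your own build output before release. The following C# program is an added example, not part of any answer in this thread; the class name `MetadataAudit` and the "readable name" heuristic are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;

static class MetadataAudit
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
                             BindingFlags.Instance | BindingFlags.Static |
                             BindingFlags.DeclaredOnly;

    // Heuristic (assumption): a name of 4+ characters containing a lowercase
    // letter was probably written by a developer, not generated by a renamer.
    static bool LooksReadable(string name) =>
        name.Length >= 4 && name.Any(char.IsLower) && !name.StartsWith("<");

    static int Main(string[] args)
    {
        // Inspect the given build output, or this program itself if no path is given.
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0])
                                       : typeof(MetadataAudit).Assembly;
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException e)
        {
            // Some dependencies may be missing; keep the types that did load.
            types = e.Types.Where(t => t != null).ToArray();
        }

        int total = 0, readable = 0;
        foreach (Type t in types)
        {
            foreach (MemberInfo m in t.GetMembers(All))
            {
                // Public API of a library cannot be renamed without breaking callers,
                // so only non-public methods and fields are counted.
                bool isPrivate = (m is MethodInfo mi && !mi.IsPublic) ||
                                 (m is FieldInfo fi && !fi.IsPublic);
                if (!isPrivate) continue;
                total++;
                if (!LooksReadable(m.Name)) continue;
                readable++;
                Console.WriteLine($"{t.FullName}.{m.Name}");
            }
        }
        Console.WriteLine($"{readable} of {total} non-public members keep readable names");
        // Non-zero exit lets a release pipeline fail when renaming was not applied.
        return readable == 0 ? 0 : 1;
    }
}
```

Run against an unobfuscated build it lists names such as `UpdateInterestRate` verbatim; run against the obfuscated output it shows which members the renamer skipped.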
C
3

Honestly, there isn't a lot you can do besides some obfuscation with tools like you mentioned. .NET is just a step above scripting languages, except the script commands are binary and are called IL. That's a little oversimplification, but it's not too far off reality. Any good program written using Reflection can be used to reverse engineer .NET applications, or if you have enough knowledge, a good hex editor.

Candlepower answered 20/9, 2008 at 2:20 Comment(0)
J
3

Sorry to resurrect an old post, but I think Eziriz's .NET Reactor works brilliantly.

In fact I use it myself for all my .NET apps and apparently there is no existing tool out there that can decompile a program protected with .NET Reactor. More details can be found on their info page, http://www.eziriz.com/dotnet_reactor.htm. Test it out with the trial version and .NET Reflector and you can see for yourself.

Juieta answered 8/12, 2008 at 9:39 Comment(2)
The pricing definitely seems to be more attractive than CodeVeil – Ricker
Yep, worth every cent, and comes with a basic licencing manager :) – Juieta
S
2

There are several popular tools for obfuscation, including Dotfuscator, which has a "light" version that ships with Visual Studio 2005 and 2008. They have a Pro version that does more than just variable and function name renaming. However, the code is still viewable, it is just scrambled a bit to make it harder to read and grok the logic flow of the software.

Another technique is to use other programs that will encrypt the program, and decrypt it at runtime. However, this is not a perfect solution either. In fact, there is no perfect solution that I am aware of that will prevent a determined engineer from reverse engineering the software, if enough time and effort is applied to it.

What it really comes down to is determining the level of protection that will make it sufficiently difficult to dissuade the casual hacker, and make it as expensive to reverse engineer as you can, so at least the reverse engineering comes at a cost in either time or money, or ideally, both. The more expensive the reverse engineering costs, the fewer number of individuals that will be willing to put in the effort. And that is the big point to obfuscation.

Some think that using a compiler like the C++ compiler that compiles to native code will prevent this sort of reverse engineering, but it doesn't. A good disassembler will allow even pure binary executables to be reverse engineered, so therefore, a perfect solution does not exist. If the computer can read it and execute it, then the memory the computer is using can be scanned and tracked, bypassing all attempts to encrypt, obfuscate, or any other means of keeping your code out of the hands of a determined engineer.

Shiv answered 20/9, 2008 at 2:33 Comment(0)
K
1

DISCLAIMER: I don't work for RedGate the makers of SmartAssembly. I'm just a very happy customer who found a good, affordable solution.

The choice is very simple, choose SmartAssembly! Don't waste your time or money with the other obfuscators in the marketplace. I spent more money in terms of non-billable hours evaluating competing products. They all had fatal flaws and were next to impossible to debug. SmartAssembly is an easy-to-use, well documented, polished application with excellent support. Post a question on their forum and expect an answer reasonably fast by the actual developers.

SmartAssembly is more than an obfuscator. It has a slew of features, including a built-in, highly customizable crash report generator that your customers can automatically email to you. You can view these reports on either your own server or on Red Gate's servers. I can't tell you how useful this is when you're beta testing or releasing the product to customers. It also generates debugger files so you can debug any post-release issues you may encounter with your obfuscated product.

If you are delivering a commercial application, it makes sense to spend the money on a decent obfuscator. A bad choice here can compromise your intellectual property or worse lead you to days of gruesome debugging. What would this cost in comparison to what SmartAssembly costs?

Kristinakristine answered 27/7, 2011 at 19:15 Comment(0)
D
-2

I've heard that Obfusticator is good; it's used on .Net Reflector.

Delastre answered 20/9, 2008 at 2:18 Comment(0)
R
-2

Another is Crypto Obfuscator - it's more affordable than some others, and has various obfuscation and protection methods to hinder the casual and not-so-casual hackers.

Roster answered 24/11, 2009 at 5:59 Comment(0)
