For a while we were using a tool called CodeVeil. I'm just wondering if there are better alternatives out there.

Edit: Before more people misunderstand the question, I'm aware that a determined cracker would probably be able to defeat any of these tools. I'm not too concerned about them though. These tools are just meant to stop the "casual cracker", and to stop people from stealing our company's IP. If they're good enough to get past a decent tool, they probably aren't interested in stealing our crappy code :-P

A: 

I've heard that Obfusticator is good; it's used on .Net Reflector.

TraumaPony
+4  A: 

Honestly, there isn't a lot you can do besides some obfuscation with tools like you mentioned. .NET is just a step above scripting languages, except the script commands are binary and are called IL. That's a little oversimplification, but it's not too far off reality. Any good program written using Reflection can be used to reverse engineer .NET applications, or if you have enough knowledge, a good hex editor.

stephenbayer
+1  A: 

Open Source it :D

DylanJ
+2  A: 

I remain unconvinced by the value of these tools. None of the technology solutions prevent reverse engineering any better than legal guards such as licences, trademarks, patents, copyrights etc...

.NET really is a large transparent source movement. It's much better that instead you frame terms of use around your IP such as licencing and copyright.

stephbu
+1  A: 

There are several popular tools for obfuscation, including Dotfuscation, which has a "light" version that ships with Visual Studio 2005 and 2008. They have a Pro version that does more than just variable and function name renaming. However, the code is still viewable, it is just scrambled a bit to make it harder to read and grok the logic flow of the software.

Another technique is to use other programs that will encrypt the program, and decrypt it at runtime. However, this is not a perfect solution either. In fact, there is no perfect solution that I am aware of that will prevent a determined engineer from reverse engineering the software, if enough time and effort is applied to it.

What it really comes down to is determining the level of protection that will make it sufficiently difficult to dissuade the casual hacker, and make it as expensive to reverse engineer as you can, so at least the reverse engineering comes at a cost in either time or money, or ideally, both. The more expensive the reverse engineering costs, the fewer number of individuals that will be willing to put in the effort. And that is the big point to obfuscation.

Some think that using a compiler like the C++ compiler that compiles to native code will prevent this sort of reverse engineering, but it doesn't. A good disassembler will allow even pure binary executables to be reverse engineered, so therefore, a perfect solution does not exist. If the computer can read it and execute it, then the memory the computer is using can be scanned and tracked, bypassing all attempts to encrypt, obfuscate, or any other means of keeping your code out of the hands of a determined engineer.

Stephen MacDougall
+3  A: 

Compiling your .NET application results in output assemblies that contain a great deal of meta information. This information makes it very easy to reconstruct something very close to the original code. An excellent free tool called .NET Reflector can be used to do exactly that and is a popular way to examine how the base class libraries work. Download and use that tool to view reconstructed C#/VB.NET versions of assembly contents.

If you're a commercial organization then you do not want people to find it easy to look at your expensive-to-produce code. A popular method is to use Obfuscation to scramble the contents in a way that does not alter how it runs but does make it hard to understand. Obfuscation uses techniques such as renaming variables and methods. Working out the purpose of methods 'a1', 'a2', 'a3' is much harder than the original 'GetName', 'UpdateInterestRate' and 'SetNewPassword'.

So using obfuscation makes it much harder for people to understand what your code is doing and the algorithms it uses. It does not however make it impossible. In the same way C++ code can still be understood by an assembler expert who is willing to spend time working through your binary, an MSIL expert can eventually work out your obfuscated code. But it increases the barrier to the point where few will bother trying.

Phil Wright
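
The metadata described in the answer above can be checked from the defender's side. This added example, which is not part of the original answers or of any tool named on this page, uses System.Reflection to list the method names and signatures that stay readable in an assembly, so it can be run before and after obfuscation; the `MetadataAudit` class, the three-character threshold in `LooksRenamed` and the exit-code convention are assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;

static class MetadataAudit
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Assumption: names of up to three characters (like 'a1') count as renamed.
    static bool LooksRenamed(string name) { return name.Length <= 3; }

    static Type[] LoadableTypes(Assembly asm)
    {
        try { return asm.GetTypes(); }
        catch (ReflectionTypeLoadException ex)
        {
            // Missing dependencies: keep the types that did load.
            return ex.Types.Where(t => t != null).ToArray();
        }
    }

    static int Main(string[] args)
    {
        // Audit the assembly named on the command line, or this program itself.
        Assembly asm = args.Length > 0
            ? Assembly.LoadFrom(args[0])
            : Assembly.GetExecutingAssembly();

        int readable = 0, total = 0;
        foreach (Type type in LoadableTypes(asm))
        foreach (MethodInfo m in type.GetMethods(All))
        {
            // Skip property/operator accessors and compiler-generated helpers.
            if (m.IsSpecialName || m.Name.StartsWith("<")) continue;
            total++;
            if (LooksRenamed(m.Name)) continue;
            readable++;
            string pars = string.Join(", ", m.GetParameters()
                .Select(p => p.ParameterType.Name + " " + p.Name));
            Console.WriteLine("{0} {1} {2}.{3}({4})",
                m.IsPublic ? "public    " : "non-public",
                m.ReturnType.Name, type.FullName, m.Name, pars);
        }
        Console.WriteLine("{0} of {1} methods keep a descriptive name", readable, total);
        // Non-zero exit lets a build step flag names that survived obfuscation.
        return readable == 0 ? 0 : 1;
    }
}
```

Public members of a library normally have to keep their names so callers can bind to them, so the non-public lines are the ones to compare between the two runs.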
+5  A: 

I've had a lot of success with Xenocode Postbuild. The tool can obfuscate .NET assemblies, protect against Reflector disassembly, combine .NET assemblies into a single executable ("virtualization") and even compile .NET applications to standalone executables that do not need the .NET runtime installed.

+3  A: 

Sorry to resurrect an old post, but I think Eziriz's .NET Reactor works brilliantly.

In fact I use it myself for all my .net apps and apparently there is no existing tool out there that can decompile a program protected with .net reactor. More details can be found on their info page, http://www.eziriz.com/dotnet_reactor.htm. Test it out with the trial version and .net reflector and you can see for yourself.

GONeale
The pricing definitely seems to be more attractive than CodeVeil
ilitirit
Yep worth every cent, and comes with a basic licencing manager :)
GONeale
A: 

Another is Crypto Obfuscator - it's more affordable than some others, and has various obfuscation and protection methods to hinder the casual and not-so-casual hackers.

logicnp