I plan to release one small, low priced utility. Since this is more hobby than business, I planned to use Dotfuscator Community Edition that is shipped with VS2008.

How good is it?

I could also use a definition of "good enough obfuscator" - what features are missing from Dotfuscator Community Edition to make it good enough.

Edit:

I checked pricing on a number of commercial obfuscators and they cost a lot. Is it worth it?

Are commercial versions that much better at protecting from reverse engineering?

I'm not very afraid of my application being cracked (it will be disappointing if the application is so bad that no one is interested in cracking it). It's not heavily protected anyway: a not overly complex serial key and licence checks in a few places in the code. It just bugs me that without obfuscation, somebody can easily get the source code, rebrand it and sell it as their own.

Does this happen a lot?

Edit 2:

Can somebody recommend a commercial obfuscator? I found lots of them, all of them are expensive, and some don't even have a price listed on their web site.

Feature-wise, all products seem more or less similar.

What is the minimal set of features an obfuscator should have?

+21  A: 

In a nutshell, the main difference between Dotfuscator Community Edition and the other "professional" editions is that Community Edition will only really obfuscate and change your namespaces, method names, and other "public" accessible aspects of your classes. It won't delve into the functions themselves and obfuscate the "private" code within the function.

Also, the Community Edition doesn't do anything to obfuscate such things as control flow within your application, nor will it "combine" code from multiple assemblies into one assembly. These are features that are available within the "professional" paid-for versions.

The best comparison between the Community Edition (the "free" version that comes with Visual Studio) and the "professional", paid-for editions can be found by looking at the following two links:

Preemptive Dotfuscator Editions Comparison

Dotfuscator Community Edition 3.0 on MSDN

The MSDN link is slightly out of date; however, it gives a much better explanation of the actual features that are available within the various editions of Dotfuscator.

EDIT:

Commercial obfuscators do cost a lot of money, and as to whether they are worth the money? Well, that's a judgement call that really only you can make. Personally, I would say that it isn't worth it in your scenario. Firstly, because you're only wanting to protect one application ("I plan to release one small, low priced utility.") and secondly, you say that you're not overly concerned with the application being "cracked" ("I'm not very afraid of my application being cracked.").

I understand how it can bug you that compiled .NET applications, without any obfuscation, can be easily reverse engineered to their original source code, and that someone may make use of this to steal your software and sell it as their own; however, the fact remains that software piracy does exist and you will probably never stop it.

Trying to stop software piracy has been debated ad nauseam both on here (Stack Overflow) and all over the internet. Take a look at the answers to this Stack Overflow question:

Methods to stop Software Piracy ?

The bullet-points on the accepted answer seem to sum it up very nicely. The general consensus seems to be that you need to focus your time and energies more on making your product as great as it can be rather than using this same time trying to protect something that, given enough time/money, an "attacker" can "crack"/steal your software anyway, despite your best efforts to prevent him from doing so.

Does this happen a lot?

I would say that it probably happens a lot less than you think it does. Sure, software gets cracked, but I don't think too many people actually steal others' source code and completely re-brand it to sell as their own. I'm not saying it doesn't, or hasn't happened, but it's certainly not a common occurrence.

To summarise, I'd say that your best bet would be to focus on making your utility as great as it can be and use the free Dotfuscator obfuscator, since it requires very little investment of time/money, to obfuscate your code from the most obvious prying eyes, but don't lose any sleep over the fact that if someone wants to crack/steal your product/code badly enough, they will do.

CraigTP
Note that the PreEmptive link references CE features that are in the version shipping with Visual Studio 2010, which has some increased functionality over that which ships with VS2008.
mletterle
Thanks for the info. I edited the question. Care to comment on the additional questions?
zendar
@mletterle - Very good point. I hadn't spotted the mention of VS 2010 at the bottom of the page, but I knew that PreEmptive had updated their "compare editions" section of their website.
CraigTP
@zendar - Please see my edited answer in response to your question edits.
CraigTP
Thanks again. That was the answer I really wanted to hear :). You should make it a separate answer so I can vote it up again.
zendar
@zendar - I'll leave my answer in one piece (although I appreciate your offer to vote me up again!) as it's now a complete (multi-parted) answer to your complete (multi-parted) question. If this does indeed answer your question, I'd appreciate you "accepting" this answer! Thanks.
CraigTP
+3  A: 

I think Dotfuscator Community Edition shipped with Visual Studio is quite a naive solution. It provides only symbol renaming and does not obfuscate control flow at all. And if someone decides to steal your code, they will only need to refactor back all the names, which is quite easy with a small number of classes.

Also you can rely on the not so perfect decompilation provided by Reflector (it usually messes up switch blocks, makes lots of gotos, mismatches if-else blocks, etc.).

But I suggest you try Eziriz .NET Reactor. It costs only $179 (AFAIK best price/features ratio). It provides standard obfuscation techniques such as symbol renaming, string encryption, control flow obfuscation. As a good bonus it creates a native launcher for your app, which will contain your main assembly and all third party references encrypted and loaded on demand. Plus it provides some licensing capabilities.

Anyway, reversing a .NET application is not so hard. I did it for fun and can say that it's only a matter of time and money (and of course common sense) how fast your application will be cracked or reversed.

Oleg I.
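
As an added example (not from any of the answers or from any obfuscator vendor): a small C# audit you can run over your own build output to see which string literals are still readable after a rename-only pass, which is the gap string encryption is meant to close. `LiteralAudit` and the `CheckKey` sample are hypothetical names, and the code assumes a C# 6 or later compiler.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Reflection.Emit;

static class LiteralAudit
{
    // Opcode table built from OpCodes so that operands are skipped correctly.
    static readonly Dictionary<ushort, OpCode> Ops = typeof(OpCodes)
        .GetFields(BindingFlags.Public | BindingFlags.Static)
        .Where(f => f.FieldType == typeof(OpCode))
        .Select(f => (OpCode)f.GetValue(null))
        .ToDictionary(o => unchecked((ushort)o.Value));

    static int OperandSize(OpCode op, byte[] il, int pos)
    {
        switch (op.OperandType)
        {
            case OperandType.InlineNone: return 0;
            case OperandType.ShortInlineBrTarget:
            case OperandType.ShortInlineI:
            case OperandType.ShortInlineVar: return 1;
            case OperandType.InlineVar: return 2;
            case OperandType.InlineI8:
            case OperandType.InlineR: return 8;
            case OperandType.InlineSwitch: return 4 + 4 * BitConverter.ToInt32(il, pos);
            default: return 4; // tokens, int32, float32, long branch targets
        }
    }

    // Returns every string an ldstr instruction in this method loads.
    public static List<string> Literals(MethodBase m)
    {
        var found = new List<string>();
        byte[] il = m.GetMethodBody()?.GetILAsByteArray();
        if (il == null) return found; // abstract or extern method
        for (int pos = 0; pos < il.Length; )
        {
            ushort code = il[pos++];
            if (code == 0xFE) code = (ushort)(0xFE00 | il[pos++]); // two-byte opcode
            OpCode op = Ops[code];
            if (op == OpCodes.Ldstr)
                found.Add(m.Module.ResolveString(BitConverter.ToInt32(il, pos)));
            pos += OperandSize(op, il, pos);
        }
        return found;
    }

    // Constructed sample: stands in for a licence check whose names would be renamed.
    static bool CheckKey(string key) => key == "DEMO-0000-KEY" || key.StartsWith("TRIAL-");

    static void Main(string[] args)
    {
        // Audit the assembly named on the command line, or this program itself.
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : Assembly.GetExecutingAssembly();
        const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic
            | BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;
        foreach (Type t in asm.GetTypes())
            foreach (MethodBase m in t.GetMethods(All).Cast<MethodBase>().Concat(t.GetConstructors(All)))
                foreach (string s in Literals(m))
                    Console.WriteLine($"{t.FullName}.{m.Name}: \"{s}\"");
    }
}
```

Run with no arguments it lists its own literals, including the two in `CheckKey`; pointed at an obfuscated build, any licence message or key format that still appears in the output was not covered by the obfuscator's settings.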
A: 

Thanks Oleg! .NET Reactor seems very fairly priced.

aron
+3  A: 

At a minimum, an obfuscator should have:

  1. String encryption
  2. Symbol renaming
  3. Control flow obfuscation

Good to have features are:

  1. Resource protection
  2. Assembly merging/embedding
  3. External method call hiding
  4. Ability to auto-sign obfuscated assemblies
  5. Support for satellite assemblies
  6. Dead-code elimination
  7. Meta-data reduction
  8. Anti-decompiler (Reflector)
  9. Anti-tamper
  10. Anti-Debugging

Take a look at our Crypto Obfuscator product which supports all of these.

logicnp
+1  A: 

Another way to get around reverse engineering code is where you place your DLLs if you cannot really afford obfuscators which do add support. And in your assemblies before deployment tell the compiler where to look for them, which was an old practice to hinder reverse engineering. But like it was already said, concentrate mostly on developing an excellent product and good coding practices, then you will be able to afford a nice obfuscator application in the future. Also, try not to worry too much about others cracking your code because most hackers crack code just to find a way to use the product without paying for it and not to steal code or to learn from for beginning programmer. Yeah, I wish JIT only supported C# and VB.NET which would have really cut down on reverse engineering but since JIT can read many due to .NET being really language friendly that is the price. So code away and make some money, buy some additional securities.

bvrwoo
+1  A: 

I am with Oleg on .NET Reactor; Dotfuscator is like drawing the human genome by hand and not that secure either. It really seems like the Dotfuscator people have obfuscated the UI!