Dear Guys,

I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.

So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values won't be visible easily. In fact, to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.

Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.

Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.

I have downloaded a trial of .net reactor from Eziriz and it seems to be fine. What do you guys suggest? I cannot afford something over $200. So is this product worth going for? You guys know better.

Thank you for your support.

Cheers, Saurabh

+14  A: 

Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password.

Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.

Security Through Obscurity will never work. You will never be able to control the client.

A better approach is to set up a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.

Rook
And I was just about to say the exact same thing. It's relatively quick and easy to set this up with WCF Data Services, you should look into it.
John Leidegren
Good advice. Obfuscation is no end-all solution (though it can add an extra layer of protection at the end.)
Noldorin
Ditto. Obfuscation is only a protection against the most casual of attacks.
Wayne Werner
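The design recommended in the answer above, sketched as an added example that is not part of the original thread: the client holds no database password, only per-user credentials, and every query is built and bound on the server. It is written in Python with an in-memory `sqlite3` database standing in for the WCF service and the online database; the function names, table layout and sample users are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, sqlite3

# Server side only: the database handle (and, in a real deployment, its
# password) never leaves this process. Tables and users are constructed samples.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
    CREATE TABLE files(id INTEGER PRIMARY KEY, owner TEXT, title TEXT);
""")
_sessions = {}  # session token -> user name

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(name, password):
    """Admin-side helper; not one of the operations exposed to clients."""
    salt = secrets.token_bytes(16)
    _db.execute("INSERT INTO users VALUES (?,?,?)",
                (name, salt, _hash(password, salt)))

def login(name, password):
    """Exposed operation: per-user credentials in, opaque session token out."""
    row = _db.execute("SELECT salt, pw_hash FROM users WHERE name=?",
                      (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash(password, row[0])):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = name
    return token

def list_titles(token, search=""):
    """Exposed operation: fixed query text, caller values bound as parameters."""
    user = _sessions.get(token)
    if user is None:
        raise PermissionError("not logged in")
    # The owner filter comes from the session, never from the caller.
    rows = _db.execute(
        "SELECT title FROM files WHERE owner=? AND title LIKE ? ORDER BY id",
        (user, "%" + search + "%"))
    return [r[0] for r in rows]

# Constructed sample data.
add_user("alice", "constructed-pw-1")
add_user("bob", "constructed-pw-2")
_db.executemany("INSERT INTO files(owner, title) VALUES (?,?)",
                [("alice", "budget.xls"), ("alice", "notes.txt"),
                 ("bob", "plan.doc")])
```

A client that is fully disassembled or debugged yields only that one user's own password and session token, and the exposed operations return nothing beyond that user's rows.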
A: 

I use Eazfuscator: http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx

It's powerful and it's free. Wonderful tool, extremely simple to use.

Pierre 303
Thank you guys. But see, I don't care if an attacker goes all the way in. I want basic-intermediate security. If someone really wants to crack it, he will do it no matter what. Regarding the obfuscator program, which one should I go for? Pierre, I will try Eazfuscator. It's just that, is that free one good enough compared to other ones like .net reactor etc.?
Saurabh
I used Xenocode for years, and other commercial products. When I found Eazfuscator, I couldn't believe that it was free. I have now been using it for 2 years, and will never go back to Xenocode.
Pierre 303
@Saurabh obfuscation is meant to help protect intellectual property from your competitors. It was never meant to secure client side security issues. I have no idea who told you that this would help, but they are very wrong.
Rook
I still want to use an obfuscator to protect basic content in my program and ensure it's not visible to others. I tried Eazfuscator but it failed to obfuscate my program. Is there any other good obfuscator?
Saurabh
What was the error message?
Pierre 303
The system cannot find the file <something>. This was strange. My program uses third-party dlls but they were in the same folder.
Saurabh
A: 

Have you tried Crypto Obfuscator? It is affordable and has a variety of protections.

logicnp
Comparing the features and price, I think .net reactor would be a better bet than crypto obfuscator.
Saurabh
Reactor is cheaper, but Crypto Obfuscator has way more features. Also consider tech support (non-existent for reactor), tool support like command-line, MSBuild, authenticode signing, etc.
logicnp
You are right, buddy, but I do not need the amount of features that crypto obfuscator has. .net reactor is sufficient, plus it helps me save cash compared to crypto. Ya, the non-existent support is the only drawback.
Saurabh
The problem with Reactor is, the obfuscation is very shallow. Only SmartAssembly and Crypto Obfuscator obfuscate code seriously (i.e. change almost all stuff to mess). See this thread: http://stackoverflow.com/questions/337134/what-is-the-best-net-obfuscator-on-the-market
macias
A: 

I have used Eziriz .NET Reactor for a while now and it works great for me. I used Eazfuscator before but it wasn't really powerful.

.Net Reactor has awesome features such as Anti ILDASM and Native Exe file generation. Also it'll fit your budget. You can use Trial before purchasing it and test if it works with your scenario.

Qorbani
I think .net reactor will do the job. But I emailed them (general query) and got no response from them. That was disappointing.
Saurabh
I never tried to communicate with them, but I saw lots of complaints about that.
Qorbani
I hope if I buy, I get the key or whatever to unlock instantly. The last thing I want is to get stuck, and with no one to reply I will be in a mess.
Saurabh
+1  A: 

I have used CliSecure for more than a year now and it works great for me. I was using some of the low end obfuscators in the past, and either they were failing too many times or I couldn't get enough help from their support groups. Eventually I decided the cost of ownership for me was much higher than what I had initially paid for the product, and decided to take a leap forward and purchase a high end obfuscator. CliSecure supports many forms of obfuscation you should be looking at; a nice summary of obfuscation features supported is available on their website.

Gery Elema