tags:

views:

1981

answers:

7
+2  Q: 

C# - Obfuscation at source-code level more effective than obfuscators?

Learning from my last question, most member names seem to get included in the Project Output.

Looking at some decompilers like 9rays, Salamander, Jungle, many obfuscating techniques seem to have been already defeated, there's this one particularly scary claim:

Automatically removes string encryptions injected by obfuscators ~ Salamander

So is manual, source-code level obfuscating more effective than post-compile / mid-compile lathered, 'superficial' obfuscation by well known (easily defeated??) obfuscating programs?

+2  A: 

The problem there is you will be sacrificing readability to do it. If your project is that sacred to protect, I believe it is safe to assume two things:

  1. The project is large enough that the hit in readability will come back to bite you in the ass.
  2. The people who want to reverse-engineer it will do so anyway. It will just take a slightly larger feat of intelligence to determine what things do (instead of just reading the member names).
lc  2009-01-05 15:22:35
3. Since we use propitiatory techniques and algorithms, it becomes pretty much impossible to figure out and the decompilers just abandon it.
Jenko  2009-01-05 15:32:18
"propitiatory" seems to have been obfuscated by the SO comment compiler. Do you mean "proprietary"?
ChrisA  2009-01-05 15:42:06
I think "impossible to figure out" is a very relative term. Everyone always has access to some kind of assembly code. All I'm saying is that if what you're trying to protect is worth all the trouble to obfuscate it, it'll be worth all the same trouble to disassemble on the other end.
lc  2009-01-05 15:45:49
that depends on the effort required to decompile. If I have to spend a year with very skilled developers turning asm back into C++, I won;t bother. If I can drop a dll into an app and it happens in half an hour - I will.
gbjbaanb  2009-01-05 15:56:53
+7  A: 

Maybe, debatably, but you'll destroy maintainability to do so.

Is this really worth it?

Actually this just comes down to security through obscurity, i.e. it's not security at all it's just an inconvenience. you should work fromt he assumption that any party interested enough will decompile your code if they can access it. It's not worth the pain you'll inflict on yourself to make it very slightly more time consuming for the evil haxxors. Deal with the real security problems of access.

annakata  2009-01-05 15:24:05
Readability needn't be affected. Comments can take the place of great member names.
Jenko  2009-01-05 15:29:27
So our only choices are the ones Mitch leaved us with...
Jenko  2009-01-05 15:33:31
And you're going to put a comment explaining "what the hell" next to every reference to IFoogleBargle are you?
annakata  2009-01-05 15:34:19
+14  A: 

Obfuscating source-code is going to be self-defeating in terms of maintenance.

If your project is so 'secret', I guess you have two choices:

  • Place the 'secret' proprietry code behind a service on a server that you control

  • Code it in a language so not easy to decompile such as C/C++

Mitch Wheat  2009-01-05 15:26:27
Are there any pre-compile obfuscators? So that you'd get, as it were, intermediate source code whose member names (preferably randomised, not encrypted) would only be seen in the IL in release mode, for instance?
ChrisA  2009-01-05 15:38:50
+2  A: 

annakata is correct. Really all you can do is make it more difficult (and costly) for the person to reverse engineer the software.

My company identified several areas in which we wanted to make it as difficult as possible for reverse engineering. For example our files are a binary format which each object in our hierarchy responsible for saving itself and reading back the correct version. This means for a person to read our files they would have replicate our entire hierarchy in the code they create to read our files. In addition much of the information in the Job file is useful without the corresponding bit in the shop standards files. So they have to do the work twice in order to understand what the job file is saying.

Several critical areas (dongle protection, communication with our metal cutting machines) reside in Win32DLL. Which means that they would have to know assembly and how to make DLL that replicate other DLLs signatures in order to reverse engineer our software. Plus our design with our CAM software is that it is highly interactive with the cutting machine (information being exchanged all the time)

From the few time we heard about competitors trying to deal with our machines alone they wound up replacing the electronics with their own in order to finish the job. Major bucks to do this.

Part of the steps we took was based on our own experience with trying to deal with competition's machine and software. We took that experience and learned how to tweak our setup. Of course we have limits in that we are not going sacrifice reliability or maintenance just for the purpose of defeating reverse engineering.

For your case, you will have to ask yourself what part of your software would be of interest to your competitors and proceed from there. If you are a vertical market developer (machine control, specialized accounting, etc) I suggest using a USB dongle for software control.

Otherwise use a serial number system and accept that people are going to pirate your software and build that into your business model. The purpose of a serial number scheme is that is relatively unintrusive, and hinders causal copying plus give you a remote chance of tracking down where the copy came from.

RS Conley  2009-01-05 15:43:57
+2  A: 

As people stated obfuscation is about raising the bar. If you obfuscate your assembly you will stop a casual developer whose just curious but you won't stop a slightly motivated person from reverse engineering.

If you want to raise the bar a little further many obfuscation tools let you use non-printable characters as member names. use reflector on itself to have a look. This will stop a lot more people, I might look at obfuscated code to understand it, but if I can't read it, I'm not going to go through the pain of dumping it to IL, and renaming all the members manually, no motiviation for me to waste that much time.

However for some people there is a motiviation so you need to go another step if your business requirements nessecitate it. But no matter what you do if the computer can read it, there will be someone out there who can read it too. The goal is to reduce the number of people who can read it or would be motivated to read it.

There are also some tricks which you can use to make reflector break (Obfuscator from PreEmptive breaks reflector in some cases but of course you can still read the IL). I had an interesting conversation once with a developer of an obfusction tool and I won't be able to do it justice but he had a way to make reflector completly break by having the code jump dynamically around. For example one moment in your function a then you'd jump to the middle of function b. Doign this cause PEVerify to raise errors so they never actually implemented it but kind of neat idea.

JoshBerke  2009-01-05 15:57:02
+2  A: 

I am alarmed that you're even considering code level obfuscation. Won't you be obfuscating the code for yourself too? How do you intend to ever work on it again? For the sake of maintainability this shouldn't be done.

But consider this: -

Suppose there was a script/app that you can run that would open your project and cleverly obfuscate every string/variable name in your project and you compiled it afterward while your original code is securely untouched in a separate location.

Now that's some idea.

Cyril Gupta  2009-01-05 16:18:19
I've worked on source code that was processed like this in the past, where source was delivered because it ran on a BASIC interpreter (yes many yers ago). At least, I *think* it was automatically obfuscated.
Andy Dent  2009-02-02 05:46:31
+1  A: 

Actually code level obfuscation is less secure than what the obfuscators out there can do. This is primarily because obfuscators can take advantage of strict CLI implementation details that are not permitted by language compilers. For instance, it is entirely legal for private fields to all have the same name - but there isn't a compiler out there that will let you do that.

Paul Alexander  2009-04-18 03:18:33

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?