I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe from reverse engineering?
+3
A:
No, obfuscation has been proven that it does not prevent someone from being able to decipher the compiled code. It makes it more difficult to do so but not impossible.
Kevin
2008-09-16 10:58:51
+21
A:
You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.
It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.
Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)
You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.
Blair Conrad
2008-09-16 11:03:08
If they're properly obfuscated, wouldn't those logs become -near impossible- to interpret? "Much more difficult" seems a bit of an understatement here ;)
Kawa
2009-10-21 13:05:10
Well, keep in mind that (in theory) you have the original code to help, as well as the text of the log messages. The only thing that should be obfuscated would be the class and member names. In addition, many tools (Dotfuscator is one) create a map file to tell you what obfuscated construct name maps back to which original name - this can make it a pain to figure out exactly where the log messages come from, but nowhere near impossible.
Blair Conrad
2009-10-23 05:59:24
Also, the names of public and protected types and members are not obfuscated in order to preserve the API, so some parts of your stack traces will remain intact even after obfuscation.
Andrew Arnott
2010-07-17 04:31:07
+1
A:
It's quite simple to reverse engineer a .net app using .net reflector - since the app will generate VB, VC and C# code straight from the MSIL, and it's possible to pull out all kinds of useful gems.
Code obfuscators hide code quite well from most reverse engineering hacks, and would be a good idea to use on proprietary and competitive code that adds value to your app.
There's a pretty good article on obfuscation and it's workings here
Martin
2008-09-16 11:05:56
Good code obfuscators will cause apps like ILDASM and Reflector to crash... but that still doesn't stop people that really want to know how your code works.
Matthew Whited
2009-10-21 13:11:53
+2
A:
...snip... these messages can become much more difficult to interpret
Yes, but the free community edition that comes with Visual Studio has a map functionality. With that you can back track the obfuscated method names to the original names.
Magnus Johansson
2008-09-16 11:10:02
+1
A:
I've had success putting the output from one free obfuscator into a different obfuscator. In Dotfuscator CE, only some of the obfuscation tricks are included, so using a second obfuscator that has different tricks makes it more obfuscated.
harriyott
2008-09-16 11:10:42
That's like claiming that applying ZIP after RAR makes the archive smaller.
EFraim
2009-08-05 06:09:33
No it isn't. There are some things that aren't obfuscated in CE, and loading the obfuscated DLL in Reflector shows up the unobfuscated items as clearly readable. After obfuscating with the second tool, these items are obfuscated, and there is nothing readable in Reflector.
harriyott
2009-08-05 09:08:13
Enjoy debugging those stack traces from your customers when your app crashes.
Matthew Whited
2009-10-21 13:13:03
There's a mapping file generated, so (although tedious) it is possible to match them up again.
harriyott
2009-10-21 14:26:46
+5
A:
The fact that you actually can reverse engineer it does not make obfuscation useless. It does raise the bar significantly.
An unobfuscated .NET assembly will show you all the source, highlighted and all just by downloading the .NET Reflector. Add obfuscation to that and you'll reduce very significatively the amount of people who'll be able to modify the code.
It depends on you are you protecting yourself from. If you'll ship it unobfuscated, you might as well open source the application and benefit from marketing. Shipping it obfuscated will only allow people to relatively easily generate modified binaries through patches instead of being able to steal your code and create a direct competitor. Getting the actual source from obfuscated code is very hard, depending on the obfuscator, of course.
Vinko Vrsalovic
2008-09-16 11:11:09
+8
A:
At our company we evaluated several different obfuscation technologies, but they all had problems. The biggest problem was that we rely a lot on reflection, e.g. to dynamically create grids based upon property names.
So all of the obfuscators rename things, you can disable it of course, but then you lose a lot of the benefit of obfuscation.
Also, in our code we have a lot of NUnit tests which rely on a lot more of the methods and properties being public, this prevented some of the obfuscators from being able to obfuscate those classes.
In the end we settled on a product called .NET Reactor
It works very well, and we don't have any of the problems associated with the other products.
"In contrast to obfuscators .NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code. In detail, .NET Reactor builds a native wall between potential hackers and your .NET code. The result is a standard Windows based, not MSIL compatible, file. The original .NET code remains intact, well protected by native code and invisible for prying eyes. The original .NET code is not copied on harddisk at any time. There is no tool which is able to decompile .NET Reactor protected assemblies."
RickL
2008-09-16 11:18:22
Based on your description, this wouldn't appear to stop a determined hacker with an x86 decompiler. If a computer can execute it then the code can be decompiled.
Ant
2008-09-16 13:39:59
@Ant : You try and reverse engineer a native code application. A simple for loop will be tens of instructions apparently unrelated.
Andrei Rinea
2008-10-09 18:39:09
Ripping the .net code from a packed .net application from anything packed with Reactor is trivial at best. There are even several tutorials out there for it.
Simucal
2008-11-17 03:43:19
And based on your description automatically destroys any portability benefit.
EFraim
2009-08-05 06:11:07
+3
A:
I think that it depends on the type of your product. If it is directed to be used by developers - obfuscation will hurt your customers. We've been using the ArcGIS products at work, and all the DLLs are obfuscated. It's making our job a lot harder, since we can't use Reflector to decipher weird behaviors. And we're buying customers who paid thousands of dollars for the product.
So please, don't obfuscate unless you really have to.
Doron Yaacoby
2008-09-16 13:22:00
+1
A:
This post and the surrounding question have some discussion which might be of value. It isn't a yes-or-no issue.
Leigh Caldwell
2008-09-16 13:26:20
+9
A:
Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.
If you have secrets in your code (like passwords), you're doing it wrong.
If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.
Jay Bazuzi
2008-09-16 13:30:43
+1
A:
I am very confortable reading x86 assembly code, what about people that is working with assembly for more than 20 years ?
You will always find someone that only need a minute to see what your c# or c code is doing...
Arabcoder
2009-10-21 13:00:51
+3
A:
Just a note to anyone else reading this years later - I just skimmed through the Dotfuscator Community Edition (that comes with VS2008) license a few hours ago, and I believe that you cannot use this version to distribute a commercial product, or to obfuscate code from a project that involves any developers other than yourself. So for commercial app developers, it's really just a trial version.
Nick M
2010-01-26 09:16:57
A:
Yes, we do. We use BitHelmet obfuscator. It's new, but it works really well.
Daniel Dolz
2010-04-06 13:45:18
+2
A:
Yes you definitely should. Not to protect it from a determined person, but to get some profit and have customers. By the way, if you reach a point here someone tries to crack your software, that means you sell a popular software.
The problem is what tool to choose for the job. Check out my experience with commercial obfuscators: http://stackoverflow.com/questions/337134/what-is-the-best-net-obfuscator-on-the-market/2356575#2356575
ileon
2010-04-24 21:45:41
A:
But is it really worth the effort to select, buy and use such a tool?
I found Eazfuscator cheap (free), and easy to use: took about a day. I already had extensive automated tests (good coverage), so I reckon I could find any bugs that are/were introduced by obfuscation.
ChrisW
2010-04-24 21:57:49