Dealing with code obfuscation

One problem that you have nowadays, if you work with .NET client-side applications is that your executable can easily be reverse-engineered. You can download something like JetBrains dotPeek for free – and you can reverse-engineer your code from IL back to higher-level languages like VB.NET or C#.

This of course means that anyone who has your .exe or your .dll can pretty much look at your code – stealing it or worse, modifying it to create malware, under your name!

The way to combat this is to obfuscate (to make obscure, or unclear) your compiled objects before they are released to production.

What are your options?
Well, you do have some options:

What does DotFuscator do?
This is the free product that is included with Visual Studio. Well, it’s better than nothing in that it does basic obfuscation. For example, if you have code that looks like this:

class Program
{
    private const Int32 SomeMagicNumber = 123456;

    static void Main(string[] args)
    {
        String firstName = "John";
        String lastName = "Doe";

        SomeMethodName(firstName, lastName);
    }

    private static void SomeMethodName(String firstName, String lastName)
    {
    }
}

.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, “Courier New”, courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }

Then DotFuscator will obscure the code into something like this:

internal class a
{
    private const int a = 123456;

    private static void a(string[] A_0)
    {
        a.a("John", "Doe");
    }

    private static void a(string A_0, string A_1)
    {
    }
}

.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, “Courier New”, courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }

Again, this isn’t bad and it’s better than nothing – but also, you can get a significantly more obfuscated result by using a 3rd-party tool.

What does LogicNP Crypto Obfuscator do?
Again, I go back to LogicNP (see my review of their Crypto Licensing for .NET product) for their Crypto Obfuscator for .NET.

What does this do different or better than DotFuscator? Well, instead of just slightly obscuring the structure of your assembly, it makes it absolutely, positively unrecognizable! It uses a clever combination of encryption and redirection to completely eliminate the idea of reverse-engineering your code.

From the same simple code example above, when I run that through Crypto Obfuscator for .NET, the result ends up looking like this in dotPeek:

image

image

I can’t even begin to tell you what happened to my code. The app still runs though and this is extremely well-protected against reverse-engineering. To me, this is a much more professional-quality solution – for a reasonable amount of money.

What else does it do?
It doesn’t stop there – you have tons of options about how to encrypt and/or obfuscate the types and members in your assembly. For example, you can explicitly ignore certain types or members – or create your own naming rules, etc. You can also tie this in with their licensing product and leave no-sign that you are using their products – making it even harder for the attacker to tamper with your assembly.

So again, it kind of comes down to how much is your time worth? This is a very powerful product that really takes things to the next level when it comes to what you want for obfuscation.

Also – this supports .exe, .dll, and even .xap files (for those deploying MS-based “apps”).

By the way, you can get a 30-day trial of that software here:
http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

2 comments on “Dealing with code obfuscation
  1. CryptoObfuscator can be deobfuscated by de4dot. Consider using a more powerfull and up-to-date obfuscator such as Disguiser.NET at https://www.disguiser.net/

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 5 other followers

%d bloggers like this: