
If you are a .NET developer, how would you feel if your original C# or VB source code was published on the Web for the world to see?  That’s exactly what happens if you release your .NET software without obfuscation.


What is Obfuscation? 

Obfuscation is the process of transforming your compiled .NET assemblies so that they cannot easily be reverse-engineered.  The goal is to stop all casual hackers, and as many serious hackers as possible, from inspecting and cracking your code. 

Obfuscation often includes the following processes:

  • Rename symbolic metadata–such as class, field, event, and method names–into meaningless characters
  • Convert compiled IL code into “spaghetti code,” inserting decoy branches and re-ordering instructions to confuse hackers and crash decompilers
  • Encrypt text strings
  • Strip all debugging information and PDB symbol references from your assembly
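The string-encryption step deserves a closer look, because it is the one most often assumed to protect secrets.  The following is an added example, not code from the original post or from any obfuscator: it shows, at source level, what such a transform does to one method.  The cipher is a toy XOR with a fixed key so the mechanism stays readable; real products use their own schemes, but the shape is the same, and so is the limitation: the decryption routine and its key have to ship inside the assembly.  The method names and the license key are hypothetical.

```csharp
using System;
using System.Text;

// Added example (not from the original post): the "encrypt text strings"
// obfuscation step shown as a source-level before/after.
static class StringEncryptionDemo
{
    // Before: the literal sits verbatim in the assembly's user-string heap,
    // where any decompiler or byte scan finds it.
    public static bool CheckLicenseOriginal(string key)
    {
        return key == "ACME-2007-PRO";
    }

    // After: the literal is replaced by ciphertext plus a call to the decryptor.
    // (A real obfuscator would also rename this method and the helper below;
    // names are kept readable here.)
    public static bool CheckLicenseObfuscated(string key)
    {
        return key == Decrypt(new byte[] {
            0x2A, 0x70, 0x34, 0x2E, 0x1E, 0x4B, 0x5B, 0x03, 0x4E, 0x46, 0x63, 0x2B, 0x24 });
    }

    // The key is a constant in the binary. Anyone who locates Decrypt can
    // recover every string by calling it, which is why this stops casual
    // browsing but not a determined reverse engineer.
    static readonly byte[] XorKey = Encoding.ASCII.GetBytes("k3y");

    // Run by the obfuscator at build time; the plaintext never reaches the
    // shipped assembly.
    public static byte[] Encrypt(string plaintext)
    {
        byte[] data = Encoding.ASCII.GetBytes(plaintext);
        for (int i = 0; i < data.Length; i++)
            data[i] = (byte)(data[i] ^ XorKey[i % XorKey.Length]);
        return data;
    }

    // Shipped with the assembly and called wherever a literal used to be.
    public static string Decrypt(byte[] ciphertext)
    {
        byte[] data = new byte[ciphertext.Length];
        for (int i = 0; i < data.Length; i++)
            data[i] = (byte)(ciphertext[i] ^ XorKey[i % XorKey.Length]);
        return Encoding.ASCII.GetString(data);
    }

    static void Main(string[] args)
    {
        // Pass the candidate key on the command line so the demo itself does
        // not embed the plaintext a second time.
        string candidate = args.Length > 0 ? args[0] : "not-the-key";
        Console.WriteLine("original:   " + CheckLicenseOriginal(candidate));
        Console.WriteLine("obfuscated: " + CheckLicenseObfuscated(candidate));

        // What the build-time step would emit for a new literal.
        Console.WriteLine("ciphertext for \"hello\": " + BitConverter.ToString(Encrypt("hello")));
    }
}
```

Both versions of the check behave identically; the difference is only in what a decompiler or a byte scan of the file shows.  Note that Decrypt is an ordinary method, so a reader who finds it can also call it from their own code against every encrypted blob in the assembly.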

Why Obfuscate?

To protect your valuable intellectual property.

Programs written for .NET can be reverse-engineered quite easily.  Anyone with a decompiler such as the free .NET Reflector can open your application or component assemblies and see very nearly your entire original source code, including names, logic and flow.  Your copy protection mechanisms, proprietary business logic, and any embedded license keys or passwords are there for all to read.  Anyone can inspect your software to find and exploit security flaws, steal unique ideas and license keys, or pirate your application.  To plug this hole and protect your software, you should obfuscate it.  One caveat on the secrets: a key or password the program needs at run time is still inside the assembly after obfuscation, and string encryption only delays its recovery, because the decryption routine ships alongside it.  Anything that must genuinely stay secret belongs on a server you control, not in an assembly you hand to users.

Obfuscation Costs

There are some downsides to obfuscating your software:

  • Can break code that depends on reflection, serialization, or remoting, because those look up types and members by name at run time and renaming changes the names
  • Can make it more difficult to diagnose and debug problems in your code
  • Adds another step and potential error source to your build process
  • Increases your assembly size, by 2K to 200K or more depending on your original assembly size and the level of obfuscation that you use
  • Good obfuscation tools are expensive
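The first of those costs is the one that bites in practice, and the usual remedy is to mark the types that must keep their names.  The following is an added example, not code from the original post: it shows the two common breakage patterns (a method looked up by name and a class written out by XmlSerializer) protected with System.Reflection.ObfuscationAttribute, which has been in the framework since .NET 2.0 and which most obfuscators honour (check your tool's documentation).  The self-test at the bottom is meant to be run against the obfuscated build; it fails if renaming reached anything it should not have.  Type and member names are hypothetical.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml.Serialization;

// Added example (not from the original post): excluding reflection- and
// serialization-sensitive types from an obfuscator's renaming pass, and a
// check that the exclusion actually held after the build.

// Looked up by name at run time, for instance by a plug-in host. If the
// obfuscator renamed Run, GetMethod("Run") would return null.
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public class Plugin
{
    public string Run(string input)
    {
        return input.ToUpperInvariant();
    }
}

// XmlSerializer derives element names from the public property names. Rename
// them and the on-disk format silently changes, so files written by an earlier
// build no longer load.
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public class Settings
{
    public string ServerName { get; set; }
    public int Port { get; set; }
}

public static class ObfuscationSelfTest
{
    // Returns true if every name this program depends on survived obfuscation.
    // Run it against the obfuscated assembly, not the plain build.
    public static bool NamesSurvived()
    {
        // 1. Late-bound call by name.
        MethodInfo run = typeof(Plugin).GetMethod("Run");
        if (run == null) return false;
        object result = run.Invoke(new Plugin(), new object[] { "abc" });
        if (!"ABC".Equals(result)) return false;

        // 2. Serialization round trip with a fixed, pre-obfuscation format.
        XmlSerializer serializer = new XmlSerializer(typeof(Settings));
        Settings original = new Settings { ServerName = "db01", Port = 1433 };
        string xml;
        using (StringWriter writer = new StringWriter())
        {
            serializer.Serialize(writer, original);
            xml = writer.ToString();
        }
        // If ServerName had been renamed this element would not be present.
        if (xml.IndexOf("<ServerName>db01</ServerName>", StringComparison.Ordinal) < 0)
            return false;

        Settings copy;
        using (StringReader reader = new StringReader(xml))
        {
            copy = (Settings)serializer.Deserialize(reader);
        }
        return copy.ServerName == "db01" && copy.Port == 1433;
    }

    public static void Main()
    {
        Console.WriteLine(NamesSurvived()
            ? "OK: reflection and serialization names intact"
            : "FAIL: obfuscation renamed a member that is used by name");
    }
}
```

Keep the excluded surface as small as possible: every name you exclude is a name a decompiler still sees, so mark the specific types and members that are used by name rather than whole namespaces.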

How to Obfuscate

Microsoft Visual Studio .NET includes a free community edition of one of the popular commercial obfuscators (Dotfuscator Community Edition).  Unfortunately, this version does not encrypt text strings and has other limitations.  You get what you pay for, so you probably don’t want to skimp when it comes to protecting your valuable intellectual property.

There are many good commercial obfuscators, but you will find them to be quite expensive, ranging from $400 to $2000.  We use Xenocode at Mini-Tools and are quite happy with it.  For a list of .NET obfuscators, be sure to check out the How-To Select Guide for Obfuscators.  Software distributor SharpToolbox also lists many popular obfuscators.

Seeing is Believing

The following example shows how .NET applications are like an open book without obfuscation.

Consider this simple method that returns a specified number of characters from the start of a text string.  Here is the original C# source code:

/// <summary>
/// Returns the specified number of characters from the start of a string.
/// </summary>
/// <param name="s">Any string. OK if null.</param>
/// <param name="count">Number of characters to get. Ignored if zero or less.</param>
static public string Left( string s, int count )
{
    string left = null;
    if (s != null && count > 0)
    {
        if (count > s.Length)
            count = s.Length;
        left = s.Substring( 0, count );
    }
    return left;
}

When the application is compiled into an executable file–but is not obfuscated–this is what the method looks like in Reflector.  Apart from the comments, nothing is lost: the method and parameter names, the logic and the flow are all there.  Reflector has merely re-expressed the nested ifs as early returns, which is equivalent:

public static string Left(string s, int count)
{
    if ((s == null) || (count <= 0))
    {
        return null;
    }
    if (count > s.Length)
    {
        count = s.Length;
    }
    return s.Substring(0, count);
}

And here is what the method looks like after it has been obfuscated:

public static string x72d92bd1aff02e37(string xe4115acdf4fbfccc, int x673be0868c5231b1)
{
    // This item is obfuscated and can not be translated.
}

Notice a difference?  Reflector gives up on the method body entirely, and the names it does show tell a reader nothing.  Bear in mind, though, that the IL is still in the assembly and the CLR still has to execute it, so a disassembler such as ildasm, or a decompiler that copes with the obfuscator’s tricks, can still get at the logic; obfuscation raises the cost of reverse engineering rather than making it impossible.  But as the example shows, without it your original source code is an open book.
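Looking at one method in Reflector is a spot check; before shipping, it pays to confirm that the obfuscator removed everything you expected it to.  The following is an added example, not code from the original post: a small audit program that takes the path of the obfuscated assembly, lists the type, method and field names a decompiler would still display, flags any that are on a must-be-hidden list, and scans the raw file for a string literal in the encoding the CLR uses for user strings (UTF-16) to confirm string encryption applied.  The names and the literal it looks for are hypothetical placeholders for your own.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Text;

// Added example (not from the original post): a post-build audit of an
// obfuscated assembly. Usage: ObfuscationAudit <obfuscated-assembly.dll>
static class ObfuscationAudit
{
    // Identifiers that must not survive in the shipped build (hypothetical).
    static readonly string[] MustBeHidden = { "Left", "CheckLicense", "LicenseValidator" };

    // Literals that must not appear in clear text (hypothetical).
    static readonly string[] MustBeEncrypted = { "ACME-2007-PRO" };

    // Every type, method and field name a decompiler would display.
    public static List<string> VisibleNames(Assembly assembly)
    {
        var names = new List<string>();
        Type[] types;
        try
        {
            types = assembly.GetTypes();
        }
        catch (ReflectionTypeLoadException e)
        {
            types = e.Types; // partial load (missing dependency): keep what resolved
        }
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;
        foreach (Type t in types)
        {
            if (t == null) continue;
            names.Add(t.Name);
            foreach (MethodInfo m in t.GetMethods(all)) names.Add(m.Name);
            foreach (FieldInfo f in t.GetFields(all)) names.Add(f.Name);
        }
        return names;
    }

    // Naive byte search; adequate for assemblies of a few megabytes.
    public static bool ContainsBytes(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return true;
        }
        return false;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ObfuscationAudit <obfuscated-assembly.dll>");
            return 2;
        }
        string path = Path.GetFullPath(args[0]);
        int failures = 0;

        // This is your own build, so a normal load is acceptable. Do not point
        // this at an assembly you do not trust: loading can execute code.
        Assembly assembly = Assembly.LoadFrom(path);
        var visible = new HashSet<string>(VisibleNames(assembly), StringComparer.Ordinal);
        foreach (string name in MustBeHidden)
        {
            if (visible.Contains(name))
            {
                Console.WriteLine("FAIL: identifier still visible: " + name);
                failures++;
            }
        }

        // The CLR stores string literals in the #US heap as UTF-16; resources
        // and attribute arguments may carry the same text as UTF-8, so check both.
        byte[] image = File.ReadAllBytes(path);
        foreach (string literal in MustBeEncrypted)
        {
            if (ContainsBytes(image, Encoding.Unicode.GetBytes(literal)) ||
                ContainsBytes(image, Encoding.UTF8.GetBytes(literal)))
            {
                Console.WriteLine("FAIL: literal present in clear text: " + literal);
                failures++;
            }
        }

        Console.WriteLine(failures == 0 ? "OK: audit passed" : failures + " finding(s)");
        return failures == 0 ? 0 : 1;
    }
}
```

Run it as the last step of the release build and fail the build on a non-zero exit code.  Public members of a class library are normally left unrenamed by obfuscators so that callers still compile against them, which is exactly why a list of names that must disappear is worth keeping by hand.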


Article published on June 2, 2007


5 Responses to “Obfuscation? Gesundheit!”

  1. Timm Says:

    Update: We are switching obfuscators from Xenocode to Eziriz .NET Reactor. Article and obfuscator review coming soon…

  2. Sameera Says:

    Hi,
    Can you please let me know of your experience with .NET Reactor. We are considering it vs. {smartassembly}. The problem with Reactor is that there’s hardly any reviews on it other than those on download sites (which are hard to trust).
    Any input from you would be great.

    Thanks.

  3. Alex Says:

    Reactor is not bad at all, however the support is the worst ever.
    They stop responding to your emails if something is wrong.
    For instance, if you install a new hard drive in your computer,
    the Reactor license expires and you will never ever get your license
    from the vendor.

  4. wcoenen Says:

    Do there exist studies which show that obfuscation decreases piracy or reverse engineering?

    Even if piracy is decreased, is revenue increased? Piracy doesn’t necessarily equal lost sales. It may even have the opposite effect of free advertising.

    As for protecting your business logic from competitors reverse engineering it… What kind of applications are we talking about here? The business logic of a typical application is more or less trivial to figure out by just using the application.

    I’m not so sure this obfuscation thing is useful at all. I’ll believe it when I see some real data.

  5. Timm Says:

    wcoenen:

    You bring up some very good discussion points. I don’t know of any formal studies regarding obfuscation, but absent hard scientific data, sometimes one has to make decisions based on common sense.

    For example, you are correct that business logic is relatively easy to decipher just by studying how software works, but it still takes a lot of effort to write the detailed code. An application we developed recently took 14 months of coding by ten highly skilled developers. So naturally one would expect that it would take a competitor somewhere around 140 man-months to copy our software, maybe a little less with our application as a guide. But without obfuscation, a competitor armed with a good decompiler could reproduce our entire application in about 10 minutes. Without obfuscation, you might as well publish your original C# source code on the Web.

    Regarding piracy, our experience is that piracy does indeed affect sales. Given a choice between paying and getting something for free, especially when it comes to something intangible such as software or music or web content, most people will choose free. If you read the blogs of very successful shareware authors such as Nick Bradbury (HomeSite, TopStyle, FeedDemon) and Chris Thornton (Clipmate), they are able to detect exactly when their software is cracked and posted on the Web because of a sudden dramatic drop in sales. While there may be a small percentage of customers who obtain software via piracy but then develop a conscience and later pay, marketing through piracy is not a winning strategy. A better strategy is to provide a basic free version of your software and have an advanced pay version.

    Bottom line, if you feel comfortable posting your source code on the web, then obfuscation will not benefit you. But if your source code and intellectual property is something you wish to protect, then obfuscation is a must for .NET applications and libraries.

    Thank you for commenting!
