Should You Obfuscate a Commercial .Net Application

Should you obfuscate a commercial .Net application?

You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.

It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.

Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)

You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.

Should I be worried about obfuscating my .NET code?

I wouldn't worry about it too much. I'd rather focus on putting out an awesome product, getting a good user base, and treating your customers right than worry about the minimal percentage of users concerned with stealing your code or looking at the source.

Is .NET code obfuscation really worth it?

I think its worth it. The cost to you is virtually nothing, and you make the hacker's life much harder. Even if they crack it, you have the satisfaction of knowing you wasted anywhere from several hours to several weeks of their lives. Just because a lock isn't perfect doesn't mean you don't lock your doors.

Is it a good idea to use .Net for commercial software?

I would consider the ability to reverse all the way back to variable names (and perhaps comments) a feature. .NET Reflector and the Java Decompiler are quite nice.

Even if it was written in C or C++, to an RCE it means nothing. People cut their teeth reading assembly and tinkering with OllyDBG, IDA Pro, and the like. Microsoft offers their own tools for reversing native code as well.

Considering how much commercial Java and .NET software is already around (and how easily it is decompiled), I doubt using .NET, over Java, over C++, C or assembly would make much of a difference when comparing how easy it is to get back the original source form.

Having said that, most of the commercial .NET software I have encountered writes the core of their program in (what appears to be) a C++ library and then interfaces with that through a .NET app.

How effective is obfuscation?

I've discussed why I don't think Obfuscation is an effective means of protection against cracking here:

Protect .NET Code from reverse engineering

However, your question is specifically about source theft, which is an interesting topic. In Eldad Eiliams book, "Reversing: Secrets of Reverse Engineering", the author discusses source theft as one reason behind reverse engineering in the first two chapters.

Basically, what it comes down to is the only chance you have of being targeted for source theft is if you have some very specific, hard to engineer, algorithm related to your domain that gives you a leg up on your competition. This is just about the only time it would be cost-effective to attempt to reverse engineer a small portion of your application.

So, unless you have some top-secret algorithm you don't want your competition to have, you don't need to worry about source theft. The cost involved with reversing any significant amount of source-code out of your application quickly exceeds the cost of re-writing it from scratch.

Even if you do have some algorithm you don't want them to have, there isn't much you can do to stop determined and skilled individuals from getting it anyway (if the application is executing on their machine).

Some common anti-reversing measures are:

  • Obfuscating - Doesn't do much in terms of protecting your source or preventing it from being cracked. But we might as well not make it totally easy, right?
  • 3rd Party Packers - Themida is one of the better ones. Packs an executable into an encrypted win32 application. Prevents reflection if the application is a .NET app as well.
  • Custom Packers - Sometimes writing your own packer if you have the skill to do so is effective because there is very little information in the cracking scene about how to unpack your application. This can stop inexperienced RE's. This tutorial gives some good information on writing your own packer.
  • Keep industry secret algorithms off the users machine. Execute them as a remote service so the instructions are never executed locally. The only "fool-proof" method of protection.

However, packers can be unpacked, and obfuscation doesn't really hinder those who want to see what you application is doing. If the program is run on the users machine then it is vulnerable.

Eventually its code must be executed as machine code and it is normally a matter of firing up debugger, setting a few breakpoints and monitoring the instructions being executed during the relevant action and some time spent poring over this data.

You mentioned that it took you several months to write ~20kLOC for your application. It would take almost an order of magnitude longer to reverse those equivalent 20kLOC from your application into workable source if you took the bare minimum precautions.

This is why it is only cost-effective to reverse small, industry specific algorithms from your application. Anything else and it isn't worth it.

Take the following fictionalized example: Lets say I just developed a brand new competing application for iTunes that had a ton of bells and whistles. Let say it took several 100k LOC and 2 years to develop. One key feature I have is a new way of serving up music to you based off your music-listening taste.

Apple (being the pirates they are) gets wind of this and decides they really like your music suggest feature so they decide to reverse it. They will then hone-in on only that algorithm and the reverse engineers will eventually come up with a workable algorithm that serves up the equivalent suggestions given the same data. Then they implement said algorithm in their own application, call it "Genius" and make their next 10 trillion dollars.

That is how source theft goes down.

No one would sit there and reverse all 100k LOC to steal significant chunks of your compiled application. It would simply be too costly and too time consuming. About 90% of the time they would be reversing boring, non-industry-secretive code that simply handled button presses or handled user input. Instead, they could hire developers of their own to re-write most of it from scratch for less money and simply reverse the important algorithms that are difficult to engineer and that give you an edge (ie, music suggest feature).

.NET obfuscation tools/strategy

Back with .Net 1.1 obfuscation was essential: decompiling code was easy, and you could go from assembly, to IL, to C# code and have it compiled again with very little effort.

Now with .Net 3.5 I'm not at all sure. Try decompiling a 3.5 assembly; what you get is a long long way from compiling.

Add the optimisations from 3.5 (far better than 1.1) and the way anonymous types, delegates and so on are handled by reflection (they are a nightmare to recompile). Add lambda expressions, compiler 'magic' like Linq-syntax and var, and C#2 functions like yield (which results in new classes with unreadable names). Your decompiled code ends up a long long way from compilable.

A professional team with lots of time could still reverse engineer it back again, but then the same is true of any obfuscated code. What code they got out of that would be unmaintainable and highly likely to be very buggy.

I would recommend key-signing your assemblies (meaning if hackers can recompile one they have to recompile all) but I don't think obfuscation's worth it.

Protect .Net application from Deobfuscators?

No app is 100% protected, but the commercial obfuscators make a pretty good job of making it hard.

Do you obfuscate your commercial Java code?

If you do obfuscate, stay away from obfuscators that modify the code by changing code flow and/or adding exception blocks and such to make it hard to disassemble it. To make the code unreadable it is usually enough to just change all names of methods, fields and classes.

The reason to stay away from changing code flow is that some of those changes makes it impossible for the JVM to efficiently optimize the code. In effect it will actually degrade the performance of your application.

Deploying C# application (Obfuscation)

Visual studio contains the "Dotfuscator" (Tools->Dotfuscator Software Services in VS 2010) which obfuscates your code for you. It can pose certain problems if you implement reflection in your code, but it does give you options as to what you want it to do to your code, so there is some flexibility there as well.


Related Topics

Get List of Zero Reference Codes in Visual Studio

Usage of Appdomain in C#

How to Loop Through a List<T> and Grab Each Item

How to "Await Yield Return Dosomethingasync()"

How to Get the Network Interface and Its Right Ipv4 Address

Does Mstest Have an Equivalent to Nunit's Testcase

How to Print Webview Content in a Windows Store App

How to Split Text into Words

Entity Framework: How to Disable Lazy Loading for Specific Query

How to Add 'Comments' to a Jpeg File Using C#

How to Parse Very Huge Xml Files in C#

C# Hashcode for Array of Ints

Creating Diagonal Pattern in Wpf

Why Does Visual Studio Type a Newly Minted Array as Nullable

Invalidoperationexception - Object Is Currently in Use Elsewhere

Using Dataannotations with Entity Framework

Minimal and Correct Way to Map One-To-Many with Nhibernate

Extremely Large Single-Line File Parse


Leave a reply



Submit