Code Protection
-
We're looking for an industrial-strength obfuscator with the following features:
- Obfuscation
- Self-unencrypting binaries
- Tamper resistance (so the program won't run if the binaries have been altered)
I've found the following and was wondering if a) anyone here has had experience with any of them, and b) if anyone knows of anything that I should add to my list of possible products.
- CodeArmor.Net
- CodeVeil
- Salamander Protector
- Spices.Net Obfuscator
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001
-
John Simmons / outlaw programmer wrote:
We're looking for an industrial-strength obfuscator
Perl.
-
John Simmons / outlaw programmer wrote:
- Obfuscation - Self-unencrypting binaries - Tamper resistance (so the program won't run if the binaries have been altered)
I can handle 1 and 3 - call regarding rates and availability...;P
Citizen 20.1.01
'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
-
Any skilled developer can hack around any tamper resistance you care to include in your program. As soon as the binary is out of your hands it's tamperable. The only way to prevent it is to be an application service provider and never give out your code. A skilled developer can reverse-engineer even native code. I've done it myself where a Windows Mobile device OEM provided an API for handling a beeper (as opposed to wave output) which was riddled with race conditions. I worked out how to bypass that API and go straight to the lower level. We're still using this bypass because they still haven't fixed the bugs, more than five years later. What I'm basically saying is that a determined pirate will find a way. Save yourself the pain of encountering a place where the obfuscator does something that the JIT compiler doesn't like. Don't bother with obfuscation.
DoEvents: Generating unexpected recursion since 1991
-
I use MoleBox Pro for different reasons than yours (to pack 3D content with a viewer application) but it may be something to look at. [Edit] I just noticed their FAQ says they plan on adding .NET support, so that will likely rule it out for now. [/edit] Cheers, Drew.
-
I have personal experience with CodeVeil and Spices.Net obfuscator as well as others not on your list. We now use Spices.Net as CodeVeil screwed us over at a very critical moment in time when they didn't have full Vista support and we needed to release a Vista version immediately and the guy told us he would look at the problem in the next month and wasn't interested in full support for Vista until after it had been officially released to the public, which is a crap attitude for a developer making tools for developers. Aside from that one incident they seemed good about support etc.; however, we took an objective look at that point, tested out dozens of obfuscators both encrypting with boot loaders and regular obfuscators and decided that encrypted binaries were more trouble potentially than they were worth. If you sign your assemblies with a strong name they already have tamper resistance anyway and Spices.Net, as all obfuscators, allows for re-signing after obfuscation so you don't really need a product that advertises that feature. An encrypted binary with a loader means you immediately lose the peace of mind of knowing an issue is with your code, because sometimes issues crop up that are with the encryption and loading system (which can be read from memory anyway since it has to be unencrypted *somewhere*). As far as what to add to your list there are a lot of them out there now, I've tried dozens of them over the years and we chose Spices.Net because the price was good for what you get and in the end they (simple obfuscators) all pretty much do the exact same thing, some are easier to use than others and we found Spices to have the best support and easiest to use logical interface.
Note that you will need to set aside a good amount of time to fine tune the settings on whichever product you go with because (particularly with complex multi assembly applications) a lot of stuff will break at the highest level of obfuscation that they all provide. I.E. don't try one at default settings, see your app break and immediately dismiss the obfuscator as being crap, none of them are intelligent enough to not break a complex app the first time around without human intervention.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
While what you say is true only an idiot would release licensed commercial .net code without any obfuscation at all because you're not trying to defend against *skilled* developers, that was never the point of any obfuscation scheme, you're protecting against the average moron with a copy of any of the zillion free tools for opening and generating source code from the assembly. Particularly the area that manages your licensing scheme whatever it happens to be or other proprietary and complex code that you don't want to just give away to an utter moron. And once you understand how it works it's pretty easy to ensure that the JIT is happy at all times.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
Thanks mucho - I passed that on to the boss for consideration.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001
-
Another one is... .NET Reactor
Steve Maier
-
You probably already know about dotfuscator. There is a commercial version, but it is EXPENSIVE.... I noticed another post about strong naming. Be aware that strong name signatures can be removed from a signed assembly. We actually did some of this to try and figure out how a hacker might get into our code easily. There are tools out there that will do this.
David
-
Out of curiosity why is this such a big deal in .Net? When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this. Is there some fundamental difference between how the two runtimes deal with the bytecode?
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
We use Dotfuscator. The free edition is included in VS 2005 (don't know if in 2008 too). It's very powerful, but quite expensive. You could also test a trial version of the much cheaper {smartassembly}
-
I've been using {smartassembly} for my own products for about two years now. Very happy with it. Before I had used Spices.Net for a few years, which wasn't bad either.
Wout
-
I don't know anything about Java, I've never worked with it so I couldn't say but for .net there are numerous tools out there that can take an assembly and easily (one click) convert it back into source code in any supported .net language and when publishing commercial software it behooves one to make it at least difficult to circumvent a licensing system or prevent some chop shop in a 3rd world country from turning your entire application into their entire application and republishing it. Obfuscation is painless, cheap and easy and so it's a no brainer to use it with commercial software, I wouldn't bother of course with anything my livelihood wasn't depending on.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
An intelligent, determined hacker can circumvent *anything* that's not and never has been the point with these tools and it's no argument against taking reasonable precautions if they are cheap and easy and don't affect the software performance adversely. The old adage that locks are only designed to keep honest people out clearly applies to this situation as well. I don't want to spend forever and a lot of money on this, it's not worth it, but I'm not going to "flip up my skirt" either. :) In the end though, most if not the majority of piracy comes from the end users themselves being able to easily pass on your software to their friends not some uber hackers somewhere in a darkened room messing about. Take care of the casual stuff and you pretty much eliminate the problem to any degree worthwhile pursuing.
"The great pleasure in life is doing what people say you cannot do." - Walter Bagehot
-
Jim Crafton wrote:
Is there some fundamental difference between how the two runtimes deal with the bytecode?
Not at all. My guess is that there are more desktop applications written with .NET than Java, or at least more commercial ones. Having said that, a simple search shows that there are many Java bytecode obfuscators as well.
-
Weird, maybe Java was still new enough in 99 that people weren't as concerned, plus very little of our program was desktop based.
¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! VCF Blog
-
The average moron doesn't hack the binaries themselves. They download apps that do it for them, or serial number generators. Obfuscation is truly a waste of money.
-- Kein Mitleid Für Die Mehrheit
-
I'll second Xenocode (see below). We used Spices.Net for a while, but I just found the customer support and desire to keep it up to date better with Xenocode. However, if you really want to know what the obfuscator is like open up the obfuscated code in Reflector and see how intelligible it is.
Deja View - the feeling that you've seen this post before.
-
Jim Crafton wrote:
When I was doing Java coding in 98-99 I don't ever recall anyone worrying about this.
Wow. Obfuscation was SOP for our production builds when I was working with Java in 1999-2001. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com