.Net obfuscator suggestions
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111Why are you obfuscating your code? Do you thing obfuscation can stop reverse engineering? IMO, .NET obfuscators are all crap and there is no point in obfuscating your code. You could have written the piece of code that needs to be secured as an un-managed component. Probably with C++. If you have code that is insecure on client machine, you can execute that on your own server by providing a web service/WCF interface rather than providing an obfuscated assembly. I believe obfuscation will also makes reflection tough. :)
Navaneeth How to use google | Ask smart questions
-
Why are you obfuscating your code? Do you thing obfuscation can stop reverse engineering? IMO, .NET obfuscators are all crap and there is no point in obfuscating your code. You could have written the piece of code that needs to be secured as an un-managed component. Probably with C++. If you have code that is insecure on client machine, you can execute that on your own server by providing a web service/WCF interface rather than providing an obfuscated assembly. I believe obfuscation will also makes reflection tough. :)
Navaneeth How to use google | Ask smart questions
The "need" to obfuscate (or rather desirability of obfuscation) is IMO a major flaw in the design of .NET. I can understand that reflection requires that function calls be available but the source code of the contents of those functions, no. Making it necessary to write another component in another language in order to get a secured component is just stupid. Of course all code can be reverse engineered given enough resources but .NET hands you code on a plate. They could surely have included a
secure { }
keyword that prevented reflection on the code it brackets.
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111Hello, I (the peers working on .NET) will recommend SmartAssembly[^]. They're very happy with it. :)
It is a crappy thing, but it's life -^ Carlo Pallini
-
Hello, I (the peers working on .NET) will recommend SmartAssembly[^]. They're very happy with it. :)
It is a crappy thing, but it's life -^ Carlo Pallini
Thanks Rajesh :) Downloading trail...
Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111 -
Thanks Rajesh :) Downloading trail...
Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111Harvey Saayman wrote:
Downloading trail...
I hate it when there's a trail of the stuff that I download... ;)
It is a crappy thing, but it's life -^ Carlo Pallini
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111You can't entirely obfuscate WPF apps. I can hardly wait until my boss realizes that...
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
You can't entirely obfuscate WPF apps. I can hardly wait until my boss realizes that...
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001So, you'll propose VB .NET to him instead? :)
It is a crappy thing, but it's life -^ Carlo Pallini
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111Harvey Saayman wrote:
I need to obfuscate my binaries
Why? If it's required by your boss, well, ok.. but otherwise, honestly why? What is it going to do? It might deter some wannabe hacker - who wouldn't be a real danger anyway..
xenocode wrote:
* Protects .NET code against decompilation and reverse engineering
This is guaranteed to be a lie. Sure they can make .NET decompilers choke on it, but it won't protect against reverse engineering (nothing truly can)
-
The "need" to obfuscate (or rather desirability of obfuscation) is IMO a major flaw in the design of .NET. I can understand that reflection requires that function calls be available but the source code of the contents of those functions, no. Making it necessary to write another component in another language in order to get a secured component is just stupid. Of course all code can be reverse engineered given enough resources but .NET hands you code on a plate. They could surely have included a
secure { }
keyword that prevented reflection on the code it brackets.
I disagree. Ultimately everything has to be compiled to binary. Binary isn't encrypted or protected. What's the point of obfuscating some arbitrary middle layer. native code is just as easily reversible, except less people know how to do it because these isn't a simple tool like reflector. Just look at the number of cracked applications there are out there, that just proves that native code can easily be reversed and modified. If you have anything that you consider to be valuable, you need to take steps to protect it, even if you wrote it in a native language. The fact that .net code is so easily reversible doesn't make any difference. If anything it improves the situation because now people are aware that they mustn't put valuable IP unprotected in source code.
Simon
-
I disagree. Ultimately everything has to be compiled to binary. Binary isn't encrypted or protected. What's the point of obfuscating some arbitrary middle layer. native code is just as easily reversible, except less people know how to do it because these isn't a simple tool like reflector. Just look at the number of cracked applications there are out there, that just proves that native code can easily be reversed and modified. If you have anything that you consider to be valuable, you need to take steps to protect it, even if you wrote it in a native language. The fact that .net code is so easily reversible doesn't make any difference. If anything it improves the situation because now people are aware that they mustn't put valuable IP unprotected in source code.
Simon
Simon Stevens wrote:
What's the point of obfuscating some arbitrary middle layer.
To make it harder to copy. Would you send out a copy of your source code with a closed-source app? I doubt it. .NET isn't much different. Compiled native code makes it much harder to reproduce your IP. Cracked apps are usually just a small patch to get around the protection, not a recompilation of a program with the protection removed. .NET allows you to effectively see the source code which makes it much easier to copy your IP.
-
Hello, I (the peers working on .NET) will recommend SmartAssembly[^]. They're very happy with it. :)
It is a crappy thing, but it's life -^ Carlo Pallini
I second smartassembly, I've been using it for a couple of years. Very good product.
Wout
-
Simon Stevens wrote:
What's the point of obfuscating some arbitrary middle layer.
To make it harder to copy. Would you send out a copy of your source code with a closed-source app? I doubt it. .NET isn't much different. Compiled native code makes it much harder to reproduce your IP. Cracked apps are usually just a small patch to get around the protection, not a recompilation of a program with the protection removed. .NET allows you to effectively see the source code which makes it much easier to copy your IP.
Steve_Harris wrote:
Compiled native code makes it much harder to reproduce your IP.
No, that's my point. I don't think it does, at least not significantly. There are plenty of native debuggers and reverse tools out there. Ok, some inexperienced kid might not be able to do it, but it's still possible. Which to me makes things worse. A lot of people seem to think that compiling c++ code means it is protected and it really isn't. This false belief is more dangerous as they won't do anything to protect something that is genuinely important.
Steve_Harris wrote:
Would you send out a copy of your source code with a closed-source app?
I don't see why not. (I've never written a closed source app) Like I say, to someone who wants it, I don't really think the source is that hidden from then anyway.
Simon
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111From testing with reflector a few months ago, SmartAssembly was the only one to mess stuff up until it couldn't load at all. XHEO CodeVeil, pvLog.net, and DOtfuscator Pro both messed things up to the point that method contents weren't displayable. To make our customer happy (all the other components of the system they were selling were written in C++), we ended up buying Salamander[^] which compiled everything into native code.
It is a truth universally acknowledged that a zombie in possession of brains must be in want of more brains. -- Pride and Prejudice and Zombies
-
You can't entirely obfuscate WPF apps. I can hardly wait until my boss realizes that...
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
really? why not?
-- The Obliterator
I don't know for sure, but the XAML/BAML has something to do with it.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
Thanks Rajesh :) Downloading trail...
Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111A good (and cheaper) alternative is Crypto Obfuscator
-
Hey guys The system I've been developing for the past two years will be going into a live beta phase in a few weeks time, I cant wait to see it out there doing its thing :) I'm very excited! But before this can happen I need to obfuscate my binaries, I've had a look at xenocode's postbuild and dotfuscator so far. Can anyone please recommend and share experiences? It need not be free. Thanks <edit> Looks like the chaps at xenocode have been busy since I last evaluated their product postbuild two years ago.
Key Benefits
\* Protects .NET code against decompilation and reverse engineering \* Converts .NET applications to native binaries that run without the .NET Framework \* Embeds SQL Server Express databases directly into the application binary \* Eliminates compatibility errors by linking all application components into a single EXE \* Optimizes application performance with metadata reduction and code pruningMore info here[^] I'd really like to hear from someone else who uses this, especially about the
Converts .NET applications to native binaries that run without the .NET Frameworkfeature. </edit>Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Occupation == jobTitles.Programmer && you.Passion != Programming)1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111We've evaluated several obfuscation tools and ended up purchasing CliSecure by SecureTeam. Their tool implements advanced obfuscation techniques such as control flow obfuscation & cross assembly obfuscation, however their real competitive edge is their code protection solution. After protecting your assemblies all method bodies appears empty, I've been told that the code is handed to the JIT compiler on a per method basis just when needed. This was the perfect solution for us since we didn't have to go through additional QA cycle once protecting our app due to inconsistencies that are normally introduced when using an obfuscator. Last but not least their support is superb. We got immediate response for any question asked and were satisfied with the quality on feedback we've got.
