
Interesting Read - Obfuscation is Dead. Long live Obfuscation

  • realJSOP wrote:

    http://jcooney.net/post/2010/06/06/The-sad-(but-inevitable)-state-of-NET-Obfuscation.aspx[^]

    ".45 ACP - because shooting twice is just silly" - JSOP, 2010
    -----
    You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
    -----
    "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

    Nemanja Trifunovic wrote (#4):

    IMHO, people are expecting too much when it comes to obfuscation. Yes, it may be useful to deter a casual amateur hacker from reverse-engineering an application, but that's it. If a skilled and determined person wants to see the internals of an application, they will eventually attach a debugger to it and see the assembly code - there is nothing you can do to prevent it if you are shipping binaries to customers.

    utf8-cpp

      Pete OHanlon wrote (#5):

      We only do obfuscation because our clients demand it.

      I'm not a stalker, I just know things. Oh by the way, you're out of milk.

      Forgive your enemies - it messes with their heads

      My blog | My articles | MoXAML PowerToys | Onyx

        Dan Neely wrote (#6):

        True enough. I have used a tool that compiled MSIL to native code and bundled in all the needed native assemblies from the framework (so instead of a 2 meg app, and a 400 meg framework you had a 100 meg app) when a client wanted the version of an app we wrote for them to be as secure as the portion of a system written in C++. Unfortunately the software was sufficiently brittle (it would break new service packs (hotfixes???) to the framework) and buggy (I had to manually add several dlls it overlooked) that I can't recommend it to anyone.

        3x12=36 2x12=24 1x12=12 0x12=18

          realJSOP wrote (#7):

          I just submitted my final recommendation (after a week of research, combined with dickin' around with a dozen different packages) - avoid doing it if possible. We'll see what happens.

          ".45 ACP - because shooting twice is just silly" - JSOP, 2010
          -----
          You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
          -----
          "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

            Gary R Wheeler wrote (#8):

            Obfuscation for my .NET application would be worthless. First, the app itself is merely a front end to a group of native mode Windows services. While the UI app does provide significant value to the customer, it's not rocket science and doesn't contain any significant IP elements. Second, and most important, stealing the app doesn't buy you anything. The app and the services are used to run a $2-5M piece of equipment, making the value of the app in the system price essentially zero. We actually make our money from consumables and refurbishment. The only reason I could see to obfuscate our application would be to protect it from competitors' prying eyes. If they want to steal my eye candy, so be it. Given that the functional code is natively compiled and embedded in dozens of processors, I'm not too worried.

            Software Zen: delete this;
            Fold With Us![^]

              Mark_Wallace wrote (#9):

              I have yet to come across an argument that convinces me that the value achieved from obfuscation in any way outweighs the effort and extra resources required to implement it.

              I wanna be a eunuchs developer! Pass me a bread knife!

                Michael Kingsford Gray wrote (#10):

                Obfuscation is like a locked door. It deters casual snoopers and juvenile vandals, but not professional burglars.

                  Fabio Franco wrote (#11):

                  Reverse engineering was never limited to .NET assemblies. Native code binaries have always been reverse engineered. Obfuscation helps make reverse engineering closer in difficulty to that of native code binaries. It can keep the less hardcore crackers from getting sensitive information or stealing code. But no binary (native or IL) can avoid being reverse engineered. This is as true as the few days it takes after a game is released for a crack to be available. Does it mean I should not obfuscate my application? It depends. If I'm just trying to keep my client's employee from cracking the encryption key, it might be well worth it. But it all depends on the case; I don't believe obfuscation is simply dismissible.

                    Fabio Franco wrote (#12):

                    Perhaps they have a reason for it. I believe obfuscation is a case by case analysis. See my reply...

                      peterchen wrote (#13):

                      I can imagine a few less dubious uses. The one thing surprising for me is that it can be done with a generic tool. Hats off! There's probably a lot of code out there that could benefit from that before obfuscation.

                      Agh! Reality! My Archnemesis![^]
                      | FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy

                        Dan Suthar wrote (#14):

                        :sigh: This is how computers are designed! And still the IT industry earns a lot from software! Perhaps laws make them buy legal ones! But I think msft should do something, even a little, to make .NET exes safe from the usual crackers! :-\

                          peterchen wrote (#15):

                          Dan Suthar wrote:

                          this is how computers are designed!

                          This has nothing to do with computers, but (meta-)algorithms for analysis and transformation of algorithms. For sure, opportunities for obfuscation are limited. Still, a "generic tool" means that every equivalent implementation of an algorithm can be automatically transformed into a "readable" one. That's certainly a feat.

                          Agh! Reality! My Archnemesis![^]
                          | FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy

                            Member 96 wrote (#16):

                            Nemanja Trifunovic wrote:

                            IMHO, people are expecting too much when it comes to obfuscation.

                            I think this is a commonly held misconception. I would be utterly surprised if there was anyone using an obfuscator in a commercial app who really thought that it was bulletproof. On the contrary I think those of us using obfuscation know its limitations and use them accordingly.


                            There is no failure only feedback

                              Member 96 wrote (#17):

                              People seem to think that because it's easy to de-obfuscate that it's crazy to obfuscate in the first place. This is just plain wrong. For example it's easy to break into a vehicle, any one of us could do it, does that mean none of us should ever lock our doors? It's all a matter of degrees, obviously nothing is going to stop a career criminal, but it will certainly keep honest people honest. It's a form of insurance and peace of mind and it's cheap and easy to do and I guarantee you that for a large complex app it's more work to recreate a working app from a properly obfuscated copy than it is to simply write it over again from scratch. That's all I care about, that and semi protection of our licensing code. Beyond that I doubt there are really any truly new ground breaking algorithms in computer science that need protecting, despite all the patent claims to the contrary.


                              There is no failure only feedback

                                Joe Simes wrote (#18):

                                I obfuscate my code to keep my customers from seeing what a hack I really am! :-D

                                  James Lonero wrote (#19):

                                  If you're trying to protect algorithms, then try patenting. They are good legal protection.
