-
Apr 18th, 2006, 09:32 AM
#1
[02/03] Obfuscation
Hello everyone!
I have searched just about every search engine out there for decent info on obfuscation, I have found some good sites.
I just want to know if anyone out there can help me with some good info on obfuscation, dotfuscator, reflector etc.
VB.NET MVP 2008 - Present
-
Apr 18th, 2006, 10:08 AM
#2
Re: [02/03] Obfuscation
There are two free obfuscators that I know of: Dotfuscator CE with VS and Aspose.Obfuscator. They are both relatively basic but will foil the casual cracker. You may as well use one as it will do no harm, although it adds an extra step between compiling your application and the setup project, if that's what you have. If you want to foil the determined cracker then you'll have to shell out for something a bit stronger. Is your source code really so revolutionary that that is required? Maybe, but probably not.
-
Apr 18th, 2006, 10:45 AM
#3
Addicted Member
Re: [02/03] Obfuscation
I'm all for protecting source code; however, I think
obfuscation is not the right way to go about it.
Coming from the C world, they preach against obfuscation
and now to hear people suggest this as a way for source
code protection, well, I think there's a better way.
If protecting source code isn't such a big deal, then why all
the hoopla over Open Source...
Check out:
http://www.strongbit.com/execryptor.asp
Using Framework 1.1, VB.Net 2003 unless I
state otherwise
-
Apr 18th, 2006, 06:25 PM
#4
Re: [02/03] Obfuscation
Originally Posted by bgard68
Coming from the C world, they preach against obfuscation
and now to hear people suggest this as a way for source
code protection, well, I think there's a better way.
This is not a concern of C as it is compiled into ASM. .Net languages compile to MSIL, which is easily readable in any kind of text editor. Not only that, but there are tons of tools (even included in the .Net framework) that can decompile your code and put it back into C# or VB.Net with even the same variable names.
Originally Posted by bgard68
If protecting source code isn't such a big deal, then why all
the hoopla over Open Source...
Big difference. Open source is free software and is designed to allow anyone to work on coding it. Commercial products, however, don't want others stealing their code, breaking their applications, and creating clones. Because of MSIL, it's extremely simple to re-create entire applications, parts, or just crack it.
Originally Posted by bgard68
Not only does Execryptor obfuscate code, but it does not work with .Net languages (so no C#, VB.Net, J#, or managed C++).
-
Apr 19th, 2006, 01:08 AM
#5
Re: [02/03] Obfuscation
No, it's not for one of my projects. I'm doing research on the whole obfuscation issue, like the pros and the cons, why we should use it, why shouldn't we use it etc.
Any other comments would also be greatly appreciated
VB.NET MVP 2008 - Present
-
Apr 19th, 2006, 01:17 AM
#6
Re: [02/03] Obfuscation
Have you read this? I'm sure that the web sites of obfuscator authors would have more info, as would security-related sites.
-
Apr 19th, 2006, 01:55 AM
#7
Re: [02/03] Obfuscation
I believe you should protect your source code by at least obfuscating it if you're selling your app. Also, if it's a large app or one that will sell for decent $'s then it may be worth buying a higher end obfuscation program.
If you're not worried about someone stealing your source code then don't protect it or make it open source and beat anyone to the punch by getting a GNU General Public License.
VB/Office Guru™ (AKA: Gangsta Yoda™ ®)
I dont answer coding questions via PM. Please post a thread in the appropriate forum.
Microsoft MVP 2006-2011
Office Development FAQ (C#, VB.NET, VB 6, VBA)
Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
If a post has helped you then Please Rate it!
• Reps & Rating Posts • VS.NET on Vista • Multiple .NET Framework Versions • Office Primary Interop Assemblies • VB/Office Guru™ Word SpellChecker™.NET • VB/Office Guru™ Word SpellChecker™ VB6 • VB.NET Attributes Ex. • Outlook Global Address List • API Viewer utility • .NET API Viewer Utility •
System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6
-
Apr 19th, 2006, 07:57 AM
#8
Addicted Member
Re: [02/03] Obfuscation
Kasracer:
I've tested ExeCryptor against .Net executables and it does work, so I'm not sure what source of info you're getting that from.
Also, I know the difference between OpenSource and Commercial software.
I've worked on both.
Again, I was stating that I think there is a better way of protecting your
source code other than obfuscation.
With obfuscation, people can still see your source code and a good hacker
will be able to reconstruct the code!
Last edited by bgard68; Apr 19th, 2006 at 08:01 AM.
Using Framework 1.1, VB.Net 2003 unless I
state otherwise
-
Apr 19th, 2006, 08:38 AM
#9
Re: [02/03] Obfuscation
I obfuscate my code not because I think it's so good that people will want to steal the source.. but mostly just to keep the average "guy who thinks he knows what he is doing" away from trying to exploit the software.
-
Apr 19th, 2006, 09:13 AM
#10
Re: [02/03] Obfuscation
Firstly thanx for all the answers and advice!
This is exactly what I was afraid of: the bad things and good things from everybody's point of view.
I honestly can't say that I particularly like the whole idea of obfuscation - I know it's to protect code (pruning etc.). But still I don't know whether it is worth it or not.
I was planning to write an article about obfuscation for CG, but the more I did research, the more I'm not convinced that I should. I have written a FAQ for CG, about obfuscation some time ago, and I think that's as far as I would go with obfuscation; unless somebody else can convince me that obfuscation is worth it.
VB.NET MVP 2008 - Present
-
Apr 19th, 2006, 12:55 PM
#11
Re: [02/03] Obfuscation
Maybe create a poll so you can get an actual vote on if members who are in the professional industry are using it or not.
-
Apr 19th, 2006, 01:50 PM
#12
Re: [02/03] Obfuscation
What is the downside to using it on compiled IL exes? It doesn't make it slower.. it just renames all the methods...
-
Apr 19th, 2006, 06:17 PM
#13
Re: [02/03] Obfuscation
Originally Posted by bgard68
I've tested ExeCryptor against .Net executables and it does work, so I'm not sure what source of info you're getting that from.
...from their own website. They didn't say their application worked with .Net, but listed just about every other language.
Originally Posted by bgard68
Also, I know the difference between OpenSource and Commercial software.
I've worked on both.
You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question...
Originally Posted by bgard68
Again, I was stating that I think there is a better way of protecting your
source code other than obfuscation.
With obfuscation, people can still see your source code and a good hacker
will be able to reconstruct the code!
Of course, no one was ever arguing with that. Obfuscation helps to hide the intent of your source code so it protects against some of the script kiddies. Also, since your variable names are still compiled into MSIL, obfuscation can sometimes make your app smaller by making variable names 1-2 letters long.
-
Apr 20th, 2006, 01:12 AM
#14
Re: [02/03] Obfuscation
Thanx!
How do you guys feel about cryptography (SHA 1, MD 5 etc.)?
Can I use it in the same sentence of obfuscation (if you get what I mean)?
Then, which would you prefer, obfuscation or cryptography?
VB.NET MVP 2008 - Present
-
Apr 20th, 2006, 02:30 AM
#15
Re: [02/03] Obfuscation
Originally Posted by bgard68
Kasracer:
I've tested ExeCryptor against .Net executables and it does work, so I'm not sure what source of info you're getting that from.
With a framework 2.0 app it did not work for me. Sure, it encrypted it, but I got an application failed to initialize error on run.
Bill
-
Apr 20th, 2006, 07:52 AM
#16
Addicted Member
Re: [02/03] Obfuscation
kasracer:
"You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question"
It's called a rhetorical question....
Using Framework 1.1, VB.Net 2003 unless I
state otherwise
-
Apr 20th, 2006, 09:13 AM
#17
Re: [02/03] Obfuscation
Originally Posted by bgard68
kasracer:
"You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question"
It's called a rhetorical question....
I know it was a rhetorical question, but it makes absolutely no sense why you'd even say it as it's comparing apples to oranges. Again, the "rhetorical question" was asking "why protecting source was such a big deal because of the open-source 'hoopla.'" It's comparing two different sectors working towards two different goals and it doesn't add to the thread (or even a positive point for your side).
-
May 6th, 2006, 03:30 AM
#18
New Member
Re: [02/03] Obfuscation
EXECryptor is not intended to protect .Net apps. However it strongly obfuscates the Win32 platform pros. I don't know if 'obfuscation' is the right definition for the execryptor technique. It transforms code completely, destroying its logic, but the code remains working. Its strength is in that it does not decrypt the code when running, unlike other protectors. So the code execution logic always remains hidden.
See: http://www.strongbit.com/execryptor_inside.asp
-
May 6th, 2006, 12:05 PM
#19
Re: [02/03] Obfuscation
The biggest issue I have seen with any type of obfuscation is that it destroys any hard coded internal reflection logic you may use in your code. Since methods get renamed, if you use reflection in any way (most commonly with things like enums) the names have been changed (to protect the innocent) and it will cause errors.
So if you obfuscate your application, you should test it before AND after. You may find the program bombs out after obfuscation, and will require you either don't obfuscate, or change some of the code to handle it.
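The reflection breakage described in the post above, as an added example that is not part of the original thread or any poster's code. The type and member names (`a`, `b`, `ComputeTotal`, `OrderState`) are constructed for illustration: `a.b` stands in for what an obfuscator might turn a source-level `Calculator.ComputeTotal` into.

```vbnet
Imports System
Imports System.Reflection

' Constructed sample: the class and method as they might look AFTER renaming.
' In source these were Calculator and ComputeTotal (hypothetical names).
Public Class a
    Public Function b(ByVal qty As Integer) As Integer
        Return qty * 2
    End Function
End Class

Public Enum OrderState
    Pending = 0
    Shipped = 1
End Enum

Module ReflectionAfterRename
    Delegate Function TotalFn(ByVal qty As Integer) As Integer

    ' Fragile pattern: the member is found through a string literal.
    ' A renaming obfuscator changes the member but not the literal.
    Function InvokeByName(ByVal target As Object, ByVal methodName As String,
                          ByVal arg As Integer) As Object
        Dim mi As MethodInfo = target.GetType().GetMethod(methodName)
        If mi Is Nothing Then
            Throw New MissingMethodException(target.GetType().Name, methodName)
        End If
        Return mi.Invoke(target, New Object() {arg})
    End Function

    Sub Main()
        Dim calc As New a()

        ' 1. Lookup by the source-level name fails once the method is renamed.
        Try
            InvokeByName(calc, "ComputeTotal", 3)
        Catch ex As MissingMethodException
            Console.WriteLine("Lookup by source name failed: " & ex.Message)
        End Try

        ' 2. A delegate is bound by the compiler, so it follows the rename.
        Dim fn As TotalFn = AddressOf calc.b
        Console.WriteLine("Delegate call: " & fn(3))

        ' 3. Enums: store the numeric value, not the member name.
        '    Enum.Parse on a stored name would fail if the members were renamed.
        Dim stored As Integer = CInt(OrderState.Shipped)
        Dim restored As OrderState = CType(stored, OrderState)
        Console.WriteLine("Enum restored by value: " & (restored = OrderState.Shipped))
    End Sub
End Module
```

Where a name must survive (serialization, data binding, plug-in lookup), the usual alternative is to exclude that member from renaming in the obfuscator's configuration; from .NET Framework 2.0 on, `System.Reflection.ObfuscationAttribute` with `Exclude:=True` is the standard marker for tools that honor it.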
-
May 12th, 2006, 03:41 AM
#20
New Member
Re: [02/03] Obfuscation
You're right, it is not easy. Generally software protection challenges are not easy. So I think the more complex the protection is, the stronger it is.
-
May 12th, 2006, 04:05 AM
#21
Re: [02/03] Obfuscation
I have never worked in an environment where we obfuscated code, but I have mostly worked in Corporate America.
On a personal level I don't see much of the point unless you have something really ground breaking. Generally speaking wouldn't the person running your code have already paid you for it? If so then I say mod away and do what you can with it.
I like the apps I use to be highly configurable or hackable if functionality I need is not provided. That is my 2 cents anyway.
I also use a lot of reflection so what kleinma mentioned really jacked me the one time I did try to use obfuscation. Definitely test before and after if you do use it.
-
May 12th, 2006, 04:15 AM
#22
Re: [02/03] Obfuscation
Be aware that obfuscating your code will reduce the usefulness of the stack trace type information that is returned should your application crash... I suppose this should be balanced against the threat of someone stealing your code, but I personally don't think obfuscation is an appropriate way of protecting intellectual property.
-
May 13th, 2006, 01:29 PM
#23
Fanatic Member
Re: [02/03] Obfuscation
I use RemoteSoft Protector. So far it is very good.
It does not only obfuscate the code but it also compiles it into native code.
They have created a compiler of .NET.
So there is no MSIL at all and you cannot even theoretically see the MSIL code.
Also it encrypts the native code.
When you put the assembly in a decompiler the only code you get is the function name
and a return Nothing. That's all.
-
May 13th, 2006, 07:16 PM
#24
Re: [02/03] Obfuscation
I use RemoteSoft Protector. So far it is very good.
It does not only obfuscate the code but it also compiles it into native code.
They have created a compiler of .NET.
So there is no MSIL at all and you cannot even theoretically see the MSIL code.
Also it encrypts the native code.
When you put the assembly in a decompiler the only code you get is the function name
and a return Nothing. That's all.
Let's not forget that Salamander is US$1900, which is a bit out of reach for many. It also breaks any link that your app has to the Framework so you lose any advantages that managed code provides. It's a possible solution, although not a panacea and not cheap.
-
Jun 1st, 2006, 05:52 AM
#25
New Member
Re: [02/03] Obfuscation
Originally Posted by Edneeis
I have never worked in an environment where we obfuscated code, but I have mostly worked in Corporate America.
On a personal level I don't see much of the point unless you have something really ground breaking. Generally speaking wouldn't the person running your code have already paid you for it? If so then I say mod away and do what you can with it.
I like the apps I use to be highly configurable or hackable if functionality I need is not provided. That is my 2 cents anyway.
I agree it will be more handy to a user if he can modify the purchased program.
So far ExeCryptor is a flexible and universal tool.
In such a case it would be better for the software author to protect the trial version so it cannot be cracked and turned into the full one, and after registration provide customers with the unwrapped app.
-
Jun 1st, 2006, 10:14 AM
#26
Frenzied Member
Re: [02/03] Obfuscation
Originally Posted by kleinma
The biggest issue I have seen with any type of obfuscation is that it destroys any hard coded internal reflection logic you may use in your code. Since methods get renamed, if you use reflection in any way (most commonly with things like enums) the names have been changed ... and it will cause errors.
Yes, I've seen that happen as well. I thought maybe there was a way to stop Dotfuscator CE from altering the enums, but I've never bothered to sit down and research it.
I obfuscate all the apps I make at work - even though they sit on tightly protected and locked down servers. I figure if something ever happened, at least I did my part to keep the database username and password protected from prying eyes.
~Peter
-
Jun 1st, 2006, 10:16 AM
#27
Re: [02/03] Obfuscation
Originally Posted by MrGTI
Yes, I've seen that happen as well. I thought maybe there was a way to stop Dotfuscator CE from altering the enums, but I've never bothered to sit down and research it.
I obfuscate all the apps I make at work - even though they sit on tightly protected and locked down servers. I figure if something ever happened, at least I did my part to keep the database username and password protected from prying eyes.
Yeah, you can, but it's pretty tedious work...
I think in the future, perhaps the next release of VS, we will see some enhancements to code security.. I mean if MS expects big software companies to take .NET seriously, they need to deliver the security out of the box, not tell you to use some 3rd party sorta works obfuscation tool...
-
Jun 7th, 2006, 09:55 AM
#28
Fanatic Member
Re: [02/03] Obfuscation
I agree with kleinma. Anyway, what we are selling is code, so why should everyone
be able to steal what we are selling and make a second application that copies code from us?
I am not against open source at all but the problem is that we live in an imperfect world
and we should somehow ask for money for the profession we are doing.
-
Oct 5th, 2006, 03:49 AM
#29
New Member
Re: [02/03] Obfuscation
Originally Posted by alexandros
I am not against open source at all but the problem is that we live in an imperfect world
and we should somehow ask for money for the profession we are doing.
My point of view is a little different that confirms my developer/author experience. Having well protected my app I no longer lose money on cracked versions. And I have now much more 'honest' users.
-
Oct 9th, 2006, 07:59 AM
#30
New Member
Re: [02/03] Obfuscation
Originally Posted by HanneSThEGreaT
Thanx!
How do you guys feel about cryptography (SHA 1, MD 5 etc.)?
Can I use it in the same sentence of obfuscation (if you get what I mean)?
Then, which would you prefer, obfuscation or cryptography?
If your question is related to app protection, commonly the encryption method is weak enough there. The encryption based protections decrypt the app code when it runs. Then the app may be analysed by an intrusion. The code obfuscation (I know also Code morphing) is stronger because the code is executed in a "garbage" state.