Results 1 to 30 of 30

Thread: [02/03] Obfuscation

  1. #1

    Thread Starter
    Frenzied Member HanneSThEGreaT's Avatar
    Join Date
    Nov 2003
    Location
    Vereeniging, South Africa
    Posts
    1,492

    Question [02/03] Obfuscation

    Hello everyone!

    I have searched just about every search engine out there for decent info on obfuscation, I have found some good sites.
    I just want to know if anyone out there can help me with some good info on obfuscation, dotfuscator, reflector etc.
    VB.NET MVP 2008 - Present

  2. #2
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,297

    Re: [02/03] Obfuscation

    There are two free obfuscators that I know of: Dotfuscator CE with VS and Aspose.Obfuscator. They are both relatively basic but will foil the casual cracker. you may as well use one as it will do no harm, although it adds an extra step between compiling your application and the setup project, if that's what you have. If you want to foil the determined cracker then you'll have to shell out for something a bit stronger. Is your source code really so revolutionary that that is required? Maybe, but probably not.

  3. #3
    Addicted Member bgard68's Avatar
    Join Date
    Mar 2006
    Location
    Arkansas
    Posts
    164

    Re: [02/03] Obfuscation

    Im all for protecting source code , however, I think
    obfuscation is not the right way to go about it.

    Coming from the C world, they preach against obfuscation
    and now to hear people suggest this as a way for source
    code protection, well, I think theres a better way.

    If protecting source code isnt such a big deal, then why all
    the hooplah over Open Source...

    Check out:
    http://www.strongbit.com/execryptor.asp
    Using Framework 1.1, VB.Net 2003 unless I
    state otherwise

  4. #4
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: [02/03] Obfuscation

    Quote Originally Posted by bgard68
    Coming from the C world, they preach against obfuscation
    and now to hear people suggest this as a way for source
    code protection, well, I think theres a better way.
    This is not a concern of C as it compiled into ASM. .Net languages compile to MSIL, which is easily readable in any kind of text editor. Not only that, but there are tons of tools (even included in the .Net framework) that can decompile your code and put it back into C# or VB.Net with even the same variable names.
    Quote Originally Posted by bgard68
    If protecting source code isnt such a big deal, then why all
    the hooplah over Open Source...
    Big difference. Open source is free software and is designed to allow anyone to work on coding it. Commercial products, however; don't want others stealing their code, breaking their applications, and creating clones. Becuase of MSIL, it's extremely simple to re-create entire applications, parts, or just cracking it.
    Quote Originally Posted by bgard68
    Not only does Execryptor obfusticate code, but it does not work with .Net languages (so no C#, VB.Net, J#, or managed C++).
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  5. #5

    Thread Starter
    Frenzied Member HanneSThEGreaT's Avatar
    Join Date
    Nov 2003
    Location
    Vereeniging, South Africa
    Posts
    1,492

    Re: [02/03] Obfuscation

    No, it's not for one of my projects. I'm doing research on the whole obfuscation issue, like the pros and the cons, why we should use it, why shouldn't we use it etc.

    Any other comments would also be greatly appreciated
    VB.NET MVP 2008 - Present

  6. #6
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,297

    Re: [02/03] Obfuscation

    Have you read this? I'm sure that the web sites of obfuscator authors would have more info, as would security-related sites.

  7. #7
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,710

    Re: [02/03] Obfuscation

    I believe you should protect your source code by at least obfusticating it if your selling your app. Also, if its a large app or one that will sell for decent $'s then it may be worth buying a higher end obfustication program.

    If your not worried about someone stealing your source code then dont protect it or make it open source and beat anyone to the punch by getting a GNU General Public License.
    VB/Office Guru™ (AKA: Gangsta Yoda®)
    I dont answer coding questions via PM. Please post a thread in the appropriate forum.

    Microsoft MVP 2006-2011
    Office Development FAQ (C#, VB.NET, VB 6, VBA)
    Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
    If a post has helped you then Please Rate it!
    Reps & Rating PostsVS.NET on Vista Multiple .NET Framework Versions Office Primary Interop AssembliesVB/Office Guru™ Word SpellChecker™.NETVB/Office Guru™ Word SpellChecker™ VB6VB.NET Attributes Ex.Outlook Global Address ListAPI Viewer utility.NET API Viewer Utility
    System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6

  8. #8
    Addicted Member bgard68's Avatar
    Join Date
    Mar 2006
    Location
    Arkansas
    Posts
    164

    Re: [02/03] Obfuscation

    Kasracer:

    Ive tested ExeCryptor against .Net executables and it does work, so Im not sure what source of info your getting that from.

    Also, I know the difference between OpenSource and Commercial software.
    Ive worked on both.

    Again, I was stating that I think there is a better way of protecting your
    source code other than obfuscation.

    With obfuscation, people can still see your source code and a good hacker
    will be able to reconstruct the code!
    Last edited by bgard68; Apr 19th, 2006 at 08:01 AM.
    Using Framework 1.1, VB.Net 2003 unless I
    state otherwise

  9. #9
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [02/03] Obfuscation

    I obfuscate my code not because I think its so good that people will want to steal the source.. but mostly just to keep the average "guy who thinks he knows what is doing" away from trying to exploit the software

  10. #10

    Thread Starter
    Frenzied Member HanneSThEGreaT's Avatar
    Join Date
    Nov 2003
    Location
    Vereeniging, South Africa
    Posts
    1,492

    Re: [02/03] Obfuscation

    Firstly thanx for all the answers and advice!

    This is exactly what I was afraid of, The bad things and good things from everybody's point of view.

    I honestly can't say that I particularly like the whole idea of obfuscation - I know it's to protect code (pruning etc.). But still I don't know whether it is worth it or not.
    I was planning to write an article about obfuscation for CG, but the more I did research, the more I'm not convinced that I should. I have written a FAQ for CG, about obfuscation some time ago, and I think that's as far as I would go with obfuscation; unless somebody else can convince me that obfuscation is worth it.
    VB.NET MVP 2008 - Present

  11. #11
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,710

    Re: [02/03] Obfuscation

    Maybe create a poll so you can get an actual vote on if members who are in the professional industry are using it or not.
    VB/Office Guru™ (AKA: Gangsta Yoda®)
    I dont answer coding questions via PM. Please post a thread in the appropriate forum.

    Microsoft MVP 2006-2011
    Office Development FAQ (C#, VB.NET, VB 6, VBA)
    Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
    If a post has helped you then Please Rate it!
    Reps & Rating PostsVS.NET on Vista Multiple .NET Framework Versions Office Primary Interop AssembliesVB/Office Guru™ Word SpellChecker™.NETVB/Office Guru™ Word SpellChecker™ VB6VB.NET Attributes Ex.Outlook Global Address ListAPI Viewer utility.NET API Viewer Utility
    System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6

  12. #12
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [02/03] Obfuscation

    what is the downside to using it on compiled IL exes? It doesn't make it slower.. it just renames all the methods...

  13. #13
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: [02/03] Obfuscation

    Quote Originally Posted by bgard68
    Ive tested ExeCryptor against .Net executables and it does work, so Im not sure what source of info your getting that from.
    ...from their own website. They didn't say their application worked with .Net, but listed just about every other language.
    Quote Originally Posted by bgard68
    Also, I know the difference between OpenSource and Commercial software.
    Ive worked on both.
    You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question...
    Quote Originally Posted by bgard68
    Again, I was stating that I think there is a better way of protecting your
    source code other than obfuscation.

    With obfuscation, people can still see your source code and a good hacker
    will be able to reconstruct the code!
    Of course, no one was ever arguing with that. Obfustication helps to hide the intent of your source code so it protects against some of the script kiddies. Also, since your variable names are still compiled into MSIL, obfustication can sometimes make your app smaller by making variable names 1-2 letters long.
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  14. #14

    Thread Starter
    Frenzied Member HanneSThEGreaT's Avatar
    Join Date
    Nov 2003
    Location
    Vereeniging, South Africa
    Posts
    1,492

    Re: [02/03] Obfuscation

    Thanx!
    How do you guys feel about cryptography (SHA 1, MD 5 etc.) ¿
    Can I use it in the same sentence of obfuscation (if you get what I mean) ¿
    Then, Which Would you prefer, obfuscation or cryptography ¿
    VB.NET MVP 2008 - Present

  15. #15
    Frenzied Member conipto's Avatar
    Join Date
    Jun 2005
    Location
    Chicago
    Posts
    1,175

    Re: [02/03] Obfuscation

    Quote Originally Posted by bgard68
    Kasracer:

    Ive tested ExeCryptor against .Net executables and it does work, so Im not sure what source of info your getting that from.
    With a framework 2.0 app it did not work for me. Sure, it encrypted it, but I got an application failed to initialize error on run.

    Bill
    Hate Adobe Acrobat? My Codebank Sumbissions - Easy CodeDom Expression evaluator: (VB / C# ) -- C# Scrolling Text Display

    I Like to code when drunk. Don't say you weren't warned.

  16. #16
    Addicted Member bgard68's Avatar
    Join Date
    Mar 2006
    Location
    Arkansas
    Posts
    164

    Re: [02/03] Obfuscation

    kasracer:

    "You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question"

    Its called a rhetorical question....
    Using Framework 1.1, VB.Net 2003 unless I
    state otherwise

  17. #17
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: [02/03] Obfuscation

    Quote Originally Posted by bgard68
    kasracer:

    "You asked why protecting source was such a big deal because of the open-source "hoopla." If you know the difference, I don't understand why you'd even ask such a question"

    Its called a rhetorical question....
    I know it was a rhetorical question, but it makes absolutely no sense why you'd even say it as it's comparing apples to oranges. Again, the "rhetorical question" was asking "why protecting source was such a big deal because of the open-source "hoopla." It's comparing two different sectors working towards two different goals and it doesn't add to the thread (or even a positive point for your side).
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  18. #18
    New Member
    Join Date
    May 2006
    Posts
    6

    Re: [02/03] Obfuscation

    EXECryptor is not intended to protect .Net apps. However it strongly obfuscates the Win32 platform pros. I don't know if 'obfuscation' is right definition for execryptor technique. It tranforms code completely destoying its logic but the code remains working. Its strength is in that it does not decrypt the code when running unlike other protectors. So the code execution logic always remains hidden.

    See: http://www.strongbit.com/execryptor_inside.asp

  19. #19
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [02/03] Obfuscation

    the biggest issue I have seen with any type of obfuscation, is that it destroys any hard coded internal reflection logic you may use in your code. Since methods get renamed, if you use reflection in anyway (most commonly with things like enums) the names have been changed (to protect the innocent ) and it will cause errors.

    So if you obfuscate your application, you should test it before AND after. You may find the program bombs out after obfuscation, and will require you either don't obfuscate, or change some of the code to handle it

  20. #20
    New Member
    Join Date
    May 2006
    Posts
    6

    Re: [02/03] Obfuscation

    You're right it is not easy. Generally software protection challenges are not easy. So I think more complex is protection stronger it is.

  21. #21
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339

    Re: [02/03] Obfuscation

    I have never worked in an environment where we obfuscated code, but I have mostly worked in Corporate America.

    On a personal level I don't see much of the point unless you have something really ground breaking. Generally speaking wouldn't the person running your code have already paid you for it? If so they I say mod away and do what you can with it.

    I like the apps I use to be highly configurable or hackable if functionality I need is not provided. That is my 2 cents anyway.

    I also use a lot of reflection so what kleinma mentioned really jacked me the one time I did try to use obfuscation. Definately test before and after if you do use it.

  22. #22
    PowerPoster
    Join Date
    Jul 2002
    Location
    Dublin, Ireland
    Posts
    2,148

    Re: [02/03] Obfuscation

    Be aware that obfuscating your code will reduce the usefulness of the stack trace type information that is returned should your application crash...I suppose this should be balanced against the threat of someone stealing your code, but I personally don't think obfuscation is an appropriate way of protecting intelectual property.

  23. #23
    Fanatic Member alexandros's Avatar
    Join Date
    Oct 2002
    Location
    Milky Way Galaxy
    Posts
    694

    Re: [02/03] Obfuscation

    I use RemoteSoft Protector. So far it is very good.
    It does not only obfuscate the code but it also compiles it into native code.
    They have created a compiler of .NET.
    So there is no MSIL at all and you cannot even theoretically see the MSIL code.
    Also it encrypts the native code.
    When you put the assembly in a decompiler the only code you get is the function name
    and a return Nothing. That's all .

  24. #24
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,297

    Re: [02/03] Obfuscation

    I use RemoteSoft Protector. So far it is very good.
    It does not only obfuscate the code but it also compiles it into native code.
    They have created a compiler of .NET.
    So there is no MSIL at all and you cannot even theoretically see the MSIL code.
    Also it encrypts the native code.
    When you put the assembly in a decompiler the only code you get is the function name
    and a return Nothing. That's all .
    Let's not forget that Salamander is US$1900, which is a bit out of reach for many. It also breaks any link that your app has to the Framework so you lose any advantages that managed code provides. It's a possible solution, although not a panacea and not cheap.

  25. #25
    New Member
    Join Date
    May 2006
    Posts
    6

    Re: [02/03] Obfuscation

    Quote Originally Posted by Edneeis
    I have never worked in an environment where we obfuscated code, but I have mostly worked in Corporate America.

    On a personal level I don't see much of the point unless you have something really ground breaking. Generally speaking wouldn't the person running your code have already paid you for it? If so they I say mod away and do what you can with it.

    I like the apps I use to be highly configurable or hackable if functionality I need is not provided. That is my 2 cents anyway.
    I agree it will be more handy to a user if he can modify purchased program.
    So far ExeCryptor is a flexible and universal tool.

    In such case for software author would be better to protect trial version so it cannot be cracked and turned to the full one and after registration provide customers with unwrapped app.

  26. #26
    Frenzied Member MrGTI's Avatar
    Join Date
    Oct 2000
    Location
    Ontario, Canada
    Posts
    1,277

    Wink Re: [02/03] Obfuscation

    Quote Originally Posted by kleinma
    the biggest issue I have seen with any type of obfuscation, is that it destroys any hard coded internal reflection logic you may use in your code. Since methods get renamed, if you use reflection in anyway (most commonly with things like enums) the names have been changed ... and it will cause errors.
    Yes, i've seen that happen as well. I thought maybe there was a way to stop Dotfuscator CE from altering the enums, but i've never bothered to sit down and reasearch it.

    I obfuscate all the apps i make at work - even though they sit on tightly protected and locked down servers. I figure if something ever happened, at least i did my part to keep the database username and password protected from prying eyes.
    ~Peter


  27. #27
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [02/03] Obfuscation

    Quote Originally Posted by MrGTI
    Yes, i've seen that happen as well. I thought maybe there was a way to stop Dotfuscator CE from altering the enums, but i've never bothered to sit down and reasearch it.

    I obfuscate all the apps i make at work - even though they sit on tightly protected and locked down servers. I figure if something ever happened, at least i did my part to keep the database username and password protected from prying eyes.
    yeah you can, but its pretty tedious work...

    I think in the future, perhaps the next release of VS, we will see some enhancements to code security.. I mean if MS expects big software companies to take .NET seriously, they need to deliver the security out of the box, not tell you to use some 3rd party sorta works obfuscation tool...

  28. #28
    Fanatic Member alexandros's Avatar
    Join Date
    Oct 2002
    Location
    Milky Way Galaxy
    Posts
    694

    Re: [02/03] Obfuscation

    i agree with kleinma. anyway ,what we are selling is code so why should everyone
    be able to steal what we are selling and make a second application that copies code from us ?
    i am not against open source at all but the problem is that we live in an imperfect world
    and we should somehow ask for money for the profession we are doing.

  29. #29
    New Member
    Join Date
    May 2006
    Posts
    6

    Re: [02/03] Obfuscation

    Quote Originally Posted by alexandros
    i am not against open source at all but the problem is that we live in an imperfect world
    and we should somehow ask for money for the profession we are doing.
    My point of view is a little different that confirms my developer/author experience. Having well protected my app I no more loose money on cracked versions. And I have now much more 'honest' users.

  30. #30
    New Member
    Join Date
    May 2006
    Posts
    6

    Re: [02/03] Obfuscation

    Quote Originally Posted by HanneSThEGreaT
    Thanx!
    How do you guys feel about cryptography (SHA 1, MD 5 etc.) ¿
    Can I use it in the same sentence of obfuscation (if you get what I mean) ¿
    Then, Which Would you prefer, obfuscation or cryptography ¿
    If your question is relqted to app protection commonly the encryption method is enough weak there. The encrtyption based protections decrypt the app code when it runs. Then the app may be analysed by an intrusion. The code obfuscation (I know also Code morphing) is stronger because the code is executed in a "garbage" state.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width