A good .net obfuscator


Ben

Hi,

We're looking for a good obfuscation tool in our company.
We thought about using some company's one which looked promising,
but they gave us hard times with their licensing stuff.
Does anybody know a good tool to get the job done (effectively)?
 
Ben said:
We're looking for a good obfuscation tool in our company.
We thought about using some company's one which looked promising,
but they gave us hard times with their licensing stuff.
Does anybody know a good tool to get the job done (effectively)?

Is there any point?

If the algorithm is really valuable, then it will be
reverse engineered and misused even with obfuscation. If
it is just ordinary code, then it will not be reverse
engineered and misused.

Arne
 
Well, I sure hope that what we're doing is of some value :)
And yes, I know that anything can be reverse engineered, but
it's better than nothing, and in the end we could not say we didn't try.

Ben.
 
Hi,

We're looking for a good obfuscation tool in our company.
We thought about using some company's one which looked promising,
but they gave us hard times with their licensing stuff.
Does anybody know a good tool to get the job done (effectively)?

There are a couple you could look at
- Dotfuscator
- Xenocode
- SmartAssembly
- Spices.Net
 
Well, I sure hope that what we're doing is of some value :)
:-)

And yes, I know that anything can be reverse engineered, but
it's better than nothing, and in the end we could not say we didn't try.

But what is it you want to protect ?

If it is the secret code that will enable criminals to steal
all the gold in Fort Knox, then they will break the obfuscation.

If it is just some usual boring business code, then decompiling
your code and having programmers understand how the code works, add
comments and write design documents costs more than it will take
the same programmers to write the code based on specifications.

Arne
 
Well, I guess all that you're saying is legitimate,
but I still think I should give it a try.
I have no idea whether someone will be willing to go through all the pain of
reverse engineering our product or not, but it sure would be a whole lot
easier for them if we don't protect our intellectual property somehow.
So, if you have any experience with such tools,
any help would be much appreciated.

Thanks,
Ben
 
Ben said:
Hi,

We're looking for a good obfuscation tool in our company.
We thought about using some company's one which looked promising,
but they gave us hard times with their licensing stuff.
Does anybody know a good tool to get the job done (effectively)?

For all the "haters" in this thread, you're overlooking a very simple and
pragmatic point. In addition to wanting to have "tried", as the OP pointed
out and which is valid from an employment perspective, there is also the
fact that obfuscating your code makes it very clear you want it protected.
This is a significant point.

To use an example, let's say you want people not to trespass on your land or
steal something from a warehouse there. So you put up No Trespassing signs,
and a chain link fence around the building. Are signs and fences going to
stop someone intent on stealing from your building? No of course not. But
the point is they have to go to enough trouble to do it that it makes their
crime more obvious, clearcut and prosecutable. It does, in fact, offer you
more protection than not obfuscating.
 
Peter Duniho said:
And keeping in mind that someone who does lift your intellectual property
wholesale is likely to be liable for copyright violations. That is, if
there actually is a theft, there's legal recourse for those situations
where it's significant enough (I'm reminded of the Stacker/DoubleSpace
lawsuit, for example).

Which is exactly the scenario where you would have wanted your code to be
obfuscated.
 
Mark Rae said:
That simply isn't the case.

If I steal something from your house, am I not quite as guilty if you left
the door open so that I didn't have to force entry...?

If you don't put up the No Trespassing signs, does that mean it's OK for
me to walk into your warehouse and take something which I know isn't
mine...?

It IS the case, your questions notwithstanding.

If you steal something from my house with the door open, you are "as guilty"
but that is not the point. The points are:
1) you are guilty of something different (i.e. breaking and entering now, in
addition to simple theft)
2) a judge/jury would find me partially responsible for not adequately
protecting my property (and especially the insurance company would find this
to be so when it comes time to get my claim, if the guilty party hasn't been
caught)
3) speaking of finding the guilty party, if he has broken and entered, you
are much more likely to find the guilty party than if you left the door
open, because you are much more likely to have more clues to go by
4) the theft is more likely to be successful than if the door was left open
(a determined burglar will still get in, but there is always the chance it
slows him down enough, then some cars or people come by, he deems it too
risky and leaves, or it just takes him too long)

If I don't put up a No Trespassing sign, it's not OK to steal anything,
obviously. The sign makes it easier to prosecute and less easy for the
guilty party to make excuses and get off easy.

You seem to have completely failed to understand the points in my OP at all.
Again, putting up certain safeguards makes crime more obvious, clearcut, and
prosecutable. It does, in fact, offer you more protection.
 
I completely disagree with your point. In my opinion "this is hog wash",
but I will say one thing, you sure are open to other people's opinion.
 
proxyuser said:
For all the "haters" in this thread, you're overlooking a very simple and
pragmatic point. In addition to wanting to have "tried", as the OP pointed
out and which is valid from an employment perspective, there is also the
fact that obfuscating your code makes it very clear you want it protected.
This is a significant point.

To use an example, let's say you want people not to trespass on your land or
steal something from a warehouse there. So you put up No Trespassing signs,
and a chain link fence around the building. Are signs and fences going to
stop someone intent on stealing from your building? No of course not. But
the point is they have to go to enough trouble to do it that it makes their
crime more obvious, clearcut and prosecutable. It does, in fact, offer you
more protection than not obfuscating.

I have never heard that it should be necessary to protect your stuff
against copying to keep your copyright.

If that were the case then I could see some huge legal problem
enforcing copyright on web pages ...

:-)

The law does not work that way.

Arne
 
Peter Duniho said:
That's a borderline tautological statement. In particular, it argues in
favor of obfuscation by assuming at the outset that obfuscation is
effective.

No it does not. Or at least probably not in the way you mean it.

For example, are laws effective? Not to the people who are going to do
whatever they want anyway. Does that mean we don't have laws? No, it
doesn't.
What you might _really_ want is for your code to be unexaminable by your
attacker. But obfuscation doesn't actually do that, in spite of what the
proponents say.

In fact, obfuscation can make winning a copyright violation case _much_
harder, because you force the attacker to do a much more thorough
reverse-engineer of your code. You effectively create a "clean room"
situation where they have no direct access to the original code, but
rather just a "specification" of sorts (in this case, the obfuscated code,
and whatever high level description of the algorithm/implementation they
might come up with).

In that case, it's a lot less likely that the copied code will appear
similar enough to the original for it to be proven in court that copying
of the original was done.

Pretty weak argument. Anyone who can unobfuscate code can obviously change
code enough if it isn't obfuscated.
 
Peter Duniho said:
It's not.

I don't think the comparison to property theft is compelling in any case.
But your analysis is flawed on a number of points. Not the least of which
being that a burglary is a random event

??? nonsense

Anyway, it wasn't my analogy, and the "analysis", such as it was, was right
on the money. Not that it's very relevant to obfuscation.
Beyond that, you have several other errors...


No. "Breaking and entering" does not require going through a locked door.

He said "forced entry". Whatever.
Again, not true. Failing to lock a door does not impart on to you any
particular _legal_ responsibility for a theft.

I didn't say it gave you legal responsibility for a theft. When the
courtroom decides on a punishment, why do you think there is a range of
punishment for each crime? It's because of extenuating circumstances and
details. And, as I mentioned, especially the insurance claim is an issue.
A broken lock isn't in any way going to provide information leading to an
arrest.
Nonsense.


See above. The biggest difference between "open door" and "locked door"
to a burglar is in making the choice of which house to burgle.

Yes, but not just that necessarily. If you seriously can't think of how a
locked door might be in your favor even when a burglar has decided to burgle
your house, then you're just not thinking.
No, it doesn't. Having a sign, or even a locked door, does not in any way
change the legalities of the person who broke in and stole something.

Wrong. See different punishments I mentioned above. It can show to what
extent the guilty party planned the crime, was motivated to commit the
crime, etc. You don't seem to understand much about the legal process.

You're just arguing, not thinking.
 
Arne Vajhøj said:
I have never heard that it should be necessary to protect your stuff
against copying to keep your copyright.

You didn't hear it in my post either. Then again, if you really think
things are cut and dry, you don't understand legal processes very well.
 
I too agree that obfuscation is a must - small companies cannot waste time and money in working the law. Prevention is better than cure!
Take a look at Crypto Obfuscator for protection of your code.
 