Dotfuscator - major flaw in Microsoft dotNET?

Darren

OK, I'm trying to understand the need for this. If I understand
correctly without this anyone can reverse engineer and obtain the
source code of my application - is this correct? And this tool will
prevent this?

Why isn't this tool automatically executed by default whenever I build
my apps?

My company is building corporate applications and don't want our
source code available to anyone. I assume there is a Dotfuscator that
comes with VS.NET Architect version? I have seen one and it's called
the Community Edition - but if I understand correctly there is a
professional version for $US 1,500 at www.preemptive.com? So even
though I have spent many thousands of dollars on development tools I
still need to spend another $1,500 to protect my source code????
Please tell me I have gotten this completely wrong and it's just a
matter of ticking a checkbox in my build configuration.

Thanks.
 
Guest

Darren,

Yes, you are correct, .NET code can easily be disassembled. In fact, VS.NET
comes with a tool called ILDasm.

This is not the real issue however, as any language can be disassembled. So
really, no code is really safe.

Even code that has been run through an Obfuscator can be disassembled, it's
just that the Variable Names, Property Names, Method Names, Class Names and
the like get renamed (this is a very basic example) but the code still has to
function. In .NET, that means the code is IL, from C++ it is machine code, but
it is still structured code.

Having said all this, I think the real solution to protecting your code is
through legal measures, such as Licences, IP laws etc...

That's the way I see the world... Sorry if it's not what you wanted to hear.

Cheers

Eddie de Bear
 
Gerald Hernandez

Well, anything that can be done, can be undone.
dotNet code can be disassembled, like any other code, including C++.
It just so happens that IL (Intermediate Language) style languages like
dotNet are easier to both compile and disassemble. However, this is not a
dotNet flaw per se.
Java is also an IL type language and can be easily disassembled.
If someone disassembles your application, they don't necessarily get source
code. They get the IL that the source code compiled to. From this, if they
are very persistent, they could possibly reproduce the behaviour of your
application.
The Dotfuscator or (obfuscator) just dinks around with things to make it
more confusing to the person looking at the IL in hopes they will just give
up. However, if someone is persistent enough, they can still figure things
out. They can do this with C++, or even Assembly. NO application is immune
to this, no matter what platform or language.

All the pricey big name applications you see for "free" running around the
internet that have been cracked, are generally not due to lack of trying on
the developer's part. There are some very smart, crafty, persistent, and
sadly shady people out there that do this sort of thing. So if it is really
important to you and you think your application may be a target for these
types of people, then do what you can to make it difficult. But don't blame
the language or compiler, they all are vulnerable.

Gerald
 
Guest

Is it possible to apply commercial protection to .NET assemblies? E.g.
SecuROM, SafeDisc, StarForce? ...Yes, these can be cracked and have been
cracked but very few people can and very few people will bother trying to
crack.
 
Gerald Hernandez

I have not researched this in any detail yet for dotNet, so cannot speak
with real authority.
However, I do know that many if not most of those types of applications do
not currently work with dotNet.
But most of these and more are actively developing versions that should work
with dotNet.
The only one of those listed that seems to mention anything specific about
dotNet is Securom. They anticipate dotNet support sometime next year.

Gerald
 
Craig van Nieuwkerk

Your code can easily be disassembled to readable code with something like
Reflector http://www.aisto.com/roeder/dotnet.
I have always wondered why the big deal about hiding your source code
anyway. Unless you have some top secret algorithm that could be used to hack
into the government, who really cares. It's unlikely it could be used by
anyone anyway.
 
Jonathan Henderson

See below for response.
I hope this clarifies things for you.

Regards,
Jonathan Henderson

==========================
Jonathan Henderson
PreEmptive Solutions
26250 Euclid Avenue
Suite 503
Cleveland, Ohio 44132
(e-mail address removed)
==========================

> OK, I'm trying to understand the need for this. If I understand
> correctly without this anyone can reverse engineer and obtain the
> source code of my application - is this correct?

Yes, this is true. There are free decompilers out there that can take a
.NET assembly and convert it back into source code such as .NET
Reflector.

Here are other reasons why one might need to obfuscate.
http://www.preemptive.com/documentation/NetHackerDemo.html

> And this tool will prevent this?

Yes, the tool will prevent most who may try to reverse engineer your
application, but obfuscation from any obfuscator does not guarantee 100%
protection. The idea of obfuscation is to make the goal of reverse
engineering your application compared to the effort it takes to reverse
engineer insignificant.

> Why isn't this tool automatically executed by default whenever I build
> my apps?

Everyone's application differs in the code implementation that they use.
To have it automatically executed, would cause problems for others.

For example, some use dynamic class loading and reflection through the
use of strings. If such an application were to be obfuscated by renaming
all the identifiers (i.e. class, method, and field names) then the type
that is called by reflection or dynamic class loading by string will
throw a NullReferenceException. Now such a tool could just change the
value of the string used in reflection or dynamic class loading, but to
the tool, how would it know the correct string? The string may have
another use elsewhere.

With Dotfuscator Professional Edition, it is integrated into Visual
Studio, so once you build your solution, Dotfuscator will
create your obfuscated assemblies.

> My company is building corporate applications and don't want our
> source code available to anyone. I assume there is a Dotfuscator that
> comes with VS.NET Architect version? I have seen one and it's called
> the Community Edition - but if I understand correctly there is a
> professional version for $US 1,500 at www.preemptive.com?

Yes, as I mentioned before there is a professional version. This one has
the ability to integrate into Visual Studio .NET. The professional
version does a lot more than the community edition (which is bundled
with Visual Studio .NET)
such as synthesizing code within methods into spaghetti code, encrypting
strings, and removing unused types/methods/fields.

> So even though I have spent many thousands of dollars on development tools I
> still need to spend another $1,500 to protect my source code????

In my opinion, if protecting the application's source code is your
company's concern, they should be the ones purchasing it (along with
VS.NET in my opinion) not you.

But before purchasing any obfuscator, try the community edition on your
Visual Studio. Since you bought VS.NET, it comes free.

You can also try to request an evaluation for the professional edition,
and try that out if you like.

Also when you get Dotfuscator Professional Edition (either evaluation or
the product itself) you also get first-rate support.

> Please tell me I have gotten this completely wrong and it's just a
> matter of ticking a checkbox in my build configuration.
>
> Thanks.
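
The reflection failure described in the post above, as an added example that is not part of the thread or of any vendor's code. The types `Demo.ReportPlugin` and `Demo.a` and the helper `RunByName` are hypothetical; class `a` stands in for what a renaming pass would leave in the shipped assembly.

```csharp
using System;
using System.Reflection;

namespace Demo
{
    // Hypothetical type whose name survived the build unchanged.
    public class ReportPlugin
    {
        public string Run() { return "report generated"; }
    }

    // Hypothetical type AFTER a renaming pass: the source called it
    // "ExportPlugin", but the shipped metadata only contains "a".
    // (A renamer would normally rename Run as well; it is kept here so
    // the example isolates the type lookup.)
    public class a
    {
        public string Run() { return "export generated"; }
    }

    public static class Program
    {
        // Late-bound lookup by string, the pattern the post describes.
        public static string RunByName(string typeName)
        {
            Type t = Type.GetType(typeName);   // null when no such type exists
            if (t == null)                     // unguarded use would throw
                return "lookup failed: " + typeName;
            object plugin = Activator.CreateInstance(t);
            MethodInfo run = t.GetMethod("Run");
            return (string)run.Invoke(plugin, null);
        }

        public static void Main()
        {
            // The string still matches the metadata name: the lookup works.
            Console.WriteLine(RunByName("Demo.ReportPlugin"));
            // The string holds the pre-rename name: Type.GetType returns null.
            Console.WriteLine(RunByName("Demo.ExportPlugin"));
            // typeof() is a compiled type reference, not a string, so a
            // renamer updates it together with the definition.
            Console.WriteLine(RunByName(typeof(a).FullName));
        }
    }
}
```

Types that must be found by a name held in configuration or data are the ones to exclude from renaming in the obfuscator's settings.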
 
Darren

Thank you to everybody who replied. My main concern is that you can get
the source code from the executable. I know everything can be reverse
engineered but there is a big difference between getting assembler
code with auto-generated labels and getting 'the source code' with
proper names.

I don't like the idea of tools renaming classes and methods like some
obfuscation tools.

One that looks promising is called "Salamander .NET Protector". Has
anybody had any experiences with this? It appears to do the same thing
that Microsoft have done to protect the .NET framework code (ie.
hiding intellectual code).

I will still protect my source code until the day Microsoft releases a
dotNet version of MS Office that can be completely disassembled.

Darren.
 
Jonathan Pierce

Darren said:
> there is a
> professional version for $US 1,500 at www.preemptive.com?

We offer a less expensive obfuscation tool that includes advanced
features like string encryption that preemptive does not include in
their comparably priced versions. Our obfuscator is bundled with
our Decompiler.NET product that includes a browser user interface so
you can preview your obfuscated code. We use the product on itself for
each build to protect our own products. You can download a free fully
functional trial version at http://www.junglecreatures.com/

> I will still protect my source code until the day Microsoft releases a
> dotNet version of MS Office that can be completely disassembled.

You may get your wish. Office 13 is managed code built with .NET and
you will be able to decompile it just like the .NET Framework code if
they don't decide to obfuscate it.

Jonathan Pierce
President
Jungle Creatures, Inc.
http://www.junglecreatures.com/
 
Guest

So the big question is: "Is dotnet obfuscator, community edition purposely
left out of Visual Studio 2003, version 7.1, that ships with Visual
Basic.NET, Standard Edition? Or is it hiding somewhere?"
 