Security of Obfuscators

This isn't directly a C# question, so I apologize for being somewhat off
topic, but we have a project that is open source. When we release, the
actual release builds will be obfuscated using string encryption. This is
necessary because a non-open source component will include some encryption
code.

My question is, does anyone have any experience with obfuscators using
string encryption, and more importantly, because this is open source, people
will actually have access to the rest of the source code in the project. I
guess what I'm concerned about is, if you had on your left, the source code
and on your right, the obfuscated code, would it be fairly easy to match
them up in such a way that you'd be able to easily determine which section is
the part that isn't open source?

And furthermore, how secure is the string encryption in these obfuscators?

Thanks.

Pete
Nov 16 '05 #1


Considering that obfuscation is but a small barrier to a good reverse
engineer, I would venture to say that having the source code for much of the
project would probably reduce the obfuscation to a trivial impediment for
determined people.

Also keep in mind that a good reverse engineer, who uses SoftICE and the
other tools of the trade well, doesn't have much problem reverse engineering
native code (which is certainly more obfuscated than dotnet code with
metadata) and can even accomplish his task when fairly strong encryption has
been applied.

I don't know if this tool is applicable to your situation or not, but I've
heard that Salamander is one of the best tools...
http://www.remotesoft.com/linker/

Nov 16 '05 #2

You have a good point. A really determined hacker will break it, and I'm not
too concerned about that. I mean, we're talking about a game, not a bank
account or a list of credit card numbers. So I think there's going to be a
serious limit to the amount of determination someone is going to put into
hacking it.

I was reading about Salamander Protector on their site after I posted. It
looks really excellent. It's also a bit over my price range. I mean, this is
an open source project. I was actually willing to spend the $500 for an
obfuscator with string encryption, but $1900 is quite a different story.

Still trying to think of clever ways of handling this, but I'm running out
of ideas.

Pete

Nov 16 '05 #3

If you want ideas, try http://www.woodmann.com/crackz/
Maybe the author of this site will give you some good suggestions

Nov 16 '05 #4

Pete Davis wrote:
I was actually willing to spend the $500 for an
obfuscator with string encryption, but $1900 is quite a different story.


Pete,

Our obfuscation feature in our Decompiler.NET product includes string
encryption as well as some other advanced features like the ability to
factor out the bodies of public members so they can be obfuscated
without hiding their public APIs. It is also priced at your $500 price
point and we provide unlimited free support and upgrades. We use the
product on itself for each version we ship. The product includes both
full obfuscation and full decompilation capabilities. The decompiler
feature of the product generates high level readable source code that also
compiles and runs correctly. You can download a free trial version and
try it out for yourself at http://www.junglecreatures.com/
email: su*****@junglecreatures.com

Jonathan Pierce
President
Jungle Creatures, Inc.
http://www.junglecreatures.com/

Nov 16 '05 #5
