how to use obfuscation in .NET

Hello, I'm using VS.NET 2005 TFS and I want to start using the
obfuscator that comes with it. Does anyone know of a good tutorial for
how to obfuscate code in .NET? Thanks

Jun 24 '06 #1
Justin,
If you are referring to the Dotfuscator Community Edition that comes with
Visual Studio, it has an excellent help file with instructions.
Peter

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com



Jun 24 '06 #2
"Peter Bromberg [C# MVP]" <pb*******@yahoo.nospammin.com> wrote in message
news:14**********************************@microsof t.com...
> If you are referring to the Dotfuscator Community Edition that comes with
> Visual Studio, it has an excellent help file with instructions.


Er, I guess maybe the OP forgot to install the help file, or something...

:-)
Jun 24 '06 #3
Yep...

Jun 24 '06 #4
Do yourself a favor and forget about obfuscators, this technology in *most*
cases, is a waste of your time and doesn't really protect your code
that well. Unless you are trying to keep your Grandmother from reversing
your algorithms.

#1.
===
It is unlikely that you or the common developer
(myself included) that has discovered
an algorithm worthy of major protection.

#2.
===
It is unlikely that what-ever you are protecting
has been written well enough to be of value.

Not convinced?
Q. Why didn't Microsoft obfuscate the .NET framework?
A. Because the .NET framework relies on the Win32 API
and this code is in native PE format which is much harder
to reverse. Also Microsoft realizes that obfuscating the
.NET framework is a step in the wrong direction. This
is what a Managed language was designed to do.

Still not convinced?
Even if you use the very best obfuscator (which leaves
the meta-data). Myself and 1,000,000 other programmers
can reverse your algorithms in a very short time. All
the obfuscator does is renames variables. In fact if you
are a poor programmer, it is easier to reverse the
obfuscated version...

There are a few Obfuscators that remove all the
meta-data and save the .NET library as native
PE format (Google for RemoteSoft). There
are fewer people who can reverse native PE,
probably around 100,000 people. But this can
still be reversed.

In closing:
You simply can't protect your software easily.
Oh sure, you can slow them down. But if
what you have written is valuable enough,
*they* are going to get your algorithms.

Once again, don't waste your time on these things.
Spend your time becoming a better developer.

Russ M.



I personally have

Jun 25 '06 #5
Jim
" All the obfuscator does is renames variables. In fact if you are a poor
programmer, it is easier to reverse the
obfuscated version..."

Really? - I thought many of the better ones do a few other tricks too.

How does an obfuscated program that trips up the likes of reflector and
other commercial decompilers, and with what comes out having very similar
overloaded names become easier than looking at the original unobfuscated
assembly?

I'm not a fan of Obfuscators myself, but they do help to raise the bar some.

" It is unlikely that what-ever you are protecting has been written well
enough to be of value."

Well, if that's the case, then I doubt if the person would be selling many
licenses for the software either, but I would guess it is the revenue stream
the author is trying to get some sort of protection against, at least
bringing it back to native code levels again. - This is difficult to achieve
in .net, but good obfuscators can help bring it nearer.

But if the person is really worried about things, I'd suggest going back to
native code compilation, or writing mixed mode assemblies, using .net for
only parts of the application.

Jim

Jun 25 '06 #6
Russell,
Sorry, must disagree.

Good obfuscators ( with experienced users using them) make it extremely
difficult to reverse-engineer .NET libraries.

Your numbered comment points are highly subjective. They may apply to you,
but to make blanket statements like you do is an insult to the intelligence
of others.

Maybe your algorithms and code aren't worthy of obfuscation, but others'
are. Maybe with a little more study and a bit less self-service "Holier than
thou" criticism, you too can get to this level.
Peter
Jun 26 '06 #7

"Peter Bromberg [C# MVP]" <pb*******@yahoo.nospammin.com> wrote in message
news:FC**********************************@microsof t.com...
> Russell,
> Sorry, must disagree.
>
> Good obfuscators ( with experienced users using them) make it extremely
> difficult to reverse-engineer .NET libraries.

I think what you mean is: Difficult for *beginner* reversers. A seasoned
reverser will only be inconvenienced.

> Your numbered comment points are highly subjective. They may apply to you,
> but to make blanket statements like you do is an insult to the
> intelligence of others.

I am simply being realistic, I realize that I am only one person, and
there is a limit to what one person can do, most do not realize this.
There are many people especially programmers who *think* that they can
create innovative solutions/algorithms. But I will say to that person...
Oh really! Compared to who and what exactly? Of course there are exceptions
to this rule, but they would be the minority. These types of people are
"Unskilled and Unaware of it".
I suggest that they read:
http://www.apa.org/journals/features/psp7761121.pdf

> Maybe your algorithms and code aren't worthy of obfuscation, but others'
> are. Maybe with a little more study and a bit less self-service "Holier
> than thou" criticism, you too can get to this level.
> Peter

Peter, what is your definition of "but others are"?
Who are these people? Dr. Rudolph Bayer (inventor of the B-Tree)?
If so, then I must apologize. I was talking about the typical,
common, mortal developer.

Let me get this straight...
I said:
> It is unlikely that you or the common developer
> (myself included) that has discovered
> an algorithm worthy of major protection.


Do you actually believe that the common developer
has worthy algorithms? You're kidding right?

No, you decided to reply to me because I appeared
to be picking on someone... To you I say this...

The world is full of people who try to encourage
other people in the wrong direction, with good intentions.
This is a very bad practice.

Example:
Your wife dyes her hair *purple*, and she asks
you, "Honey, do you like my new hair color?"
You say. "Oh, it's just beautiful", but you really
hated the color. Your wife will have the wrong
impression, and will be ignorant and unaware
because the rest of the world will also lie to her
to avoid the confrontation, again with good intentions.

The proper thing to do here, is to insult her
the second she asked you. Sure, you will
hurt her feelings, but at least she will have learned
that *purple* is not a good hair color. Later she
will come to her senses and thank you for your
honesty. You can then make it up to her.

More importantly she will not become ignorant and un-aware.

Russell Mangel.

Jun 26 '06 #8
rob
On Mon, 26 Jun 2006 02:16:23 -0700, "Russell Mangel"
<ru*****@tymer.net> wrote:
> The world is full of people who try to encourage
> other people in the wrong direction, with good intentions.
> This is a very bad practice.
>
> Example:
> Your wife dyes her hair *purple*, and she asks
> you, "Honey, do you like my new hair color?"
> The proper thing to do here, is to insult her
> the second she asked you. Sure, you will
> hurt her feelings, but at least she will have learned
> that *purple* is not a good hair color.
> More importantly she will not become ignorant and un-aware.
>
> Russell Mangel.


Wow. Did you make her dye her hair another color, or did you have to
shave her?

Jun 26 '06 #9

"Jim" <no****@noSpam.comSpam> wrote in message
news:Cg*********************@fe1.news.blueyonder.c o.uk...
> " All the obfuscator does is renames variables. In fact if you are a poor
> programmer, it is easier to reverse the
> obfuscated version..."
>
> Really? - I thought many of the better ones do a few other tricks too.

Sure they do, and they think they have created something *cool* and
innovative. I suppose that if you look at the obfuscated code "literally"
it does look tricky. People that are not accustomed to reversing
obfuscated code will be lost. Because they lack the skills
to understand the essence of reversing. Which is why they are
using a de-compiler in the first place. They wanted to know
something about the code.

> How does an obfuscated program that trips up the likes of reflector and
> other commercial decompilers, and with what comes out having very similar
> overloaded names become easier than looking at the original unobfuscated
> assembly?

My original statement on this had two meanings. First, I was being cynical,
aimed at poor developers who use terrible variable naming. Forget about that.
What I really meant was that, most of the time when you are reversing,
you don't really care about the variable/class names. If you try to read
obfuscated code in this way, it means that you don't understand how to properly
reverse obfuscated code. So I suppose this is why the vendors of obfuscators
think they have value as they have stopped the *copy/paste* thief.

The analogy that comes to mind is:
Remember the famous story about the Unix administrator who thought it was
funny that people were downloading the encrypted password file....
The administrator was laughing about how stupid these people were,
as surely everyone knew it was impossible to reverse the encrypted
password file. Technically he was right, but once he learned what the
hackers were doing with the encrypted password. He didn't think it
was so funny. They simply ran a dictionary attack and discovered
weak passwords. Major security hole!

If you are really interested in reversing, let me know and I will post more
info.

> I'm not a fan of Obfuscators myself, but they do help to raise the bar
> some.
>
> " It is unlikely that what-ever you are protecting has been written well
> enough to be of value."
>
> Well, if that's the case, then I doubt if the person would be selling many
> licenses for the software either, but I would guess it is the revenue
> stream the author is trying to get some sort of protection against, at
> least bringing it back to native code levels again. - This is difficult to
> achieve in .net, but good obfuscators can help bring it nearer.

To be clear, my comments were directed at a person, which I assumed
to be a single person developer, not a corporate development team, with a
professionally written software product.

> But if the person is really worried about things, I'd suggest going back
> to native code compilation, or writing mixed mode assemblies, using .net
> for only parts of the application.


Technically you are correct. But would now greatly increase your product's
release date. In my opinion, you are better off losing some revenue and
getting the product delivered.

In closing.

Take notice to one Software Company, which I really think has a great
business model. http://www.devexpress.com/
Developer Express is really smart.
1. They offer an excellent product.
2. They sell the software with the source code for $1299.00.
3. It has been engineered by some very bright people. I know cus I looked at
the source code.

Notice what they have done.
They completely eliminated the threat of reverse engineering, and gave you
the source code.
No way could anyone reverse-engineer this software for $1299.00.

They also release frequently to make the previous source-code irrelevant...
Who wants buggy software?

Russell Mangel


Jun 26 '06 #10
Jim
"Which is why they are using a de-compiler in the first place. They wanted
to know
something about the code."

So the fact that people are buying Decompilers, and using other means to
look at obfuscated files, then there must be some other people writing
software that must "be of some value".

( Incidentally, I've had a job trying to get some of the commercial
decompilers to reverse some strongly obfuscated assemblies I've created. But
still I would not have faith in these assemblies remaining obfuscated in the
future)

It's fine to give the DevExpress model as an example. But there are many
different types of software and niche markets that are forced to operate in
different ways. - I suspect, the reason many people would like to peek into
commercial assemblies is to look at how a certain function is being
performed, but more likely, to see if they can overcome any license control
the program may have.

I don't want to get into a flame with you over obfuscators. I can see where
you are coming from, particularly with the extra points you added in the
second reply. And agree on certain points. But in order to give the original
poster a balanced view on how good obfuscators are, then I do feel that some
of your original remarks were a little excessive. - But hey we are all
entitled to our own views.

My own view on .net is that it does offer some good things for Windows
Application Developers. But the biggest let down is being how transparent
the application code is. But this is something developers will have to weigh
up. Obfuscators can help to make things harder for prying eyes to look at,
but may not be the total solution

Jim

Jun 26 '06 #11
