This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
.Net Obfuscation
Alternative for Obfuscation in the .NET world
Just a few minutes ago, I read that there are a number of tools, many free, that allow you to convert a C# .exe back to a VB solution. This means that my proprietary code can be viewed, edited, and recompiled/redistributed. Is there a way to prevent this?
In short you need to use Obfuscation. To name a few.
Dotfuscator
Obfuscator
Skater (Freeware)
DeployLX CodeVeil
Plus Visual Studio comes with a light version of Dotfuscator.
You can read this MSDN article that has advice on how to obfuscate your code.
You can use an Obfuscator.. Salamander is one such tool for .NET...
Confuser is another free obfuscator for .NET. It is developed in C# and using Mono
You can use mono to compile it to a native binary, just google it up.
You could also code the sensitive functions/components into native C++, wrap it in C++/CLI and use with .NET in addition to obfuscating your .NET assemblies.
Even with obfuscation the JIT compiler will need to see the IL code eventually, you are just making it more difficult to decompile.
An obfuscator is a good bet, as it increases a person's effort to view, edit, redistribute, etc. the code.
While these don't protect your code physically they could prevent the behavior of decompiling your code: legal mechanisms such as patents, copyrights, and licenses.
Decompiling or reverse engineering is a battle of economic efforts. Is it worth it for you to obfuscate your code (potentially running afoul of reflection "gotchas") vs. is it worth it for someone to reverse engineer (with little context) instead of emulating or rewriting?
A comment on this answer, https://stackoverflow.com/a/1988467/64348, with which several agree, indicates that obfuscation does not prevent getting back to the original (or some close enough version of the original) code. Obfuscation is just a stand-in to a reversible translation with no real key needed except some useful context.
Related
I have written a program in c# with Vistual studio 2008.
I've compiled and build it and got a .EXE file. My question is this - if I give someone else this .EXE file can he in any way see the source code? functions, variables, calls, stack states, anything? I wish to keep those as discreet as possible.
They can use a tool like Reflector to decompile the executable, this will not be identical to your code, but they will be able to see most of what you wrote. It is a free tool, so you can download it to see what it can do with your exe.
You will need to obfuscate your code if you want to keep others from seeing it easily (though even that can be overcome with enough time and determination). A tool you can use for this is dotfuscator.
According to this SO post, one can reverse engineer a given executable and obtain the code that was used to build it. This msdn blog shows some ways you can make the process of reverse engineering a bit tougher, mainly through the use of obfuscation.
The exact same source code as you have written it no. But he could use tools like Reflector to disassemble it. In order to make the disassembled code difficult to read you could obfuscate it.
Yes.
You can use reflector to decompile any .net assembly.
http://www.red-gate.com/products/dotnet-development/reflector/
There are tools that will obfuscate your code. But it will still be visible. Security by obscurity does not work anyway.
As all have said - it's easy to decompile an assembly. Obfuscation offers very little real protection unless you're using some of the really high end commercial tools. The key things to really watch out for is if you have things like encryption keys or security tokens/credentials in your source code these are pretty easy to find.
There are a range of products available that will allow you to compile a .net app to native code which offers much greater protection.
I have a desktop(winforms) application, and I'm looking for .net linker that links the assembly to assembler level(lower than IL) in order to prevent reverse engineering. another solution might be acceptable as well.
does anyone know of such a linker?
What you're looking for is an obfuscator. It jumbles up the compiled code so that it still does what it is supposed to do, but if you decompile it, it is incomprehensible to most.
Note that any attempt to make it 100% safe is guaranteed to fail, all you can strive for is making it as hard as possible.
There's many solutions that will do this in various ways:
Dotfuscator
Remotesoft Salamander Protector
Spoon Studio
Note, the last one isn't an obfuscator, it virtualizes out your application. Some of the benefits of that is that it is a bit harder to get to the underlying code, but it is primarily a product that solves different problems, namely the need to separate out the application from the rest of the applications installed (ie. no need for .NET to be installed, no conflicting registry settings, etc.)
You may want to have a look at the The Mono AOT (Ahead of Time) Compiler :
Ahead of Time Compilation
Mono Ahead Of Time Compiler
There are some limitations though: you obviously can't compile an assembly that uses CLR dynamic features, reflection, etc.
.Net Reactor is what you are looking for I guess (it is hackable - but way harder than classic obfuscation).
XenoCode has a cool tool that will help you do that:
http://www.xenocode.com
Checkout Code Projection by Xeno, its effective.
Obfuscation is may be good for your needs. But it still hackable.
I don't know any programs and utilities that you asking for but I have an advice for you.
If you need to protect not all application code but only critical sections, you can implement this sections in C++/C and use Platform Invoke to interop with unmanaged code.
Jeffrey Richter recommended this approach.
It's a standard practice to decompile and reverse engineer .net assemblies.
I'd like to release some plugin assemblies that will add to existing applications, but I don't want them to be utilized by others.
What are some ways I can hide the source of these assemblies?
It's theoretically impossible to achieve 100% protection unless you control the target hardware. If the CPU is able to execute it, given enough time and knowledge, a human being can read it too. This is not even limited to C# (although it's usually easier to do in managed languages). You can use an obfuscator like Dotfuscator or XenoCode to make it harder to understand the decompiled code. If you're really concerned, you should move to a server-based application.
You can use an obfuscator tool, it will help but reverse engineering will still be very possible.
Your users' computer needs to know what it needs to do, so you have to tell it. The owner of the computer has total control over it, and can therefore know himself what you told the computer to do, and he can tell it to do something else.
There is a way to hide the data, its called steganography. There's an author of a number of articles covered on CodeProject, who wrote a framework for doing exactly this. The title of the articles were 'Steganography ' in a series from 1 up to 12 I think. This is the website that is affiliated with the author.
There is a also a obfuscator called 'Phoenix Protector', found here, which can obfuscate the .NET code, personally, I have not tried it but it sounds good.
Hope this helps,
Best regards,
Tom.
It's software; anything is possible. You can encrypt your binaries, and then decrypt all or part of them into your application at runtime. It's not foolproof, but it's up to you to decide how draconian you want to be.
You can write an app that will host CLR using the CLR COM api, that way you can first load and decode the assembly at the native code level. If you reinforce the native loader using several anti-reverse engeneering techniques, you can achieve good enough security.
At the very least, you should obfuscate your dlls to prevent hackers & competitors from viewing and making sense of your code. Obfuscation is not 100% foolproof, but it presents a big enough obstacle in their path.
Some obfuscators such as Crypto Obfuscator have a feature of embedding all dlls in the main exe so your dlls are not explicitly visible and available on disk to open in reverse-engineering tools such as Reflector.
I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe from reverse engineering?
You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.
It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.
Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)
You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.
Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.
If you have secrets in your code (like passwords), you're doing it wrong.
If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.
At our company we evaluated several different obfuscation technologies, but they all had problems. The biggest problem was that we rely a lot on reflection, e.g. to dynamically create grids based upon property names.
So all of the obfuscators rename things, you can disable it of course, but then you lose a lot of the benefit of obfuscation.
Also, in our code we have a lot of NUnit tests which rely on a lot more of the methods and properties being public, this prevented some of the obfuscators from being able to obfuscate those classes.
In the end we settled on a product called .NET Reactor
It works very well, and we don't have any of the problems associated with the other products.
"In contrast to obfuscators .NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code. In detail, .NET Reactor builds a native wall between potential hackers and your .NET code. The result is a standard Windows based, not MSIL compatible, file. The original .NET code remains intact, well protected by native code and invisible for prying eyes. The original .NET code is not copied on harddisk at any time. There is no tool which is able to decompile .NET Reactor protected assemblies."
The fact that you actually can reverse engineer it does not make obfuscation useless. It does raise the bar significantly.
An unobfuscated .NET assembly will show you all the source, highlighted and all just by downloading the .NET Reflector. Add obfuscation to that and you'll reduce very significatively the amount of people who'll be able to modify the code.
It depends on you are you protecting yourself from. If you'll ship it unobfuscated, you might as well open source the application and benefit from marketing. Shipping it obfuscated will only allow people to relatively easily generate modified binaries through patches instead of being able to steal your code and create a direct competitor. Getting the actual source from obfuscated code is very hard, depending on the obfuscator, of course.
I think that it depends on the type of your product. If it is directed to be used by developers - obfuscation will hurt your customers. We've been using the ArcGIS products at work, and all the DLLs are obfuscated. It's making our job a lot harder, since we can't use Reflector to decipher weird behaviors. And we're buying customers who paid thousands of dollars for the product.
So please, don't obfuscate unless you really have to.
Things you should take into account:
Obfuscation does not protect your code or logic. It just makes it harder to read and understand.
Obfuscation does no one stop from reverse engineering. It just slows the process down.
Your intellectual property is protected by law in most countries. So if an competitor uses your code or specific implementation, you can sue him.
The one and only problem obfuscation can solve is that someone creates a 1:1 (or close to 1:1) copy of your specific implementation.
Also in an ideal world reverse engineering of an obfuscated application is economical unattractive.
But back to reality:
There exists no tool on this planet that stops someone from copying user interfaces, behaviors or results any application provide or produce. Obfuscation is in this situations 100% useless
The best obfuscator on the market cannot stop one from using some kind of disassembler or hex editor and for some geeks this is pretty good to look into the heart of an application. It's just harder than on an unobfuscated code.
So the reality is that you can make it harder and more time consuming to look into your application but you won't really get any reliable protection. Regardless if you use a free or an commercial product.
Advanced technologies like control flow obfuscation or code virtualization may help to make understanding of logic sometimes really hard but they can also cause a lot of funny and hard to debug or solve problems. So they are sometimes more like an additional problem than a solution.
From my point of view obfuscation is not worth the money some companies charge for their products. If you want to nag casual developers, open source obfuscators are good enough. If you want to make it as hard as possible to look into the heart of your applications, you need to use cryptographic containers with virtual execution environments and virtual filesystems but they also provide attack vectors and may also be a source for a bag full of problems.
Your intellectual property and your products are in most countries protected by law. So if there's one competitor analyzing and copying your code, you can sue him. If a bad guy or and hacker or cracker takes your application you are pranked - but an obfuscator does not make a difference.
So you should first think about your targets, your market and what you want to achieve with an obfuscator. As you can read here (and at other places) obfuscation does not really solve the problem of reverse engineering. It only makes it harder and more time consuming. But if this is what you want, you may have a look to open source obfuscators like e.g. sharpObfuscator or obfuscar which may be good enough to nag casual coders (a List can be found here: List of .NET Obfuscators on Wikipedia).
If it is possible in your scenario you might also be interested in SaaS-Concepts. This means that you provide access to your software but not the software itself. So the customer normally has no access to your assemblies. But depending on service level, security and user base it can be expensive, complex and difficult to realize a reliable, confident and performant SaaS-Service.
No, obfuscation has been proven that it does not prevent someone from being able to decipher the compiled code. It makes it more difficult to do so but not impossible.
I am very confortable reading x86 assembly code, what about people that is working with assembly for more than 20 years ?
You will always find someone that only need a minute to see what your c# or c code is doing...
Just a note to anyone else reading this years later - I just skimmed through the Dotfuscator Community Edition (that comes with VS2008) license a few hours ago, and I believe that you cannot use this version to distribute a commercial product, or to obfuscate code from a project that involves any developers other than yourself. So for commercial app developers, it's really just a trial version.
...snip...
these messages can become much more
difficult to interpret
Yes, but the free community edition that comes with Visual Studio has a map functionality.
With that you can back track the obfuscated method names to the original names.
I've had success putting the output from one free obfuscator into a different obfuscator. In Dotfuscator CE, only some of the obfuscation tricks are included, so using a second obfuscator that has different tricks makes it more obfuscated.
It's quite simple to reverse engineer a .net app using .net reflector - since the app will generate VB, VC and C# code straight from the MSIL, and it's possible to pull out all kinds of useful gems.
Code obfuscators hide code quite well from most reverse engineering hacks, and would be a good idea to use on proprietary and competitive code that adds value to your app.
There's a pretty good article on obfuscation and it's workings here
This post and the surrounding question have some discussion which might be of value. It isn't a yes-or-no issue.
Yes you definitely should. Not to protect it from a determined person, but to get some profit and have customers. By the way, if you reach a point here someone tries to crack your software, that means you sell a popular software.
The problem is what tool to choose for the job. Check out my experience with commercial obfuscators: https://stackoverflow.com/questions/337134/what-is-the-best-net-obfuscator-on-the-market/2356575#2356575
Yes, we do. We use BitHelmet obfuscator. It's new, but it works really well.
But is it really worth the effort to select, buy and use such a tool?
I found Eazfuscator cheap (free), and easy to use: took about a day.
I already had extensive automated tests (good coverage), so I reckon I could find any bugs that are/were introduced by obfuscation.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
The community reviewed whether to reopen this question 7 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I maintain an old PC-only application written in Delphi 7. Although Delphi has served me very well in the past I now only use it for this one application and find my skills with the language diminishing. Its syntax is too different from my 'day job' languages of Java/Ruby so it takes me longer to get into the groove of writing new code, plus it is so old I have not used many interfaces so the code is not managed which seems ancient to me now!
Many of my users are moving to Vista which may run the app in compatibility mode or may have GPF problems depending on how their PC is configured by their IT department, so I have to do some maintenance on the application. I'm wondering if I should jump to a more familiar stack.
Is there an automated tool that will do the legwork of converting the code base to C#, leaving me to concentrate on the conversion on any non-standard components? I'm using an embedded database component called AbsoluteDatabase which is BDE compatible and using standard SQL throughout, and a native Delphi HTML browser component which can be swapped out with something from the Microsoft world.
How good are these conversion tools?
I am not aware of any automated tools for making that conversion. Personally I would suggest you stick with Delphi, maybe just upgrade to a new version. I have seen a couple code DOM's that attempt to convert from Delphi to C#, but that doesn't address the library issue.
CodeGear (formally Borland) has a tool for going from C# to Delphi that works OK. I would assume the tools that go the other direction will work the same (requiring a lot of editing). Here is a Swedish tool that works on the same CodeDOM principle to go from Delphi to C# (and a number of other languages). There are others, I just can't find them right now.
Another option would be to upgrade to a more resent version of Delphi for .NET and port your code to .NET that way. Once you get it working in Delphi for .NET (which will be pretty easy, except for the embedded DB, unless they have a .NET version) you can use .NET Reflector and File Disassembler reverse the IL to C#. You will still be using the VCL, but you can use C# instead of Object pascal.
Another similar solution would be to port it to Oxygene by RemObjects. I believe they have a Delphi Win32 migration path to WinForms. Then use .NET Reflector and File Disassembler reverse the IL to C#.
In short, no easy answers. Language migration is easier then library migration. A lot of it depends on what 3rd party components you used (beyond AbsoluteDatabase) and if you made any Windows API calls directly in your application.
Another completely different option would be too look for an off shore team to maintain the application. They can probably do so cheaply. You could find someone domestically, but it would cost you more no doubt (although with the sagging dollar and poor job market you never know . . . )
Good luck!
There has been a scientific report of a successfull transformation of a 1.5 million line Delphi Project to C# by John Brant. He wrote a Delphi parser, a C# generator and lots of transformation rules on the AST. Gradually extending the set of rules, doing a daily build, lots of unit tests, and some rewriting of difficult Delphi parts allowed him with a team of 4, among which some of the original developers, with deep Delphi & C# knowledge, to migrate the software in 18 months. John Brant being the original developer of the refactoring browser and the SmaCC compiler construction kit, you are unlikely to be able to go that fast
Many of my users are moving to Vista
which may run the app in compatibility
mode or may have GPF problems
depending on how their PC is
configured by their IT department, so
I have to do some maintenance on the
application. I'm wondering if I should
jump to a more familiar stack.
Unless you are doing something non standard, D7 applications should run fine in Vista.
As for conversion to C#, I would think that most conversion tools would be a waste of time. A better approach may be to rewrite the application from scratch.
There is no easy answer, but bear in mind that the Delphi.net variant of the language targets the .net runtime, and that different languages on .net can interoperate closely.
You could try getting it to compile in Delphi.Net, factoring into different assemblies and then converting the assemblies by hand one by one. Reflector could help be reverse-engineering compiled code into a skeleton of C# code - equivalent but without comments, internal variable names etc.
On the other hand, Delphi.net may be good enough (TM) for this project.
But unless you have a good test suite (I'm guessing probably not, given the state of the art in Delphi 7) you're going to introduce bugs.