.NET Obfuscators
The .NET architecture offers a large degree of power and flexibility. Unfortunately, that design inherently creates a problem for those trying to hide their program's intellectual property. One consequence of the .NET architecture is that a great deal of information about an assembly is kept with the assembly, in a part of the file called the Manifest. This information makes it remarkably easy not just to recompile the assembly, but to decompile it, make modifications, and then recompile it.
One of the key features of Microsoft .NET is that all its languages generate assemblies containing CPU-independent instructions, the so-called Microsoft Intermediate Language instructions. .NET assemblies also include metadata that describes types, members, and code references from other assemblies. At program runtime, these instructions are converted to CPU-specific code by the just-in-time compiler.
This architecture provides developers with several benefits: it makes interoperability easy for code written in different languages, and it simplifies linking between assemblies. However, there is one major drawback as well: the data contained in assemblies provides enough information to recover the original code. This makes it difficult to protect the intellectual property in an application whose source code can be read by anyone. Developers who have spent months or years working on complex algorithms or workarounds for bugs often prefer to keep their methods secret from others.
This is where obfuscation can help. Its purpose is to transform a .NET assembly without affecting its functionality, so that it becomes difficult or impossible to decompile. Code obfuscation of .NET assemblies helps achieve two main goals:
The obfuscator works with .NET CF. It obfuscates .NET CF assemblies, and the obfuscated image can then be deployed to WinCE devices. The obfuscated image can be used to replace the original assembly for debugging, since it contains exactly the same information on exceptions, line numbers and other symbolic info.
A .NET code protection tool offers sophisticated technologies to protect .NET code and intellectual property. The obfuscator transforms .NET assemblies (in C#, VB.NET, C++.NET, J#, MSIL, etc.) in such a way that decompiling the new format results in source code that is extremely difficult to understand and virtually impossible to recompile.
Obfuscator features:
Obfuscate all .NET assemblies - C#, VB, MC++, even the Framework
Removes unnecessary symbols producing maximal obfuscation and compression
Removes unnecessary metadata preventing decompilation to the original source
Encrypts string literals
Scrambles class names, method names, field names etc.
Obfuscates multi-module assemblies
Obfuscates satellite resource assemblies automatically
Supports incremental obfuscation of one or more assemblies
Multiple obfuscation vectors designed to confuse both human and automated reverse engineering
Uses XML configuration and reporting files allowing easy integration with other tools
Visual Studio .NET integration allowing product building and obfuscation directly from the IDE
Command line tool for use in the batch build environment
Prohibits reverse engineering
Obfuscated application usually is not recompilable
Processes any .NET application, executable or assembly
Compatible with any .NET framework
Control flow obfuscation stops decompilers and deobfuscators
Implements assemblies linking; linkage unites .NET assemblies into a single dll or exe.
The .NET obfuscation process renames all possible symbols (class, interface, field and method identifiers) to render them meaningless, and strips all unnecessary information (local variable names, method parameter names, debug information and some metadata) from the .NET assemblies. A benefit of obfuscation is a substantial reduction in the size of the code, due to the removal of unnecessary information and the replacement of long, human-readable identifiers with short machine-generated names. This size reduction is beneficial because it leads to faster startup for the programs.
The risk with tampering is that the strong name of the assembly can be cracked and the assembly re-signed with another key. The technology allows generating assemblies protected from a recently emerged spoofing technique: modifying or removing strong names. The assembly won't work correctly with a modified strong name even if the new strong name is recognized by the .NET loader as a valid one.
The assembly won't work correctly either if it is not signed at all or if it is signed with a strong-name key that differs from the assembly originator's. If the assembly does not contain any string information, the assembly validity can be checked by performing an easy testing procedure for any of the used strings. Tamper-proof technology encrypts string and binary resources (user strings, binary arrays used in the code) to protect and secure resources from prying eyes, and provides tamper-proof mechanisms that protect the assembly from tampering and spoofing.
Multiple .NET assemblies are specified as inputs in the building process, and some public interfaces are to be exported to the outside while the rest are internal and thus to be obfuscated as much as possible. The input assemblies may depend on each other, and the obfuscator automatically analyses the inter-dependency, then performs the obfuscation as a whole.
Incremental obfuscation allows new assemblies to be obfuscated based on the previous obfuscation results, so hot fixes can be delivered by distributing small patches to customers. The obfuscator does not rely on any logs; instead it simply uses the original and obfuscated pair of images, which makes incremental obfuscation extremely easy to perform.
String protection encrypts literal strings during obfuscation and decrypts them at runtime. Since obfuscators must embed the decrypt method into the same assembly, it is very easy to recover the original strings. A decompiler can remove any string protections added by obfuscators. A protector can offer string and resource protection.
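The following C# sketch is an added example, not code from any obfuscator described here. It shows one way string protection can be tied to the strong-name tamper-proofing discussed above: the keys are derived from the signer's public key, so strings stop verifying once the assembly is re-signed. The class name, the key-derivation scheme and the sample key bytes are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class BoundStrings
{
    // Assumed scheme: one independent 32-byte key per purpose, derived from the public key.
    static byte[] Derive(byte[] publicKey, byte purpose)
    {
        using var sha = SHA256.Create();
        return sha.ComputeHash(publicKey.Append(purpose).ToArray());
    }
    // Build step. Blob layout: HMAC tag (32) || IV (16) || AES-CBC ciphertext.
    public static byte[] Protect(string text, byte[] publicKey)
    {
        using var aes = Aes.Create();
        aes.Key = Derive(publicKey, 1);
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] plain = Encoding.UTF8.GetBytes(text);
        byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        using var mac = new HMACSHA256(Derive(publicKey, 2));
        return mac.ComputeHash(body).Concat(body).ToArray();
    }
    // Runtime step. Returns false when the blob does not verify under this public key.
    public static bool TryUnprotect(byte[] blob, byte[] publicKey, out string text)
    {
        text = "";
        byte[] tag = blob.Take(32).ToArray(), body = blob.Skip(32).ToArray();
        using var mac = new HMACSHA256(Derive(publicKey, 2));
        if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(body), tag)) return false;
        using var aes = Aes.Create();
        aes.Key = Derive(publicKey, 1);
        aes.IV = body.Take(16).ToArray();
        using var dec = aes.CreateDecryptor();
        text = Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        return true;
    }
    static void Main()
    {
        // Constructed stand-ins; a real assembly would use Assembly.GetName().GetPublicKey().
        byte[] originator = Encoding.ASCII.GetBytes("constructed-originator-public-key");
        byte[] resigner = Encoding.ASCII.GetBytes("constructed-other-public-key");
        byte[] blob = Protect("license server: example.invalid", originator);
        Console.WriteLine(TryUnprotect(blob, originator, out var ok) ? ok : "<rejected>");
        Console.WriteLine(TryUnprotect(blob, resigner, out var bad) ? bad : "<rejected>");
    }
}
```

Because the keys are derived from data shipped in the assembly itself, this detects re-signing but does not hide the strings from anyone who holds the original file, which is the limitation the string protection paragraph describes.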
Control flow obfuscation mutates the control flow structure of the code to make it harder for a decompiler to reconstruct readable loop statements. Obfuscation breaks down the structures that make programs modular, which, surprisingly, reduces program code size in many cases.
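As an added illustration (not output from any particular obfuscator), the C# below shows a simple loop next to a hand-flattened equivalent in which every basic block becomes a case selected through a state variable. Real tools apply this kind of transformation at the IL level; the method names and state numbers are made up for the example.

```csharp
using System;

static class FlowDemo
{
    // Before: a loop that a decompiler reconstructs directly from the IL.
    public static int CountEven(int[] values)
    {
        int count = 0;
        for (int i = 0; i < values.Length; i++)
        {
            if (values[i] % 2 == 0) count++;
        }
        return count;
    }

    // After: the same logic flattened into a dispatcher. The loop and the if
    // no longer appear as structures; only jumps between numbered blocks remain.
    public static int CountEvenFlattened(int[] values)
    {
        int count = 0, i = 0, state = 3;
        while (true)
        {
            switch (state)
            {
                case 3: state = i < values.Length ? 7 : 5; break;   // loop test
                case 7: state = values[i] % 2 == 0 ? 1 : 4; break;  // if test
                case 1: count++; state = 4; break;                  // if body
                case 4: i++; state = 3; break;                      // loop increment
                case 5: return count;                               // loop exit
            }
        }
    }

    static void Main()
    {
        int[] sample = { 4, 7, 10, 13, 16 };             // constructed input
        Console.WriteLine(CountEven(sample));            // 3
        Console.WriteLine(CountEvenFlattened(sample));   // 3
    }
}
```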
An obfuscator should be robust. Regardless of the complexity of the application and the .NET programming language used, the obfuscator should always work. It should provide protection against ILDASM and utilities that use the reflection APIs, and should also support mixed images that contain both managed and unmanaged code.
Obfuscation Tools: