7 Replies - 16265 Views - Last Post: 11 November 2012 - 10:45 AM

#1 LilGhost  Icon User is offline

  • D.I.C Head

Reputation: 8
  • View blog
  • Posts: 98
  • Joined: 12-October 12

Obfuscation

Post icon  Posted 31 October 2012 - 01:12 PM

So, I find myself at a loss. I've been working on a project for months and I don't want to see it cracked. I know the people who use it, for the most part, will be computer savvy. However, I wouldn't like the software to be decompiled, edited a little, then recompiled and resold. I know code doesn't really need obfuscation to be secure, but it seems with the releases I've made already I've just been dodging bullets :gun_bandana: . I took it upon myself to do my best to cipher strings, taskkill a list a of packet sniffers and add useless subs so crackers would have to sit and go through pages of useless code before finding anything remotely useful. However, I want to know that the code is even more secure by using a good obfuscator. I've used skater.net (free edition) but I can't say I've been too impressed.

So, finally for the question ;) , as of October, 2012, what is the best obfuscator?

Please don't respond with a list of obfuscators but please answer with what has worked best for you. I'm sure there are millions of threads asking this around here and different forums but most have the typical reply of just a list of obfuscators. Also, please don't reply and say "You don't need an obfuscator if you code your program right." As great as that is, it's not overly helpful.

Best Regards,
LilGhost

This post has been edited by AdamSpeight2008: 31 October 2012 - 03:41 PM


Is This A Good Question/Topic? 3
  • +

Replies To: Obfuscation

#2 tlhIn`toq  Icon User is offline

  • Please show what you have already tried when asking a question.
  • member icon

Reputation: 5529
  • View blog
  • Posts: 11,846
  • Joined: 02-June 10

Re: Obfuscation

Posted 31 October 2012 - 05:38 PM

We've been very happy with the results from Dotfuscator.

Of course doing some work on your part never hurts. When people name their methods "GetResults()" and "CheckLicenseValidation()" it makes it pretty easy for the reverse engineers. Keep in mind that hiding variable names and method names must extend to any DLL's you make. By their very nature the method names for a DLL must remain readable to any application - That's how the DLL gets used. So its up to you to internally map the DLL method "YogiBear(int a, string e)" to a call that does something meaningful like "GetAge(UserID, LastName)"

Are you using decompilers to examine your deliverable code? If you want to thwart the gnomes you have to become them. Do you best to decompile your code and make something of it.

We also use a hardware security dongle. So all the code is Dotfuscator'ed, DLL's are as well plus given nonsensical method names, code shuts down if a debugger is attached, and requires a hardware security dongle that has code on its memory. So the application can confirm the permissions on the dongle as well as call a function on the dongle to do some work. All together it has proven to be some pretty good armor.

This post has been edited by tlhIn`toq: 31 October 2012 - 05:39 PM

Was This Post Helpful? 2
  • +
  • -

#3 lucky3  Icon User is offline

  • Friend lucky3 As IHelpable
  • member icon

Reputation: 231
  • View blog
  • Posts: 765
  • Joined: 19-October 11

Re: Obfuscation

Posted 31 October 2012 - 11:57 PM

tlhIn`toq would you go in more detail on:
  • code shuts down if a debugger is attached
  • requires a hardware security dongle that has code on its memory

How are you checking for attached debugger? How you identify, if it's a debugger? By hardware security dongle, you probably mean USB key?

What are your thoughts on having server/client sort of solution, where some of functionality and validation is server based (besides the drawback, that it needs internet connection to work)?

P.S. I hope I'm not hijacking the thread here. My questions are not obfuscator oriented, but more in general, how to protect your intellectual property from cracking.
Was This Post Helpful? 0
  • +
  • -

#4 X@MPP  Icon User is offline

  • 僕わ馬鹿ですね?
  • member icon

Reputation: 36
  • View blog
  • Posts: 1,014
  • Joined: 20-February 09

Re: Obfuscation

Posted 01 November 2012 - 01:30 AM

Funny you mention this, although its not VB.net specificity I've been researching MSIL deobfuscation and disassembly. With things like CCI and Mono.Cecil it becomes stupidly easy to disassemble the IL then from there just some basic code cleanup is needed that can be provided by the lovely de4dot after that, if its just pure .NET then you are kinda hosed if you are just relying on pure obfuscation. Things like p/invokes to un-managed code such as C/C++ or ASM just make it harder not impossible. Then as mentioned before killing the debugger or decompiler, that will work but only if the developer of the debugger or decompiler is not expecting that to happen, as for a custom tool the same can not be said. the only issue with the Hardware dongle is that if someone sneaks it out and makes an image of it, then that will be bound to fail as well.

And that's just talking about Attacking on disk, if the application is in memory then you have another set of challenges to face.

But as for a good obfuscator, I heard SmartAssembly was good, not unbreakable, but good.

**EDIT**

As for what worked best for me I cant say, all my projects have been instinctively open source.

**EDIT 2**

View Postlucky3, on 01 November 2012 - 07:57 AM, said:

What are your thoughts on having server/client sort of solution, where some of functionality and validation is server based (besides the drawback, that it needs internet connection to work)?


The Server Client has the issue of packet replay if done incorrectly and even if done correctly if you can get in there and find this bits of code that do that then forcibly rip them out by the scalp then that's not going to work ether.

If its requiring a internet connection to ping a certain server then the modification of the host file to direct the ping to localhost will provide the false sense of internet. But just as there are flaws in the implementation of security there are flaws in the ability to bypass it. So its just a basic game of weight your options and pick the one that best fits your need, or just give up on the obfuscation, that's what Microsoft did.

This post has been edited by X@MPP: 01 November 2012 - 01:41 AM

Was This Post Helpful? 0
  • +
  • -

#5 tlhIn`toq  Icon User is offline

  • Please show what you have already tried when asking a question.
  • member icon

Reputation: 5529
  • View blog
  • Posts: 11,846
  • Joined: 02-June 10

Re: Obfuscation

Posted 01 November 2012 - 07:51 AM

It depends on the hardware dongle as to how hard it is to duplicate. Some are easier to make a software version of than others. The ones we use aren't something you can just make an image of. They have their own driver that requires the use of developer ID codes just to read the data correctly; a form of encryption.

Simply pinging a web server isn't going to be much use as you said. But if you send a special piece of information and expect a special reply in return it helps. For example, if you send "apple" and have to have "orange" reply to keep going, then only the server and your application know the code book of acceptable replies to prompts.

But yeah, its a cat and mouse game. Our company business is as much about on-line fulfillment as it is the program itself. So duplicating the program doesn't magically get someone the money making revenue stream. But if someone is trying to sell the next great calculator application for $4.99... You don't so much worry about the every man user duplicating it because its not worth 100 hours to save $5. You're just worried about unscrupulous developers taking your code, rebranding it then reselling it. Its worth it to them to spend 50 hours to have an entire product to sell instead of 500 or 5,000 hours to develop their own.
Was This Post Helpful? 0
  • +
  • -

#6 marty617  Icon User is offline

  • New D.I.C Head

Reputation: 7
  • View blog
  • Posts: 33
  • Joined: 14-October 12

Re: Obfuscation

Posted 02 November 2012 - 05:03 AM

Keep in mind that you cannot hide your code, you can only confuse the reverse engineer long enough that you can change your technique of hiding with a new security release.
Was This Post Helpful? 0
  • +
  • -

#7 LilGhost  Icon User is offline

  • D.I.C Head

Reputation: 8
  • View blog
  • Posts: 98
  • Joined: 12-October 12

Re: Obfuscation

Posted 03 November 2012 - 06:24 AM

View PostX@MPP, on 01 November 2012 - 01:30 AM, said:

Funny you mention this, although its not VB.net specificity I've been researching MSIL deobfuscation and disassembly. With things like CCI and Mono.Cecil it becomes stupidly easy to disassemble the IL then from there just some basic code cleanup is needed that can be provided by the lovely de4dot after that, if its just pure .NET then you are kinda hosed if you are just relying on pure obfuscation. Things like p/invokes to un-managed code such as C/C++ or ASM just make it harder not impossible. Then as mentioned before killing the debugger or decompiler, that will work but only if the developer of the debugger or decompiler is not expecting that to happen, as for a custom tool the same can not be said. the only issue with the Hardware dongle is that if someone sneaks it out and makes an image of it, then that will be bound to fail as well.

And that's just talking about Attacking on disk, if the application is in memory then you have another set of challenges to face.

But as for a good obfuscator, I heard SmartAssembly was good, not unbreakable, but good.

**EDIT**

As for what worked best for me I cant say, all my projects have been instinctively open source.

**EDIT 2**

View Postlucky3, on 01 November 2012 - 07:57 AM, said:

What are your thoughts on having server/client sort of solution, where some of functionality and validation is server based (besides the drawback, that it needs internet connection to work)?


The Server Client has the issue of packet replay if done incorrectly and even if done correctly if you can get in there and find this bits of code that do that then forcibly rip them out by the scalp then that's not going to work ether.

If its requiring a internet connection to ping a certain server then the modification of the host file to direct the ping to localhost will provide the false sense of internet. But just as there are flaws in the implementation of security there are flaws in the ability to bypass it. So its just a basic game of weight your options and pick the one that best fits your need, or just give up on the obfuscation, that's what Microsoft did.

I actually looked into smartassembly, I had them quote me a price for 1 developer on 1 machine for a small business. They came back with $1200+ before November 16th. And if i purchased after November 16th i was informed the price would be $4000+. Probably needless to say, they're no longer in my consideration.

Also to answer a previous question, I wasn't at first till i heard that skater.net wasn't good. When i heard that i downloaded a decompiler & opened up me "obfuscated code". I noticed no changes in my code except "Rumsoft.Skater" was inserted into the code.

I've been looking into .NET Reactor. I got a trial & tested it, it seems to conceal the code excellently. Can anybody else say anything about .NET Reactor before i purchase it?
Was This Post Helpful? 0
  • +
  • -

#8 LilGhost  Icon User is offline

  • D.I.C Head

Reputation: 8
  • View blog
  • Posts: 98
  • Joined: 12-October 12

Re: Obfuscation

Posted 11 November 2012 - 10:45 AM

Seeings as this thread has received over 2,000 views I'd like to post some useful information. I went ahead and got .Net Reactor. The obfuscator is very easy to use and very effective. I found using the obfuscator, putting some junk code in my source (google if you don't know what junk code is) and sticking to my ciphered/xor'ed has made it so when i decompile my own program (making sure it's difficult to crack before releasing) I can't even find my own source. This software is definitely worth the money and is 27.65 times (no joke it's really 27.65 times cheaper) than dotFuscator. In all honesty, it probably does just as good of a job, if not a better job, than dotFuscator. I recommend spending the $179 and getting .Net Reactor.
Was This Post Helpful? 1
  • +
  • -

Page 1 of 1