locked
Which tool is best for obfuscation? RRS feed

  • Question

  • I have a .NET application that I need to obfuscate. Can you please advise what is the best tool for me to use?

    How is the visual-studio built-in Dotfuscator tool?

    Sunday, October 9, 2016 10:23 AM

Answers

  • Hi,

    the big question is, what you want to do and what you expect of the obfuscation.

    In my eyes you really have to think about the pros and cons - and my decision was in the past, that we do not do any obfuscation at all. Instead you might want to check the new possibilities to compile code to native binaries (.Net Native):
    https://msdn.microsoft.com/en-us/library/dn584397%28v=vs.110%29.aspx

    Maybe that new feature already offers enough options.

    If you think about using the Dotfuscator then just check the homepage of it to compare the different editions available. That is an easy way to see, which feature you might miss.

    I used .Net Reactor in the past which has an affordable price and offers a lot of features that I thought are important (and are not part of obfuscation). So you might want to have strings encrypted. Or you want the IL modified further so that the code cannot be read any longer and that makes sure that people cannot look at the code easily. (Core obfuscation is just some renaming - so the control flow is still fully available.)

    There are also a few free obfuscators that you might want to check out. Simply check your requirements with the offered features.

    Always be sure that you can fully support your application after modifying it! So with .Net Reactor I had did a few tests to make sure that I still get exception details that I could use to get a good, readable Stacktrace.

    So as a summary: I / We do not use any obfuscation tool. There are to many Cons and for a smaller team. (The main danger is that the idea behind an application is stolen - not the code itself! And everyone can look at the application and write it again.) So the Pros are simply to small and there are to many Cons (e.g. harder support). Check that the features available are really what you need. 

    With kind regards,

    Konrad

    Sunday, October 9, 2016 10:54 AM
  • >>Which tool is best for obfuscation?

    It depends on who you ask I guess. You will find different options here: http://stackoverflow.com/questions/59893/best-method-to-obfuscate-or-secure-net-assemblies

    ...and here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/3132d1c9-0c7a-4b46-9f11-f38165a1c792/which-is-the-best-tool-for-net-obfuscation-?forum=netfxsetup

    Here is yet another one: https://yck1509.github.io/ConfuserEx/

    I guess you will have to evaluate the tools for yourself to figure out which one hat works best for your specific case. There is no bullet-proof way of protecting your source code though.

    Configuring Visual Studio for Obfuscation: http://www.codeproject.com/Articles/1040107/Configuring-Visual-Studio-for-Obfuscation

    Hope that helps.

    Please remember to close your threads by marking helpful posts as answer and then start a new thread if you have a new question. Please don't ask several questions in the same thread.

    Sunday, October 9, 2016 10:46 AM

All replies

  • >>Which tool is best for obfuscation?

    It depends on who you ask I guess. You will find different options here: http://stackoverflow.com/questions/59893/best-method-to-obfuscate-or-secure-net-assemblies

    ...and here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/3132d1c9-0c7a-4b46-9f11-f38165a1c792/which-is-the-best-tool-for-net-obfuscation-?forum=netfxsetup

    Here is yet another one: https://yck1509.github.io/ConfuserEx/

    I guess you will have to evaluate the tools for yourself to figure out which one hat works best for your specific case. There is no bullet-proof way of protecting your source code though.

    Configuring Visual Studio for Obfuscation: http://www.codeproject.com/Articles/1040107/Configuring-Visual-Studio-for-Obfuscation

    Hope that helps.

    Please remember to close your threads by marking helpful posts as answer and then start a new thread if you have a new question. Please don't ask several questions in the same thread.

    Sunday, October 9, 2016 10:46 AM
  • Hi,

    the big question is, what you want to do and what you expect of the obfuscation.

    In my eyes you really have to think about the pros and cons - and my decision was in the past, that we do not do any obfuscation at all. Instead you might want to check the new possibilities to compile code to native binaries (.Net Native):
    https://msdn.microsoft.com/en-us/library/dn584397%28v=vs.110%29.aspx

    Maybe that new feature already offers enough options.

    If you think about using the Dotfuscator then just check the homepage of it to compare the different editions available. That is an easy way to see, which feature you might miss.

    I used .Net Reactor in the past which has an affordable price and offers a lot of features that I thought are important (and are not part of obfuscation). So you might want to have strings encrypted. Or you want the IL modified further so that the code cannot be read any longer and that makes sure that people cannot look at the code easily. (Core obfuscation is just some renaming - so the control flow is still fully available.)

    There are also a few free obfuscators that you might want to check out. Simply check your requirements with the offered features.

    Always be sure that you can fully support your application after modifying it! So with .Net Reactor I had did a few tests to make sure that I still get exception details that I could use to get a good, readable Stacktrace.

    So as a summary: I / We do not use any obfuscation tool. There are to many Cons and for a smaller team. (The main danger is that the idea behind an application is stolen - not the code itself! And everyone can look at the application and write it again.) So the Pros are simply to small and there are to many Cons (e.g. harder support). Check that the features available are really what you need. 

    With kind regards,

    Konrad

    Sunday, October 9, 2016 10:54 AM
  • Have you used Zeroify.com before? Although its primary purpose is to obfuscate html, javascript, and css code - it also has been designed to obfuscate c# code for .net applications

    Thursday, June 8, 2017 7:48 PM
  • I believed the best  C# Obfuscator is Babel , you can check it out at babelfor.NET

    Babel provides good variables and values renaming, string encryption, method encryption and convoluted control flows which is impossible to trace. This simply the best and its product support is fast and efficient

    I have tested out quite  number of obfuscators and the results are as follows:

    Skater , Spices   -- can be easily broken into and decompiled using ILSpy and telerik but

                                  provide simple  renaming of variables , poor product support

     

    Crypto Obfuscator -->  complex renaming of variables (this is good) hard to
                                   trace as the variable names are very long. some obfuscated
                                   C# statements but mainly readable.  Not much entropy

                                    cost $149   poor  support response and obfuscated code sometimes don't work

     Eazfuscator  --> simple renaming of all variables but can easily be decerned
                                 and traceable , variable names are very short
                                  some obfuscated C# statements - and readable and can
                                  be easily rebuilt from the decompiled source.
                                  Virtualization of functions -- totally dubious and fake
                                  just a marketing ploy.   Not much entropy  generated
                                     Also the GUI does not allow  changes on the degree
                                   of entropy , trashgen, obfuscations
                                     cost $390 -- NOT recommended


     NetWinProtect    -->  renaming of variables , but  C# statements are easily
                                       seen   ( NOT good)   NO entropy -- don't use

     Net reactor 5  --> worst as everything is decompiled and everything can
                                     be read with little or NO obfuscation --> there is very little
                                     renaming of variables  ( NOT good)  NO entropy

                                   No product update since 2016, and no response to phone or email queries

    Friday, September 8, 2017 3:28 AM
  • Hello, 

    We do not provide our customers with the "poor product support" as it mentioned above. Please read Skater's users testimonials: 

     Skater .NET Obfuscator reviews

    Skater now protects .NET Core DLLs. Also we started to implement algorithms to prevent deobfuscator's efforts (de4dot and so on). If you are our long-time customer and you need a free upgrade for the latest Skater ver8.7 please contact us directly.

    Support Team Rustemsoft LLC

    Saturday, January 13, 2018 6:00 PM
  • Hi,

    I checked 4-5 obfuscator today. The main purpose of an obfuscator should not be hide your license code, but instead to protect your software / algorithm from being written easily by a programmer just by seeing the code. Because if any software like Windows, SQL Server, Adobe etc. can be easily hacked then there is no chance that you can hide your license code. In my case, I have developed a few software in C# that can be easily replicated if someone has access to its code inside the button click events. So, I tested a few obfuscators that implement "Code Flow Obfuscation" that makes it really hard to understand the execution flow / algorithm of the code. In fact when I did "Code Flow Obfuscation" on my software, I was not able to understand my code itself, let alone what others could understand.

    Just image you spent a few weeks in developing an algorithm that can do a certain task like: you can fetch airline tickets from all websites and show in the software. If someone can see the code of it, he/she can simply create the same software in a day. So, its better to jumble the algorithm in suc a way that it becomes very hard for anyone to understand.

    I tried: Dotfuscator, Eziriz .NET Reactor and Crypto Obfuscator and rustemsoft Skater .NET Obfuscator. (And a few others)

    The following were my results:

    1. All string / variable / function encryptions by all obfuscators were easily de-obfuscated by de4dot de-obfuscator. So, there is no point in encrypting strings / variables / functions.
    2. I used maximum level of "Code Flow Obfuscation" for all 3. I could not use rustemsoft Skater .NET because its software was hanging a lot and the user interface was confusing for me. And the free / evaluation version did not have "Code Flow Obfuscation" enabled to evaluate. So, Dotfuscator did the best srabling of code. And then .NET Reactor and Crypto Obfuscator were of same level but their obfuscation was much inferior to Dotfuscator.
    3. You can try to virtualize the software using a Virtualization software that should prevent direct de-obfuscating using de4dot, but again the exe can be easily unpacked using any good unpacker and then the extracted Assembly can be de-obfuscated using de4dot. A virtualization software is used to pack the main exe, dll and other resources in one big exe so that you do not have to create a setup file etc. and run the exe directly on any computer. So, in this case, you can ecrypt the .NET assembly in a single encrypted exe. But, like I said it can be easily unpacked. There are many videos on YouTube on this topic. It does not do "control flow obfuscation" which was my main purpose.

    So, finally what I did was:

    1. Obfuscate control flow using Dotfuscator, then again "control flow" obfuscate the obfuscated exe using .NET Reactor or Crypto Obfuscator. After this if I de-obfuscate the exe, the code can not be understood by any intermediate level programmer.

    Hope it helps.
    • Proposed as answer by Juvilnoz Wednesday, August 26, 2020 11:29 AM
    • Unproposed as answer by Juvilnoz Wednesday, August 26, 2020 11:29 AM
    Sunday, June 23, 2019 4:40 PM
  • Thanks for your testing. Reading your results were very interesting. Have you any experience using encryption techniques encoding assemblies?

    Friday, September 13, 2019 5:13 PM
  • Don't forget to mention how you want to make people pay for your Skater program over and over and over to make them your personal bank account.
    • Edited by Tekware Software Friday, September 20, 2019 1:23 PM Forgot program name.
    Friday, September 20, 2019 12:49 PM