« RSS vs. Necho | Main | CropMonkey 1.0 release »
Obfuscate your .NET code

If you've looked very closely at your compiled .NET assemblies, you've realized there's a lot of information readily available in the IL.. Tools like Anakrino and Lutz Roeder's Reflector allow anyone to decompile your assemblies into something very similar to your original code. If you want to protect your code, obfuscation is the solution.

Let me clear up one common misconception first: ngen does NOT protect your code, to be able to run ngen a user already has your original assembly! Ngen only generates a native image and installs it into the computer's native image cache so the assembly can load and execute more quickly.

A simple obfuscator will just rename all your symbols (classes, methods, variables, etc.) to gibberish strings that would make it very hard for someone to understand your code once decompiled. Smarter obfuscators will play tricks like inserting weird branches that don't ever get taken or change if statements into loops that only run once in the attempt to break decompilers and generally make your code such a mess that decompiling isn't worth the time it would take. Many obfuscators will also encrypt strings and remove unused code and metadata from the assembly.

I've used Dotfuscator Community Edition which is a free download and only does symbol renaming. A word to the wise: Take the 1.0 Framework and SDK out of your path and put 1.1 in your path before using Dotfuscator... Apparently Dotfuscator uses the ILDASM/ILASM utilities and the assembly attributes get corrupted when it uses the 1.0 versions of those utilities -- even when building 1.0 assemblies. Other than this fixable problem and the ugliest interface known to man, it works like a charm.

QNDObfuscator is an open source (Mozilla license) obfuscator that seems to do a better job with symbol renaming than Dotfuscator. In fact, decompiling with Reflector fails completely. I did run into a problem with the assembly attributes being corrupted... let me know if you have a solution to this problem. If you're not using anything like Application.ProductName which reads an assembly attribute then you have nothing to worry about.

Anyone have any other tips for protecting your code?

Posted by JoshC at July 19, 2003 12:37 AM
Trackbacks
TrackBack URL for this entry:
http://www.joshchristie.com/weblog/mt/mt-tb.cgi/10

Listed below are links to weblogs that reference 'Obfuscate your .NET code' from Josh Christie's Weblog.
Comments
Post a comment









Remember personal info?