The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Obfuscation (.net) advice?

Anyone here do obfuscation for .net? I'm looking to add some extra protection to my key activation part of my program, as a co-worker was able to reverse-engineer a keygen in about an hour just using reflector...

Of course low cost is good :)

Anything I need to look out for while using one?

Steve
Thursday, January 24, 2008
I'm a big fan of Xenocode postbuild:

You can get it to obfuscate the code so that method names, properties, etc. look like random text in Reflector. Another thing it can do is change the compiled code so that it functions the same but it alters the code flow to make it more confusing for the determined reader.

You can additionally get Xenocode to modify the header of .NET executables so they can't be loaded in Reflector at all.

Things to look out for include remembering that crash reports containing call stacks (if your software gives the option to send them back to base) will be obfuscated so you'll want to hold onto the map file Xenocode generates to unmangle them.

Also if you use any form of serialisation or reflection in your code you may want to exclude certain classes from obfuscation (which you can easily do) as that can really mess things up.

It's also worth saying that anyone determined enough will be able to reverse engineer your code but to thwart the casual hacker it'll do a good job.
John C
Thursday, January 24, 2008
Check out .Net Reactor
It's got much better protection than overpriced obfuscators plus some additional nice features.

Friday, January 25, 2008
We are looking at .Net Reactor too. One thing to look out for is that for a while they could not be loaded on a 64-bit OS at all. Their app and anything protected with it would not run. I reported this when I first had it, but I do not know if they have fixed it at all.
SteveM
Saturday, January 26, 2008
>> Anything I need to look out for while using one? <<

Yes. Using obfuscation on its own won't stop keygens - the pirates will just use a black box approach instead.

If you use public/private key encryption for your serial numbers, this will stop original keygens completely, regardless of access to any form of your source code. But note that you should also encrypt the public key stored in your binary.

The easiest way around this is for the pirate to replace the public key stored in your binary with his own public key. But this means that he has to create and host a patched binary, rather than just create a keygen. That's a significant extra overhead.
Mark Pearce
Saturday, January 26, 2008
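As an added illustration of the signed-serial-number approach described in the post above (not code from the thread or from any product named in it): the vendor signs the license payload with a private key, and the shipped program carries only the public key and verifies the signature. The sketch assumes ECDSA P-256 on .NET Core 3.0 or later; the `LicenseDemo` class, the `payload.signature` license format and the sample customer data are all constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Vendor side: runs only where the private key lives, never in the shipped product.
    static string Issue(ECDsa vendorKey, string payload)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] sig = vendorKey.SignData(data, HashAlgorithmName.SHA256);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(sig);
    }

    // Client side: ships in the product and needs only the public key.
    static bool TryVerify(byte[] publicKey, string license, out string payload)
    {
        payload = string.Empty;
        string[] parts = license.Split('.');          // Base64 never contains '.'
        if (parts.Length != 2) return false;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] sig = Convert.FromBase64String(parts[1]);
            using ECDsa ecdsa = ECDsa.Create();
            ecdsa.ImportSubjectPublicKeyInfo(publicKey, out _);
            if (!ecdsa.VerifyData(data, sig, HashAlgorithmName.SHA256)) return false;
            payload = Encoding.UTF8.GetString(data);
            return true;
        }
        catch (FormatException) { return false; }        // license text is not Base64
        catch (CryptographicException) { return false; } // malformed key or signature
    }

    static void Main()
    {
        // Demo only: both key pairs are generated in-process. In practice the vendor
        // key pair is created once and only its public half is embedded in the binary.
        using ECDsa vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa other = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] embeddedPublicKey = vendor.ExportSubjectPublicKeyInfo();

        string payload = "name=Alice Example;edition=Pro;expires=2030-01-01"; // constructed
        string good = Issue(vendor, payload);
        string forged = Issue(other, payload); // signed without the vendor's private key
        string edited = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(payload.Replace("Pro", "Site"))) + "." + good.Split('.')[1];

        foreach (string lic in new[] { good, forged, edited })
            Console.WriteLine(TryVerify(embeddedPublicKey, lic, out string p) ? "valid: " + p : "rejected");
    }
}
```

Only the first license verifies; the one signed with a different key pair and the one with an edited payload are both rejected. The check is only as trustworthy as the embedded public key, which is the caveat the post raises.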
I'm using the free obfuscar for all my projects.

It's nothing fancy, it just makes your code an abstract mess ;-) Fits my needs exactly. I just want the reflector kiddies not to have free code. And it's free ;-)
Marc Jacobi
Thursday, January 31, 2008
Why don't you use a .NET Encryption/Protection technique? Your .NET assembly will be encrypted then decrypted at run-time. A product that I would recommend to anyone to use is ElecKey 2.0
Lam
Saturday, February 16, 2008

This topic is archived. No further replies will be accepted.
