August 17, 2004

Recommendations for an Obfuscator?

Can anyone out there in C# land give me some recommendations for a good Obfuscator for standalone C# apps under the following parameters?

  • Must be able to be launched in an automated build environment (through NAnt)
  • Should do String and Resource encryption/hiding
  • Should just work. No weird complex profiling needed for apps
  • Must defeat all known decompilers
  • Must fit the pocketbook of a small ISV

The short list I have compiled so far includes:


Anyone have any real experience with any of these? I am currently using DotFuscator Community Edition which comes with Visual Studio .NET, and it blows as it needs Visual Studio to be open and running for it to work, which means it won't work in my automated build environment. I need something, but not sure what to turn to without having to either mortgage my house or live with half my stuff not being obfuscated.

Advice and feedback welcomed!

Posted by SilverStr at August 17, 2004 08:42 AM
Comments

The one I always recommend is Brent Rector's obfuscator Demeanor for .NET (Enterprise Edition). I am biased, though, as I haven't worked with the others, except DotFuscator Community Edition which is a joke.

In evaluating obfuscators, I like Brent's explanations here:

http://www.franklins.net/fnetdotnetrocks/dotnetrocks.aspx?showid=35

and here:

http://www.wintellect.com/resources/newsletters/2002/aug2002.aspx

As Brent points out, no obfuscator is completely foolproof, but there are some features that a good obfuscator must include:

You need an obfuscator that operates directly on the binary assembly produced by your .NET compiler. As such, it requires NO change [to] your source code and isn't restricted to those constructs supported by your language of choice. Many less functional obfuscators use ILDASM and ILASM to decompile an assembly into an IL source file, make a few text edits to the source file, then recompile back into a binary assembly. Unfortunately, not all assemblies survive this round-tripping process, for example, assemblies produced by the Microsoft C++ with Managed Extensions compiler. Choose an obfuscator that can obfuscate assemblies containing managed and unmanaged code, such as those produced by the Microsoft MC++, as well as assemblies produced by practically any .NET programming language.

Robert

Posted by: Robert Hurlbut at August 17, 2004 10:56 AM