10

I'm currently developing an application where it's rather crucial to keep the user from decompiling the code. Now, I'm aware of the fact that most .exes are decompilable if executed by an experienced programmer. However, my goal is simply to keep it safe from the "regular" user with basic programming knowledge.

I've come across several obfuscators, and the one I'm using right now is Codeplex Confuser, which you can find here. Since I'm no obfuscation guru, or that experienced within programming of any high level, I'm asking you if you know anything about the safety of this obfuscator.

Kara
Fredrik
  • So how would you suggest I make some code of the software unreachable? Such as where I define the methods shuffling encryptions, and hiding information in certain files. – Fredrik Aug 28 '12 at 00:30
  • 1
    Why do you want to hide information? If you're worried about tamper-proofing, look into [public-key cryptography](http://en.wikipedia.org/wiki/Public-key_cryptography) (asymmetric ciphers) and [digital signatures](http://en.wikipedia.org/wiki/Digital_signature). – obataku Aug 28 '12 at 00:32
  • Check out this question: http://stackoverflow.com/questions/2478230/how-can-i-protect-my-net-assemblies-from-decompilation – niaher Aug 28 '12 at 00:38
  • 2
    Just my two cents but obfuscators aren't worth the bytes they are written on. If you have data that needs to be kept secret or code that is highly proprietary you're barking up the wrong tree if you want to keep it secure. – Maxim Gershkovich Aug 28 '12 at 00:38
  • .fuscator not an option? – Cole Tobin Aug 28 '12 at 00:51
  • [This is the better way](http://www.remotesoft.com/salamander/protector.html) – Jeremy Thompson Aug 28 '12 at 01:46
  • 12
    Yes confuser is safe imo and will do what you want. Ignore everyone that whinges "why bother obfuscating your code it can still be cracked". Do you lock your car? Yes? Why, a skilled thief can still get in. Do you lock your front door? Yes? Well a thief can break the window. Obfuscating your code is the same. It is to keep honest people honest and make it that little bit harder for the skilled thief. – Martin Dec 19 '13 at 15:43

2 Answers

9

From my experience Confuser is one of the hardest (free) obfuscators to reverse at this moment. At least by 1-click tools.

Personally I had a few issues with it, namely, a few false positives when using max settings and a few cases that made my .exe's unable to run.

Keep in mind that, regardless of whether it's a bit harder to reverse than other free alternatives, it's still very possible for someone to do so if he devotes a bit of time.

denied66
  • Is this what is used by .NET reflector (go figure)? Because opening it in reflector gives me random unicode function names and such – Cole Tobin Aug 28 '12 at 00:52
  • Doubtful, since using a free obfuscator for a program of that magnitude will cause them only problems. Have you tried using a different program to open Reflector? ILSpy is a good alternative. – denied66 Aug 28 '12 at 00:58
  • Yes, I tried ILSpy and IDA. Both give me random (not random, but accented characters, symbols, etc.) function and variable names like they are just random byte data (but consistent through loads, so it is the true variable name), like this: `call ...::Reflector.&` – Cole Tobin Aug 28 '12 at 02:43
  • Downloaded the trial version just to check it out. Seems like they are using SmartAssembly, which I don't really recommend since, because it's quite popular, there are numerous tools that can reverse it. Not to mention they even made a tool just for SA (Dumbassembly) – denied66 Aug 28 '12 at 02:56
  • @ColeJohnson Reflector uses a commercial obfuscator, SmartAssembly (made by the same company, Red Gate, which now develops Reflector). – cdel Aug 28 '12 at 13:17
  • @cdel DumbAssembly still doesn't unscramble the function names. – Cole Tobin Aug 28 '12 at 21:43
5

Using an obfuscator will make it a lot harder to decompile the code, but it's still not safe.

The only way to keep your code safe is to keep it out of the hands of the users. You can put critical code in a web service, and let the application call it. Unless the user can actually hack the server and get to the code, it's completely safe from decompiling.

Guffa
  • 2
    True, but OP said "However, my goal is simply to keep it safe from the "regular" user with basic programming knowledge." in which case obfuscation fits the bill perfectly – Martin Dec 19 '13 at 15:44
  • 1
    @Martin: Yes, but he also said that it was rather crucial to keep the user from decompiling the code. Most regular programmers could use tools that are freely available and have a chance to grasp enough of the code for it to be a problem. – Guffa Dec 19 '13 at 16:06
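
The split described in the answer above (critical code in a web service, thin client in the shipped .exe), as an added example that is not part of the original thread. The class names, the demo key, the `input` parameter and the localhost URL are all assumptions made for illustration; both halves run in one process here only so the sample works offline.

```csharp
// Added example: constructed names, key and port; not code from the thread.
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

static class CriticalService   // runs on your server; never shipped to users
{
    // Constructed demo key. In production, load it from server-side secret storage.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-not-a-real-secret");

    // The routine worth protecting: only its output ever leaves the server.
    static string Protect(string input)
    {
        using var hmac = new HMACSHA256(Key);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    public static async Task ServeOnceAsync(HttpListener listener)
    {
        HttpListenerContext ctx = await listener.GetContextAsync();
        string input = ctx.Request.QueryString["input"] ?? "";
        bool ok = input.Length > 0 && input.Length <= 256;   // clients are untrusted
        byte[] body = Encoding.UTF8.GetBytes(ok ? Protect(input) : "bad input");
        ctx.Response.StatusCode = ok ? 200 : 400;
        await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
        ctx.Response.Close();
    }
}

static class Program   // the only part that ships in the desktop .exe
{
    static async Task Main()
    {
        const string url = "http://localhost:8089/protect/";  // assumed test endpoint
        using var listener = new HttpListener();
        listener.Prefixes.Add(url);
        listener.Start();
        Task server = CriticalService.ServeOnceAsync(listener);

        // A decompiler of the client sees only this HTTP call, not the key or routine.
        using var client = new HttpClient();
        string query = "?input=" + Uri.EscapeDataString("report.dat");
        Console.WriteLine(await client.GetStringAsync(url + query));
        await server;
    }
}
```

A real deployment would serve this over HTTPS and authenticate callers, since anyone who can reach the endpoint can use the routine even without seeing its code.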