11

I have a Visual Studio 2008 solution with number of DLLs and web application uses them as a main project. It's a commercial banking and accounting software (thin client) and I don't want a client getting access to the source in circumvention of mine.

I want to obfuscate all resulting assemblies before publishing them onto a web server via menu Publish.

How can I do that? How to insert obfuscating step before building and publishing? Using msbuild?

Edit: Thanks to everybody for answering! But my question is more about concrete task (obfuscating in VS on publishing) than about obfuscating in general.

abatishchev
  • 98,240
  • 88
  • 296
  • 433
  • correct me if im wrong but you obfuscating the resulting assemblies not the source code.. – Peter Mar 10 '10 at 12:50
  • @Petoj: Yea, sure, thanks. I qualified my post. But in fact there is an existent term: obfuscated code http://en.wikipedia.org/wiki/Obfuscated_code – abatishchev Mar 10 '10 at 12:54
  • You won't want to wait until the last minute to obfuscate (if you decide to) ... you'll want to start obfuscating and testing the results early in your cycle. I've been through the process of just thinking I could do it when the code was done ... but it usually breaks something - now I recommend designing for it to get the maximum effect. – Jason Haley Mar 10 '10 at 22:18

6 Answers6

5

There are several obfuscation products out there.

Visual Studio even ships with one - DotFuscator, though there are others.

Here is some DotFuscator documentation.

However, even with obfuscation a determined hacker will be able to reverse engineer your code.

Oded
  • 489,969
  • 99
  • 883
  • 1,009
  • 6
    +1 - I would add that not only will it not stop a determined hacker, it'll only marginally slow them down. I'v had to see how things work before to actually fix third-party bugs, once you get used to looking at it, obfuscated code isn't that much slower to crawl through than normal code with really bad variable/function names. – Nick Craver Mar 10 '10 at 13:03
1

where do expect hijacking from? from users or from hoster? First you shouldn't put source codes on site, just compiled assemblies, second you should put assemblies in folders where users can't access them. If you are afraid of hoster you should use obfuscator, just google them there are a lot of in the market.

Andrey
  • 59,039
  • 12
  • 119
  • 163
  • @Andrey: Because I'm using C# even compiled assemblies could be easily be read. So I want to provide them to a client (publish on his server) but in obfuscated form. – abatishchev Mar 10 '10 at 13:00
1

Never send anything to the client that you don't trust them with. Ever. If the language you are using requires sending trusted information to non-trusted clients, it is being stupid.

Williham Totland
  • 28,471
  • 6
  • 52
  • 68
1

See this post: Protect .NET code from reverse engineering?

Effectively, there's nothing you can do to completely protect your code from reverse-engineering. The best you can do is use a tool like Dotfuscator.

If your code works, the chances an honest client will try to re-write it or tamper with it are small. If the client is not honest, there's little you can do that will be effective.

Instead of worrying about this, worry about producing quality products that honest clients will pay for.

Community
  • 1
  • 1
David
  • 72,686
  • 18
  • 132
  • 173
1

I agree with the above points, in the sense that you shouldn't release code to an untrusted party. Obfuscation simply makes it difficult for your code to be understood, but there are ways and means around it.

Having said that, if you really want to obfuscate your code, you could try Easfuscator.NET.

Jamie Chapman
  • 4,229
  • 5
  • 29
  • 47
1

Some obfuscators will support performing the obfuscation as part of the build process so that the published app is already obfuscated.

Crypto Obfuscator is one such tool - it supports integration with MSBuild which enables performing the obfuscation step as part of publishing or ClickOnce.

logicnp
  • 5,796
  • 1
  • 28
  • 32