Protect Code with Skater .NET Obfuscator

Published: 19 Feb 2007
By: Rustem Soft

Application vulnerabilities, intellectual property theft and revenue loss are among the most serious risks facing companies today. According to Business Software Alliance statistics, four out of every ten software programs in the software business worldwide are pirated.

Introduction

Code obfuscation is a form of software protection against unauthorized reverse-engineering. The chief functions of any software protection technique are:

  1. Detect unauthorized attempts to decipher or tamper with the software.
  2. Protect the software against such attempts and alteration.
  3. Ensure that if the protection fails, the software's functionality is restricted in an undetectable manner.

Why obfuscate?

Unauthorized access to source code can offer a quick back entrance into your systems, business processes and revenue streams. The global piracy rate has increased 40% over the past years and nearly $11 billion is lost. This is a clear threat to software producers and thus to the global economy. With more than half a million developers having access to .NET reengineering tools that provide near-instant access to source code from any .NET binary, organizations of all types rely on obfuscation to manage the risk of piracy. Over the years, several software protection techniques have been developed, and code obfuscation is among the most promising.

Skater .NET obfuscator

Skater .NET obfuscator protects against deciphering by various means, mainly making assembly member names meaningless, encrypting string values, and including trick commands that render disassembled code un-compilable.

Skater .NET obfuscator is a .NET code intellectual property protection tool that implements all known software protection techniques to completely protect your .NET apps. RustemSoft .NET Obfuscator is compatible with any .NET framework version and offers effective methods of protection against unauthorized reverse-engineering. Obviously you need the Skater .NET Obfuscator for the following reasons:

  1. You have a clear understanding of obfuscation benefits and appropriate use cases.
  2. You generally understand that obfuscation prevents source code extraction.
  3. You have practical understanding of how and when obfuscation should be used.
  4. Your organization has a consistent approach to assessing the risk of source code extraction.

Cardinal obfuscation techniques

Private and Public members names obfuscation

Skater .NET scrambles the names of classes, methods, variables, and other assembly members. Obfuscating names makes reverse engineering of the assembly code much harder. Some Skater settings allow you to generate names that will prevent recompilation.

Public members in DLL libraries are deliberately left out of obfuscation because they are intended to be used by external assembly code. If you are sure some public members are not accessed from outside, you may want to obfuscate them.

For exe executables you may consider the assemblies to be self-contained and obfuscate all possible names very aggressively, including public members.

String encryption

The string encryption function allows you to select which literal values of string data type are encrypted. You may select all strings, or mark specific strings to obfuscate. You can also choose the cryptography method used for the string encryption. Only the specified strings will be encrypted.

Since strings can provide useful clues to anyone trying to reverse-engineer your code, it makes sense to protect your string data from prying eyes. It will not prevent a determined hacker from deciphering the conversion and seeing your data. However, an attacker trying to break a licensing routine, for example, would first focus attention on strings having to do with licensing in order to locate the appropriate spot in the code. Skater can make this more difficult by encrypting the strings in your .NET assembly. This is done by inserting a decryption routine into the assembly and calling the decryption code at runtime to return the original strings.

Control Flow obfuscation

Control Flow obfuscation is intended to stop decompilers and deobfuscators from functioning correctly. It hinders reverse engineering by scrambling the code of .NET methods (functions and procedures). The Control Flow obfuscation algorithm distorts and reorders the IL code in the assembly, inserting bait branch instructions while preserving code semantics. This essentially converts assembly method implementations into "spaghetti code", making interpretation by human hackers and decompiler tools much more difficult.

Control Flow obfuscation involves the insertion of additional instructions, so applying this feature increases the size of the output assembly. If a maximum level of code protection is not required for your assembly, you may want to consider disabling this feature to minimize the size of your output executable.

Control Flow obfuscation discourages reverse engineering and malicious tampering by applying false conditional statements and other misleading constructs in order to confuse and break decompilers. Given the original code and the desired obfuscation criteria, Control Flow obfuscation works by decomposing the code into fragments and then applying various transforms to the fragments. In Skater's output, the transformed fragments are re-assembled and obfuscated according to the designated obfuscation criteria. Moreover, since the control flow is obfuscated only with sequences of transformations that produce results equivalent to those of the original fragments, the final output preserves the same execution results as the original code.

"Hello World!" obfuscation example

Let's write a simple command-line application and then obfuscate it. The following simple console program is shown in both VB.NET and C#. It displays "Hello World!" followed by today's date and the current time. We have added a couple of private variables to see what happens when we obfuscate them.

VB.NET:

Imports System
Module Module1
  Private str As String = "Hello World! Today is:"
  Private today As Date = Now
  Sub Main()
    Console.WriteLine(str + CStr(today))
  End Sub
End Module

C#:

using System;
class Module1
{
  // Static fields, matching the VB.NET Module above and the IL listing below.
  private static string str = "Hello World! Today is:";
  private static DateTime today = DateTime.Now;
  static void Main()
  {
    Console.WriteLine(str + Convert.ToString(today));
  }
}

As you can see, there are four member names. Two are the names of the private variables, today and str. Module1 is the name of the class and Main is the name of the single method in this simple class.

Now we are ready to compile the simple code in the .NET environment. The compilation produces an executable file, ConsoleApplication1.exe. What is inside the executable? Why do people say we need to hide our .NET code? Software tools such as .NET reflection, ILDASM.exe, and .NET decompilers can easily show your .NET code, that is, your intellectual property.

The .NET Framework SDK ships with a disassembler utility called ILDasm that allows you to decompile .NET assemblies into IL (Intermediate Language) assembly language statements. To decompile ConsoleApplication1.exe, start ILDasm on the command line. Take a look at what we got after the decompilation:

.class private auto ansi sealed beforefieldinit Module1
extends [mscorlib]System.Object
{
.custom instance void [Microsoft.VisualBasic]Microsoft.
VisualBasic.CompilerServices.
StandardModuleAttribute::.ctor() = ( 01 00 00 00 )
.field private static string str
.field private static valuetype [mscorlib]System.DateTime today
.method private specialname rtspecialname static
void .cctor() cil managed
{
.maxstack 8
IL_0000: ldstr "Hello World! Today is:"
IL_0005: stsfld string ConsoleApplication1.Module1::str
IL_000a: call valuetype [mscorlib]System.DateTime 
[Microsoft.VisualBasic]Microsoft.VisualBasic.DateAndTime::get_Now()
IL_000f: stsfld valuetype [mscorlib]System.DateTime 
ConsoleApplication1.Module1::today
IL_0014: nop
IL_0015: ret
} // end of method Module1::.cctor
.method public static void Main() cil managed
{
.entrypoint
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = 
( 01 00 00 00 )
.maxstack 8
IL_0000: nop
IL_0001: ldsfld string ConsoleApplication1.Module1::str
IL_0006: ldsfld valuetype [mscorlib]System.DateTime 
ConsoleApplication1.Module1::today
IL_000b: call string 
[Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::
FromDate(valuetype [mscorlib]System.DateTime)
IL_0010: call string [mscorlib]System.String::Concat(string,
string)
IL_0015: call void [mscorlib]System.Console::WriteLine(string)
IL_001a: nop
IL_001b: nop
IL_001c: ret
} // end of method Module1::Main
} // end of class Module1

Everything looks fairly readable in the IL script, although IL code is hard going for us mere mortals. So if you are now guessing that your .NET source code will be accessible only to a small circle of technical folks who actually know IL assembly language, think again. You can take this a step further and actually recreate the source code by using more sophisticated decompilers. These decompilation tools can decompile a .NET assembly directly back to a high-level language like C#, VB.NET, or C++.

Figure 1: Before obfuscating the console application.

To obfuscate the sample ConsoleApplication1.exe executable using Skater .NET Obfuscator, open the exe file in Skater Obfuscator. In the Obfuscator interface go to the Options tab and select "Alpha-Numeric characters" under "Naming Conventions". Choose all Private and all Public members obfuscation mode.

Take a look at what changed inside the simple program when we run ILDasm.exe against the new obfuscated executable:

.class private auto ansi sealed beforefieldinit '0AAAA'
extends [mscorlib]System.Object
{
.custom instance void[Microsoft.VisualBasic]Microsoft.
VisualBasic.CompilerServices.
StandardModuleAttribute::.ctor() = ( 01 00 00 00 )
.field private static string '1AAA0'
.field private static valuetype [mscorlib]System.DateTime '2AAAA'
.method private specialname rtspecialname static
void .cctor() cil managed
{
.maxstack 8
IL_0000: ldstr "Hello World! Today is:"
IL_0005: stsfld string ConsoleApplication1.'0AAAA'::'1AAA0'
IL_000a: call valuetype [mscorlib]System.DateTime 
[Microsoft.VisualBasic]Microsoft.VisualBasic.DateAndTime::get_Now()
IL_000f: stsfld valuetype [mscorlib]System.DateTime 
ConsoleApplication1.'0AAAA'::'2AAAA'
IL_0014: nop
IL_0015: ret
} // end of method '0AAAA'::.cctor
.method public static void '1AAAA'() cil managed
{
.entrypoint
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = 
( 01 00 00 00 )
.maxstack 8
IL_0000: nop
IL_0001: ldsfld string ConsoleApplication1.'0AAAA'::'1AAA0'
IL_0006: ldsfld valuetype [mscorlib]System.DateTime 
ConsoleApplication1.'0AAAA'::'2AAAA'
IL_000b: call string 
[Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::
FromDate(valuetype [mscorlib]System.DateTime)
IL_0010: call string [mscorlib]System.String::Concat(string,
string)
IL_0015: call void [mscorlib]System.Console::WriteLine(string)
IL_001a: nop
IL_001b: nop
IL_001c: ret
} // end of method '0AAAA'::'1AAAA'
} // end of class '0AAAA'

Skater .NET Obfuscator replaced the member names with alpha-numeric combinations, which makes the code harder to understand. However, you can easily replace the alpha-numeric combinations with some useful names. Moreover, by using ILasm.exe (another .NET Framework SDK utility, an assembler that compiles IL code back into an executable) you can easily recompile the obfuscated IL output and it will work without any problems.

Skater .NET Obfuscator can also generate non-recompilable executables. See the IL script below.

.class private auto ansi sealed beforefieldinit '?'
extends [mscorlib]System.Object
{
.custom instance void [Microsoft.VisualBasic]Microsoft.
VisualBasic.CompilerServices.
StandardModuleAttribute::.ctor() = ( 01 00 00 00 )
.field private static string '?'
.field private static valuetype [mscorlib]System.DateTime '?'
.method private specialname rtspecialname static
void .cctor() cil managed
{
.maxstack 8
IL_0000: ldstr "Hello World! Today is:"
IL_0005: stsfld string ConsoleApplication1.'?'::'?'
IL_000a: call valuetype [mscorlib]System.DateTime 
[Microsoft.VisualBasic]Microsoft.VisualBasic.DateAndTime::get_Now()
IL_000f: stsfld valuetype [mscorlib]System.DateTime ConsoleApplication1.'?'::'?'
IL_0014: nop
IL_0015: ret
} // end of method '?'::.cctor
.method public static void '?'() cil managed
{
.entrypoint
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = 
( 01 00 00 00 )
.maxstack 8
IL_0000: nop
IL_0001: ldsfld string ConsoleApplication1.'?'::'?'
IL_0006: ldsfld valuetype [mscorlib]System.DateTime 
ConsoleApplication1.'?'::'?'
IL_000b: call string 
[Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::
FromDate(valuetype [mscorlib]System.DateTime)
IL_0010: call string [mscorlib]System.String::Concat(string, string)
IL_0015: call void [mscorlib]System.Console::WriteLine(string)
IL_001a: nop
IL_001b: nop
IL_001c: ret
} // end of method '?'::'?'
} // end of class '?'

The IL code presented above either cannot be compiled, or the compiled executable will not work properly. As you can see, all member names have the same single "?" character representation. You can get this result by going to the Options tab and selecting the "?" characters under "Naming Conventions".

The member names obfuscation is the very first essential step of .NET assembly obfuscation. You need to apply these methods and algorithms to secure your .NET code.
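A release check for the result shown above, as an added example that is not part of the original article or of Skater: it compares the declared member names in an ILDasm dump taken before and after obfuscation, and lists what stays readable after renaming. The function names `declared_names` and `audit` are hypothetical, and the sample IL is abbreviated from the article's listings with wrapped lines joined.

```python
import re

# Constructed input: the article's two ILDasm listings, abbreviated, wrapped lines joined.
ORIGINAL_IL = r'''
.class private auto ansi sealed beforefieldinit Module1
.field private static string str
.field private static valuetype [mscorlib]System.DateTime today
.method private specialname rtspecialname static void .cctor() cil managed
IL_0000: ldstr "Hello World! Today is:"
.method public static void Main() cil managed
IL_0015: call void [mscorlib]System.Console::WriteLine(string)
'''
OBFUSCATED_IL = r'''
.class private auto ansi sealed beforefieldinit '0AAAA'
.field private static string '1AAA0'
.field private static valuetype [mscorlib]System.DateTime '2AAAA'
.method private specialname rtspecialname static void .cctor() cil managed
IL_0000: ldstr "Hello World! Today is:"
.method public static void '1AAAA'() cil managed
IL_0015: call void [mscorlib]System.Console::WriteLine(string)
'''

# A declared name is the last token of a .class/.field line,
# or the token right before "(" on a .method line.
CLASS_OR_FIELD = re.compile(r"^\s*\.(?:class|field)[ \t]+.*?(\S+)\s*$", re.M)
METHOD = re.compile(r"^\s*\.method[ \t]+.*?(\S+)\(", re.M)
LDSTR = re.compile(r'\bldstr\s+"((?:[^"\\]|\\.)*)"')
EXTERNAL_CALL = re.compile(r"\bcall\s+[^\n]*?\]([\w.]+::\w+)\(")
RUNTIME_NAMES = {".ctor", ".cctor"}  # constructor names are fixed by the CLR


def declared_names(il_text):
    """Names the assembly itself declares, with ILDasm's quoting removed."""
    found = CLASS_OR_FIELD.findall(il_text) + METHOD.findall(il_text)
    return {name.strip("'") for name in found} - RUNTIME_NAMES


def audit(original_il, obfuscated_il):
    """Report what a reader of the obfuscated dump can still see."""
    survivors = declared_names(original_il) & declared_names(obfuscated_il)
    return {
        "surviving_names": sorted(survivors),                    # renaming gaps
        "plaintext_strings": LDSTR.findall(obfuscated_il),       # unencrypted literals
        "external_calls": EXTERNAL_CALL.findall(obfuscated_il),  # framework references
    }


if __name__ == "__main__":
    for key, value in audit(ORIGINAL_IL, OBFUSCATED_IL).items():
        print(key, value)
```

On the article's listings the report shows no surviving member names, but the string literal and the framework call are still readable, which is the gap the string encryption option is meant to address.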

Summary

RustemSoft offers Skater .NET obfuscator, an obfuscation tool for .NET code protection. It implements all known software protection techniques and obfuscation algorithms. If you would like to obfuscate your .NET products, the Skater .NET Obfuscator is for you. RustemSoft uses Skater internally to secure all RustemSoft .NET executables and assemblies. Its command-line version supports batch processing, which is useful for scheduled product updates. A GUI application lets you configure the Skater .NET settings that the command-line version will use.
