Defining code obfuscation is difficult; it's different from encryption or sheer mangling of code. Code obfuscation is the generation of code, which is still understandable by the compiler, but is very difficult for humans to comprehend. From a computer science point of view it's merely a translation. Computer scientist and software developer Gregory Wroblewski considers it to be a one-way translation but with proper code changes and logging. Professional obfuscation software exists which can un-obfuscate or even help by re-obfuscating. There are three generalized methods for source code protection.
Code Authentication and Verification
Server Side Invocation
Source Code Obfuscation
More specifically, source code obfuscation can be further classified into more transformations:
Layout i.e. source or binary structure obfuscation.
Data Obfuscation i.e. the string and hard coded representation.
Control Obfuscation i.e. changing the control hierarchy with logic preservation.
Preventive Obfuscation i.e. focused protection against decompilers and reverse engineering tools.
Renaming metadata to gibberish or less obvious identifiers is one of several defense mechanisms. It's obvious that a function definition called InsterestRatesCalcuator () will give any cracker a leading edge over various functions called x(). As you'll see in the example below and as they stated, "Typically, an overload-induced project will have up to 35 percent of the methods renamed to 'a'", it's an effective obfuscation strategy. Similarly, some of the obfuscation techniques which DotFuscator uses include removing nonessential metadata, control flow obfuscation, string encryption, incremental obfuscation, and size reduction -- all different ways to make decompilation and disassembling produce incomprehensible output. Some generic techniques used by other obfuscation utilities include reordering the instantiation and methods, manipulating inheritance relationships, variable scope modification, mapping unboxed scalars (int, byte, etc) to corresponding object types, etc. However, its very important to keep into consideration that obfuscation shouldn't end up changing a program's logic or flow, as its purpose is to protect and not deform.
DotFuscator Community Edition
PreEmptive's Dotfuscator is a source code obfuscator for Microsoft's .NET platform. The community edition is available with Visual Studio .NET
Dotfuscator provides increamental, control flow, and string obfuscation facilities. Further details on its techniques can be found in its FAQ's section. Dotfuscator is highly customizable and can be configured for different purposes. Below is an example of how it protects the code from being disassembled. In this sample Chess program, I have an abstract class called piece which has members moveCount, boardXPOS, boardYPOS and two abstract methods movePiece and isLegalMove(). I'll use ILDASM to disassemble it before and after running dotFuscator on it.
All the members were disclosed in their entirety and any intelligent cracker can reconstruct my code easily. Now I ran Dotfuscator Community Edition from Visual Studio.NET IDE .
As mentioned before, dotfuscator is highly customizable; therefore, you can choose renaming, control flow, string encryption and various other options.
Now click on trigger after setting the directories, and Dotfuscator will start obfuscating the assembly. Assembly will change its shape and representation but will be the exact logical equivalent of what we had before.
In the figure above, Dotfuscator is making the assembly source more difficult to understand. Therefore, running ILDASM over the obfuscated version is quite difficult. Various members are named 'a' and much shorter code is enough to keep a reverse engineer busy for days before they gain any
information about the source code. The compiler's output log can be seen below.
Assembling
'C:\Documents and Settings\Adnan Masood\My Documents\Visual Studio
Projects\dotNetChess\bin\Debug\dotNetChess.exe.il' , no listing file, to EXE
--> 'C:\Documents and Settings\Adnan Masood\My Documents\Visual Studio
Projects\dotNetChess\bin\Debug\Obfuscated\dotNetChess.exe'
Source
file is UTF-8
Assembled
method b::.ctor
Assembled
method b::a
Assembled
method b::a
Assembled
method b::Main
Assembled
method b::a
Assembled
method a::.ctor
Assembled
method a::a
Assembled
method a::b
Assembled
method DotfuscatorAttribute::.ctor
Assembled
method DotfuscatorAttribute::a
Creating
PE file
Emitting
members:
Global
Class 1Fields: 9;Methods:
5;
Class 2Fields: 3;Methods:
3;
Class 3Fields: 1;Methods:
2;Props: 1;
Method
Implementations (total): 1
Resolving
member refs: 37 -> 37 defs, 0 refs
Writing
PE file
Operation
completed successfully
Build Finished.
Log file of Dotfuscator Build.
After processing the source code from Dotfuscator, I ran ILDASM to see the results.
Assembly exploration no longer tells us much about the original code. Most of the members are now named using a deducing functional logic. The figure below shows the Hex Editor comparing the two executables.
Dotnetchess.exe is now quite different from the way it was before. The difference in metadata and reduced assembly size are evidence enough of functioning obfuscation and how it makes
decompilation difficult. Before closing I'll briefly discuss open source and NMI, a decompiler for Java.
Open Source advocates have often claimed Closed Source systems to be
evil (and visa versa), and they have their own reasons. Discussion wouldn't
be complete without showing the other side of coin. So I've included a short
subsection on Open Source fundamentals.
Built around the Microsoft CryptoAPI, AspEncrypt helps you harness all major encryption and hashing algorithms such as DES, Triple-DES, RC2, RC4, RSA, MD5 and SHA1 in just a few lines of code. The component can be used in tandem with AspEmail to send encrypted and signed mail in the industry-standard S/MIME format, or with AspUpload to encrypt files as they are being uploaded. AspEncrypt can also be used to issue and manage X.509 digital certificates.
AspPDF is an ASP/ASP.NET component which enables generation and management of documents in PDF format. Features include advanced text formatting, font embedding, form fill-in, images, tables, content and page extraction, document stitching, encryption, digital signatures, and more.
In many web applications it is desirable for both intranet users and external parties to be able to seamlessly log onto the system. The problem this raises is that it is not easy to allow intranet users to log in via Windows integrated authentication while also allowing external parties to log in to the same application using standard forms authentication. This article will show you one way to achieve the best of both worlds when it comes to authentication. [Read This Article][Top]
In this article, Michele Leroux Bustamante discusses authentication, authorization and role-based security in .NET. Along the way, he provides some best practices for implementing role-based security in some typical .NET application scenarios including rich clients, Web applications, and Web services. [Read This Article][Top]
When implementing custom components that require access to restricted resources, implicit impersonation must be used. Jay Nathan shows how to create a class that makes using .NET Impersonation a snap. [Read This Article][Top]
Learn about the execution process of CLR-based programs and how to protect your applications from being easily disassembled back into source code. [Read This Article][Top]
Businesses that utilize encrypted e-mail may find Secure Multipurpose Internet Mail Extensions (S/MIME) to be somewhat restrictive. This article shows how to use security features in PDF as an alternative to S/MIME. [Read This Article][Top]
Bill Gates, in a recent interview, predicted the end of spam by 2006. One of the methods he mentioned involved a challenge only a real live person could handle. Adnan Masood shows how to use AI and .NET to create a user verification scheme that incorporates similar concepts Gates alluded to. [Read This Article][Top]
Code Access Security (CAS) is the .NET Framework security model that grants
code permission to resources based on "evidence" pertaining to the
encapsulating assembly. In this article, David Myers examines CAS
and explains different configuration methods. [Read This Article][Top]
Zhenlei Cai combines an open source C++ encryption library with SQL Server
extended stored procedures to create a platform neutral, transparent
encryption solution that resides at the database layer. [Read This Article][Top]
Christopher Spann offers a .NET configuration tip that should help ease system administrators' fears of security compromise and thus assuage growing developer demand for a .NET environment. [Read This Article][Top]
You don't have to be a cryptography expert or spend lots of money on third-party components to secure sensitive data in .NET. In this article, Wayne Plourde shows just how easy it is to encrypt cookie data using encryption classes in the .NET System.Security.Cryptography namespace. [Read This Article][Top]
Mailing List Want to receive email when the next article is published? Just Click Here to sign up.
