Applications developed and compiled on the .NET platform are vulnerable to reverse engineering due to the nature of .NET code compilation. When .NET applications are distributed as assemblies and executables, they can easily be decompiled with the right tools, which show the entire source code just as if you were viewing it in an IDE. There are a number of tools available that accomplish just that with relative ease. I would like to share what I found when I put my applications to the test. I am hoping that this knowledge-sharing article will help developers secure their applications against reverse engineering.
Tic-Tac-Toe is a game I developed on the .NET platform using the C# language. Like every other .NET application, it too is vulnerable to reverse engineering unless some kind of protection is included in it to deter reverse engineering. Fortunately, though, there also are some tools that offer protection from reverse engineering. These tools are called obfuscators.
An obfuscator is essentially a tool that scrambles, or obfuscates, the MSIL code in such a way that it becomes impossible to comprehend the compiled code and reverse engineer it to the original source code. I researched and read about those protection tools and I chose to test one such popular obfuscator, namely Crypto Obfuscator, developed by LogicNP Software. In my test, I used Crypto Obfuscator to obfuscate my application to verify the level of protection it can offer. My application uses classes, methods, strings, resources, and other .NET concepts extensively and it is a good, real-life, independent candidate to test with Crypto Obfuscator. The result was that Crypto Obfuscator performed very well, completely shutting out some decompiler tools and making the code impossible to understand in other decompiler tools. I will demonstrate the Crypto Obfuscator results by comparing the original source code and the obfuscated code.
First, let us look at the Crypto Obfuscator application interface. Needless to say, the application is very user friendly, with a simple user interface and contextual help that was useful to me in quickly understanding the purpose and meaning of each obfuscation function. I used maximum obfuscation settings, as shown in Figure 1.
Figure 1: The Crypto Obfuscator application interface
Now, let us look at the obfuscation and how well Crypto Obfuscator protects the code from reverse engineering.
One of the first protection schemes in Crypto Obfuscator is to scramble or rename all classes, methods, variables, and so forth in such a way that they are unrecognizable, confusing, and unprintable. This makes it extremely difficult to understand the code and reverse engineer it to the source code. The following figures show the original compiled code and the obfuscated code; comparing them makes evident how difficult it is to comprehend the class and method names and the application components. Figures 2 and 3, for the obfuscated code, include just a snapshot of all the obfuscated symbols.
Figure 2: Before Obfuscation
Figure 3: After Obfuscation
Here is the obfuscated class. It can be seen clearly from Figures 4 and 5 that the obfuscation completely obscures the program logic and control flow.
Figure 4: Before Obfuscation
Figure 5: After Obfuscation
It was very difficult for me to correlate the obfuscated code with the original code, and that is because of the strong obfuscation applied by Crypto Obfuscator. Figures 6 and 7, demonstrating obfuscated code, show the impossible task of understanding the obfuscated code.
Figure 6: This is very difficult to read
Figure 7: This, too, is very difficult to read
My application uses significant resource files and they were also obfuscated so that they were unrecognizable in one of the decompiler tools, as can be seen in Figure 8.
Figure 8: Now, the file is obfuscated to the point of being unrecognizable
In summary, the obfuscation results were beyond satisfactory and, in fact, it also improved the performance of the application because Crypto Obfuscator reduced the footprint of the code. I also verified tamper detection, string encryption, metadata reduction, watermarking, and application control flow, and all of these elements of coding that ordinarily would give away the application code were protected by Crypto Obfuscator. One last thing I verified was to try to debug the application; however, the obfuscation prevented debugging of the application.
I have to mention that I tested one other obfuscator after I wrapped up with Crypto Obfuscator and, although it achieved some level of obfuscation, I was not totally satisfied with it for two reasons: first, some decompilers were able to show the original code, presumably because the obfuscator did not obfuscate the entire application; and second, the number of protection variables found in Crypto Obfuscator was simply not present in the other obfuscator. In my personal and professional opinion, to the extent that I reviewed and researched other obfuscators and decompilers, Crypto Obfuscator offers by far the strongest and most diverse code obfuscation and protection that I have seen. Most developers need to rely on obfuscation tools and I am hoping that this knowledge-sharing article will help developers secure their applications against reverse engineering.
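A build-time check for the renaming and string-encryption results described above, and for the partial-coverage problem seen with the second obfuscator. It is an added example, not code from the article's author or from Crypto Obfuscator: it parses the CLI metadata root of the original and the obfuscated build and lists the identifiers and string literals that are still readable in both. Finding the root by scanning for the `BSJB` signature is a simplification, and the names `TicTacToe` and `CheckWinner` and both sample images are constructed for illustration.

```python
import struct

def heaps(image):
    """Map stream name -> bytes for the CLI metadata root (ECMA-335 II.24.2.1)."""
    root = image.index(b"BSJB")  # root signature; ValueError if no CLI metadata
    (ver_len,) = struct.unpack_from("<I", image, root + 12)
    pos, out = root + 20 + ver_len, {}  # position of the first stream header
    (count,) = struct.unpack_from("<H", image, pos - 2)
    for _ in range(count):
        off, size = struct.unpack_from("<II", image, pos)
        end = image.index(b"\x00", pos + 8)
        out[image[pos + 8:end].decode("ascii")] = image[root + off:root + off + size]
        pos += 8 + ((end - pos - 8 + 4) & ~3)  # name + NUL, padded to 4 bytes
    return out

def names(image):
    """Type, method and field names: NUL-terminated UTF-8 in the #Strings heap."""
    raw = heaps(image).get("#Strings", b"")
    return {s.decode("utf-8", "replace") for s in raw.split(b"\x00") if s}

def literals(image):
    """String literals: length-prefixed UTF-16LE blobs in the #US heap."""
    raw, i, out = heaps(image).get("#US", b""), 0, set()
    while i < len(raw):
        n, i = raw[i], i + 1
        if (n & 0xC0) == 0x80:    # two-byte compressed length
            n, i = ((n & 0x3F) << 8) | int.from_bytes(raw[i:i + 1], "big"), i + 1
        elif (n & 0xE0) == 0xC0:  # four-byte compressed length
            n, i = ((n & 0x1F) << 24) | int.from_bytes(raw[i:i + 3], "big"), i + 3
        if n > 1:                 # the blob's last byte is a flag, not text
            out.add(raw[i:i + n - 1].decode("utf-16-le", "replace"))
        i += n
    return out

def surviving(original, obfuscated, keep=()):
    """Names and literals of the original build still readable after obfuscation."""
    return {"names": sorted((names(original) & names(obfuscated)) - set(keep)),
            "literals": sorted(literals(original) & literals(obfuscated))}

def sample(idents, texts):  # constructed metadata root, not a real assembly
    s = b"\x00" + b"".join(n.encode() + b"\x00" for n in idents)
    u = b"\x00" + b"".join(bytes([2 * len(t) + 1]) + t.encode("utf-16-le") + b"\x00" for t in texts)
    head = b"BSJB" + struct.pack("<HHII12sHH", 1, 1, 0, 12, b"v4.0.30319", 0, 2)
    dirs = struct.pack("<II12sII4s", 64, len(s), b"#Strings", 64 + len(s), len(u), b"#US")
    return head + dirs + s + u  # heaps start 32 + 32 = 64 bytes from the root

if __name__ == "__main__":
    before = sample(["TicTacToe", "CheckWinner", "Object"], ["Player X wins!"])
    after = sample(["a", "CheckWinner", "Object"], ["Player X wins!"])
    print(surviving(before, after, keep={"Object"}))
```

Pass framework type and member names in `keep`: references such as `Object` must stay resolvable by name, so they survive any obfuscator and are not a finding.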