If you are a .NET developer, how would you feel if your original C# or VB source code was published on the Web for the world to see? That’s exactly what happens if you release your .NET software without obfuscation.

What is Obfuscation?

Obfuscation is the process of scrambling and encrypting your .NET software so that it cannot be easily reverse-engineered. The goal is to stop all casual hackers and as many serious hackers as possible from trying inspect and crack your code.

Obfuscation often includes the following processes:

  • Rename symbolic metadata–such as class, field, event, and method names–into meaningless characters
  • Convert compiled IL code into “spaghetti code,” inserting decoy branches and re-ordering instructions to confuse hackers and crash decompilers
  • Encrypt text strings
  • Strip all debugging information and PDB symbol references from your assembly

Why Obfuscate?

To protect your valuable intellectual property.

Programs written for .NET can be reverse-engineered quite easily. Anyone with a decompiler such as the free .NET Reflector can look at your application or component assemblies and literally see almost your entire original source code, including names, logic and flow. Your copy protection mechanisms, proprietary business logic, and any embedded license keys or passwords are available for all to see. Anyone can inspect your software to find and exploit security flaws, steal unique ideas and license keys, or to pirate your application. To plug this massive security hole and protect your software, you should obfuscate it.

Obfuscation Costs

There are some downsides to obfuscating your software:

  • Can break code that depends on reflection, serialization, or remoting
  • Can make it more difficult to diagnose and debug problems in your code
  • Adds another step and potential error source to your build process
  • Increases your assembly size, from 2K-200K or more depending on your original assembly size and the level of obfuscation that you use
  • Good obfuscation tools are expensive

How to Obfuscate

Microsoft Visual Studio .NET includes a free community edition of one of the popular commercial obfuscators. Unfortunately, this version does not encrypt text strings and has other limitations. You get what you pay for, so you probably don’t want to skimp when it comes to protecting your valuable intellectual property.

There are many good commercial obfuscators, but you will find them to be quite expensive, ranging from $400-$2000. We use Xenocode at Mini-Tools and are quite happy with it. For a list of .NET obfuscators, be sure to check out this amazing How-To Select Guide for Obfuscators. Software distributor SharpToolbox also lists many popular obfuscators.

Seeing is Believing

The following example shows how .NET applications are like an open book without obfuscation.

Consider this simple method that returns a specified number of characters from the start of a text string. Here is the original C# source code:

/// <summary>
/// Returns the specified number of characters from the start of a string.
/// </summary>
/// <param name="s">Any string. OK if null.</param>
/// <param name="count">Number of characters to get. Ignored if zero or less.</param>
static public string Left( string s, int count )
{
    string left = null;
    if (s != null && count > 0)
    {
        if (count > s.Length)
            count = s.Length;
        left = s.Substring( 0, count );
    }
    return left;
}

When the application is compiled into an executable file–but is not obfuscated–this is what the method looks like in Reflector. Note that the only thing missing from this reverse-engineered code are the comments:

public static string Left(string s, int count)
{
    if ((s == null) || (count <= 0))
    {
        return null;
    }
    if (count > s.Length)
    {
        count = s.Length;
    }
    return s.Substring(0, count);
}

And here is what the method looks like after it has been obfuscated:

public static string x72d92bd1aff02e37(string xe4115acdf4fbfccc, int x673be0868c5231b1)
{
    // This item is obfuscated and can not be translated.
}

Notice a difference? As you can see, obfuscation is essential to protect your original source code.