Reviews

Review: Dotfuscator

• By Mike Gunderloy
• January 23, 2004

Dotfuscator Professional Edition 2.0
$1495
PreEmptive Solutions
Cleveland, Ohio
(216) 732-5895
http://www.dotfuscator.com/dotfuscator/index.html

With new platforms come new opportunities - and new challenges. I've talked about the opportunities of .NET often enough. Now it's time to look at one of the challenges: protecting your intellectual property. The issue is simple: the .NET languages all compile down to Microsoft Intermediate Language (MSIL), and MSIL is trivially simple to decompile. Indeed, the .NET Framework SDK even includes its own tool, Ildasm, for showing exactly what's in an MSIL file. What you'll find is all of the identifiers from your application, every class and method name, all the literal strings, and the program logic, displayed for everyone to see.

In some cases, this is very helpful; for example, I've solved some problems with the built-in Framework classes by looking at the Framework assemblies themselves. But in others, you'd really rather not have your product's internals on display to the world. You might have a custom login routine, or business logic that's not known to your competitors, or undocumented functions that you don't care to support. That's where obfuscation comes in. A variety of programs exist to take your MSIL and munge it so that it still works perfectly well with the CLR, but is opaque to mere human beings.

Which brings me to today's review. Microsoft included a free Community Edition of Dotfuscator with Visual Studio .NET 2003. Now I've had some time to experiment with their high-end upgrade (there's also a Standard Edition for $395 that lacks some of the advanced features of the Professional Edition) and I'm favorably impressed. Offering both Visual Studio .NET integration and a variety of ways to obfuscate the code, this version did a very nice job of crunching the code that I turned it loose on, while preserving good ease of use.

Obfuscation takes a variety of forms. Here are some of the things that Dotfuscator can do to your code:

• Identifier Renaming: By changing the names of classes and members such as Download, Engine, and GetDownload to a, b, and c, Dotfuscator can make it very hard to guess what code does by looking for keywords. In addition, this change helps optimize execution times by cutting down the length of variable names.
• Method Overloading: .NET allows two methods to have the same name so long as they have different parameters. Dotfuscator can thus rename two methods to the same nonsense identifier, even if the two methods have nothing to do with one another, as long as they take different parameters.
• String Encryption: Encrypting hard-coded string constants can remove another layer of information from your compiled code.
• Control Flow Obfuscation: There's more than one way to write many bits of code. For example, you probably know that a For Each loop can be changed to a Do While loop with the introduction of a variable and a logical test. Dotfuscator will perform a variety of these transformations to turn your application into spaghetti code while maintaining the logic.
• Pruning: Dotfuscation will perform static code analysis and remove members that are never actually used by your application. This removes additional clues as to functionality and can reduce the size of the finished application as well.
• Ildasm protection: Dotfuscator can inject code sequences into your assemblies that will actually crash Ildasm.

In practice, it's very easy to use. Just add a Dotfuscator project to your solution and specify which assemblies it should handle (quite similar to adding an installer project). When you build your solution, Dotfuscator then turns around and builds you an obfuscated version.

There are other nice touches here as well. There's support for mapping to help out when you're debugging, so that stack traces from a crash in an obfuscated application aren't a complete mess. There's also support for incremental obfuscation without needing to rebuild everything, and good reporting both in the IDE and as an HTML report. You'll even find support for the .NET Compact Framework and for satellite DLLs. All in all, Dotfuscator does an excellent and trouble-free job of helping protect your code from prying eyes.