Dotfuscator Professional Edition 2.0
With new platforms come new opportunities - and new challenges. I've
talked about the opportunities of .NET often enough. Now it's time to
look at one of the challenges: protecting your intellectual property.
The issue is simple: the .NET languages all compile down to Microsoft
Intermediate Language (MSIL), and MSIL is trivially simple to decompile.
Indeed, the .NET Framework SDK even includes its own tool, Ildasm, for
showing exactly what's in an MSIL file. What you'll find is all of the
identifiers from your application, every class and method name, all the
literal strings, and the program logic, displayed for everyone to see.
In some cases, this is very helpful; for example, I've solved some
problems with the built-in Framework classes by looking at the Framework
assemblies themselves. But in others, you'd really rather not have your
product's internals on display to the world. You might have a custom
login routine, or business logic that's not known to your competitors,
or undocumented functions that you don't care to support. That's where
obfuscation comes in. A variety of programs exist to take your MSIL and
munge it so that it still works perfectly well with the CLR, but is
opaque to mere human beings.
Which brings me to today's review. Microsoft included a free Community
Edition of Dotfuscator with Visual Studio .NET 2003. Now I've had some
time to experiment with their high-end upgrade (there's also a Standard
Edition for $395 that lacks some of the advanced features of the
Professional Edition) and I'm favorably impressed. Offering both Visual
Studio .NET integration and a variety of ways to obfuscate the code,
this version did a very nice job of crunching the code that I turned it
loose on, while preserving good ease of use.
Obfuscation takes a variety of forms. Here are some of the things that
Dotfuscator can do to your code:
- Identifier Renaming: By changing the names of classes and members
such as Download, Engine, and GetDownload to a, b, and c, Dotfuscator
can make it very hard to guess what code does by looking for keywords.
In addition, this change helps optimize execution times by cutting down
the length of variable names.
- Method Overloading: .NET allows two methods to have the same name so
long as they have different parameters. Dotfuscator can thus rename two
methods to the same nonsense identifier, even if the two methods have
nothing to do with one another, as long as they take different
- String Encryption: Encrypting hard-coded string constants can remove
another layer of information from your compiled code.
- Control Flow Obfuscation: There's more than one way to write many bits
of code. For example, you probably know that a For Each loop can be
changed to a Do While loop with the introduction of a variable and a
logical test. Dotfuscator will perform a variety of these
transformations to turn your application into spaghetti code while
maintaining the logic.
- Pruning: Dotfuscation will perform static code analysis and remove
members that are never actually used by your application. This removes
additional clues as to functionality and can reduce the size of the
finished application as well.
- Ildasm protection: Dotfuscator can inject code sequences into your
assemblies that will actually crash Ildasm.
In practice, it's very easy to use. Just add a Dotfuscator project to
your solution and specify which assemblies it should handle (quite
similar to adding an installer project). When you build your solution,
Dotfuscator then turns around and builds you an obfuscated version.
There are other nice touches here as well. There's support for mapping
to help out when you're debugging, so that stack traces from a crash in
an obfuscated application aren't a complete mess. There's also support
for incremental obfuscation without needing to rebuild everything, and
good reporting both in the IDE and as an HTML report. You'll even find
support for the .NET Compact Framework and for satellite DLLs. All in
all, Dotfuscator does an excellent and trouble-free job of helping
protect your code from prying eyes.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.