Code Obfuscation

  • Thread starter: Alex Glass

Alex Glass

I'm concerned a commercial application I've completed could be stolen by
deobfuscation. However, it's not clear to me what information is gained
when my .NET executable is deobfuscated (decompiled?). Any insight on the
subject would be greatly appreciated.

-Alex
 
Alex Glass said:
I'm concerned a commercial application I've completed could be stolen by
deobfuscation. However, it's not clear to me what information is gained
when my .NET executable is deobfuscated (decompiled?). Any insight on the
subject would be greatly appreciated.

Obfuscation and decompilation are separate things - obfuscation just
makes it harder to read the decompiled code.

The easiest way to find out what someone would see is to try it
yourself. Personally I think it's not too much of a problem for most
people - code is very hard to understand as a whole when you haven't
got local variable names or any comments.

I wouldn't worry about other companies stealing your code, unless
you've got an important algorithm in there (which most applications
don't - the IP is in the design, usually) but you might legitimately
worry about people getting round your licensing code (if you use a
licence key etc). However, the proportion of the population who can do
this is very small - so long as they don't distribute the cracked
version (which is something you might want to search for on a regular
basis) you shouldn't lose many sales.
 
Besides, sign your assembly.
It makes a cracked version of your assembly less usable! (I believe...)
 
Lloyd Dupont said:
Besides, sign your assembly.
It makes a cracked version of your assembly less usable! (I believe...)

Not really. The cracker just needs to find all the things which depend
on the assembly being signed, and remove those dependencies. It makes
it a little bit harder, but not a lot.

Assembly signing is really there to allow the end user to prove that
the software came from you; it doesn't make sure that someone who
doesn't care about signatures can't run code.
 
Yes Jon, this is what I had assumed; my IP is in the design, but I was still
concerned about whether or not people who deobfuscate would be able to
somehow recreate the code as it looks in my compiler.

Obfuscation and decompilation are separate things - obfuscation just
makes it harder to read the decompiled code.

The easiest way to find out what someone would see is to try it
yourself. Personally I think it's not too much of a problem for most
people - code is very hard to understand as a whole when you haven't
got local variable names or any comments.

I wouldn't worry about other companies stealing your code, unless
you've got an important algorithm in there (which most applications
don't - the IP is in the design, usually) but you might legitimately
worry about people getting round your licensing code (if you use a
licence key etc). However, the proportion of the population who can do
this is very small - so long as they don't distribute the cracked
version (which is something you might want to search for on a regular
basis) you shouldn't lose many sales.


Jon Skeet - <[email protected]>

If replying to the group, please do not mail me too
 
Alex Glass said:
Yes Jon, this is what I had assumed; my IP is in the design, but I was still
concerned about whether or not people who deobfuscate would be able to
somehow recreate the code as it looks in my compiler.

Well, if you were to give people a debug build (with the pdb), they'd
have pretty much your code minus the comments. If you give them a
release build (without a pdb) they'll have the code without comments or
local variables. If you obfuscate the code, that will remove as many
meaningful names as possible (within the bounds of implementing public
interfaces etc).
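
The three views described in the last reply, side by side, as an added illustration that is not part of the original thread. The licence-check class, its names and the checksum constant are constructed for this example, and the second and third classes are hand-written to show what a decompiler typically presents, assuming a renaming obfuscator that renames internal types and parameters.

```csharp
using System;

// Public interface: its member names must survive obfuscation.
public interface ILicenceCheck { bool IsValid(string key); }

// 1) Source as written. A debug build shipped with its .pdb gives back
//    roughly this, minus the comments.
internal sealed class LicenceValidator : ILicenceCheck
{
    private const int ExpectedChecksum = 42; // constructed value

    public bool IsValid(string key)
    {
        // Sum the character codes and compare with the expected checksum.
        int checksum = 0;
        foreach (char c in key) checksum = (checksum + c) % 97;
        return checksum == ExpectedChecksum;
    }
}

// 2) Release build without a .pdb: type, member and parameter names are in
//    metadata and survive; local names and comments are gone, and the
//    constant is inlined at its point of use.
internal sealed class LicenceValidator_ReleaseView : ILicenceCheck
{
    public bool IsValid(string key)
    {
        int num = 0;
        foreach (char c in key) num = (num + c) % 97;
        return num == 42;
    }
}

// 3) After a renaming obfuscator: the internal type and the parameter lose
//    their names, IsValid keeps its name because it implements the public
//    interface, and the logic itself is unchanged.
internal sealed class a : ILicenceCheck
{
    public bool IsValid(string A_0)
    {
        int num = 0;
        foreach (char c in A_0) num = (num + c) % 97;
        return num == 42;
    }
}

internal static class Program
{
    private static void Main()
    {
        // "*" is character code 42, so all three views accept it.
        foreach (ILicenceCheck v in new ILicenceCheck[] { new LicenceValidator(), new LicenceValidator_ReleaseView(), new a() })
            Console.WriteLine($"{v.GetType().Name}: {v.IsValid("*")}");
    }
}
```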
 