Dotfuscator CE
Obfuscation for .NET
October 30, 2009
ToolKit
LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.1
By Ken McNamee
One of the many benefits that ASP.NET offers over classic ASP is the separation of the UI rendering code and the business logic code. Gone are the days where you must include your potentially proprietary business logic in the same file as your HTML. To prevent just anybody from being able to casually inspect their sensitive code, some developers chose to move that code into COM DLLs written in Visual Basic 6.0 or Visual C++. Although this was effective, it led to other problems, such as complicated deployment and the addition of another development tool and language.
Although ASP.NET solves some of those problems, it doesn't completely make your business logic safe from prying eyes. In fact, the .NET Framework includes a tool called ILDASM that makes it easy to view the contents of .NET assemblies - such as your Web application and its components. The problem lies in the fact that a .NET assembly contains all the metadata necessary to describe itself to any tool that knows how assemblies are structured. ILDASM can display all the namespace and type information, and even Intermediate Language (IL) contained in the assembly. Some tools can even decompile the IL into C# or Visual Basic.NET!
This might seem a little distressing for the previously unaware, but all is not lost. There are methods you can use to severely complicate the efforts of those who wish to view your code. One of these methods is obfuscation, which, in dictionary terms, means "To make so confused or opaque as to be difficult to perceive or understand." Strictly speaking, it isn't possible to prevent decompilation of your assemblies 100 percent of the time. Like decryption, the best you can hope for is to make the process so difficult and time-consuming as to be not worth undertaking in the first place.
Visual Studio.NET 2003 includes a tool that takes the first step in complicating the efforts of prying eyes: Dotfuscator Community Edition.
Using Dotfuscator
Microsoft has bundled Dotfuscator, a tool developed by PreEmptive Solutions, into the Community Edition (CE) of Visual Studio.NET 2003. There is a link under the Tools menu that launches Dotfuscator CE, as well as a shortcut from your Start menu. The first thing you'll notice is that it's a separate application, and not integrated into Visual Studio.NET. Understandably, PreEmptive Solutions would like you to buy their more full-featured Professional Edition; the Community Edition exists only to perform basic obfuscation and whet your appetite for more advanced capabilities.
The Dotfuscator CE IDE is fairly straightforward. You'll notice that many of the options are disabled and only accessible in the Standard or Professional editions. Dotfuscator uses XML configuration files to set up an obfuscation project from which you can operate on more than one assembly (which it calls a Trigger file). The simplest way to obfuscate an assembly is to add a path reference to it on the Trigger tab, set the destination directory on the Build tab, and click the Build button. Dotfuscator will run through all the methods and rename them, mostly to one-character names.
Figure 1 demonstrates an assembly opened in ILDASM before and after it has been obfuscated. The SuperSecretEncryption method has been renamed to simply "a", as have two other methods, and one has been renamed to "b". Anywhere that the SuperSecretEncryption method was referenced the casual observer will only find this simple one-character method call. This is a simple assembly, but you can imagine that a larger assembly with many more classes and methods would generate a very confusing mess of code once it has been obfuscated.
Figure 1A: Dotfuscator Community Edition takes your assemblies ...
Figure 1B: ... and renames the methods to confuse casual observers.
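A post-build check that follows from the renaming described above, as an added example (not code from the original article or from PreEmptive Solutions): it reads the #Strings heap of the assembly metadata, where type and member names are stored, and reports any sensitive identifier that is still readable after obfuscation. The function names, the constructed sample images and the byte search for the BSJB metadata signature (instead of walking the PE headers) are assumptions made here.

```python
import struct

def strings_heap_names(image: bytes) -> set:
    """Identifiers in the #Strings heap of a .NET image (ECMA-335 II.24.2)."""
    root = image.find(b"BSJB")  # metadata root signature; a byte search is a
    if root < 0:                # shortcut for following the PE CLI header
        raise ValueError("no CLI metadata root found")
    (ver_len,) = struct.unpack_from("<I", image, root + 12)
    pos = root + 16 + ver_len   # version string is stored already padded
    _flags, n_streams = struct.unpack_from("<HH", image, pos)
    pos += 4
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", image, pos)
        name_end = image.index(b"\0", pos + 8)
        name = image[pos + 8:name_end]
        # stream name is NUL-terminated and padded to a 4-byte boundary
        pos += 8 + ((len(name) + 1 + 3) & ~3)
        if name == b"#Strings":
            heap = image[root + offset:root + offset + size]
            return {s.decode("utf-8", "replace") for s in heap.split(b"\0") if s}
    raise ValueError("no #Strings stream")

def leaked_names(image: bytes, sensitive) -> list:
    """Sensitive identifiers still readable in the metadata after obfuscation."""
    names = strings_heap_names(image)
    return sorted(s for s in sensitive if any(s.lower() in n.lower() for n in names))

def build_sample(names) -> bytes:
    """Constructed input: DOS stub bytes plus a metadata root with two streams."""
    heap = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    version = b"v1.1.4322\0\0\0"                      # padded to 12 bytes
    headers_len = 16 + len(version) + 4 + 12 + 20     # root + "#~" + "#Strings" headers
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, 2)
    root += struct.pack("<II", headers_len, 4) + b"#~\0\0"
    root += struct.pack("<II", headers_len + 4, len(heap)) + b"#Strings\0\0\0\0"
    assert len(root) == headers_len
    return b"MZ" + b"\0" * 62 + root + b"\0" * 4 + heap

SENSITIVE = ["SuperSecretEncryption"]
before = build_sample(["Crypto", "SuperSecretEncryption", "Decrypt", "Main"])
after = build_sample(["Crypto", "a", "b", "Main"])

if __name__ == "__main__":
    print("before:", leaked_names(before, SENSITIVE))
    print("after: ", leaked_names(after, SENSITIVE))
```

On a real build, pass the bytes of the obfuscated DLL to `leaked_names` and fail the build if the list is not empty; renaming does not touch string literals, which live in a different heap (#US) and are outside this check.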
Conclusion
To be fair, Dotfuscator is not the only .NET obfuscation tool out there. There is also Spices.NET from 9rays.net and Demeanor from WiseOwl. There is even an open-source tool from Dan Appleman called QND-Obfuscator. I'm sure that others exist, but I will leave that research to you. It will definitely be worthwhile research if you distribute .NET assemblies to customers for a living.
Ken McNamee is a Senior Software Developer with Vertigo Software, Inc., a leading provider of software development and consulting services on the Microsoft platform. Prior to this, he led a team of developers in re-architecting the Home Shopping Network's e-commerce site, http://www.HSN.com, to 100% ASP.NET with C#. Readers can contact him at [email protected].
Obfuscation Resources
Dotfuscator: http://www.preemptive.com/products/dotfuscator/index.html
Obfuscation: http://www.simonrobinson.com/DotNET/Articles/Security/Obfuscation1.aspx
QND-Obfuscator: http://www.desaware.com/Ebook4L2.htm
Spices.NET: http://www.9rays.net/cgi-bin/components.cgi?act=1&cid=86
Demeanor for .NET, Enterprise Edition: http://www.wiseowl.com/products/DemeanorEnterprise.aspx