• 0

Several questions on C# obfuscation (SmartAssembly, internal functions)


Question

Hello! We are caring experiments with several obfuscators. We want to protect our source code from using once more with somebody else. Our main task is to make exe (or dll) analysis for getting original source code structure as complicated as possible. In other words it must be easier to develop application on your own, than to use our sources restored from exe (or dll). At the moment we are testing SmartAssembly 6. We deobfuscate result exe and dll with de4dot. The result is evaluated in Reflector. Thereby we have several questions (It is implicated that analyzed exe (or dll) was obfuscated with SmartAssembly).


Questions:

1. Is there any method (deobfuscation, process dumping, debugging etc) to recover sources of internal and private functions (which are not called from public functions) without extensive and long work (I mean long time spent on recovering process)? If it is possible - please specify the method.

2. The same questions about internal and private function parameter names and local variable names.

3. Which obfuscator (protector etc) you think we should use instead of SmartAssembly to achieve our goals as best as possible (with license cost less than 200$)?


Several observations from our experiments:

1. De4dot does not recover local var names after SmartAssembly (just renames basing on var types to facilitate the analysis http://prntscr.com/78puxr ). But public function code structure and parameter names are recovered pretty good.

2. internal and private functions was not found with Reflector in De4dot recovered file http://prntscr.com/78pvh4 . Besides, their source cannot be found even if public functions is called from them (I mean from internal or private function source) http://prntscr.com/78pxcf .

3. However if private function is called by public one, it can be found with Reflector and its structure is easily recognized http://prntscr.com/78q5pm

1 answer to this question

Recommended Posts

  • 0
  On 26/05/2015 at 08:18, Molkan said:

Hello! We are caring experiments with several obfuscators. We want to protect our source code from using once more with somebody else. Our main task is to make exe (or dll) analysis for getting original source code structure as complicated as possible. In other words it must be easier to develop application on your own, than to use our sources restored from exe (or dll). At the moment we are testing SmartAssembly 6. We deobfuscate result exe and dll with de4dot. The result is evaluated in Reflector. Thereby we have several questions (It is implicated that analyzed exe (or dll) was obfuscated with SmartAssembly).

Questions:

1. Is there any method (deobfuscation, process dumping, debugging etc) to recover sources of internal and private functions (which are not called from public functions) without extensive and long work (I mean long time spent on recovering process)? If it is possible - please specify the method.

2. The same questions about internal and private function parameter names and local variable names.

3. Which obfuscator (protector etc) you think we should use instead of SmartAssembly to achieve our goals as best as possible (with license cost less than 200$)?

Several observations from our experiments:

1. De4dot does not recover local var names after SmartAssembly (just renames basing on var types to facilitate the analysis http://prntscr.com/78puxr ). But public function code structure and parameter names are recovered pretty good.

2. internal and private functions was not found with Reflector in De4dot recovered file http://prntscr.com/78pvh4 . Besides, their source cannot be found even if public functions is called from them (I mean from internal or private function source) http://prntscr.com/78pxcf .

3. However if private function is called by public one, it can be found with Reflector and its structure is easily recognized http://prntscr.com/78q5pm

 

Having spent inordinate amounts of time researching this in the past, your best options are:

 

  • Use a language that doesn't compile to CLR; for example use .NET Native to properly compile to binary, or use a proper native language like C++
  • Protect your IP (Intellectual Property); for example patent your innovation or use EULA's prohibiting disassembly.
  • Accept that your code can be reverse-engineered given enough effort regardless of what obfuscation technology you use.

Aside: The project I worked on went with the second option as this represented the best value proposition.

This topic is now closed to further replies.
  • Posts

    • Lots of people use it without having an angsty Gotterdammerung.
    • Why certain models only? It should be provided on all high end phones.
    • I don't use it too (only for shutdown/restart), but it's because I have pinned all my frequently apps directly in the taskbar. For search files, I use the PowerToys Run app. But, I understand that a place where ALL apps are listed and available is needed.
    • The M4 Mac Mini with 16GB of RAM gets a massive discount by Taras Buria If you want to try macOS without spending over a thousand bucks on a MacBook Air or MacBook Pro, the Mac mini is a perfect choice, especially with a new discount that brought the price to a new all-time low—as low as $469, which is a very tempting deal, considering what the M4 Mac mini offers. The M4 Mac mini is the first Mac mini redesign in quite a few years. This tiny desktop computer features two front-facing USB-C ports and a headphone jack, plus an Ethernet port, HDMI, and three Thunderbolt 4 Type-C ports on the back. The computer is powered by a 10-core Apple M4 processor with 10-core graphics, which is one of the most powerful ARM processors for modern computers. You also get 16GB of unified memory and 256GB of fast SSD. Apple claims that this Mac mini is up to 13 times faster than the fastest Intel-based Mac mini. The M4 Mac Mini supports Apple's latest macOS version, like the recently announced macOS 26 Tahoe and all of its features, including Apple Intelligence capabilities. It is also a great choice if you need a versatile desktop PC that can run both Windows on ARM and macOS. Another benefit of this tiny PC is that it draws very little power while offering a powerful processor and graphics. The best part is that it is now 22% off, which saves you $170 off the MSRP ($599). Apple 2024 Mac mini with M4 chip, 16GB RAM, 256GB SSD - $469 | 22% off on Amazon US This Amazon deal is US-specific and not available in other regions unless specified. If you don't like it or want to look at more options, check out the Amazon US deals page here. Get Prime (SNAP), Prime Video, Audible Plus or Kindle / Music Unlimited. Free for 30 days. As an Amazon Associate, we earn from qualifying purchases.
  • Recent Achievements

    • Week One Done
      Wayne Robinson earned a badge
      Week One Done
    • One Month Later
      Karan Khanna earned a badge
      One Month Later
    • Week One Done
      Karan Khanna earned a badge
      Week One Done
    • First Post
      MikeK13 earned a badge
      First Post
    • Week One Done
      OHI Accounting earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      680
    2. 2
      ATLien_0
      276
    3. 3
      Michael Scrip
      208
    4. 4
      +FloatingFatMan
      172
    5. 5
      Steven P.
      143
  • Tell a friend

    Love Neowin? Tell a friend!