Best Obfuscation Tool for .NET Developers

BabelforNET

For professional .NET developers that are either running or trying to establish software businesses of their own, the dangers of losing a product and\or intellectual property to hackers and other unsavory personnel can be significant due to the easily disassembling of .NET MSIL components.

It is also true that no software developer selling his or her own products can be completely secure from the possible incursion of an intelligent code-breaker into the source of any given product. As software professionals the best any of us can do is make it difficult for such people to abuse our development efforts keeping piracy down to a hopeful minimum.

To that end there are several ways to encrypt or obfuscate your software. The most expensive and most reliable technique is that of being able to compile a .NET assembly or executable into native machine code. Unfortunately, there are very few tools that can actually generate native images for .NET MSIL output. The “Salamander” compiler has been one option but at a price tag of about $1250.00 USD it is a little expensive for most professional developers.

It is now just starting to be promoted with the new Visual Studio 2015 release from Microsoft that a native compiler called “.NET Native” is in the works with an early edition as part of the VS 2015 package. However, from what can be gathered from recent articles is that the first edition is somewhat limited in scope.

A second and far more affordable alternative is an “encryption\merge” tool, which not only encrypts .NET MSIL output but actually merges all dependent assemblies (not the .NET Framework) into a single executable module. In addition to the encryption\merged executable module, such software also adds to the final mix a memory decompression tool so that the module is decompressed within memory and then executed.

Black Falcon Software has tested one such product, which appears to be currently maintained and presented no issues when tested with Black Falcon Software’s primary product, “SQL Server Source Control for Developers”.

Like anything else, such software can cause issues depending on the environment its resulting modules attempt to execute in and since there are so many variables to our computing environments there is no way to adequately test for all such possibilities.

Nonetheless, the tool from Eziriz (http://www.eziriz.com/), “.NET Reactor”, appears to be a rather solid product and many have noted as such on technical news sites.

The third and most common software tool is that of obfuscation whereby the software literally scrambles the internals of .NET MSIL modules into unintelligable source-results so if successfully disassembled will be very difficult for the technician to understand in order to pirate the product.

Products of this type range in price from the very expensive to the verfy affordable and Black Falcon Software has tested quite a number of these tools. Surprisingly, the most expensive tested (around $750.00 USD), a product from Israel, produced assemblies that simply stopped working no matter how many times they were reproduced from the software. None of the obfuscator’s parameters had been changed for the production of the outputted module(s) but for whatever reason after having successful results initially, whatever was being produced after a point would simply fail to execute. And this last has been found to be an issue with a number of obfuscation tools.

Microsoft’s Visual Studio product has been offering its own third-party obfuscation tool for quite some time now in the form of “Dotfuscator Community Edition”. This add-on is completely free as well as just about completely worthless. If you look up the specifications for this edition you will find that it provides for the most limited form of obuscation possible, making it nothing more than a sales-teaser. Unfortunately, upgrading to the professional version is a very costly endeavor considering that pricing for this and the more advanced editions is not even listed at the product’s site.

One such obfuscation tool that has continously provided successful results is “Babelfor.NET” (http://babelfor.net/), which has two forms of using the software and a host of options for each.

“Babelfor.NET” provides both an extensive graphical interface as well as a complete command-line tool. And this is its only drawback. If you merely want to obfuscate a group of dependent assemblies, the graphical interface will be more than enough for your requirements.

However, if you want to obfuscate and merge your assemblies into a single executabel module than the command-line tool is required. Why this division of processes is a question that Black Falcon Software has yet to pose to the author of this tool as it seems from working with this software that the command-line capabilities could have been made a part of the graphical interface. Nonetheless, both tools work consistently as claimed.

With the amount of options available for the command-line tool, though a little more difficult to use, it is a recommendation that it be used for maximum protection of your product. If any of the command-line options you have provided do not process your particular modules correctly, you will be quickly informed with a listing of warning/error messages, which should be eliminated for your runs in order to guarantee that your outputted modules work correctly.

The documentation for both tools is quite extensive but if you have any problems working with either, the support is just as good as the products themselves. Sending in a query to the author should always provide you with a working answer within 24 hours. And if you are requesting help with the command-line tool and send him the actual parameters you were providing to it along with the warning\error messages that resulted, he will make the necessary corrections to your options list and return a suggested one that should work in your case.

The pricing for “Babelfor.NET” is quite affordable for developers given the necessity of protecting your products. There are several versions which are offered with different levels of pricing that should be acceptable to any budget. In the most advanced version, an additional software licensing package is also offered, which may be an additional consideration for some but it is a little pricey.

Since trial versions are available for both 32bit and 64bit machines there is no reason not to give this product a spin. You should be pleasantly surprised…

Advertisements

3 comments

    • When I was researching obfuscation tools I only knew of so many. ZEROIFY did not come up during my research, which was quite extensive. In addition, most developers use obfuscation tools for securing assemblies, not HTML, JavaScript, or CSS. As a result, my research emphasized these types of tools.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s