Problem

You've written a pretty cool application, and you'd like to sell it to customers. But you also know that the Intermediate Language (IL) code generated by the Visual Basic compiler can easily be read and turned back into reasonable source code by ne'er-do-wells intent on reaping ill-gotten rewards from your hard effort.

Solution

Use an obfuscator to alter the compiled application, making futile any attempt to reverse-engineer the application back into understandable source code.

There are several third-party obfuscators on the market that target .NET-compiled applications. These programs work with any compiled .NET application, whether it was written in Visual Basic, C#, or some other .NET-enabled language. Visual Studio 2005 also includes an obfuscator you can use with your own applications. It's called Dotfuscator Community Edition, and although it comes with Visual Studio, it's actually developed by a separate company named PreEmptive Solutions.

It's pretty easy to perform a basic obfuscation using Dotfuscator. First, make sure you have built your application to an EXE executable (or DLL, if relevant). From Visual Studio, select the Tools → Dotfuscator Community Edition menu command. Once you get past some advertising, you will be prompted to create a new project. This is not a Visual Studio project, but a Dotfuscator project. A new project appears via the main Dotfuscator form, as shown in Figure 2-5.

Figure 2-5. A new Dotfuscator project

On the Input tab, use the left-most icon (the Open Folder icon) to locate your EXE assembly. Use the other tabs to fine-tune the obfuscation, if desired. Then use the File → Build menu command to generate an obfuscated version of the project. You'll be prompted to save the settings for this project. Once generated, the obfuscated version of the project appears in a directory named Dotfuscated in the same directory where you saved the settings.
Discussion

We obfuscated a simple Windows Forms application that contained (1) a mostly empty form, (2) a static label on that form, and (3) a Click event handler for the label that just displays a message box. We used Microsoft's IL Disassembler (ildasm.exe, one of the tools included with the .NET Framework SDK installed with Visual Studio) to view the internals of the "before" (Figure 2-6) and "after" (Figure 2-7) assemblies.

Figure 2-6. Before obfuscation

Figure 2-7. After obfuscation

Clearly, the obfuscation process did make some changes, but in a simple program like this, it's not too difficult to see what it did. It's interesting that the old set_Label1 property component was renamed to a, but the related get_Label1 was renamed b; that's obfuscation in action. Local variables and even embedded strings go through some of the same scrambling procedures. The goal is to scramble the code enough to keep it safe from prying eyes but keep it stable enough to work exactly as it did before obfuscation.

Dotfuscator Community Edition contains basic obfuscation functionality. If you want something more stringent, you will have to upgrade to one of PreEmptive's more advanced versions (for a fee) or find another obfuscation product from a different vendor.

Be aware that obfuscation is not for all applications, at least according to the warning label on the Dotfuscator product. It implies that the product is safe to use as long as your application:
See Also

Some of the recipes in Chapter 16 will help you obfuscate (that is, encrypt) the data used by your application.
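
The renaming described in the Discussion (set_Label1 becoming a, get_Label1 becoming b) can be checked with reflection before you ship, instead of by eye in ildasm. The following is an added example, not code from the original recipe or from PreEmptive; the RenameCheck module and its function names are hypothetical, and it assumes both assemblies depend only on .NET Framework assemblies.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Reflection

' Hypothetical helper: lists names that are identical before and after obfuscation.
Module RenameCheck
    ' Every member declared in the assembly itself, public or not.
    Private Const Declared As BindingFlags = BindingFlags.Public Or _
        BindingFlags.NonPublic Or BindingFlags.Instance Or _
        BindingFlags.Static Or BindingFlags.DeclaredOnly

    ' Collect the type names and member names found in one assembly file.
    Function NamesIn(ByVal assemblyPath As String) As Dictionary(Of String, Boolean)
        Dim names As New Dictionary(Of String, Boolean)
        ' LoadFile (not LoadFrom) so that two files with the same assembly
        ' identity can both be loaded and compared.
        Dim asm As Assembly = Assembly.LoadFile(Path.GetFullPath(assemblyPath))
        For Each t As Type In asm.GetTypes()
            names(t.FullName) = True
            For Each m As MemberInfo In t.GetMembers(Declared)
                names(m.Name) = True
            Next
        Next
        Return names
    End Function

    ' Names present in the original that are still present after obfuscation.
    Function Survivors(ByVal original As String, ByVal obfuscated As String) _
            As List(Of String)
        Dim after As Dictionary(Of String, Boolean) = NamesIn(obfuscated)
        Dim kept As New List(Of String)
        For Each memberName As String In NamesIn(original).Keys
            If after.ContainsKey(memberName) Then kept.Add(memberName)
        Next
        kept.Sort()
        Return kept
    End Function

    Function Main(ByVal args As String()) As Integer
        If args.Length <> 2 Then
            Console.Error.WriteLine("usage: RenameCheck original.exe obfuscated.exe")
            Return 2
        End If
        For Each memberName As String In Survivors(args(0), args(1))
            Console.WriteLine("not renamed: " & memberName)
        Next
        Return 0
    End Function
End Module
```

Some names, such as the constructor name .ctor, cannot be renamed and will always be listed; the entries worth reviewing are the ones that still describe what your code does.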