Protecting Your Code - Obfuscation



As a measure to help make it more difficult for others to reverse-engineer your application, you should consider obfuscating your code before you release it. To obfuscate is to make obscure. When applied to a built application, obfuscation changes the names of your functions and variables, reorganizes your code, and masks your constants to make it extremely difficult for someone who decompiles your built application to figure out how it was designed and written. The ultimate goal of an obfuscator is to confuse a decompiler utility to the point that it is unable to decompile the code.

Visual Basic .NET 2003 ships with an obfuscation utility named Dotfuscator, which was developed by PreEmptive Solutions. The Dotfuscator offers basic-level obfuscation services such as renaming of variables and private methods. If you have a function named CalculateTax, which takes a parameter of type Decimal named Income, the Dotfuscator will change the name of the function to a and the name of the parameter to A_0, making it difficult for someone to determine what the function is intended to do.

For example, Dotfuscator will change the Visual Basic .NET code

Private Function CalculateTax(ByVal Income As Decimal) As Decimal
End Function

to this:

Private Function a(ByVal A_0 As Decimal) As Decimal
End Function

PreEmptive Solutions sells more advanced versions of the Dotfuscator that include features such as reorganization of your application’s execution logic in a way that makes it extremely difficult to reverse-engineer.

An obfuscation utility works well for Visual Basic .NET applications in which a large number of internal (Friend or Private) functions perform most of the work. It also helps if those internal functions use as few Visual Basic .NET or .NET Framework classes as possible, although this is usually an unreasonable requirement because a Visual Basic .NET application usually calls numerous Visual Basic .NET and .NET Framework functions to get its work done. Both conditions matter because of what an obfuscating utility cannot rename. It generally can’t completely obfuscate the public classes and functions contained in your application, because the name of each class and function must be preserved for any external application to find it. In addition, if your code uses Visual Basic .NET classes, all calls to those functions will normally be left as is, because the obfuscating utility can’t rename the function being called, although more advanced obfuscating utilities could generate code to mask the name of the function being called.

Obscurity <> Security

Obfuscation does little to make your application more secure. After you obfuscate your application, it will run exactly the same as it did before obfuscation and will be susceptible to the same security issues as it was before obfuscation. This is not to say that no security is derived from obfuscating your application. If you can prevent someone from reverse-engineering your application, you can in effect prevent the hacker from stealing your source code. However, you should also take other preventive measures to ensure that your source code and related documents are not stolen by keeping both stored on secure servers accessible only to those whom you trust and who require access to the source.

Run Dotfuscator

Dotfuscator isn’t the most user-friendly application in the world. The tool isn’t integrated into Visual Studio .NET, and the user interface isn’t very intuitive. The following steps demonstrate how to run Dotfuscator:

  1. Build your application.

  2. Select Dotfuscator Community Edition from the Tools menu.

  3. If you want to continue, select Yes to agree to the license; you’ll be prompted to register the product with PreEmptive Solutions.

  4. When prompted for the project type, select Create New Project.

    The main window defaults to the Setup tab, which doesn’t provide anything useful for our purposes.

  5. Choose the policy level to deploy.

  6. Click the Trigger tab, click the Browse button, and locate the built Visual Basic .NET application binary .EXE or .DLL you want to obfuscate. These are normally located in your application’s Bin directory.

  7. If you’re building a class library or a user control project, click the Options tab and choose the Library option. Doing so prevents Dotfuscator from changing the names of Public classes and methods exposed by your component.

  8. Select the Build tab, and enter a location where the obfuscated file will be placed. For example, specify a location in your application directory named obfuscated, such as C:\MyApp\Obfuscated.

  9. Click the Build button. You’ll be prompted to save the obfuscator project.

  10. Carefully check the build output window—you’ll need to manually scroll to the end—to make sure no build errors occurred.

Your obfuscated application will be located in the directory you chose earlier. Anytime you rebuild your application, you’ll need to run the obfuscator again. Fortunately, it saves the build settings, and you can just click the build button to reobfuscate it.
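
The following check is an added example, not code from the book or from Dotfuscator: a small Visual Basic .NET console program that uses reflection to list the non-public method and parameter names that are still readable in a built assembly, so you can confirm what the renaming described earlier actually covered and see which names the Library option preserved. The module name, the `MaxRenamedLength` threshold, and the idea that a renamed identifier is a short one are assumptions of this example, and it needs a Visual Basic compiler newer than the 2003 release described in the text.

```vb
Imports System
Imports System.Reflection

Module ObfuscationAudit
    ' Assumption of this example: renamed identifiers are short ("a", "A_0"),
    ' so any longer internal name is reported as still readable.
    Private Const MaxRenamedLength As Integer = 4

    Private Const AllDeclared As BindingFlags = _
        BindingFlags.Instance Or BindingFlags.Static Or BindingFlags.Public Or _
        BindingFlags.NonPublic Or BindingFlags.DeclaredOnly

    ' A method is callable from outside the assembly only if both it and its
    ' declaring type are visible; those names must survive obfuscation.
    Function IsExposed(ByVal m As MethodInfo) As Boolean
        Return m.DeclaringType.IsVisible AndAlso _
               (m.IsPublic OrElse m.IsFamily OrElse m.IsFamilyOrAssembly)
    End Function

    ' Returns the number of internal method and parameter names still readable.
    Function Audit(ByVal asm As Assembly) As Integer
        Dim readable As Integer = 0
        For Each t As Type In asm.GetTypes()
            For Each m As MethodInfo In t.GetMethods(AllDeclared)
                If m.IsSpecialName OrElse IsExposed(m) Then Continue For
                If m.Name.Length > MaxRenamedLength Then
                    Console.WriteLine("readable method:    {0}.{1}", t.FullName, m.Name)
                    readable += 1
                End If
                For Each p As ParameterInfo In m.GetParameters()
                    If p.Name IsNot Nothing AndAlso p.Name.Length > MaxRenamedLength Then
                        Console.WriteLine("readable parameter: {0}.{1}({2})", t.FullName, m.Name, p.Name)
                        readable += 1
                    End If
                Next
            Next
        Next
        Return readable
    End Function

    ' Usage: ObfuscationAudit.exe <assembly path>; with no argument it audits itself.
    Function Main(ByVal args As String()) As Integer
        Dim asm As Assembly = Assembly.GetExecutingAssembly()
        If args.Length > 0 Then asm = Assembly.LoadFrom(args(0))
        Dim count As Integer = Audit(asm)
        Console.WriteLine("{0} internal name(s) still readable in {1}", count, asm.GetName().Name)
        Return If(count = 0, 0, 1)
    End Function
End Module
```

Run it against both the original and the obfuscated binary and compare the two listings; the nonzero exit code when readable internal names remain lets a build script fail if the obfuscation step was skipped after a rebuild.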




Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168
