Overview obfuscators for .NET
I dare to believe,% username%, that you know what obfuscation is, why it is needed in the .NET world and what is the difference between control flow obfuscation and MSIL encryption.
It is also assumed that you have seen .NET Reflector and is familiar with any symbolic debugger, I will give examples on WinDbg.
I have been working on the topic of obfuscators for a long time, but recently I did have to update knowledge
Not so long ago, I was faced with the task of choosing a good obfuscator for .NET4. After reviewing a bunch of software, I made a small review where I tried to include the most famous obfuscators.
')
Under the cut more about each.
Entries in the plate are in alphabetical order, so as not to offend anyone.
Encrypts code with NecroBit (the name of their technology), there are rumors in forums that NecroBit has successfully croaked. Maybe I just did not find it, because special effort is not applied. The code could not be parsed, WinDbg did not find anything either.
Reflector:
Something can be learned with WinDbg, but the IL code of the methods is not given.
He recently bought the company RedGate. Honestly, I did not understand the choice of RedGate, {sa} does not even know how to encrypt MSIL. After sitting with the debugger, you can understand the code. I do not recommend using this obfuscator, the price of $ 750 is clearly not consistent with the quality.
All that this obfuscator with code does is obfuscate the control flow in approximately this form:
Reflector in C # does not parse the code (although it is easy to do it), but in IL it’s great:
I downloaded a super-example from their site. They promised that Reflector will not open. Reflector, in fact, cursed, but opened:
Products of one class, I think, are very suitable if protection of the code from further refactoring and excessive curiosity is required.
Babel:
However, WinDbg successfully showed that inside the assembly made by Babel (probably because I had the community version; unfortunately, I did not check the full version):
They write on the site that they work with the source code, and this results in a source code that is buggy. Very interesting approach, but unfortunately, you cannot download the obfuscator itself. Minus - with this approach it is impossible to encrypt MSIL and incorrect instructions.
The previous version of this obfuscator had a lot of cracks that appeared very quickly. That says that hackers know how this obfuscator works. I did not see the latest version of the crack, but there are bad problems:
You can use it, but wait for surprises.
The build turned out to be quite good, but an ambush waited for me - with the build, 4 MB of DLL-ek came from this obfuscator:
A very famous product, I was surprised that the resulting applications are so easy to hack:
The reflector does not open the assembly, it is encrypted. The jamb is that the assembly is encrypted completely, and it is decrypted after the application starts. After decrypting no protection in memory:
Obfuscator free. It's a shame that only simple rename can do it. What can please (personally I am more interested in the console or MSBuild versions) is a fairly simple process of obfuscation, it all comes down to dragging the assembly file. Here’s what comes out of it.
Obfuscators are built according to a similar principle, they can execute code by embedding precompiled .NET assemblies into the application, which eliminates the possibility of intercepting JIT compilation calls.
The resulting applications can run even without installed .NET on the machine. The size of the resulting application is 10..50 MB, depending on which libraries you will use.
These solutions are very expensive. But, unfortunately, there are quacks at PostBuild (even the last one). Probably, in famous circles there are ready unpackers.
An unequivocal answer to this question is not to give, it all depends on what you value in the code:
None of the above. I use my own obfuscator. This is assembly-specific encryption of the assembly bit by bit, like the .NET Reactor.
The cost of creating it cost about $ 3000- $ 5000. Yes, it is no better than the existing ones, but there is one thing but - the principle of obfuscation is not publicly announced, it’s impossible to feel it. To hack it, you just need to spend more time.
As they say, think for yourself, decide for yourself ...
It is also assumed that you have seen .NET Reflector and is familiar with any symbolic debugger, I will give examples on WinDbg.
I have been working on the topic of obfuscators for a long time, but recently I did have to update knowledge
Not so long ago, I was faced with the task of choosing a good obfuscator for .NET4. After reviewing a bunch of software, I made a small review where I tried to include the most famous obfuscators.
General conclusions and reasoning
- Free obfuscators are very weak and are suitable only for simple renaming. Only a few of them know about control flow;
- There are very good solutions (control flow, MSIL encryption) worth up to $ 500;
- Adult solutions cost around 5,000, but unfortunately for many of them there are unpackers. Some of them are cracked.
The obfuscator grunted - it means they understood his defense system. In the trash obfuscator. - There are solutions "against bydlohakerov" - the assembly is fully encrypted and decrypted on the fly. Hack a symbolic debugger such an assembly easier than ever.
')
Under the cut more about each.
Entries in the plate are in alphabetical order, so as not to offend anyone.
| Name and URL | Cost of | Control flow | MSIL Encryption | Details ... |
|---|---|---|---|---|
| .NET Reactor | $ 180 | + | + | Encrypts the code, it is quite difficult to break it, but it is possible that there is a unpacker |
| {SmartAssembly} | $ 795 | + | - | Used by RedGate. Grunt. |
| Aspose.Obfuscator | (-) | (-) | (-) | The project is no longer supported. |
| Assemblur | Free | - | - | Studio plug-in + console. Almost nothing obfuskatsya |
| Babel | $ 250 | + | ? | Something encrypts, but you can run DumlIL in runtime, perhaps the full version works well |
| Bithelmet | $ 250 | ? | ? | Fell down saying that .NET is missing |
| C # Source Code Obfuscator | ? | - | - | It seems to work with the source. NET. An interesting approach, but apart from the description and example, I did not find anything |
| Cilsecure | > $ 1000 | ? | ? | Paid obfuscator, even without trial. The cat in the bag. |
| CodeArmor | ? | ? | ? | Another paid obfuscator, very muddy and also without trial. Support did not respond. |
| Codeveil | $ 900 | + | + | Known for burning in antiviruses. Overall, good stuff. |
| Codewall | $ 400 | + | + | Sane obfuscator |
| Decompiler.NET | $ 550 | - | - | 3 years abandoned |
| Deepsea | $ 200 | ± | - | Inclined to do a lot of switch. In general, non-usable. |
| Desaware | $ 1500 | + | ? | No .NET 4.0 |
| DNGuard HVM | $ 900 | ? | ? | A buggy installation without half the buttons, the very first application fell |
| Dotfuscator | $ 1900 | + | ? | Community version is very meager, and Enterprise is expensive, but maybe it's worth it |
| dotNetProtector | $ 500 | + | + | Added to the project more than 4 MB of their DLLs |
| Eazfuscator.NET | Free | - | - | Simple rename |
| Goliath.NET | $ 115 | + | ± | Reflector assembly does not open, but in WinDbg you can see the entire source |
| Netorbiter | Free | - | - | Funny obfuscator. I made my prokt where I copied my exe-schnick completely and added something in addition. |
| Obfuscar | Free | - | - | Simple rename based on Mono.Cecil. .NET 4.0 does not support |
| Obfuscator.NET | $ 200 | ? | ? | The assembly made immediately fell. Even on .NET 3.5. |
| PCGuard for .NET | $ 400 | ? | ? | More focused on licensing than obfuscation. Trial not sent. It would be very interesting to watch. |
| Phoenix Protector | Free | (-) | (-) | Even .NET 3.5 does not hold |
| Salamander.NET | $ 800 | - | - | On the example given on the site, the reflector, of course, swears, suspecting an ambush, but disassembling with a bang |
| SharpObfuscator | Free | - | - | Apparently, the product has long been abandoned. |
| Skater.NET | $ 100 | - | - | Strange thing, renamed several methods + was looking for the old ILDASM. Probably abandoned. |
| Spices.NET | $ 400 | - | ± | Encrypts the entire assembly, which is bad |
| VMWare ThinApp | > $ 5000 | + | + | The resulting application can run even without .NET. Gizmo |
| Xenocode PostBuild | > $ 1000 | + | + | Himself obfuskator grunt that leads to not very good thoughts |
Read more about especially interesting individuals.
.NET Reactor
Encrypts code with NecroBit (the name of their technology), there are rumors in forums that NecroBit has successfully croaked. Maybe I just did not find it, because special effort is not applied. The code could not be parsed, WinDbg did not find anything either.
Reflector:
Something can be learned with WinDbg, but the IL code of the methods is not given.
{SmartAssembly}
He recently bought the company RedGate. Honestly, I did not understand the choice of RedGate, {sa} does not even know how to encrypt MSIL. After sitting with the debugger, you can understand the code. I do not recommend using this obfuscator, the price of $ 750 is clearly not consistent with the quality.
All that this obfuscator with code does is obfuscate the control flow in approximately this form:
L_1 br.s L_4
L_2 br.s L_3
L_3 ret
L_4 push
L_5 ldc.i4.1
L_6 br.s L_2
Reflector in C # does not parse the code (although it is easy to do it), but in IL it’s great:
Salamander.NET
I downloaded a super-example from their site. They promised that Reflector will not open. Reflector, in fact, cursed, but opened:
Babel (the one that is not free), CodeWall, dotNetProtector
Products of one class, I think, are very suitable if protection of the code from further refactoring and excessive curiosity is required.
Babel:
However, WinDbg successfully showed that inside the assembly made by Babel (probably because I had the community version; unfortunately, I did not check the full version):
C # Source Code Obfuscator
They write on the site that they work with the source code, and this results in a source code that is buggy. Very interesting approach, but unfortunately, you cannot download the obfuscator itself. Minus - with this approach it is impossible to encrypt MSIL and incorrect instructions.
XHEO CodeVeil
The previous version of this obfuscator had a lot of cracks that appeared very quickly. That says that hackers know how this obfuscator works. I did not see the latest version of the crack, but there are bad problems:
- Applications do not like the antivirus, obfuscator encrypts the assembly and writes to itself (which pleases, the assembly is encrypted in pieces)
- After this obfuscator, applications should be tested very well, bugs can fall in the most unexpected places.
You can use it, but wait for surprises.
dotNetProtector
The build turned out to be quite good, but an ambush waited for me - with the build, 4 MB of DLL-ek came from this obfuscator:
Spices.NET
A very famous product, I was surprised that the resulting applications are so easy to hack:
Goliath.NET
The reflector does not open the assembly, it is encrypted. The jamb is that the assembly is encrypted completely, and it is decrypted after the application starts. After decrypting no protection in memory:
Eazfuscator.Net
Obfuscator free. It's a shame that only simple rename can do it. What can please (personally I am more interested in the console or MSBuild versions) is a fairly simple process of obfuscation, it all comes down to dragging the assembly file. Here’s what comes out of it.
VMWare ThinApp, Xenocode PostBuild
Obfuscators are built according to a similar principle, they can execute code by embedding precompiled .NET assemblies into the application, which eliminates the possibility of intercepting JIT compilation calls.
The resulting applications can run even without installed .NET on the machine. The size of the resulting application is 10..50 MB, depending on which libraries you will use.
These solutions are very expensive. But, unfortunately, there are quacks at PostBuild (even the last one). Probably, in famous circles there are ready unpackers.
What do you choose,% username%?
An unequivocal answer to this question is not to give, it all depends on what you value in the code:
- All the code in the aggregate - not one “keychain” in the code is important, but the code completely. Encrypt the code with some simple obfuscator, it is better to encrypt MSIL. If all the code is really important, deciphering it completely will be harder to write again, and no one will do it;
- Separate "fishechka" - for example, checking the key. I would advise not to give such code at all in public, it is better to cut the functionality in the trial version. In the full version, the key must be checked, but the risk of theft is less. Nevertheless, I would advise using a more obfuscator.
What do I use?
None of the above. I use my own obfuscator. This is assembly-specific encryption of the assembly bit by bit, like the .NET Reactor.
The cost of creating it cost about $ 3000- $ 5000. Yes, it is no better than the existing ones, but there is one thing but - the principle of obfuscation is not publicly announced, it’s impossible to feel it. To hack it, you just need to spend more time.
As they say, think for yourself, decide for yourself ...
Source: https://habr.com/ru/post/97062/
All Articles