Applications developed and compiled on .NET platform are vulnerable to reverse engineering due to the nature of .NET code compilation. When .NET applications are distributed as assemblies and executables they can be easily decompiled using the right tools to view the entire source code just as if you are viewing it in an IDE. There are a number of tools available that accomplish just that with relative ease. I would like to share what I found about it when I put my applications to the test and I am hoping that this knowledge sharing article will benefit developers to secure their applications from reverse engineering
Tic-Tac-Toe is a game I developed in .NET platform using C# language and like every other .NET application, it too is vulnerable to reverse engineering unless some kind of protection is included in it to deter reverse engineering. Fortunately though there are also some tools that offer protection from reverse engineering. These tools are called Obfuscators.
Obfuscator is essentially a tool that scrambles or obfuscates the MSIL code in such a way that it becomes impossible to comprehend and reverse engineer the compiled code to the original source code. I researched and read about those protection tools and I chose to test one such popular Obfuscator tool namely Crypto Obfuscator developed by LogicNP Software. In my test, I used Crypto Obfuscator to obfuscate my application to verify the level of protection it can offer. My application uses classes, methods, strings, resources, and other .NET concepts extensively and it is a good, real life, independent candidate to test with Crypto Obfuscator. The result was Crypto Obfuscator performed very well, completely shutting out some decompiler tools and making the code impossible to understand in other decompiler tools. I will demonstrate the Crypto Obfuscator results by comparing the original source code and the obfuscated code.
First, let us look at Crypto Obfuscator application interface. Needless to say, the application is very user friendly with simple user interface and contextual help that was useful to me in quickly understanding the purpose and meaning of each obfuscation function. I used maximum obfuscation settings as shown in the picture below.
Now let us look at the obfuscation and how well Crypto Obfuscator protects the code from reverse engineering.
One of the first protection schemes in Crypto Obfuscator is to scramble or rename all classes, methods, variables, etc. in such a way that they are unrecognizable, confusing, and unprintable. This makes it extremely difficult to understand and reverse engineer to the source code. The pictures below show the original compiled code and obfuscated code and it is evident by comparing them the difficulty in comprehending the class and method names and the application components. The picture below for obfuscated code includes just a snapshot of all the obfuscated symbols.
Here is the obfuscated class and it can be seen clearly from the pictures below that the obfuscation completely obscures the program logic and control flow.
It was very difficult for me to correlate the obfuscated code with the original code and it is because of the strong obfuscation of Crypto Obfuscator. The pictures below of obfuscated code show how the impossible task of understanding the obfuscated code.
In summary, the obfuscation results were beyond satisfactory and in fact, it also improved the performance of the application because Crypto Obfuscator reduced the footprint of the code. I also verified tamper detection, string encryption, metadata reduction, watermarking, and application control flow and all of these elements of coding that ordinarily would give away the application code were protected by Crypto Obfuscator. One last thing I verified was to try to debug the application, however, the obfuscation prevent debugging of the application. I have to mention that I tested one other obfuscator after I wrapped up with Crypto Obfuscator and although it achieved some level of obfuscation, I was not totally satisfied with it because of two reasons: Some decompilers were able to show the original code presumably because the obfuscator did not obfuscate the entire application and secondly, the number of protection variables found in Crypto Obfuscator were simply not present in the other obfuscator. In my personal and professional opinion to the extent that I reviewed and researched other obfuscators and decompilers, Crypto Obfuscator offers by far the strongest and diverse code obfuscation and protection that I have seen. Most of the developers would need to rely on Obfuscation tools and I am hoping that this knowledge sharing article will benefit developers to secure their applications from reverse engineering.