Options
Several questions on C# obfuscation (SmartAssembly)
Jonatann
Posts: 2
Hello! We are caring experiments with several obfuscators. We want to protect our source code from using once more with somebody else. Our main task is to make exe (or dll) analysis for getting original source code structure as complicated as possible. In other words it must be easier to develop application on your own, than to use our sources restored from exe (or dll). At the moment we are testing SmartAssembly 6. We deobfuscate result exe and dll with de4dot. The result is evaluated in Reflector. Thereby we have several questions (It is implicated that analyzed exe (or dll) was obfuscated with SmartAssembly).
Questions:
1. Is there any method (deobfuscation, process dumping, debugging etc) to recover sources of internal and private functions (which are not called from public functions) without extensive and long work (I mean long time spent on recovering process)? If it is possible - please specify the method.
2. The same questions about internal and private function parameter names and local variable names.
3. Which obfuscator (protector etc) you think we should use instead of SmartAssembly to achieve our goals as best as possible (with license cost less than 200$)?
Several observations from our experiments:
1. De4dot does not recover local var names after SmartAssembly (just renames basing on var types to facilitate the analysis http://prntscr.com/78puxr ). But public function code structure and parameter names are recovered pretty good.
2. internal and private functions was not found with Reflector in De4dot recovered file http://prntscr.com/78pvh4 . Besides, their source cannot be found even if public functions is called from them (I mean from internal or private function source) http://prntscr.com/78pxcf .
3. However if private function is called by public one, it can be found with Reflector and its structure is easily recognized http://prntscr.com/78q5pm
Questions:
1. Is there any method (deobfuscation, process dumping, debugging etc) to recover sources of internal and private functions (which are not called from public functions) without extensive and long work (I mean long time spent on recovering process)? If it is possible - please specify the method.
2. The same questions about internal and private function parameter names and local variable names.
3. Which obfuscator (protector etc) you think we should use instead of SmartAssembly to achieve our goals as best as possible (with license cost less than 200$)?
Several observations from our experiments:
1. De4dot does not recover local var names after SmartAssembly (just renames basing on var types to facilitate the analysis http://prntscr.com/78puxr ). But public function code structure and parameter names are recovered pretty good.
2. internal and private functions was not found with Reflector in De4dot recovered file http://prntscr.com/78pvh4 . Besides, their source cannot be found even if public functions is called from them (I mean from internal or private function source) http://prntscr.com/78pxcf .
3. However if private function is called by public one, it can be found with Reflector and its structure is easily recognized http://prntscr.com/78q5pm
Comments
>> 1. Is there any method (deobfuscation, process dumping, debugging etc) to recover sources of internal and private functions (which are not called from public functions) without extensive and long work (I mean long time spent on recovering process)? If it is possible - please specify the method.
I am not aware of any other methods myself but if any other users do, please do add your feedback!
>> 2. The same questions about internal and private function parameter names and local variable names.
As far as I'm aware, it's impossible to restore original parameter names if pruning has been applied, nor local variable names unless the pdb file is available -- parameter names are actually stored in an assembly's metadata which can be removed from the assembly via Pruning, while local variable names are actually contained in pdb files and will not be shown in a decompiler unless the pdb files are available. (though the de4dot site says it can recover the parameter types)
>>3. Which obfuscator (protector etc) you think we should use instead of SmartAssembly to achieve our goals as best as possible (with license cost less than 200$)?
I don't know much about them, but the other popular obfuscators I know of are Dotfuscator and .NET Reactor which both seem to offer editions in that price range, as well as CryptoObfuscator which doesn't show the pricing on its site. I can't speak on how strong these are or how well they stand against de4dot (on de4dot's site, it looks like it can also undo some features of those obfuscators)- as it sounds like you know, it's important to remember that because .NET code must remain as valid IL, obfuscation regardless of the tool used is unfortunately always reversible to some extent.
Jessica Ramos | Product Support Engineer | Redgate Software
Have you visited our Help Center?