What is the advantage of merging+obfuscating over embedding with encryption

Hi,
we are using Smart Assembly for some time with a large WPF desktop application that comprises several DLLs. So far, we have always merged and obfuscated the assemblies. However, we have spent a lot of time figuring out the right settings that would not break any functionality at runtime, eventually excluding a lot of stuff from obfuscation (both certain types and namespaces as well as all WPF projects).
In the end, opening the assembly with any decent decompiler reveals a lot more about the internals than I had wished.
Furthermore, we recently found that the merged assembly has issues regarding a decreased performance and increasing memory usage over the original assembly.

Looking for a solution, I have found that embedding and encrypting all dependent assemblies works a lot easier, no need to fine-tune the obfuscation and all performance and memory issues are gone.

Also, trying to look into the resulting assembly with decompilers only shows the internals of our entry project, which is not critical in our case, as it is just a "Shell"-Wrapper around the several application modules that now reside in embedded and encrypted assemblies. All these embedded assemblies are not accessible from any decompiler I tried, which is a good thing!

So my question is, what is the disadvantage of "only" embedding and encrypting? I understand that once loaded and unencrypted at runtime, the original content of the assemblies resides in memory. But I could live with that, if opening the .exe with any decompiler does not easily reveal the internals and all performance and memory issues can be resolved like that.
I have also read in a 2012 thread that error reporting only works for merged DLL, but from my tests the change to embedding did not break the error reporting functionality. Did that change since then?

Thanks in advance!
Christoph
Tagged:

Comments

  • Hi Christoph,

    Thanks for your post!

    There are a few advantages of merging:
    - It's easier to obfuscate merged dependencies since you can obfuscate them as part of your project for the main assembly. With embedding, however, you'd need to obfuscate the dependencies separately before embedding.
    - SmartAssembly does not obfuscate public members of dlls. When you merge dll dependencies, however, many types that were public can become internal and SmartAssembly can then obfuscate them. This can help protect more code and can also make calls to dependencies quicker.

    That said though, embedding has a benefit as well: dependencies keep their integrity and so you will likely spend less time on adding exclusions, if any are needed. Potential hackers may try to extract the assembly code from memory, but if important types are private so that they are obfuscated, then this may not be a concern.

    Regarding error reporting, I vaguely recall that there may be an issue with using pdb files on embedded dependencies and I'm wondering if this may be what the post was regarding. Do you mind pointing me to the forum link so that I can look into this?

    Thank you!

    Jessica Ramos | Product Support Engineer | Redgate Software

    Have you visited our Help Center?


Sign In or Register to comment.