Welcome to AddressOf.com Sign in | Join | Help

Living in a Land of Obfuscation

You know, I'm all for making some things available for free; but at the same time want to protect my “property” as much as possible.  With great tools such as Reflector being available; you really need to consider using obfuscation to at least make it a little more difficult to reverse engineer your code.  In addition, most professional obfuscators offer the ability to encrypt embedded strings; which allows for an added level of “security”.  I quote security since it's nearly impossible to 100% protect anything; all obfuscation does is raise the level of entry to reverse engineer and modify the value proposition for doing so.

OK, so it's important to obfuscate.  What kind of problems are you going to run into doing so?

Well, one of the biggest negatives is that you lose some of the *HUGE* benefits of reflection and debugging.  If your code is not obfuscated and an error occurs; it's really simple to see where the error occured thus allowing you to quickly identify the problem and get it resolved.  If all the class/method names are jumbled, you lose this benefit.

What else is there?

If you are utilizing serialization (and you might be and not even know it), you have to make sure that these classes/methods are not obfuscated (renamed); otherwise every time you compile and obfuscate, you could have newer names.  Even if you were using an obfuscator that could remember the names from one compile to another; your resulting xml file (or whatever target) would contain these jumbled names and not the original... removing one of the benefits of XML in the first place... human readability.

Is there anything else?

Yes.  Depending on the tool you are using, you might not have an integrated development experience within Visual Studio.  If you are lucky enough to have one that is integrated, you might experience bugs introduced by the manufacturer of the obfuscation tool that causes “other errors” such as not being able to add Web References.  I experienced this with a previous version of Dotfuscator and after chasing my tail in circles for a while, one of the things I tried caused Dotfuscator to notify me that there was a newer version available.  When I uninstalled the previous version getting ready to install the newer one (why I had to do this with such an expensive product is beyond me, but...); I figured I'd try the add web reference problem.  Sure enough, it was fixed.  Installing the newer version didn't break it either, so now I'm golden.

Surely there is more...

Of course there's more.  ClickOnce.

ClickOnce and Obfuscation don't have a great story at this stage of the game.  Visual Studio makes it really simple to utilize ClickOnce deployment from within the environment.  However, you can't integrated obfuscation as part of this process.  So if you want to use obfuscation, you aren't able to use the integrated tool. :-(

However, all is not lost.  There's a tool called MageUI.  This tool allows you to modify the manifest files associated with ClickOnce.  It's a manual process, but not too difficult to deal with once you get it initially setup.  I'll post a follow up on how to use MageUI.exe.

Published Monday, May 8, 2006 12:57 PM by CorySmith

Comments

# Interesting Finds

Tuesday, May 9, 2006 4:13 PM by Jason Haley
Anonymous comments are disabled