Simon Harriyott

Obfuscation's what you need (if you want to be a Reflector breaker, yeah)

Cool bananas. I just had a crazy idea (to file under cheeky hacks), and it works. I've been trying to obfuscate MatchMatix so I can start sending out evaluation versions, without the licensing code being visible. A couple of weeks ago, I tried Dotfuscator Community Edition (CE), as it comes with Visual Studio. For the uninitiated, obfuscated code is harder to read in Lutz Roeder's Red Gate's Reflector, so people can't nick your secrets (as easily).

I was fairly pleased with what it produced, in that the class names were renamed to a, b, c, ... ab, ac, ad etc. The method names also followed this convention, and there seems to be method overloading too, where differently-named methods with different signatures are obfuscated as methods with the same name. Cunning.

The problem was that the code in these methods was still visible. This is because the CE version is "Limited to simple renaming". The other problem is that the Professional version costs more than a laptop, and it's my policy not to pay more for software than it costs to buy a laptop (at least until I've bought a new laptop, anyway). Actually, even then, I'd rather buy something far more interesting than obfuscation tools for that much.

I tried a couple of other free obfuscators (I really hate that word now), but without any success, and I ran out of time, and haven't thought about it since.

Until today, upon seeing a link to the new (and free!) Babel Obfuscator on the most excellent Morning Brew. (Hey nice photo, by the way. I like the "CEO-casual" look.)

It seems as though Alberto Ferrazzoli, the obfuscreator (see what I did there?) had similar issues to me:

I wrote this obfuscator because I need it for one of my early project. I try to use some readymade freeware obfuscators unsuccessfully. There are several professional obfuscators on the market but they are not cheap.

However, Alberto is more enterprising than me:

I know that writing an obfuscator is not an easy task but two weeks ago I came across an article about Microsoft Phoenix SDK so I realized that should be possible to write this obfuscator.

Good man! I just gave up, but you went right ahead and wrote your own. Marvellous. And it's only 34Kb to download. Brilliant. Ah, hang on, I need this Phoenix thingy. 104Mb. What? Oh well.

This is all command line, unlike Dotfuscator CE, so that's a good start. Not only does it obfuscate mangle (OK, that's the last time I'm typing obfuscate. er..) the code, but it also does MSIL control flow obfuscation (I pasted that one), which adds meaningless IL code that can't be translated back to C# code, so Reflector can't understand it.

So I ran it, and not only was the source code hidden, it crashed Reflector! Wickid! 10 points to Alberto. The downside was that the class names weren't mangled, so it was really easy to find my licensing class. So what to do? Do I go for mangled classes, but visible code, or visible classes and mangled code?

So here comes the crazy idea, so crazy that it might just work. What if I could have both? By using both manglers? Would it really work? (OK, you know it does, because I said so earlier, but I'm trying to build some suspense). Could I daisy-chain them together? Pass the output from one mangler as the input to the other? Well, YES! Sometimes I amaze even myself.

So, now Reflector shows me mangled class names, and mangled code (it doesn't crash Reflector any more though. Boo). Here's and example method from the a9 class:

protected StringBuilder c(a8 A_0)
// This item is obfuscated and can not be translated.

Ten pounds says you can't tell me what this method did originally.
8 September 2008