Vikas Gonti References https://www.preemptive.com/products/dotfuscator https://www.youtube.com/watch?v=dqjYSF-7Q1A What is Obfuscation? Dictionary Meaning: To confuse, to make obscure a problem with extraneous information or to darken. -www.dictionary.com In Terms of Technology: Obfuscated code is source or machine code that has been made difficult to understand. Programmers may deliberately obfuscate code to conceal its purpose or its logic to prevent tampering, deter reverse engineering. What is Obfuscation? Obfuscation in .NET: - Technology of shrouding the facts. - Technology that makes .NET assemblies more difficult to decompile and impedes reverse engineering efforts. What is an Obfuscator? An obfuscator: An algorithm O, such that for any program P, O(P) is a program such that O(P) has the same functionality as P O(P) is infeasible to analyze/”reverse-engineer” .NET Software Development Lifecycle 2 1 4 Design Develop and Build Deploy Test 3 Protect Why Obfuscation? .NET Programs compiled in MSIL, which is at a higher level than binary machine code. So .NET Programs are easy to reverse engineer using decompilation. Attackers can use a .NET decompiler to easily reverse engineer code. The .NET framework ships with a tool (ILDASM) that can disassemble MSIL. Anyone can peruse the details of the software. Why Obfuscation ctd ..? Obfuscation reduces the size of an executable. Obfuscation improves the application performance at runtime. Properly applied obfuscation increases protection against decompilation Goal of Obfuscation? The goal of obfuscation is to create confusion. It says nothing about altering the executable logic, but represents it incomprehensibly. When an obfuscator tool goes to work on readable program instructions, a side effect is the output will confuse a human interpreter and break the decompiler the human interpreter was using. Dotfuscator – Obfuscator Tool Dotfuscator is a post-development recompilation system for .NET applications. It analyzes applications and makes them smaller, faster, and harder to reverse-engineer. In short, it makes them better. Enhanced Code Security. Decreased size of .NET Programs. Improved Run- Time Performance. Dotfuscator – Obfuscator Tool Obfuscation is applied to MSIL and not source code. Obfuscated code is functionally equivalent to traditional MSIL. It executes on CLR with similar results. Dotfuscator features Renaming Control Flow Obfuscation String Encryption Pruning Linking Watermarking Dotfuscator features Renaming : Uses a patented Overload-Induction renaming system that Renames as many methods as possible to a same name. Saves space as short names used for renaming. Several Options exist for class renaming. For example, Specify classes to be renamed while keeping their namespace membership (keepnamespace). Rename namespace names while preserving namespace hierarchy (keephierarchy) Rename completely, removing the namespace.(default) 1. Renaming Options (keepnamespace) This methodology is an excellent way to hide the names of your classes while maintaining namespace hierarchy. An example of this type of renaming is: Renaming Options (keephierarchy) It preserves the namespace hierarchy while renaming the namespace and class names. Renaming Options (default) The default methodology renames the class and namespace name to a new, smaller name. Overload Induction Method Renaming Dotfuscator implements patented technology for method renaming called Overload-Induction. The underlying idea being that the algorithm attempts to rename as many methods as possible to exactly the same name. After this deep obfuscation, the logic, while not destroyed, is beyond comprehension. The following simple example illustrates the power of the Overload Induction technique: Original Source Code Before Obfuscation private void CalcPayroll(SpecialList employeeGroup) { while (employeeGroup.HasMore()) { employee = employeeGroup.GetNext(true); employee.UpdateSalary(); DistributeCheck(employee); } } Overload Induction Method Renaming Reverse-Engineered Source Code private void a(a b) { while (b.a()) { a = b.a(true); a.a(); a(a); } } Renaming makes decompiled output difficult to understand. Since overload-induction tends to use the same letter more often, it reaches into longer length names more slowly (e.g. aa, aaa, etc.). This also saves space. Dotfuscator features ctd .. 2. String Encryption: Crackers will frequently search for specific strings in an application to locate strategic logic. For example, someone looking to bypass a registration and verification process can search for the string displayed when the program asks the user for a serial number. When the attacker finds the string, he can look for instructions near it and alter the logic. String Encryption String Encryption makes this much more difficult to do, because the attacker's search will come up empty. The original string is nowhere to be found in the code. Only its encrypted version is present. No strings are encrypted unless you specifically include a method that uses the string. The intention is that you will only want to encrypt strings in the sensitive parts of your application. Dotfuscator features ctd .. 3. Control Flow Obfuscation: Traditional control flow obfuscation Introduces false conditions and other misleading constructs in order to confuse and break decompilers. It destroys the code patterns. The end result is semantically equivalent to original. Control flow obfuscation Original Source Code Before Obfuscation public int CompareTo(Object o) { int n = occurrences – ((WordOccurrence)o).occurrences; if (n == 0) { n = String.Compare(word, ((WordOccurrence)o).word); } return(n); } After Control Flow Obfuscation public virtual int _a(Object A_0) { int local0; int local1; local0 = this.a – (c) A_0.a; if (local0 != 0) goto i0; goto i1; while (true) { return local1; i0: local1 = local0;} i1: local0 = System.String.Compare(this.b, (c) A_0.b); goto i0; } Dotfuscator features ctd .. 4. Pruning: Determines unused types, methods and fields. It extracts exactly the pieces you need for any given application. Helps reduce size of the assembly. The static analysis works by traversing your code, starting at a set of methods called “triggers”. (Application Entry Points) In standalone application, the Main method would be defined as a trigger. As it traverse each trigger method’s code, it notes which fields, methods, types are being used. Pruning Conditional Inclusion: It allows you to specify types, methods, and/or fields that you wish to be definitely included (i.e. Not pruned) in your final application. Removal Report: It generates a removal report in XML format that lists all input assemblies and how each was pruned. The report includes pruning status of: types, methods, fields, properties, and managed resources. If a type was pruned, then obviously all its members are pruned. Constructors are named .ctor, while static constructors are named .cctor. Dotfuscator features ctd .. 5. Assembly Linking: Also called merging, Links multiple assemblies into one or more output assemblies. The only rule is that you can't link the same input assembly into multiple output assemblies. The linking feature is fully integrated. Prime Assemblies: When you set up linking, you must specify one of the input assemblies as the prime assembly. Assembly Linking Name Mangling: When the linker is merging assemblies, the linker sometimes encounters situations where a name needs to be changed in order to prevent a naming collision. For example, if two of the input assemblies contain private classes with identical names then the linker must change one of the names in order to merge the assemblies. Dotfuscator features ctd .. 6. Watermarking: Used to Embed data (copyright info/unique nos.) into applications, making them unique. This is one method that can be used to track unauthorized copies of your software back to the source. To watermark an application Select the assemblies to watermark. Select whether the watermark string is to be encrypted and provide a passphrase if so. Provide a string and an encoding that will be the watermark. Select how Dotfuscator will behave if the watermark string is too large to fit in a selected assembly. Drawbacks Maintaining and Troubleshooting becomes difficult. Can break code that depends on reflection, serialization or remoting. Hampers the debugging process, as obfuscation alters MSIL. Conclusion & References Obfuscation is not 100 percent protection. If a hacker is perseverant enough, they can find the meaning of your code. The goal of obfuscation is to make the reverse engineering process extremely time consuming and painful so that it not worth the effort. References Professional Visual Studio 2005 – Andrew Parsons and Nick Randolph. http://aspnet.4guysfromrolla.com http://www.preemptive.com http://msdn2.microsoft.com/enus/library/ms227295(VS.80).aspx