How to obfuscate your .NET app and why it's pointless
Vložit
- čas přidán 28. 11. 2021
- Become a Patreon and get source code access: / nickchapsas
Check out my courses: dometrain.com
Keep coding merch: keepcoding.shop
Hello everybody I'm Nick and in this video I will show you how you can obfuscate your .NET applications, explain a few concepts behind the process and help you understand why, even if you obfuscate your code, your app is still vulnerable.
Don't forget to comment, like and subscribe :)
Social Media:
Follow me on GitHub: bit.ly/ChapsasGitHub
Follow me on Twitter: bit.ly/ChapsasTwitter
Connect on LinkedIn: bit.ly/ChapsasLinkedIn
#csharp #dotnet #obfuscation
My code is so bad it's inherently obfuscated anyways.
I mean forget worrying about pirates understanding my code.. the fact that a compiler understands it is a miracle.
@Oddik Aro word! Spaghetti is my primary weapon against pirates. That's why they call me Dag the spaghetti monster. I'm a strong advocate for the goto keyword in every situation and also never shy away from some really really tight coupling.
lol
hahaha
lol
So alot of people mistakenly label obfuscation as "pointless" when in reality is very much not pointless. But I keep hearing it regardless. It's like saying that you shouldn't lock your door. The door keeps away casual intruders, but really anyone could bust it open through a variety of means. If an obfuscator makes it so that it is tedious and difficult to read or sift through, its purpose is fulfilled. It's not going to completely protect your source code, it's just going to make it difficult for people trying to get access, and that's absolutely something you should do instead of just letting it be seen in plain sight. There's also the question of, is your code worthwhile enough to sift through? It's similar to, who would really wanna look through your door if you are just another house on the street? Now if you had the door wide open, then maybe someone would take a peek. Someone's not gonna do that if the door is locked (or in this case the code is obfuscated).
As long as the obfuscator makes every class name, method name and variable name meaningless, it's all good, just so long as the debugger can reference back to the proper names.
You will never stop a determined hacker, but you can stop the casual guy stealing.
Exactly this. No matter how you try to obfuscate, everything can be de-obfuscated or atleast reverse-engineered. That's what many people don't understand. The sole purpose is to make the reverse engineering/deobfuscation so hard and time wasting that the reward is often (or should be) not worth the effort.
Exactly. Symbol names cannot be restored, even for de4dot. Making all the class name, method names meaningless makes the code so much more difficult to understand.
There's also string and control-flow obfuscation. If your program has some sort of authentication/licensing process that phones home, you really need to make sure those strings aren't easily readable (or locatable). Also, control flow obfuscation is enough to stop half of the determined attackers too.
Unobfuscated C# code can basically be decompiled right back into C#, same is true with Java, so these measures can help prevent source code leaks too.
Rewrite it in F# - should be enough
LOL 😆
Solid Gold Comment 👌
As F# dev, I disagree
@@trashhater9304 honest question, what do you use it for? I'm curious of the viability of it in an industry.
@@burnsy96 same reason why people write in sass instead of css: it's faster to write and easier to read. If working in a team, it's important that everyone is using the same language though. F# works in the exact way as C#, it's just written differently. This is possible as they are both in .NET framework.
I think you can expand on the topic, especially by commenting what de-obfuscaters do.
That's an awesome idea!
@@nickchapsas yes, and also maybe explain if reflection doesn't work and dotpeek doesnt work properly on obfuscates assembly, how is this assembly is not broken and it still works?
@@ArgeKumadan Some obfuscators have own VMs.
@@voidomable wow. Didn't know about that.
@@voidomable Yes quite a few of them have virtualization.
Before watching:
The point of obfuscation is to make it a little harder to reverse engineer and at least replace variable names with meaningless garbage. Control flow changes can help a bit, but the more advanced obfuscation probably hurts performance more than protecting your IP.
I don't want someone to be able to have almost as much understanding of my code as I do. My shipped apps should not be *almost* copy-paste-able and have meaning. I'll take the slightly lower debug-ability. From a security standpoint, it makes auditing harder, but as long as it isn't a birthday app, I think we're all fine 👌
If someone wants to reverse engineer something they will. Regardless of how much stuff you do.
"No matter what you do, things will be cracked"
This is true in so many levels.
Great video as always, keep it up.
Εκεί που ευχαριστείς στο τέλος, ακούγεσαι σαν τους αεροσυνοδούς της Ράιαναιρ πριν βγουν να πουλήσουν ξυστό! :P
Very interesting topic, I would like to see more about it in the future! Keep it up Nick!
Yes. Locking your door is also pointless. If a burglar wants to break into your home, he will do so despite the lock.
This isn't about locking your door. This is about making your house look like it was painted by Salvador Dalí
Yeah you're absolutely right.
@Nick Chapsas, the fact that the obfuscated code can still be reverse engineered or understood, is that something that you feel is more of an issue with C# than with C++ compiled binaries (assembly)? Is reverse engineering obfuscated code much easier than reverse engineering byte code?
Yes, by obfuscating, you basically just slow down the process of a reverse engineer, reverse engineering a c++ assembly is way harder than that. However i would like to point out that there are several really good paid .NET obfuscators that make your app nearly uncrackable (Agile, VMProtect)
@@grando888 Thanks. Any thoughts on Preemptive's Dotfuscator?
Would this change with .NET native AOT compilation? What to do when you DO want something to protect like a license check? Write it in C and DLLImport it?
So what are you protecting? In the past complete application would be deployed on customer machines. How much happens this still? In my opinion people can grab the UI code and do with it what they like, it shouldn't contain any IP. I never thought one second to obfuscate my assemblies. In early nineties I wrote some code to grab a dll (c/c++ modules) and pull the information from the file and generate assembly and/or Pascal code from it. Like Nick said if you think you're safe think again.
Would you advice using obfuscation on a Blazor WASM app?
Does this work with Blazor Wasm or would linker interfere with it ?
What's the performance hit for generating spaghetti code?
And if the obfuscator stores a file with the "name" -> obfuscated "name" list then logs can be de-obfuscated if things like "Class.Method' are logged.
Nice topic, though, I would've wished to see some open source obfuscators, names at least. I hope you'll do a follow-up vid 😘
Few of our products use the Sentinel SDK for protection. We cannot start the debugger if any protected dll is in use..
Also, I would mention that obfuscation adds tremendous problems during the development process. DevOps, debugging, logging, stacktraces decoding... nightmare crashes, and so on.
And all this stuff you do only for taking 10 minutes more on decompilation process by haker... Pretty useless...
You're completely wrong. I don't even have to explain.
I found a c# app once that I couldn't deobfuscate no matter how much I tried, i even found what they used to obfuscate it and found tools especially made for it but I think they made modifications to prevent common tools from working. The entire code was a long array (hundreds of thousands of entries) of numbers with a complicated function to interpret them
Was it VM Protect? If not it still could have been easily decompileable.
We use Dotfuscator, sure everything is crackable but the attacker needs to put alot of afford & time to decompile the code
That really depends on what they are cracking. Cracking a license for example is extremely easy. If you want to prevent them from getting the original source code and rebuilding it themselves, then yeah it makes sense.
@@nickchapsas But adding the whole code obfuscation does at least add some complexity to cracking said license.
Which is the best, SmartAssembly or .NET Reactor?
Thank you so much for addressing right off the bat that it's essentially pointless. It was equally possible in unmanaged code with utilities like the legendary SoftICE, but it wasn't nearly as easy.
Can you perhaps make a video of code signing the source code or protect code with a SSL certificate please
if I need to go back code to the normal code, is it possible if library has been obfuscate ?
If I may, some suggestions for future topics :
Gateway and service discovery: Ocelot, Eureka...
And maybe your thoughts on GraphQL for modern architectures
Thank you for the content and keep it up !!
Just asking out of general interest. Does it take more effort to reverse engineer a C++ dll (depends of course on a lot of factors)?
One factor being that C++ is generally harder to understand and another one being that people who specialize in C++ prefer doing shit on their own than copying someone else's code :P
Yes and no - there a de-compilers that will attempt to rebuild C++ code from the assembly. I don't know how well they work but it does typically require intimate knowledge of both assembly and C++.
@@richardhight4430 You're right. It is still not accurate, and all symbols will be wiped. You can also implement VMs in c++, though.
Well, for me the main issue that Java and C# is that they are so easy to reverse engineer. Don't get me wrong, we can use an obfuscator, but it is mostly the same easy process like when you obfuscate your app, to deobfuscate it..
Can you please make video about how to add license to blazor server application
Als looking at the exception’s stack trace in the log when it obfuscated makes me cry 😭
I like reverse engineering (because by knowing how to reverse your code then you can protect your code), in this video obfuscator method as long as the library doesn't call native runtime, you can trace on how to deobfuscate it, just need time and patience. there's another obfuscate method that remove CLI header, this obfuscate method change the library into native library but doesn't act like native library, so when you open native library debugger the debugger doesn't recognize it as native library, when open with reflector the reflector doesn't recognize it either. the obfuscator act like a wrapper when open with DASM, there's some operators that not related to the library source while the OPCODES become binary data (not operand). that kind of obfuscator is really pain in the b*tt to deobfuscate. but still, obfuscator is not always safe because once you break the obfuscator logic, any library that being obfuscated by that obfuscator will be have same deobfuscate logic.
Nick, what happened to your 2 players snake game video? It was interesting!
Super useful, thank you.
amazing video, thanks again for the amazing content nick
can it help to evade windows defender ?
I think Microsoft should take the response for code encryption and protection. At least it should provide the simple option that you want to share the code or not. Msft never tells that your code can be easily decompiled at the beginning.
Microsoft should first take response for Windows encryption, that thing is close to a joke for someone that knows what they are doing and, unlike the .Net framework, that product is for paying customers.
Saying obfuscation pointless is similar to saying that cryptography is pointless. Both can have drawbacks and can be broken with skill and time, but it all depends on the use cases. In my situation, obfuscation was the only protection against my product being cracked since it relied on a server to verify ownership. Without obfuscation, the community I worked around would have immediately compromised the product and ruined sales; however, using .NET Reactor with proper settings and code that prevents most scanning exploits was the only reason I was able to keep security on the application.
Obfuscation and cryptography are so different they might as well be playing in different leagues. Cryptography, if done correctly, can lead to effectively impossible to decrypt status. Obfuscation will always be easily crackable no matter what. It doesnt' make your app more secure and it doesn't protect your code.
@@nickchapsas I still don't think obfuscation is completely pointless. In terms of security it did enough in my case that it was worthless to waste the time trying to de-obfuscate it or crack. In terms of protecting code you could de-spaghettify and trace what every function does eventually but they can never recover the structure or naming of the code that make it easy to work with and modify. There are many drawbacks that make it impractical for most commercial applications it just happened to work well for me. It's not that I think obfuscation is the golden standard of application level security but it is the only option I know of.
Tried Eazobfuscator, obfuscar, confuserex,Neo confuserex, confuserex1.6.dotNet Reactor after all of that I found out %60 of obfuscators break your code... And without obfuscator mapping files you cant even debug Application even if you do have mapping file debugging will be a nightmare! So I decided to go releasing my app without any obfuscation except my HID based licensing system. It is better to focus on customer happiness rather than protecting your Application from reverse engineer teams... They will break it no matter how much effort you put in! Thanks for clarification
My previous employer was convinced that wrapping code in a Docker container will make it permanently inaccessible to the customer, lol.
HAHAHAHAHAHAHHAHAHAHAHHAA
YOU MADE ME LAUGH SO HARD WHEN U REACTED AT THE OBFUSCATED CODE ROFL "Again, bunch of bunkers" :D:D: thank you man
Can't attacker just go straight to the IL code and get everything from there?
no
I always assumed only AOT compiled machine code is shipped if the source needs protecting.
Doesn't help and I could argue is worse, the metadata are all still there and the code is still retrievable on the same level if not more.
@@stefsot2 how is machine code more hackable than pcode?
@@matthewblott because usually is left as is without any protections because of the mentality that "c++" is more secure which absolutely is not true, also like I said AOT includes so much metadata that reconstructing the original code is easy. Using net obfuscators is better than AOT.
usefull video, thanks
it seems you are not right.....I have some dll obfuscated that I can not deobfuscate.........from my side its impossible....so kindly if you tell me how to do it I will be happy to listen to you Regards
Hey nick! can you include on your next video on how or what is SCRUM or AGILE? Thanks :)
It's like a lot of things, you can protect yourself from the average person, but you're wasting your time against professionals :)
After watching:
I like to at least not expose my variable names and that's pretty much all I care about. Who knows what words might be offensive in the future 😢
I'd hope no one actually believes obfuscation will make their code indestructible, but hopefully it will make them skilled at war 😁
This
So, yeah, this is wrong. Yes, ultimately things can be cracked. The reason to obfuscate code is to make it too expensive for someone to steal what you're doing for profit, and make stealing it more expensive.
Getting cracked, can cause way more damage to profits than getting recompiled and sold as a new product for 2 reasons. First, getting cracked and shared as a torrent is practically impossible to crack down on so there is nothing you can really do. Second, if someone uses your licensed copyrighted product, do build theirs, then you have every right to go after them legally, and since something needs to be sold under some entity, it is way easier to pinpoint and crack down on. If you're obfuscating to prevent people from stealing your work then you're simply adding a false sense of security to your project.
@@nickchapsas I'm not sure about that. Obfuscation goes beyond just making your code unreadable. Proper anti tamper can definitely prevent cracks to a certain degree. But yes, obfuscation is not bullet proof, and it was never meant to be. It's a layer of protection that is more or less effective, depending on how you implement it, but not the ultimate solution to everything.
Why not just AOT compile? Thats gonna be way harder to crack than obfuscation eh?
Because it will not work on WPF/Forms/Reflection/etc.
For client app, its important
Obfuscation is for extremely light security by obscurity to the noobs. Don't ever actually rely on it for security though, the only thing it should be used for is protecting the code from being easily/quickly stolen and replicated. From a security standpoint, it does virtually nothing beneficial. The obfuscated code also degrades performance to some degree. Code virtualization does that to an even further extent and should be used very sparingly. I think the mistake here with this video is to imply that it's by any means protection against cracking. I can still debug an obfuscated binary and view the data quite easily. Obfuscation is the least of my worries.
The video does not imply that at all, in fact it's explicitly stated multiple times that obfuscation does not protect against cracking. "No matter what you do things will be cracked, so don't bet that even if you do this you're safe, you're not."
interesting as usual
What about themida?
I used it for a long time in the past. It did a good job of hiding things but antivirus made it a massive PITA and when e.g. the user had the wrong version of .net framework installed the errors were quite cryptic. I don't think these problems are specific to Themida, you're just using the same things that viruses use to hide, so you look like a virus.
@@georgehelyar Thanks bro
1:26, Blazor Server, baby
.net is xD easy to crack thats why i avoid it. obfuscation still nice "if" you have option to break de4dot.. and some custom de4dot. and dnlib..
use custom confuser x and that net reactor is trash
Yes you are right found out some months ago a reverse Engineer team has come up with a deobfuscator for DotNet Reactor.And they are still trying to sell it for $199 its crazy
👍🏽
great
I do this at my 9-5 just pass me the code.... not only do i obfuscate it, but i make it completely unusable. :)
just write wensites and api's. Easy stonks
friends don’t let friends obfuscate
I like deobfuscating things. I do it in my spare time.
Oh, i know some colleges who can do this just by typing code....
I am a security guy; obfuscation is a joke... it's only used by people who don't understand how it's easy to break with common tools.
in our company we do use obfuscation... it's not about security tho, it's about intellectual property, make the product more costly to copy
I bet you wouldnt be able to break my stuff :^ )
Right opportunity to make the point strongher, bet what? With everyone or only him? Why should he accept the bet, while he does that as a job? He usually get paid to try to break someone's code, and report on how well it's protected... Why should he do it for free... The bet must be very good.
@@LuigiTrabacchin and I can bet you he gets paid to analyze useless malware copy pasted all around, I used to do his "job" and I can promise you he hasnt seen a good protection/obfuscation and btw MY job is to protect stuff
Statistically speaking a good protection does not exist, everything get cracked within days... So... He sound more reasonable than you, even if he missed the whole point... We don't obfuscate to stop piracy, we obfuscate to stop intellectual robbery...
but how do these obfuscators actually work?
That is actually a great idea for a video!
@@nickchapsas I've always wondered how does manual obfuscation works and things like that so if you would like to explain it in a video that would be awesome
I like this video of yours, but I would also like to add:
Your encryption type, netrector 6.7, is already unpacked, so you shouldn't use it, because it's already unpacked by dragging and dropping.
I strongly disagree. Protecting your code is not pointless, when done right.
You never menshened how to deobfuscate it back.
The ONLY viable use case for obfuscation is your licensing library, or some special algorithm that must remain secret. In 90% of the cases, there is absolutely no point in obfuscation. It's not going to prevent disassembly or decompilation, it's only going to slow down the amateur code sleuth... And your code isn't nearly as special or precious as you think it is. It physically hurts me when VB6 rejects make grand claims about how .NET is insecure and shows your code to the world...
to be honest, you don't need to obfuscate it. JUST dont
NET Reactor is the worst obfuscator, ConfuserEx is open source and have a lot of features, you can also modify it so it cant be decompiled with public tools
It doesn’t matter. You can always work around obfuscation
@@nickchapsas You keep saying that like it’s sooo easy, but you never showed us in the vid like you said you were going to....
@@hxd9321 Yep thats bullshit. Using a bit of virtualization stops I say 95-99% of reversers. If someone wanna try I can send small binary protected with EAZ and try to hack it
nah i just make cheats and i dont want lil kids to SKID my code for their own menu
Or rewrite it in .ook
"Get ready to be blind, 3,2,1 boom" hahaah
I don’t know if you know about de4dot dnspy unpacking stuff lol