❔ Obfuscation
I know this isn't a topic that's liked in this server, but I am looking for C# / .NET code obfuscation for my application. To put it simply, I know that IL code can be deobfuscated very easily, but I am still going to try and protect my code. My main code isn't in C#, it's in C++, and there is communication between the 2 applications, but I still have user data that is going to be uploaded via an api, and registration / login via api. So yes, I am using an api, and taking other security measures other than obfuscation.
But yes, any recommendations are good! As cheap as possible (that's reasonable of course)
Thanks!
$obfuscation
"Then finally, there is that question of code privacy. This is a lost cause. There is no transformation that will keep a determined hacker from understanding your program. This turns out to be true for all programs in all languages, it is just more obviously true with JavaScript because it is delivered in source form. The privacy benefit provided by obfuscation is an illusion. If you don’t want people to see your programs, unplug your server."
- Douglas Crockford
https://softwareengineering.stackexchange.com/a/155133
* Spend your effort on putting proprietary things in your api, and keeping the distributed code as empty as possible
* Use AuthN/AuthZ to control who/what/when/etc...
* Free obfuscation is worth the amount you paid for it -- it's already broken and most decompilers out there can make sense of it.
* Paid obfuscation will bankrupt you unless you have a very strong revenue stream and can justify the additional cost with gained sales
* The "threat" of someone hijacking your UI and shimming it to make it provide them money is not a real threat. If this is legitimate software, you can ruin their business with lawsuits
- Cisien
license it properly
Unity is a plain C++ compiled engine and is only protected by its license, which companies pay in the hundreds of thousands for to be able to view the sauce
Thanks
I have authentication hosted, with secure and encrypted responses using PGP (Pretty Good Privacy).
I am using basic sockets to send the input user data to the C++ app, and it awaits a response
this has nothing to do with it
license as in what sorry?
license as in legal protection from people decompiling/modifying/reusing your code
obfuscation in general won't stop anyone who actually wants your code, especially cheap obfuscation
Oh right, well i'm not looking to go commercial yet, due to it just being a private project - but was thinking for the future, so I shall take this in mind
True, but there are some good solutions, like DNGuard, which converts the IL code into pseudo code with their HVM technology
I'm thinking as in a little layer to ensure security
obfuscation isn't security, don't confuse it
My mistake, just a layer then
it's just a roadblock to someone reading your code, it doesn't inherently make it more secure
for example one fork of Stride engine is licensed under "this code is MIT licensed but if you earn money with it you need to pay 4% of your revenue, else you are prohibited from using this engine"
there are many companies out there who just wait for someone to break the license and sue the one who broke it
microsoft has a massive amount of closed source licenses which you can use
if anyone breaks it, lawsuits will come in almost immediately
at least when Oracle is involved ...
So are they paid, or?
Sorry for stupid questions, I am quite new to all this legal stuff
many different templates for license models
a license can be whatever you want
like wireshark
which 80% of Linux users have by default
this is a legal license though (wording must be more accurate I think)... you describe what is allowed and what is forbidden
everything is completely encrypted and sent upon runtime, and it's decrypted at the server using the private key, so that's not an issue
Oh okay, I shall take a look. Thank you!
Also, not sure if this matters, but just to say, my application is Cloud File Storage, I'm working on the application, because it's more efficient for the user in my opinion
How much will it roughly be?
Oh okay, no problem
Thanks though! Much help from all of you
put your copyright into the license
outside the EU you will have to state it explicitly
I don't have a copyright either, this is completely a new project
in the EU you have the copyright the moment you do it, in America you can sell a copyright
Yeah, i'm from England
ofc you have
the moment you pressed the button on the keyboard its under your copyright
if it meets the terms for being "big enough"
a hello world can't be copyrighted
or a standard if statement
if you wrote an entire program then you have the copyright the moment you created it
and you can't lose or sell it
no matter what
Oh okay, so I can copyright anything made by myself? That's cool! So i'd just need a legal license to ensure people do not use it?
in the USA you can sell it, like Sun sold the copyright to Oracle for Java
Copyright (C) Bobby McBOb - All Rights Reserved
means you have the copyright, and you don't grant anyone else any rights
which also means you can't sell it with this license as the user is not allowed to do anything with it
👀 I cannot sell the product under the copyright?
i mean, they can do whatever they want until you pursue them legally
if you're going to sell the product your license should include language that allows the intended use of the software
but none of us are lawyers and you'd really want to get one involved if you want to do it right
Yeah, the product itself is free, like for example 100GB Storage for free, and the user pays for more
a copyright is a full license.. but you don't grant anyone the right to use it or other stuff.. which means your license would include the rights for what to do, and when (for example after paying)
this is why lots of applications have terms of service that are 3 miles long
and are pretty accurate and horrible to read
so you get an accountant or whatever to make it for you
or license manager
anyone in IT will tell you to pick either
1. a license template that is well known
2. get a license from a professional
but the "well known" licenses like GPL, MIT, FreeBSD are mostly for the use of "I don't care"
especially if this is an online service you'll want to specifically list out what is approved and unapproved usage of your service so you're protected from people abusing it
so get a professional
especially since it's cloud storage, what happens if someone uploads something illegal?
as service host you are the baddy if someone fails
we have MD5 hash checks, as well as people cannot directly upload executables, .scr files, .dll files, .com files without confirmation - but honestly, I do not mind, but it might be against something. But overall, my goal is for people to upload anything to backup, like asuswebstorage.com
i'm talking about illegal content
child porn videos
illegal such as gore, child pornography?
as example
yeah
I didn't think about that
I was thinking about malware / cheats
yeah you really don't want to be on the legal hook for that
yeah not wrong
so you put that into the license
that its not allowed
okay, no problem, can I specify that malware is allowed?
for example oracle enterprise manager, if you press the wrong button they sue you the day you pressed it
well... they revoke your license as it's illegal in the EU to have such a license... but outside the EU it's an immediate lawsuit
generally you'll want to ask an actual lawyer all these things
Oh okay
i don't know all the legal details, i just know i wouldn't want to be implicated in distributing illegal content that someone else uploaded
not illegal either.. they would lose in every court as its not fulfilling EU laws...
its complicated
This law stuff is so confusing
thats why there are high paid dudes who know that shit
I've always used the MIT license as it's the only one that I fully understand
Sorry to ask, but what's that?
I do see it alot with things on github
it's an open source license that basically grants anyone the right to do whatever they want with the software/source code
do whatever you want with it but let me in peace and mention me as copyright holder with that license
"let me in peace" .. it states that you cant sue me when you get problems with it
or make me responsible
Encrypting packets + HTTPs?
@turkishtobacco Licenses won't protect your application, no one cares about them. It will just prevent companies from using your application and not paying what you deserve, that is, if they get audited.
It's sad but you can't make a safe client-side app using .NET, not in a way that it makes it uncrackable or impossible to get your source code.
you cant make it with other languages either
I'd like to see you try to get the full source code of a golang app
what about NativeAOT?
That's for the future to decide
You can give Eazfuscator a try. I've heard that their VM has not yet been introspected
But that's for the paid license only
I'm using that currently actually haha
no difference, can be decompiled
That as well as VMProtect
But I will give the license a go
you need a license anyway, else you can't sell it
VMProtect will be useless for C#
But as people said in here
You won't be 100% safe, if a really good reverse engineer attempts to crack your app, he probably will succeed
But Eazfuscator is good enough to keep 90% of the script kiddies away
and sue him and then get more money from the lawsuit than you could ever from your app
Not entirely in my experience
Exactly this
EAZFuscator licensing is $400 a personal license I believe
also microsoft has an obfuscator and afaik for free
Yes it is really expensive
oh
I meant that EAZFuscator is expensive
I wish mooseous was here
he would probably know more about this
Dotfuscator Community+
Ohh, yeah their obfuscator is terrible 😂
imo
join the reverse engineering discord
for being free its good enough
Take a look at DNGuard if you think EAZ is expensive
Which one?
Not wrong
I quite like KoiVM as a free obfuscator / virtualizer
There are plenty of devirtualizers for KoiVM
there is also a decompiler for Unity's IL2CPP
The only public good obfuscator/virtualizer right now is for Mono sadly
Like OldRod, etc - but even so, KoiVM is a good base, VMProtect for .NET uses KoiVM / similar techniques, as well as StrongVM which is 80% KoiVM
iirc KoiVM doesn't really work properly for .net 5+
no?
Yeah, exactly, like il2cpp dumper
Possibly, I use .net 4.7
and IL2CPP was known as "almost impossible" to reverse engineer
didn't take a year...
If there is investment there will be reversing
BeeByte seems okay, it's very very simple, basic renaming of types, methods, and it has string encryption + junk code - but a lot of people can never unpack it fully
^ For unity
Just look at Node.js for example
Your application will be safer with V8 bytecode than it is with IL
obfuscation through obscurity is a different thing...
Because there is no investment in making a tool to reverse v8 bytecode
is discord terrible today or is it my connection
oh you mean after obfuscation... i thought you meant the pure code
It's bad today, my messages aren't sending 50% of the time
terrible today, messages get red
You know what, there isn't much point in doing all of this obfuscation for a file uploader, just the license, because 90% of the code is in C++
and I could also just make libraries for most of the important stuff
Sorry for the dumb question, but why do you need to obfuscate a file uploader?
Even if someone tries to reverse engineer the client app, it shouldn't give them any advantage
Yes, but they can still access the api directly - and see which type of encryption is used even, anything like that
And in general, I think it's quite unprofessional if an application is vulnerable
It's not a vulnerability to allow the users to see the api calls
I mean...discord the service we are using is exactly like that
Yes, but even so, there are (d)dos attacks that could be started, or anything like that
Let me introduce you to Telerik Fiddler that shows you every single call every single app makes on your PC: https://www.telerik.com/fiddler
Or wireshark, or procmon 😅
Yeah I know, but they are encrypted, and decrypted using the PGP Private key on the web server
I still don't understand the benefit of obfuscating the client tbh
😅
no, I'm using a basic XOR cipher as well I guess, but that still needs a decryption key
also base64
What's being encrypted the payload?
A base64 string is no different than a regular string
^ base64 is not encryption, it's just an encoding scheme
I know, but it's something
yes
No it really isn't
It's like turning a decimal number into a hexadecimal one
Well I personally don't see any reason to obfuscate the code, but it's your project and you understand what it needs more
👍
Thank you for understanding
certificate pinning go brrr
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.