LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.1
Obfuscation for .NET
By Ken McNamee
One of the many benefits that ASP.NET offers over classic ASP is the separation of the UI rendering code and the business logic code. Gone are the days where you must include your potentially proprietary business logic in the same file as your HTML. To prevent just anybody from being able to casually inspect their sensitive code, some developers chose to move that code into COM DLLs written in Visual Basic 6.0 or Visual C++. Although this was effective, it led to other problems, such as complicated deployment and the addition of another development tool and language.
Although ASP.NET solves some of those problems, it doesn't completely make your business logic safe from prying eyes. In fact, the .NET Framework includes a tool called ILDASM that makes it easy to view the contents of .NET assemblies - such as your Web application and its components. The problem lies in the fact that a .NET assembly contains all the metadata necessary to describe itself to any tool that knows how assemblies are structured. ILDASM can display all the namespace and type information, and even Intermediate Language (IL) contained in the assembly. Some tools can even decompile the IL into C# or Visual Basic.NET!
This might seem a little distressing for the previously unaware, but all is not lost. There are methods you can use to severely complicate the efforts of those who wish to view your code. One of these methods is obfuscation, which, in dictionary terms, means "To make so confused or opaque as to be difficult to perceive or understand." Strictly speaking, it isn't possible to prevent decompilation of your assemblies 100 percent of the time. Like decryption, the best you can hope for is to make the process so difficult and time-consuming as to be not worth undertaking in the first place.
Visual Studio.NET 2003 includes a tool that takes the first step in complicating the efforts of prying eyes: Dotfuscator Community Edition.
Microsoft has bundled Dotfuscator, a tool developed by PreEmptive Solutions, into the Community Edition (CE) of Visual Studio.NET 2003. There is a link under the Tools menu that launches Dotfuscator CE, as well as a shortcut from your Start menu. The first thing you'll notice is that it's a separate application, and not integrated into Visual Studio.NET. Understandably, PreEmptive Solutions would like you to buy their more full-featured Professional Edition; the Community Edition exists only to perform basic obfuscation and whet your appetite for more advanced capabilities.
The Dotfuscator CE IDE is fairly straightforward. You'll notice that many of the options are disabled and only accessible in the Standard or Professional editions. Dotfuscator uses XML configuration files to set up an obfuscation project from which you can operate on more than one assembly (which it calls a Trigger file). The simplest way to obfuscate an assembly is to add a path reference to it on the Trigger tab, set the destination directory on the Build tab, and click the Build button. Dotfuscator will run through all the methods and rename them, mostly to one-character names.
Figure 1 demonstrates an assembly opened in ILDASM before and after it has been obfuscated. The SuperSecretEncryption method has been renamed to simply "a", as have two other methods, and one has been renamed to "b". Anywhere that the SuperSecretEncryption method was referenced the casual observer will only find this simple one-character method call. This is a simple assembly, but you can imagine that a larger assembly with many more classes and methods would generate a very confusing mess of code once it has been obfuscated.
Figure 1A: Dotfuscator Community Edition takes your assemblies ...
Figure 1B: ... and renames the methods to confuse casual observers.
To be fair, Dotfuscator is not the only .NET obfuscation tool out there. There is also Spices.NET from 9rays.net and Demeanor from WiseOwl. There is even an open-source tool from Dan Appleman called QND-Obfuscator. I'm sure that others exist, but I will leave that research to you. It will definitely be worthwhile research if you distribute .NET assemblies to customers for a living.
Ken McNamee is a Senior Software Developer with Vertigo Software, Inc., a leading provider of software development and consulting services on the Microsoft platform. Prior to this, he led a team of developers in re-architecting the Home Shopping Network's e-commerce site, http://www.HSN.com, to 100% ASP.NET with C#. Readers can contact him at [email protected].
Demeanor for .NET, Enterprise Edition: http://www.wiseowl.com/products/DemeanorEnterprise.aspx