Should you obfuscate a commercial .Net application?

Question

I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe

Answer 1

I am very confortable reading x86 assembly code, what about people that is working with assembly for more than 20 years ?

You will always find someone that only need a minute to see what your c# or c code is doing...

Answer 2

Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.

If you have secrets in your code (like passwords), you're doing it wrong.

If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.

Answer 3

The fact that you actually can reverse engineer it does not make obfuscation useless. It does raise the bar significantly.

An unobfuscated .NET assembly will show you all the source, highlighted and all just by downloading the .NET Reflector. Add obfuscation to that and you'll reduce very significatively the amount of people who'll be able to modify the code.

It depends on you are you protecting yourself from. If you'll ship it unobfuscated, you might as well open source the application and benefit from marketing. Shipping it obfuscated will only allow people to relatively easily generate modified binaries through patches instead of being able to steal your code and create a direct competitor. Getting the actual source from obfuscated code is very hard, depending on the obfuscator, of course.

Answer 4

...snip... these messages can become much more difficult to interpret

Yes, but the free community edition that comes with Visual Studio has a map functionality. With that you can back track the obfuscated method names to the original names.

Answer 5

It's quite simple to reverse engineer a .net app using .net reflector - since the app will generate VB, VC and C# code straight from the MSIL, and it's possible to pull out all kinds of useful gems.

Code obfuscators hide code quite well from most reverse engineering hacks, and would be a good idea to use on proprietary and competitive code that adds value to your app.

There's a pretty good article on obfuscation and it's workings here

Answer 6

Just a note to anyone else reading this years later - I just skimmed through the Dotfuscator Community Edition (that comes with VS2008) license a few hours ago, and I believe that you cannot use this version to distribute a commercial product, or to obfuscate code from a project that involves any developers other than yourself. So for commercial app developers, it's really just a trial version.