How good is Dotfuscator Community Edition? What is “good enough obfuscator”? [closed]

Answer 1

I think Dotfuscator Community Edition shipped with Visual Studio is quite a naive solution. It provides only symbol renaming and does not obfuscate control flow at all. And if someone decides to stole your code it will only need to refactor back all names, which is quite easy with small amount of classes.

Also you can rely on not so perfect decompilation provided by Reflector (it usually messes switch blocks, makes lots of gotos, mismatch if-else blocks, etc.).

But I suggest you try Eziriz .NET Reactor. It costs only $179 (AFAIK best price/features ratio). It provides standard obfuscation techniques such as symbol renaming, string encryption, control flow obfuscation. As a good bonus it creates native launcher for you app, which will contain your main assembly and all third party references encrypted and loaded on demand. Plus it provides some licensing capabilities.

Anyway reversing .NET application is not so hard, I did it for fun and can say that it's only matter of time and money (and of course common sense) how fast your application will be cracked or reversed.

Answer 2

Another way to get around reverse engineering code is where you place your dll's if you cannot really afford obfuscators which do add support. And in your assembies before deployment tell the compiler where to look for them which was an old practice to hinder reverse engineering. But like it was already said, concentrate mostly on developing an excellent product and good coding practices, then you will be able to afford a nice obfuscator application in the future. Also, try not to worry to much about others cracking your code because most hackers crack code just find a way to use the product without paying for it and not to steal code or to learn from for beginning programmer. Yeah, I wish JIT only supported c# and vb.net which would have really cut down on reverse engineering but since jit can read many due to .net being really language friendly that is the price. So code away and make some money, buy some additional securities.

Answer 3

In a nutshell, the main difference between Dotfuscator Community Edition and the other "professional" editions is that Community Edition will only really obfuscate and change your namespaces, method names, and other "public" accessible aspects of your classes. It won't delve into the functions themselves and obfuscate the "private" code within the function.

Also, the Community Edition doesn't do anything to obfuscate such things as control flow within your application, nor will it "combine" code from multiple assemblies into one assembly. These are features that are available within the "professional" paid-for versions.

The best comparison between the Community Edition (the "free" version that comes with Visual Studio) and the "professional", paid-for editions can be found by looking at the following two links:

Preemptive Dotfuscator Editions Comparison

Dotfuscator Community Edition 3.0 on MSDN

The MSDN link is slightly out of date, however, gives a much better explanation of the actual features that are available within the various editions of Dotfuscator.

EDIT:

Commercial obfuscators do cost a lot of money, and as to wether they are worth the money? Well, that's a judgement call that really only you can make. Personally, I would say that it isn't worth it in your scenario. Firstly, because you're only wanting to protect one application ("I plan to release one small, low priced utility.") and secondly, you say that you're not overly concerned with the application being "cracked" ("I'm not very afraid of my application being cracked.").

I understand how it can bug you that compiled .NET applications, without any obfuscation, can be easily reverse engineered to their original source code, and that someone may make use of this to steal your software and sell it as their own, however, the fact remains that software piracy does exist and you will probably never stop it.

Trying to stop software piracy has been debated ad-nausem both on here (Stack Overflow) and all over the internet.

The general consensus seems to be that you need to focus your time and energies more on making your product as great as it can be rather than using this same time trying to protect something that, given enough time/money, an "attacker" can "crack"/steal your software anyway, despite your best efforts to prevent him from doing so.

Does this happens a lot?

I would say that it probably happens a lot less than you think it does. Sure, software gets cracked, but I don't think too many people actually steal other's source code and completely re-brand it to sell as their own. I'm not saying it doesn't, or hasn't happened, but it's certainly not a common occurrence.

To summarise, I'd say that your best bet would be to focus on making your utility as great as it can be and use the free Dotfuscator obfuscator, since it requires very little investment of time/money, to obfuscate your code from the most obvious prying eyes, but don't lose any sleep over the fact that if someone wants to crack/steal your product/code badly enough, they will do.

Answer 4

At a minimum, an obfuscator should have:

1. String encryption
2. Symbol renaming
3. Control flow obfuscation

Good to have features are:

1. Resource protection
2. Assembly merging/embedding
3. External method call hiding
4. Ability to auto-sign obfuscated assemblies
5. Support for satellite assemblies
6. Dead-code elimination
7. Meta-data reduction
8. Anti-decompiler (Reflector)
9. Anti-tamper
10. Anti-Debugging

Take a look at our Crypto Obfuscator product which supports all of these.