obfuscator
s .iothe obfuscation resource
Overview
A compiled .NET assembly contains
Intermediate Language (CIL) instructions, resources and metadata
describing the types, methods, properties, fields and events in the
assembly. This metadata makes it possible to understand the assembly
structure and the method instructions. This way decompiler like ILSpy are
able to generate high level code which looks similar to the original
source code.
Obfuscation is the process of modifying an assembly (especially the
metadata) in a way that extracted information are harder to understand. At
the same time the original program output should not be affected. There
are several techniques that can be used which are described below.
The list below includes most of the solutions available in market today
and should be up to date. However, this list doesn't claim to be complete
or correct. Furthermore not all possible techniques are covered. As
always, do your own research, testing and validation. The list is followed
by a brief explanation of some features on which the comparison
is based on.
Comparison
Name |
Price |
Last Release |
Name Obfuscation |
Tamper Defense |
Anti Decompiler |
String Encryption |
Control Flow Obfuscation |
Method Call Redirection |
Compression |
Code Encryption |
Code Virtualization |
Resource Encryption |
Debug Symbols |
Assembly Merging |
Assembly Embedding |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| .NET Reactor | 199$ - 299$ | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Agile.NET | 795$ - 990$ | 2019 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Appfuscator | 520$ /year | 2017 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Babel Obfuscator | 245$ - 1250$ | 2021 |
|
|
|
|
|
|
|
? | ? |
|
|
|
|
|
| ConfuserEx | Free | 2016 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Crypto Obfuscator | 399$ - 559$ | 2019 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Dotfuscator Community | Free | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Dotfuscator Professional | 1495$ - ? | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| DotNet Patcher | Free | 2019 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Eazfuscator.NET | 399$ - 1699$ | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| ILProtector | 149$ - 499$ | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NETGuard.io | 550$ /year | ? |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Obfuscar | Free | 2019 |
|
|
? | ? |
|
|
|
|
|
|
|
|
|
|
| SeeUnsharp | 332$ - 616$ | ? |
|
|
|
|
|
|
|
|
|
|
|
|
? | |
| Skater | 299$ - 1709$ | 2021 |
|
|
? |
|
|
|
|
|
|
|
|
|
|
|
| Smart Assembly | 1050$ - ? | 2021 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Spices | 610$ - 4300$ | 2021 |
|
|
|
|
|
? |
|
|
|
|
|
|
|
Techniques
Name Obfuscation
String Encryption
Control Flow Obfuscation
Method Call Redirection
Code Encryption
Code Virtualization
Symbol files
Name Obfuscation
Name obfuscation changes the name of types and members. Name obfuscation makes the decompiled source harder to understand but the overall flow of the code is not obscured. The new names can follow different schemes like "a", "b", "c", or numbers, characters from non-Latin scripts, unprintable characters or invisible characters. Names may be used multiple times in a scope by using overloading. While proper names are technically not required to execute the assembly, the resulting assembly would be unverifiable.
Name obfuscation is the most basic technique that is used by every .NET obfuscator solution.
String Encryption
In a managed assembly all strings are clearly identifiable and readable. Even when methods are renamed, strings used in a method may give clues about the purpose of the method. This includes messages (especially error messages) that are displayed to the user. Those strings can be tracked down to the code that uses them. String encryption works by modifying all strings in the assembly and restore their original value at runtime. Since the string data must be restored automatically at runtime, usually without the user providing a decryption key, the data cannot actually be encrypted but only encoded. The algorithm that decodes the data is always included in the obfuscated assembly. This process may affect the runtime performance of the program, either once at startup or for every string usage.
Control Flow Obfuscation
Control flow obfuscation is about modifying the program so that it yields the same result when run, but is impossible to decompile into a well-structured source code and is more difficult to understand. Most code obfuscators would replace CIL instructions produced by a .NET compiler with gotos and other instructions that may not be decompiled into a valid source code. This process may affect the runtime performance of a method.
Method Call Redirection
The way CIL instructions work references to external types and methods are clearly visible and will be unaffected by name obfuscation and control flow obfuscation. Even without reasonable names, the fact that a method makes use of certain framework classes like I/O, networking or cryptography can draw attention to it. Calls to suspicious methods can be redirected through a generated method that only wraps the original call. This wrapper method can be renamed and the called method's name will no longer appear in the obfuscated method body. The Just-In-Time compiler (JIT) will normally inline such short wrapper methods so that it does not affect runtime performance.
Code Encryption
Code encryption protects the CIL instructions by encrypting them and stripping the original instructions from the assembly. The encrypted instructions are kept in a separate storage. When the assembly is loaded a native runtime executive assumes control of portions of the .NET runtime and manages decrypting the CIL as needed. If the native code is involved, the application may not run on different platforms anymore.
Code Virtualization
Code virtualization converts the CIL code into virtual opcodes that will only be understood by a secure virtual machine. As opposed to protecting CIL code through encryption where the encrypted code must be decrypted back into CIL before it can be executed by the CLR, code virtualization uses a virtual machine which directly processes the protected code in the form of a virtual machine language. Code virtualization feature is by far the strongest protection method available in code protection arena today as it implements a one-way code transformation. The code is never translated back to its original form, instead, the virtual machine emulates the original code behavior. Code virtualization can significantly degrade performance and make debugging very difficult.
Symbol files
Symbol files are .pdb files for Visual Studio applications that show how the compiler converted source code into machine code. They contain mappings from CIL elements and method body offsets to the original source code files. These symbol files are required to use a debugger on the assembly. The obfuscated assembly is a modified version of the original assembly and the original assembly's symbol files do not match the obfuscated one. The obfuscator software must, therefore, write the corresponding debug symbols for the obfuscated assembly. This file should not be deployed with the application (as it would defeat the purpose of obfuscation) but it can be used by the developer to analyze issues in the obfuscated assembly.
Name obfuscation changes the name of types and members. Name obfuscation makes the decompiled source harder to understand but the overall flow of the code is not obscured. The new names can follow different schemes like "a", "b", "c", or numbers, characters from non-Latin scripts, unprintable characters or invisible characters. Names may be used multiple times in a scope by using overloading. While proper names are technically not required to execute the assembly, the resulting assembly would be unverifiable.
Name obfuscation is the most basic technique that is used by every .NET obfuscator solution.
String Encryption
In a managed assembly all strings are clearly identifiable and readable. Even when methods are renamed, strings used in a method may give clues about the purpose of the method. This includes messages (especially error messages) that are displayed to the user. Those strings can be tracked down to the code that uses them. String encryption works by modifying all strings in the assembly and restore their original value at runtime. Since the string data must be restored automatically at runtime, usually without the user providing a decryption key, the data cannot actually be encrypted but only encoded. The algorithm that decodes the data is always included in the obfuscated assembly. This process may affect the runtime performance of the program, either once at startup or for every string usage.
Control Flow Obfuscation
Control flow obfuscation is about modifying the program so that it yields the same result when run, but is impossible to decompile into a well-structured source code and is more difficult to understand. Most code obfuscators would replace CIL instructions produced by a .NET compiler with gotos and other instructions that may not be decompiled into a valid source code. This process may affect the runtime performance of a method.
Method Call Redirection
The way CIL instructions work references to external types and methods are clearly visible and will be unaffected by name obfuscation and control flow obfuscation. Even without reasonable names, the fact that a method makes use of certain framework classes like I/O, networking or cryptography can draw attention to it. Calls to suspicious methods can be redirected through a generated method that only wraps the original call. This wrapper method can be renamed and the called method's name will no longer appear in the obfuscated method body. The Just-In-Time compiler (JIT) will normally inline such short wrapper methods so that it does not affect runtime performance.
Code Encryption
Code encryption protects the CIL instructions by encrypting them and stripping the original instructions from the assembly. The encrypted instructions are kept in a separate storage. When the assembly is loaded a native runtime executive assumes control of portions of the .NET runtime and manages decrypting the CIL as needed. If the native code is involved, the application may not run on different platforms anymore.
Code Virtualization
Code virtualization converts the CIL code into virtual opcodes that will only be understood by a secure virtual machine. As opposed to protecting CIL code through encryption where the encrypted code must be decrypted back into CIL before it can be executed by the CLR, code virtualization uses a virtual machine which directly processes the protected code in the form of a virtual machine language. Code virtualization feature is by far the strongest protection method available in code protection arena today as it implements a one-way code transformation. The code is never translated back to its original form, instead, the virtual machine emulates the original code behavior. Code virtualization can significantly degrade performance and make debugging very difficult.
Symbol files
Symbol files are .pdb files for Visual Studio applications that show how the compiler converted source code into machine code. They contain mappings from CIL elements and method body offsets to the original source code files. These symbol files are required to use a debugger on the assembly. The obfuscated assembly is a modified version of the original assembly and the original assembly's symbol files do not match the obfuscated one. The obfuscator software must, therefore, write the corresponding debug symbols for the obfuscated assembly. This file should not be deployed with the application (as it would defeat the purpose of obfuscation) but it can be used by the developer to analyze issues in the obfuscated assembly.
About This Site
This website is still under construction. When finished it will contain resources and online obfuscation tools for various languages (JavaScript, PHP...) and runtimes (.NET, Java...). Currently there is only a comparison list for .NET.