
I am planning on using Smart Assembly 7+ for obfuscating my .NET C# library. But when I looked through some forums, I found that there are even programs to deobfuscate DLLs protected with Smart Assembly, particularly programs like de4dot.

So I tried to deobfuscate my program using de4dot, and I got most of my logic decompiled successfully to my surprise. But thankfully the strings were not decompiled.

They were in the form of `Class24.getString_0(5050)`.

If the strings cannot be decompiled properly by any deobfuscator, then it is enough to protect my core logic. But I am paranoid that maybe I did not use the deobfuscator properly and there are ways to deobfuscate even the strings (but I tried running the deobfuscator commands for strings, as stated in the repo wiki).

Basically my question is: can I be certain that strings obfuscated by SmartAssembly cannot be decompiled by any deobfuscator program on the market?

Also, any good suggestions for obfuscating .NET libraries are welcome.

Thank You All!

TheLastStark
  • Even if no existing tool can deobfuscate your code, it will have to execute to be meaningful at some point. And if that's on a machine that's not under your control, then they can just debug it (either using "proper" debugging mechanisms or something more covert like running it in a VM). Don't depend on secret strings embedded in binaries shipped to your customers to remain unknown to them, that's not going to work very well. – Joachim Sauer Aug 29 '20 at 09:19
  • Hi, thanks for the reply. So basically there is no way to protect programs against decompiling? I shouldn't even try? – TheLastStark Aug 29 '20 at 09:20
  • It depends. What are you trying to achieve with obfuscation? There are *some* goals where it's useful (mostly if you don't require 100% security). For something like keeping an encryption key secret it's a terrible tool (if you need it to remain secret, don't send it to others, even in an obfuscated form). – Joachim Sauer Aug 29 '20 at 09:22
  • The closest analogy I can think of is a fence: It's not a great physical barrier and it won't stop anyone with intent and criminal energy, but it might keep random people from walking through your garden. Just don't think of it as a bomb-proof shelter. – Joachim Sauer Aug 29 '20 at 09:24
  • Good one! Understood. I always think about that when I lock the gates at night too, why even do this, anyone can jump over but I lock it nonetheless. Thank you very much for your time and help! – TheLastStark Aug 29 '20 at 09:26

1 Answer

In order for your code to run, the computer must understand it. There is no way around that. If the CLR can understand your code, there is no reason that a de-obfuscator cannot understand your code either.

Plus, computers are much stupider than humans. If a computer can understand your code, then a human definitely can.

The typical approaches to protecting your code are:

  • Don't give the customers your code. Run it on your own computer and give them access to it. (That's the "Google approach".)

  • Give the customers a computer that you control 100% with your code pre-installed. (That's the "PlayStation approach".)

  • Don't do business with criminals. Copying your code is illegal pretty much everywhere. Circumventing protections in your code is illegal in several countries, including some of the biggest markets (e.g. the US). Reverse engineering your code may be legal, but only under very strict circumstances. (E.g. in the EU, reverse engineering is only legal for purposes of interoperability, and only if you refuse to make the information required for interoperability available under reasonable and non-discriminatory terms.)

  • Offer your customers extra services that your competitors, even if they were stealing your code, don't or cannot offer. For a lot of companies, the mere fact of "having someone they can sue" is already reason enough to buy the original software from the original vendor. Criminals are lazy, that's why they are criminals. They will never understand the problem domain as deeply as you do, simply because they are too lazy to put in the work, so they will never be able to provide enhancements, consulting, support, or bug fixes as well, as fast, and as precise as you can.

Jörg W Mittag
  • Note: the comments about criminals are obviously using the rhetorical device of *hyperbole* to make a point. Please don't take them at face value. I do not believe, for example, that people who resist fascist governments are lazy. – Jörg W Mittag Aug 29 '20 at 12:24
  • Apologies for the delay Jörg – TheLastStark Feb 03 '21 at 08:17
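
The point made in the answer and in the comments above (the program must be able to read its own strings, so the means to recover them ship with it) can be seen in a toy model. This is an added example, not code from the original posts and not SmartAssembly's actual scheme; the `StringTable` class, the one-byte XOR key and the sample strings are all constructed for illustration.

```csharp
using System;
using System.Text;

// Toy stand-in for an obfuscator's string table (hypothetical, constructed here).
static class StringTable
{
    // Assumed one-byte XOR key. Real products use stronger schemes, but the key,
    // or the routine that derives it, still has to ship inside the assembly.
    private const byte Key = 0x5A;

    // Encode() stands in for the obfuscator's build step; in a shipped DLL
    // only the encoded bytes would be present. Sample values are constructed.
    private static readonly byte[][] Blobs =
    {
        Encode("Server=db.example.invalid;User=app"),
        Encode("license-check-v2"),
    };

    private static byte[] Encode(string s)
    {
        byte[] raw = Encoding.UTF8.GetBytes(s);
        for (int i = 0; i < raw.Length; i++) raw[i] ^= Key;
        return raw;
    }

    public static int Count => Blobs.Length;

    // Same call shape as the decompiled output in the question:
    // an integer goes in, the plaintext string comes out.
    public static string GetString(int index)
    {
        byte[] raw = (byte[])Blobs[index].Clone();
        for (int i = 0; i < raw.Length; i++) raw[i] ^= Key;
        return Encoding.UTF8.GetString(raw);
    }
}

static class Program
{
    static void Main()
    {
        // A decompiler may show only GetString(n), but the runtime has to
        // resolve that call, so the decoder and its data are both in the file.
        for (int i = 0; i < StringTable.Count; i++)
            Console.WriteLine($"{i}: {StringTable.GetString(i)}");
    }
}
```

Anything that must stay secret, such as a connection string or key, belongs on a machine you control rather than in the table.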