How to Obfuscate your code!
Posted: Fri Oct 30, 2020 2:12 pm
Anyone working with a .NET programming language (such as XSharp) should realize that the programming code is converted into so-called Intermediate Language (IL), which is the same for all .NET languages. This also means that with various decompilers such as ILSpy, almost the entire source code of the program can usually be opened from the .exe file which is generated by the compiler. See https://ilspy.net/ for the program. For the latest version 6x we are awaiting Fabrice's plugin, but for version 5 you can download the plugin from https://www.xsharp.eu/itm-downloads?fol ... %252FTools. It means that you can e.g. open an X#-created .exe file and see how the individual methods would look in C# (although sometimes a specific X# method or function shows unchanged, preceded by the X# DLL where it is from). And of course you can see how a method from a C# .exe would look in X#.
Programmers don't always realize that, or they don't care that this can be done. What I personally find particularly annoying is that if your program has access to external data, such as FTP sites or SQL databases, everyone can see which credentials you used to access these data. The same applies to algorithms to achieve security.
For those who find that a bothersome idea, there are tools that edit the .exe (or .dlls) in such a way that it is not possible, or very difficult, to open that data in this way. It is called obfuscation. I found one via CodeProject on GitHub that hasn't been maintained for years, but a well-maintained current fork turned out to be recently maintained. See https://github.com/mkaring/ConfuserEx
This one worked immediately, and exactly how this should be done is explained step by step in this website: https://www.codeproject.com/articles/11 ... g-or-rever
In short:
1 Start ConfuserEx
2 In tab Project: Open the project directory (e.g. … Release) under Base Directory and for Output Directory you can make it e.g. … ReleaseConfused
3 Click on the + at the right side of the screen and select your files to be obfuscated, e.g. your exe file
4 Go to the Settings Tab, click on the Plus (you can do it globally and/or on the file(s) you selected), double click on the Rules where it says true. The 2nd window opens, click here twice on plus to add these 2 rules (or more):
anti ildasm
anti tamper
5 Click the tab Protect! followed by the button Protect! and use obfuscated exe from the Output directory
You can run this exe instead of the compiler-generated exe. Open it in ILSpy and you will see the methods you used, but with the messages as in this image, instead of the source code, see the attached image. The .exe seems to work flawlessly to me, and was not bigger or slower as far as I could see.
I hope this helps some of you.
Dick
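A build-output check for the concern raised in the post above (credentials readable in the compiled .exe), added here as an example and not part of the original post or of ConfuserEx. It scans a file for UTF-16LE string literals, the encoding .NET uses for string constants in an assembly, and flags those that look like connection strings or URLs with an embedded login; the patterns, names and sample bytes are constructed assumptions.

```python
import re
import sys

# .NET string literals are stored as UTF-16LE: match runs of >= 6 printable chars.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Heuristic patterns (assumptions for this example; extend for your own code base).
PATTERNS = {
    "password in connection string": re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]+"),
    "user in connection string": re.compile(r"(?i)\b(user id|uid)\s*=\s*[^;]+"),
    "URL with embedded login": re.compile(r"(?i)\b(s?ftps?|https?)://[^/\s:@]+:[^/\s@]+@"),
}

def utf16_strings(data):
    """Yield (offset, text) for every printable UTF-16LE run in the raw bytes."""
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def find_credential_literals(data):
    """Return (offset, label, text) for each literal that looks like a credential."""
    return [(off, label, text)
            for off, text in utf16_strings(data)
            for label, pat in PATTERNS.items() if pat.search(text)]

# Constructed sample standing in for an assembly's string data (not a real file).
SAMPLE = b"MZ\x90\x00" + b"\x01".join(s.encode("utf-16-le") for s in (
    "Server=db.example.test;User Id=app;Password=Constructed-Pw-1;",
    "Hello from the sample app",
    "ftp://deploy:constructed-secret@ftp.example.test/out",
))

def main(argv):
    # With a path argument, audit that file; without one, audit the sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    findings = find_credential_literals(data)
    for off, label, text in findings:
        print(f"0x{off:08x}  {label}: {text[:60]}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against both the compiler-generated .exe and the file from the Output directory; a non-zero exit code means credential-like literals are still readable in that file.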