Sign in to follow this  
smc

Thoughts on obfuscation of managed languages

Recommended Posts

I was reading the details of the IOTD (nice app), and the person was considering releasing the project if they could find a good .Net obfuscater. Being a java programmer for some time I know of the reasons why people want to obfuscate their code. Over time most of the reasons I have used in the past have become mute points. This has nothing to do with the IOTD or his/her personal reasons to obfuscate. It simply made me think about my prior reasons to obfuscate and how they have changed over the years. I am also comming from a Java perspective. It is quite possible a obfuscated C# program is easier to get at an error. 1. Protect code from being readable when reverse engineered. If anyone has ever had to support a class/method/variable obfuscated java project then they know how hard it is to track a bug when they get a stack trace with something like this as the offending code. NullPointerException in: a.c.ff.m() Even method/variable obfuscation can become difficult. The only way around this is to make sure you have accounted for every possible error in your code, and you provide descriptive output into a error log. Every programmer makes sure they write descriptive error messages right! If someone wants to learn about a cool new algorithm you put in your code, then it does not matter if you compile it to machine language... they will figure it out. Only patents provide protection from algorithm theft. Even if you obfuscate all the way up to class level, the program can still be reverse engineered and recompiled. Changes may be harder, but not impossible. By using heavy obfuscation you usually increase the difficulty on the support end and on the hacking end. As a side note: I used Jad to reverse engineer a heavily obfuscated audio codec from IBM embedded in the Java Media API (No source available at the time). I then used this code for a personal project. 2. Reduce code size. This is the only reason I still use a obfuscater. Lately I have been obfuscating private classs functions/members, and some trivial classes. Any class and/or method level obfuscation, I make damm sure I have descriptive error log entries. If I can take my 10mb project down to 6mb and still retain a good level of error descriptiveness, then it is worth it. 3. Make it 'harder' to crack protection algos If people can crack software that requires a hardware dongle, they are going to crack your software protection scheme. In my opinion the only reason to obfuscate code is to reduce it's size.

Share this post


Link to post
Share on other sites
Quote:
Original post by smc
If anyone has ever had to support a class/method/variable obfuscated java project then they know how hard it is to track a bug when they get a stack trace with something like this as the offending code.

NullPointerException in: a.c.ff.m()

Even method/variable obfuscation can become difficult.

Any decent obfuscator can output a name mapping table to make stack traces debuggable. A few even offer integrated debugging (IMHO unnecessary, but a cool feature).

Share this post


Link to post
Share on other sites
Quote:
Original post by Sneftel
Quote:
Original post by smc
If anyone has ever had to support a class/method/variable obfuscated java project then they know how hard it is to track a bug when they get a stack trace with something like this as the offending code.

NullPointerException in: a.c.ff.m()

Even method/variable obfuscation can become difficult.

Any decent obfuscator can output a name mapping table to make stack traces debuggable. A few even offer integrated debugging (IMHO unnecessary, but a cool feature).


I forgot about that. I am still using a command line obfuscator (retroguard) that does output the mapping to a text file. I guess it would not be to much more work to just scan through this file to find the mapping.

This was a quick write up. I should have thought about it a bit more before posting. Mainly I just don't see code protection as being a valid reason for obfuscation.

Share this post


Link to post
Share on other sites
If not for code protection, what is obfuscation really good for? I can't exactly buy into the size reduction idea, as I've never had any results like you state.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this