.Obfuscator

Ofcourse, de-compilers and code re-engineers are the most elegant names related to a Cracker. However, securing the software/website from a Cracker demands some tricky measures to protect the code. Well, it is from the code where it starts. Susceptable applications for cracking are those which are mostly composed of Intermediate Languages and the certainly .NET and JAVA falls in there, because of the IL feature which provides the same feature of ‘multi-languag-ability'(.NET only). The reason is that Intermediate code can be well read using a Dissassembler.

The Visual Studio pack has a disassembler with it. To access it, go to the Visual Studio Tools and choose the Command prompt. and type ildasm.exe

It will pop up a new window where you can add the .exe, .dll, module file etc. Choose the appropriate and it will show, a table hierarchy, which lists the different components, controls,classes etc. used for developing the application. As an example, the following is a sample code IL code shown by loading a ASP.NET dll(A published one.)


//The class component.

.class public auto ansi beforefieldinit _Default
 extends [System.Web]System.Web.UI.Page
 implements [System.Web]System.Web.SessionState.IRequiresSessionState
{
} // end of class _Default

//The page load method.

.method family hidebysig instance void  Page_Load(object sender,
 class [mscorlib]System.EventArgs e) cil managed
{
 // Code size       84 (0x54)
 .maxstack  3
 .locals init (string V_0,
 int32 V_1,
 class [System.Web]System.Web.UI.WebControls.Label V_2)
 IL_0000:  ldstr      "something"
 IL_0005:  stloc.0
 IL_0006:  ldc.i4.0
 IL_0007:  stloc.1
 IL_0008:  br.s       IL_004e
 IL_000a:  newobj     instance void [System.Web]System.Web.UI.WebControls.Label::.ctor()
 IL_000f:  stloc.2
 IL_0010:  ldarg.0
 IL_0011:  ldfld      class [System.Web]System.Web.UI.WebControls.Label _Default::NewLabel
 IL_0016:  ldloc.0
 IL_0017:  callvirt   instance void [System.Web]System.Web.UI.WebControls.Label::set_Text(string)
 IL_001c:  ldloc.2
 IL_001d:  ldstr      "Label"
 IL_0022:  ldloca.s   V_1
 IL_0024:  call       instance string [mscorlib]System.Int32::ToString()
 IL_0029:  call       string [mscorlib]System.String::Concat(string,
 string)
 IL_002e:  callvirt   instance void [System.Web]System.Web.UI.Control::set_ID(string)
 IL_0033:  ldloc.2
 IL_0034:  ldstr      "Label "
 IL_0039:  ldloca.s   V_1
 IL_003b:  call       instance string [mscorlib]System.Int32::ToString()
 IL_0040:  call       string [mscorlib]System.String::Concat(string,
 string)
 IL_0045:  callvirt   instance void [System.Web]System.Web.UI.WebControls.Label::set_Text(string)
 IL_004a:  ldloc.1
 IL_004b:  ldc.i4.1
 IL_004c:  add
 IL_004d:  stloc.1
 IL_004e:  ldloc.1
 IL_004f:  ldc.i4.s   10
 IL_0051:  blt.s      IL_000a
 IL_0053:  ret
} // end of method _Default::Page_Load

Check the above Intermediate Code, In the actual code I have initalized a string variable with a value ‘something’ this is revealed in the Intermiate code. However, the hardest challenge, is revalation of the actual code. This possible by using a Reflector. I have used the Red Gate’s .NET reflector to retrive the actual code. And it revealed my Page_Load event of the deault.aspx web page completely.

protected void Page_Load(object sender, EventArgs e)
{
 string str = "something";
 for (int i = 0; i < 10; i++)
 {
 Label label = new Label();
 this.NewLabel.Text = str;
 label.ID = "Label" + i.ToString();
 label.Text = "Label " + i.ToString();
 }
}

This is what the real challenge is, the code is completely readable and understandable and one can understand the underlying steps of what is happening. This is real issue, because, a modified dll, is a huge threat, for Instance, Considering an E-commerce website scenario where a web hacker can put his code component in between a code or make some modifications to code, to steal the credit card numbers of the web users.In such scenario’s the threat is so severe.

One of way to ensure the security is by using an obfuscator. The purpose of obfuscator is to change the code to an unreadable form. Using an obfuscator is a preventive measure to avoid a cracker to modify or to tamper the code. One of the major obfuscator for .NET is Dofuscator. The community edition of Dotfuscator is available for free with the Visual Studio. To obfuscate, Simply choose the binaries(.exe’s and dlls) and bulid it(Cntrl + B).

Renaming feature is one of the feature available in the community edition. Other features such as String Encryption, Control flow etc. are available in the PRO version only. This is the output of the obfuscated code generated by the Dotfuscator. This is the same Page_Load event, shown above. Note that the argurments names, and method names are changed.

protected void a(object A_0, EventArgs A_1)
{
 string str = "something";
 for (int i = 0; i < 10; i++)
 {
 Label label = new Label();
 this.a.Text = str;
 label.ID = "Label" + i.ToString();
 label.Text = "Label " + i.ToString();
 }
}
Unknown's avatar

Published by Tony Jose

I am a software engineer who is passionate about sharing my thoughts and ideas here. I was encouraged to blog by many fellow developers and by my mentors. You may notice that as years go by, my writing style, opinions of technologies, and coding styles have changed. I continue to evolve and try to learn and adapt to changes. I am incredibly thankful to all the great minds and programmers who gave me help and guidance to grow into what I am now. "If I have seen further it is by standing on the shoulders of Giants."

.NET, Security

, ,

Leave a comment

Blog at WordPress.com.

Up ↑