What do you use to protect your .NET code from reverse engineering? [closed]

问题

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.

Closed 7 years ago.

For a while we were using a tool called CodeVeil. I'm just wondering if there are better alternatives out there.

Edit: Before more people misunderstand the question, I'm aware that a determined cracker would probably be able to defeat any of these tools. I'm not too concerned about them though. These tools are just meant to stop the "casual cracker", and to stop people from stealing our company's IP. If they're good enough to get past a decent tool, they probably aren't interested in stealing our crappy code :-P

回答1:

I've had a lot of success with Xenocode Postbuild. The tool can obfuscate .NET assemblies, protect agaist Reflector disassembly, combine .NET assemblies into a single executable ("virtualization") and even compile .NET applications to standalone executables that do not need .NET runtime installed.

回答2:

I remain unconvinced by the value of these tools. None of the technology solutions prevent reverse engineering any better than legal guards such as licences, trademarks, patents, copyrights etc...

.NET really is large transparent source movement. It's much better that instead you frame terms of use around your IP such as licencing and copyright.

回答3:

Compiling your .NET application results in output assemblies that contain a great deal of meta information. This information makes it very easy to reconstruct something very close to the original code. An excellent free tool called .NET Reflector can be used to do exactly that and is a popular way to examine how the base class libraries work. Download and use that tool to view reconstructed C#/VB.NET versions of assembly contents.

If you're a commerical organization then you do not want people to find it easy to look at your expensive to produce code. A popular method is to use Obfuscation to scramble the contents in a way that does not alter how it runs but does make it hard to understand. Obfuscation uses techniques such as renaming variables and methods. Working out the purpose of methods 'a1', 'a2', 'a3' is much harder than the original 'GetName', 'UpdateInterestRate' and 'SetNewPassword'.

So using obfuscation makes it much harder for people to understand what you code is doing and the algorithms it uses. It does not however make it impossible. In the same way C++ code can still be understood by an assembler expert who is willing to spent time working through your binary, an MSIL expert can eventually work out your obfuscated code. But it increases the barrier to the point where few will bother trying.

回答4:

Honestly, there isn't a lot you can do besides some obfuscation with tools like you mentioned. .NET is just a step above scripting languages, except the script commands are binary and are called IL. That's a little over simplification, but it's not too far off reality. Any good program written using Reflection can be used to reverse engineer .NET applications, or if you have enough knowledge, a good hex editor.

回答5:

There are several popular tools for obfuscation, including Dotfuscation, which has a "light" version that ships with Visual Studio 2005 and 2008. They have a Pro version that does more than just variable and function name renaming. However, the code is still viewable, it is just scrambled a bit to make it harder to read and grok the logic flow of the software.

Another technique is to use other programs that will encrypt the program, and decrypt it at runtime. However, this is not a perfect solution either. In fact, there is no perfect solution that I am aware of that will prevent a determined engineer from reverse engineering the software, if enough time and effort is applied to it.

What it really comes down to is determining the level of protection that will make it sufficiently difficult to dissuade the casual hacker, and make it as expensive to reverse engineer as you can, so at least the reverse engineering comes at a cost in either time or money, or ideally, both. The more expensive the reverse engineering costs, the fewer number of individuals that will be willing to put in the effort. And that is the big point to obfuscation.

Some think that using a compiler like the C++ compiler that compiles to native code will prevent this sort of reverse engineering, but it doesn't. A good disassembler will allow even pure binary executables to be reverse engineered, so therefore, a perfect solution does not exist. If the computer can read it and execute it, then the memory the computer is using can be scanned and tracked, bypassing all attempts to encrypt, obfuscate, or any other means of keeping your code out of the hands of a determined engineer.

回答6:

Sorry to resurrect an old post, but I think Eziriz's .NET Reactor works brilliantly.

In fact I use it myself for all my .net apps and apparently there is no existing tool out there that can decompile a program protected with .net reactor. More details can be found on there info page, http://www.eziriz.com/dotnet_reactor.htm. Test it out with the trial version and .net reflector and you can see for yourself.

回答7:

DISCLAIMER: I don't work for RedGate the makers of SmartAssembly. I'm just a very happy customer who found a good, affordable solution.

The choice is very simple, choose SmartAssembly! Don't waste your time or money with the other obfuscators in the marketplace. I spent more money in terms of non-billable hours evaluating competing products. They all had fatal flaws and were next to impossible to debug. SmartAssembly is an easy-to-use, well documented, polished application with excellent support. Post a question on their forum and expect an answer reasonably fast by the actual developers.

SmartAssembly is more than an obsfuscator. It has a slew of features, including a built-in, highly customizable crash report generator that your customers can automatically email to you. You can view these reports on either your own server or on red-gates servers. I can't tell you how useful this is when you're beta testing or releasing the product to customers. It also generates debugger files so you can debug any post-release issues you may encounter with your obsfucated product.

If you are delivering a commercial application, it makes sense to spend the money on a decent obsfuscator. A bad choice here can compromise your intellectual property or worse lead you to days of gruesome debugging. What would this cost in comparison to what SmartAssembly costs?

回答8:

I've heard that Obfusticator is good; it's used on .Net Reflector.

回答9:

Another is Crypto Obfuscator - its more affordable than some others, and has various obfuscation and protection methods to hinder the causal and not-so-casual hackers.

来源：https://stackoverflow.com/questions/106794/what-do-you-use-to-protect-your-net-code-from-reverse-engineering