Using Dotfuscator to protect your .NET applications

Posted by: Suprotim Agarwal , on 5/11/2010, in Category .NET Framework
Abstract: This article demonstrates how to use Dotfuscator, which ships free with Visual Studio 2010, to protect .NET assemblies and make reverse engineering more difficult.
I have often been asked questions by my readers: How do I obfuscate my application? How do I protect my assemblies from being disassembled? How do I stop my code from being reverse engineered? And so on.
The answer to all these questions is Obfuscation. One thing to remember is that Obfuscation does not guarantee that your code cannot be reverse engineered. It makes the process of reverse engineering harder.
Note: There are a couple of free and paid obfuscator tools in the market. How efficient an Obfuscator tool is, also depends on the complexity of your code. Before investing money in such a tool, make sure you invest time in trying out these products and test their efficiency.
Dotfuscator is a third-party tool from PreEmptive Solutions, shipped free with Visual Studio 2010, that obfuscates .NET applications. To use this tool, launch Visual Studio 2010 and go to Tools > Dotfuscator Software Services.
If you are using this tool for the first time, you will be presented with a License agreement. After accepting the license agreement, you can also register this product to get access to free updates and online support.
On the Dotfuscator UI, right-click the project, click ‘Add Assemblies’ and add an assembly of the project you have created.
[Screenshot: Dotfuscator UI]
Note: If you observe, options like Control Flow, String Encryption, Removal, Linking and PreMark are grayed out. That is because they are available in the Professional edition. The Instrumentation option is available but you have to manually enable it.
Once the assembly is selected, hit ‘Ctrl + B’ or go to Build > Build Project.
Click on the Results tab and expand the root tree and the sub-trees. The blue diamond-shaped icons indicate renamed methods and fields.
[Screenshot: renamed methods and fields in the Results tab]
Once the obfuscation process is completed, you can examine the obfuscated assembly using ILDASM. ILDASM is a disassembler utility which comes with the .NET Framework SDK and allows you to disassemble .NET assemblies into IL Assembly Language statements. To start ILDASM, go to the Visual Studio Command Prompt and type ildasm. Then select the assembly to browse. Here’s a comparison of the same assembly, before obfuscation and after obfuscation:
[Screenshot: the assembly in ILDASM before and after obfuscation]
Note: The obfuscated assembly is created in the Dotfuscated folder.
Observe how the method and property names are obfuscated. The obfuscated version makes it difficult to understand what a method or property is doing. You can even open a method to view the IL code. Here’s a comparison of the IL before and after the obfuscation:
[Screenshot: IL comparison before and after obfuscation]
As you can observe, Dotfuscator renamed the methods and properties and made it difficult to find out the purpose of each method using a disassembler. You can also explore the different Configuration Options to control the renaming of members or to exclude members you do not want to obfuscate. 
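Why excluding members matters, as an added example that is not code from the article or from Dotfuscator: renaming breaks any member that is looked up by its string name at run time. The type and method names are constructed, and the sketch assumes the obfuscator in use is configured to honor the standard System.Reflection.ObfuscationAttribute.

```csharp
using System;
using System.Reflection;

namespace ObfuscationDemo
{
    // Constructed sample type, not from the article.
    public class ReportPlugin
    {
        // Resolved by its string name in Main, so it must keep that name.
        // ObfuscationAttribute is the standard .NET marker for this.
        [Obfuscation(Exclude = true)]
        public string Render(string title)
        {
            return FormatHeader(title);
        }

        // Reached only through a direct call: safe to rename.
        private string FormatHeader(string title)
        {
            return "== " + title + " ==";
        }
    }

    public static class Program
    {
        public static int Main()
        {
            Type type = typeof(ReportPlugin);

            // Names that survive in metadata; run against the obfuscated build
            // to confirm private helpers were renamed and Render was not.
            const BindingFlags declared = BindingFlags.Instance | BindingFlags.Public |
                                          BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
            foreach (MethodInfo method in type.GetMethods(declared))
                Console.WriteLine("method in metadata: " + method.Name);

            // Late-bound lookup, the way plug-in loaders and serializers work.
            MethodInfo render = type.GetMethod("Render");
            if (render == null)
            {
                Console.Error.WriteLine("Render was renamed; name-based lookup is broken.");
                return 1;
            }

            object plugin = Activator.CreateInstance(type);
            Console.WriteLine(render.Invoke(plugin, new object[] { "Quarterly" }));
            return 0;
        }
    }
}
```

Build it, obfuscate it, and run both binaries: a non-zero exit code from the obfuscated build means a name-based lookup no longer resolves and the member needs an exclusion.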
I hope this article was useful and I thank you for viewing it.

This article has been editorially reviewed by Suprotim Agarwal.

Author
Suprotim Agarwal, MCSD, MCAD, MCDBA, MCSE, is the founder of DotNetCurry, DNC Magazine for Developers, SQLServerCurry and DevCurry. He has also authored a couple of books 51 Recipes using jQuery with ASP.NET Controls and The Absolutely Awesome jQuery CookBook.

Suprotim has received the prestigious Microsoft MVP award for Sixteen consecutive years. In a professional capacity, he is the CEO of A2Z Knowledge Visuals Pvt Ltd, a digital group that offers Digital Marketing and Branding services to businesses, both in a start-up and enterprise environment.

Feedback - Leave us some adulation, criticism and everything in between!
Comment posted by sebastian on Tuesday, May 11, 2010 1:23 PM
This is a good intro to obfuscation in vs2010 - but the really ground-breaking aspect of the Community Edition (CE) in VS2010 is the instrumentation, tamper, and shelf life functionality (this is all new in vs2010 versus vs2003-vs2008 where CE can also be found). For a MSFT video tutorial on the new functionality, visit http://msdn.microsoft.com/en-us/vbasic/ff608195.aspx
Comment posted by Martin Mararikulam on Friday, May 14, 2010 3:57 AM
How can I protect my asp.net website project? (not web application) Could you please provide a detailed answer?
Comment posted by roei bar on Saturday, May 15, 2010 10:56 AM
This is a nice article, only problem with obfuscation is that it's meant to be broken.
Once you try to protect something, you will just make somebody angry enough to build the deobfuscation tool.
Sometimes the best defence is a weak defence, one such that won't be believed to protect a good app.
About ASP.Net website, there are many ways to defend it, you can read this amazing article on how to

http://en.csharp-online.net/ASP.NET_Security_Hacks

you can use antiXSS library to secure client calls to your server.
and many more.
Comment posted by Brandon Zandec on Tuesday, May 18, 2010 12:19 PM
Nice article! I completely agree when you say "How efficient an Obfuscator tool is, also depends on the complexity of your code. Before investing money in such a tool, make sure you invest time in trying out these products and test their efficiency". I will try Dotfuscator this weekend and share my thoughts here.
Comment posted by Amy Nai on Thursday, May 20, 2010 10:34 PM
I had no idea such a product exists, thanks for the intro.
Comment posted by Pushkar on Wednesday, February 2, 2011 3:32 AM
Hello Big-Brother !!
Thanks for posting nice articles and double thanks for ASP.Net security article.

I completely agree with you for third party <paid> tool "Dotfuscator" but can you assist us for <free> "Eazfuscator.NET" [http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx] tool ?
Comment posted by Swapna on Friday, September 9, 2011 6:58 AM
Hi.... Can anybody tell me, "How to write our own obfuscation module?". I am interested to write my own obfuscation logic, but, no idea where to start.
Comment posted by dmitriy on Saturday, March 17, 2012 5:12 AM
You can try ILProtector. In this case level of code protection increases manyfold compared to obfuscation.
http://www.vgrsoft.com/en/products/ilp
Comment posted by LogicNP on Tuesday, July 31, 2012 3:06 AM
Good info. Another product which does this (and lots more) is Crypto Obfuscator ( http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm )- it has advanced obfuscations like Method Encryption (hides MSIL code in your methods), string/constant encryption, etc