I played with this today and made a nice little info HTML if anyone might be interested.

.NET apps can't really be "protected" perse'.

This is a small reversing of the Salamander .NET obfuscator, it has an anti-ILDASM feature, so I wanted to learn how it crashes ILDASM. Here's what I found. This may have been found before somewhere out there on the net but we don't have much .NET info here so I decided to post it.

This is good old hand reversing.

Also, for .NET 2 good books to grab are:

SAMS - .NET Common Language Runtime Unleashed
MSPress - Inside Microsoft .NET IL Assembler

These two books will be invaluable for RCE'er's of the future..you can find both of these on the web if you look hard enough (emule).

Also, these protector authors are high on crack, the other day (last week) Their price was $799 for 1-5 devs, now I see it's $1399. Who the heck is going to pay that I don't know..

-nt20

M-m-m. Question. It is just that trivial? Only header modification? Does it add something other? Does it obscure .NET asm?

No, the obfuscator screws the header like above, then it also randomizes any object strings. For example, a Form's name would go from something like "MyForm1" to "A", which would make no contextual sense then to anyone reverse engineering the program.

The real problem is that you must leave all system object references in place, or the program just won't run. For example, you can't rename the string "System.Windows.Forms.Form". So even though the form name is changed, you still know it's a form ! Because the disasm will still show it inherits from a Form !

Mind you, I am talking simply about the obfuscator, not the "protector". The protector converts the IL code to machine code (which the JIT compiler does normally anyway), to help "hide" what's going on from any .NET disams. Of course once it does this it's open to normal disasms !

I still think this tool is somewhat pointless because .NET SDK comes with a tool to convert your IL program to machine code. It's called NGEN: here is a quote from the book:



-nt20

Cool, thanks for the upload nt20.

Probably old news, but if you're interested in .NET stuff, then be sure to check out MONO (hxxp://www.go-mono.com) and Portable.NET (hxxp://www.dotgnu.org), which are opensource implementations of the CLR and class libs.

Obfusticators help curve piracy abit, unmanageled .net code is rediclously easy to crack in most cases. You maybe interested at looking at thinstall, it links a .NET exe and protects it so it can be run without the .net framework.

Don't you mean managed instead of unmanaged ?!


Managed = .NET code
Unmanaged = i386 code (or whatever processor you're targetting)

Hi nikolatesla20 !
Do you have ever try with other .NET obfuscator, ex: DotObfuscator installed with VS .NET 2003, WiseOWL...As I know, .NET obfuscators did not obscure IL code, and it replace method name, class name, variable name... with obscure name. Do you think a tool will named as Deobfuscator .NET is available ???
Regards

I have the .NET SDK but I for some reason wasn't able to find the DotObfuscator program that supposedly comes with it yet...

-nt20

g'day

Just to fill in some blanks..

The DotObfuscator Community Edition v1.2 is shipped with Visual Studio 2003 and not the sdk ...

From memory the community edition of dotobfuscator doesn't have the anti-ILDASM feature ...

The online version of remotesofts decompiler includes a string de-obfuscator ...

The method of inserting invalid meta data to disable decompiling only works for those decompiliers that use the refelection api to do their work.
Other decompiliers such as IDA (which are not based on the reflection api) will decompile the invalid meta data in the target without any problems.

Zac