Review: Remotesoft Obfuscator and Linker
By Peter A. Bromberg, Ph.D.

 Peter Bromberg

Back in December 2002, I did a review of the Remotesoft Decompiler and Obfuscator, and gave the products high marks at the time. Recently, I was "refreshed" by Dr. Luo of Remotesoft with their latest iteration of the Obfuscator, as well as their newest product, the Linker. The following is my updated review.



Before I begin, let me reiterate one important concept: Obfuscation of .NET assemblies is simply an exercise in deterrence, not 100% protection against theft of your intellectual property. If you provide me with an obfuscated assembly, that assembly contains IL (intermediate language) which is then JIT'ed by the runtime compiler and finally executed in memory as native code by the .NET runtime engine. The assembly itself, under normal circumstances, is not "hard compiled" in that we can use the ILDASM utility provided with the .NET Framework to diassemble out the IL into a text source file and any resources. This is an important concept to understand, because the obfuscation process in and of itself does not prevent one from doing this, all it does is "mangle" the code by making it more difficult to understand. I won't go into the details of exactly what the obfuscation process does, because at this point most developers are pretty familiar with the basics of what obfuscators do. And, there is an excellent competing product that has found its way into the Visual Studio.NET installation if you want to experiment further.

I have personally taken a commercially obfuscated assembly, disassembled it with ILDASM, removed the strong name key information, defeated the "licensing" scheme that requires a license key, and reassembled it with the companion utility, ILASM, into a fully working copy of the original, requiring no license at all. This process, while time-consuming, is not rocket science, and I don't have any particular "high-level" skills as a developer that make this possibility a rare likelihood at all. My point is, obfuscation is only a deterrent. I personally would not use this as a "way to get free software" because I believe in the Golden Rule, but the next developer might not be so noble. And, let's remember this is not even the main issue. It's one thing to lose a sale because somebody has defeated one's legitimate licensing scheme. It's a whole other ballgame when they steal your intellectual property and re-use it without paying you for your hard work.

Now, there is one further step that Remotesoft's obfuscator takes, and that is to add code that prevents the most popular decompilers and disassemblers (notably Remotesoft's own Salamander decompiler, Lutz Roeder's Reflector, and of course our previously mentioned ILDASM disassembler) from working properly. That, by itself, is a big step forward.

Remotesoft's Obfuscator offers the following what I call "unique to the product" features:

  • Protection against Remotesoft's own decompiler. Assemblies cannot be decompiled by Salamander decompiler.
  • protection against ILDASM and utilities using reflection APIs. It will crash ILDASM utility and Reflector from disassembling your .exe files.
  • More support for mixed images that contain both managed and unmanaged code. As far As I am aware, this obfuscator is the only one on the market offering this functionality. Almost every image produced by Visual C++.NET belongs to this category.
  • Debugging is made easy: the obfuscated image can be used to replace the original for debugging purpose, since it contains the same symbolic info of exceptions and line numbers, etc., which is impossible to achieve using ildasm-ilasm round trips. 
  • Symbol lookup by simply loading the original and obfuscated assemblies, no log file is required.

The additional feature list of the Remotesoft Obfuscator is extensive:

  • Changes all possible member names to meaningless and duplicate ones. Most methods and fields would have the same name, 'A', after obfuscation.
  • Removes all unnecessary data, including debug info, parameter names and certain metadata, etc.
  • Cross assembly obfuscation.
  • Incremental obfuscation.
  • Easy name lookup based on the original/obfuscated images, no log file needed.
  • Operates directly on executable files, images with native or mixed codes are supported, e.g., it supports assemblies from managed C++ that contains native code.
  • Extremely easy to use, the obfuscator takes one or more .exe and .dll files, and transform them into new format either in place or save as different file names as you would specify. No extra steps are involved. No third party tools (e.g. ilasm) are needed.
  • Up to 20% image size reduction.
  • Assemblies protected by the obfuscator will NOT be able to get decompiled by Remotesoft's own decompiler.
  • Allows full customization of the obfuscation process, obfuscation is controlled by custom attribute programming or a flexible XML config file.
  • Graphical user interface is provided to work with the obfuscator ("Remotesoft Explorer")
  • Integrates directly into the Visual Studio .NET IDE.
  • Uses massive overloading of method and field names for even higher security.
  • Generates only verifiable MSIL bytecode in full compliance with the Microsoft .NET Specification.
  • Updates the manifest in assembly using obfuscated names and automatically generated resource names.
  • Debugging made easy. You can use the obfuscated image for debugging purpose, the exceptions, line numbers, etc., are exactly same as the original. This is impossible to achieve with obfuscators that relies on ilasm-ildasm round trip.
  • Support for smart device applications built on Microsoft .NET Compact Framework.

Here is an example of the configurability of the Remotesoft Obfuscator, taken from the manual: 



// csc /r:Remotesoft.Obfuscator.dll ReflectionTest.cs

using System;
using System.Reflection;

class ReflectionTest
{
	[Remotesoft.ObfuscatorAttribute(false)]
	int which;

	[Remotesoft.ObfuscatorAttribute(MapTo="trash")]
	string name;
	
	ReflectionTest(int which)
	{
		this.which = which;
		name = "Christina Zhang";
	}

	public static void Main()
	{
		int data = 1234;

		ReflectionTest rt = new ReflectionTest(data);

		try {
			// use reflection to get the field value
			FieldInfo fi = 
 typeof(ReflectionTest).GetField("which", 
   BindingFlags.Public|BindingFlags.NonPublic|BindingFlags.Instance);
Console.WriteLine("You should see {0}, here: {1}", data, fi.GetValue(rt));
		} catch (Exception e) {
			Console.WriteLine(e.Message);
		}
		// display field directly
		Console.WriteLine("name = {0}", rt.name);
	}
}

The following image shows the obfuscated assembly; notice the which field is unchanged, and the name field is renamed to trash as specified by the ObfuscatorAttribute.

Custom Naming Convention

Remotesoft's obfuscator allows different naming schemes to be used. You can go to the UI, Tools > Options > Obfuscator, "Name Convention" section, where you can pick several different types of naming schemes, or make your own by defining a file with a simple XML grammar that is supplied in the manual.

Suffice to say that the latest Remotesoft Obfuscator is highly configurable, easy to use, and has an extensive manual with many examples of usage that would satisfy even the most demanding software developer. It is highly effective, and it may very well be the best commercial .NET obfuscator available on the market today.

Salamander .NET Linker and mini-deployment tool

This brings me to the high point of the review, the Linker and mini-deployment tool. When I tried this product, I was amazed, not only at how easy it is to use, but also at the new possibilities it opens up for efficient software distribution of .NET software. This tool allows you to link .NET assemblies together into a single file, and to deploy your application without installation of the Microsoft .NET Framework. The linker links MSIL code on demand, putting together only the required classes and methods, and it links in the Microsoft .NET Framework class libraries.

The mini-deployment tool then builds a minimum set of the Microsoft .NET runtime to ship with your application. This usually results in installation size of a few megabytes, rather than tens of megabytes, and the installation takes much less time without the requirement of rebooting. The mini-deployed application can be launched directly from a CD, absolutely without copying files or adding registry entries. You can use standard commercial installation tools such as a Winzip self-extractor for software installation, or possibly even a CAB file with the standar web -based <object ...> tag Active Install option, to deploy your product.

Link On Demand

The linker starts with the entry methods (which you can configure), and recursively walks the call graph to link only the required bits of MSIL code. Unused code is not linked into the final assembly. Therefore, your code becomes more efficient and its size becomes smaller.

Link into Framework APIs

The Remotesoft linker is so powerful that even the Microsoft .NET Framework assemblies, such as System.Windows.Forms.dll, can be linked into your own .NET assemblies. Since it links on demand, only the required portion will be linked. This is very useful for protecting your code, for simple application deployment, and for troubleshooting by debugging into the framework code itself. I found the Linker extremely easy to use from the provided GUI, and also customizable if you desire to "tweak" the output, through various command line switches, many of which are available from the GUI.

Fast Deployment without full Microsoft .NET Framework Installation

The mini-deployment tool puts together the minimum set of CLR runtime files and dependent assemblies that can be simply copied to a single folder on a target machine, and your application runs as if the whole framework is installed. Since the installation is isolated into a single folder, there are no conflicts with future .NET installation. When linking is used for the dependent assemblies,this further reduce the file size.

Direct Launching from CD with no Installation Required

The mini-deployed package contains all the files and registries so that it can be launched directly from a CD without any installation to the client machine. There is no need to copy files to system directories, or to modify registry entries. Therefore, the client machine can be kept intact. This is extremely useful for creating demo and other CDs for .NET applications.

Code Protection   

There is one problem that no current obfuscators address: no matter how good the obfuscation is, there are system library calls and other external references scattered over your code. Since these calls are external references, obfuscators must leave them unchanged. However, these references help a lot to understand the decompiled code, because they are well-documented and public APIs. The linker removes or reduces such public APIs by linking the framework APIs right into your own code, and thus makes your code much more difficult to decompile after obfuscation.


The above images show the obfuscated code after the linked Scribble.exe sample app is obfuscated. Since external references (System.Windows.Forms) APIs are also defined in the same module, they are no different from your own code, and you can obfuscate them at will. Those public APIs are not visible at all. No other method can achieve this level of protection. Looking into the decompiled code, it is much harder to understand than "plain obfuscated" code.

Sample Distribution

For those curious enough to download and try one of these "100% self-contained" .NET applications, I've prepared what is called a Remotesoft "mini-deploy" of my QuoteMinder Tray Icon app. This is a .NET executable that sits on the system tray and provides balloon-tip displays from Yahoo finance of your favorite stock quotes. The full install is in a simple ZIP file, is only about 5.73 MB, and you can download it here. Simply unzip this in the folder of your choice, run the executable "quoteminder.exe" and it will function perfectly, whether or not .NET is installed on the machine! The mini deploy even has its own "registry", although any new settings your application writes will be place in the normal Windows Registry.

Protector

Salamander .NET Protector is a technology that offers real protection for your .NET code. In contrast to an obfuscator that makes decompilation more difficult by symbol renaming, the protector completely stops MSIL disassembly and decompilation . Pprotector is not an obfuscator, instead it converts the decompilable Microsoft Intermediate Language code (MSIL or CIL) of your assemblies into native format while keeping all .NET metadata intact, and thus it provides the same level of protection as native C/C++ code. Furthermore, it offers code, string and resource encryption, and therefore provides even better protection than native C/C++ code.

Pricing

Currently, these products are sold in "packages" along with the Remotesoft Explorer, a Gui that looks and works a lot like Windows Explorer. They also "plug in" to the Visual Studio.NET IDE, and can be set up to work as pre- and post build steps in the VS.NET Build Configuration editor. Package pricing runs from $499 up to $3399 depending on product selection and number of developer licenses. All results of the products' output may be freely distributed with no licensing restrictions. While these products are not cheap, they go a lot farther toward protecting intellectual property rights than anything else I have seen on the market. Recommended. For more information or evaluations, I refer you to Remotesoft.

 

 
 

Peter Bromberg is a C# MVP, MCP, and .NET consultant who has worked in the banking and financial industry for 20 years. He has architected and developed web - based corporate distributed application solutions since 1995, and focuses exclusively on the .NET Platform. Pete's samples at GotDotNet.com have been downloaded over 41,000 times. You can read Peter's UnBlog Here.  --><--NOTE: Post QUESTIONS on FORUMS!
Do you have a question or comment about this article? Have a programming problem you need to solve? Post it at eggheadcafe.com forums and receive immediate email notification of responses.