Announcing Obfuscar

drcf...@gmail.com

May 3, 2007, 10:29:54 AM
to obfuscar
Obfuscar is an open source obfuscation tool...yes, you heard that
right, open source obfuscation. There's something deliciously ironic
about that.

The main project site is http://code.google.com/p/obfuscar/, and the
project is released under the MIT License.

Whether or not we agree with the idea behind obfuscation (security
through obscurity), the decision to use it is not always our call. I
wrestled with vendors for the last few years, always running into bugs
followed by poor technical support.

Rather than continue battling vendors, I decided to create my own. It
wouldn't have been possible without the Cecil library, or the C5
Generic Collections library.

Basically, what the tool does is scramble the metadata in a set of
assemblies. It renames everything to the minimal set of names that
can be used to identify them, given signatures and type information.

For example, for the following source (from the example included):

    public ExampleUI( )
    {
        InitializeComponent( );

        ClassX cx = new ClassX( "Some Text" );

        displayText.Text = cx.DisplayText;
    }

Can be decompiled (via Reflector) to:

    public ExampleUI()
    {
        this.InitializeComponent();
        this.displayText.Text = new ClassX("Some Text").get_DisplayText();
    }

After obfuscation, can be decompiled (via Reflector) to:

    public A()
    {
        this.A();
        this.a.Text = new A.A("Some Text").A();
    }

It's a simple example, but it scales...For example, given a reasonably
sized code base, one could easily run into a class named 'A' (in the
namespace 'A') with 7 methods, 4 properties, and 5 fields named 'A',
with several more methods, properties, and fields named 'a'.

It makes debugging / reverse engineering very difficult, but wouldn't
stop someone who really wants to reverse engineer it. It would at
least slow them down, and would deter casual observers. It also
dramatically shrinks executable size.

The project isn't yet well documented, but it does work, and there is
a very basic example provided.
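
The renaming idea described above, as an added example that is not part of the original post and not Obfuscar's own code: a simplified Python model in which members of one type share a name whenever their kind or signature differs. The member list, the name order (A, a, B, b, ...) and the function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of signature-aware renaming.
# This is not Obfuscar's code; the name order (A, a, B, b, ...) is an assumption.
import itertools
import string

ALPHABET = [c for pair in zip(string.ascii_uppercase, string.ascii_lowercase)
            for c in pair]

def name_sequence():
    """Yield candidate names shortest first: A, a, B, b, ..., z, AA, Aa, ..."""
    for length in itertools.count(1):
        for combo in itertools.product(ALPHABET, repeat=length):
            yield "".join(combo)

def rename_members(members):
    """Map each (original_name, kind, signature) to the shortest free name.

    A name is free for a member when no earlier member with the same
    (kind, signature) already holds it, so members that differ in
    signature or type can all share one name.
    """
    taken = {}    # new name -> set of (kind, signature) already using it
    mapping = {}
    for original, kind, signature in members:
        for candidate in name_sequence():
            holders = taken.setdefault(candidate, set())
            if (kind, signature) not in holders:
                holders.add((kind, signature))
                mapping[(original, kind, signature)] = candidate
                break
    return mapping

def originals_for(mapping, new_name):
    """Every original member hiding behind one obfuscated name."""
    return sorted(orig for (orig, _, _), new in mapping.items() if new == new_name)

# Constructed sample: members of one hypothetical form class.
SAMPLE_MEMBERS = [
    ("InitializeComponent", "method", "void()"),
    ("get_DisplayText", "method", "string()"),
    ("Dispose", "method", "void(bool)"),
    ("Refresh", "method", "void()"),       # same signature as InitializeComponent
    ("displayText", "field", "TextBox"),
    ("components", "field", "IContainer"),
    ("caption", "field", "TextBox"),       # same type as displayText
]

if __name__ == "__main__":
    result = rename_members(SAMPLE_MEMBERS)
    for (orig, kind, sig), new in result.items():
        print(f"{kind:6} {sig:12} {orig:20} -> {new}")
    print("named 'A':", originals_for(result, "A"))
```

In this model five of the seven sample members end up named 'A', so a bare name from a decompiler listing or stack trace identifies a member only together with its signature and the saved mapping.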
