Observing and Understanding Obfuscated Output
Step 1 – Using a Disassembler
The .NET Framework SDK ships with a disassembler utility called ildasm that allows you to decompile .NET assemblies into IL Assembly Language statements. To start ildasm, make sure that the .NET Framework SDK is installed and in your path. Type ildasm on the command line.
Note: If this does not work and Visual Studio is installed, you can make sure that ildasm is in your path by executing the Developer Command Prompt for VS20xx shortcut in your start menu (or Visual Studio Command Prompt (20xx) for older versions of Visual Studio). Type
- Click File | Open and browse to:
C:\Program Files (x86)\PreEmptive Solutions\Dotfuscator Professional Edition 4.x\samples\GettingStarted\bin\Debug
- Select GettingStarted.exe.
- Click Open. A view of the disassembled assembly displays:
- To compare the currently shown, un-obfuscated HelloWorld application to the obfuscated version, start another copy of ildasm. This time browse to:
C:\Program Files (x86)\PreEmptive Solutions\Dotfuscator Professional Edition 4.x\samples\GettingStarted\Dotfuscated
- Select GettingStarted.exe.
- Click Open.
- Place each ildasm window side-by-side. Compare and contrast both figures.
Notice that the un-obfuscated disassembly contains names of methods that are fairly understandable. For example, it is safe to assume that the ConverseButton_Click: void (object, class [mscorlib]System.EventArgs) method is called when the Converse button is clicked. Now look at the obfuscated version. Which method is called when the Converse button is clicked? It is hard to tell.
Also notice the missing SaySomething method. It was removed because the method wasn't being used anywhere in the code.
Double-click the methods SayHello:string() from the original assembly and a:string() from the obfuscated assembly. These two methods are the same; however, when examining the disassembled IL code further, notice that the strings have been encrypted in the obfuscated version to make the code difficult to read.
For example, locate the following line in the un-obfuscated version:
IL_0000: ldstr "Hello, my name is "
Now view the obfuscated version, and try to find the above string. If you’re having trouble finding it, it’s because it’s encrypted and looks like the following:
IL_0000: ldstr bytearray (09 42 26 44 29 46 2B 48 26 4A 67 4C 6D 4E 22 50 28 52 73 54 3B 56 36 58 34 5A 3E 5C 7D 5E 36 60 12 62 43 64 )
You can imagine how confusing this can be for attackers who are trying to reverse-engineer the code, especially with more complex applications.
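The comparison above can be turned into a release check, shown here as an added example that is not part of the Dotfuscator documentation: it scans IL text saved from ildasm and reports which string literals are still readable. The function names, the list of sensitive literals and the IL_0010 line are assumptions made for illustration; the other two IL lines are the ones quoted on this page.

```python
import re

# Constructed sample input: the two IL lines quoted on this page, plus a
# made-up literal (IL_0010) standing in for a string left in the clear.
SAMPLE_ORIGINAL = 'IL_0000: ldstr "Hello, my name is "\n'
SAMPLE_OBFUSCATED = (
    "IL_0000: ldstr bytearray (09 42 26 44 29 46 2B 48 26 4A 67 4C 6D 4E 22 50 "
    "28 52 73 54 3B 56 36 58 34 5A 3E 5C 7D 5E 36 60 12 62 43 64 )\n"
    'IL_0010: ldstr "licence-check-failed"\n'
)

PLAIN = re.compile(r'ldstr\s+"((?:[^"\\]|\\.)*)"')
BYTES = re.compile(r'ldstr\s+bytearray\s*\(([0-9A-Fa-f\s]*)\)')


def audit_strings(il_text):
    """Split ldstr operands into readable literals and opaque bytearrays."""
    readable = [m.group(1) for m in PLAIN.finditer(il_text)]
    opaque = []
    for m in BYTES.finditer(il_text):
        raw = bytes.fromhex("".join(m.group(1).split()))
        # ldstr operands are UTF-16 code units, two bytes each.
        text = raw.decode("utf-16-le", errors="replace")
        # A bytearray that decodes to plain ASCII hides nothing.
        if text.isascii() and text.isprintable():
            readable.append(text)
        else:
            opaque.append(len(raw) // 2)  # keep only the length in characters
    return readable, opaque


def missed_literals(il_text, sensitive):
    """Return the sensitive literals that are still readable in the IL."""
    readable, _ = audit_strings(il_text)
    return [s for s in sensitive if any(s in r for r in readable)]


if __name__ == "__main__":
    for name, il in (("original", SAMPLE_ORIGINAL),
                     ("obfuscated", SAMPLE_OBFUSCATED)):
        print(name, audit_strings(il))
```

ildasm also prints the bytearray form for ordinary strings that contain non-ASCII characters, so the useful signal is the list of readable literals, not the count of bytearray operands.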
Step 2 – Decompiling
Decompilation isn't limited to a small circle of technical folks who know IL Assembly Language. You can take it a step further and actually recreate the source code from an application by using a decompiler. These utilities can decompile a .NET assembly directly back to a high-level language like C#, VB.NET, or Managed C++.
With Dotfuscator, however, running a tool such as Reflector for .NET against the obfuscated GettingStarted.exe file and trying to examine a method such as a() displays the following:
This item appears to be obfuscated and can not be translated.
Thus, Dotfuscator successfully prevented a major decompiler from reverse engineering your obfuscated code.