I first started writing software in .NET over ten years ago. Now, as you know, .NET software can be reverse compiled back to almost the original source code. The names of local variables will be replaced by unfriendly one-letter equivalents, but the class and method names will be intact. The ease of reverse compilation for code written in .NET was never seen for C/C++ when compiled into native machine code.
Back then I used a free obfuscator to rename all the class and method names into unfriendly single- and two-letter substitutes. For example, a class called MyPowerAlgorithm would be renamed to Aa.
I wrote my own licensing system so that users would have to buy a license key from me in order to use the software. I looked around at the time and I didn’t want to pay 5% of my revenues to use a third party licensing system.
I put in some simple protection so that a hacker would not be able to reverse compile my code and re-sell it.
Well that didn’t work at all. Obfuscating the class and method names of a software application written in .NET only goes so far. You need extra protection and I found out the hard way.
One day I found a software application on the Internet rather similar to mine. In fact the user interface was different. It looked very much like someone had reverse compiled my code, changed a few constants and put a simple, crude new user interface on it. Rather annoyingly, Google put the cracker’s website one above mine in search results!
At the time there was one bug in my software application. I checked, and the cracker’s application had the exact same obscure bug as mine. Plus, the reports it generated looked very similar to mine, with the exception of one string being changed.
I contacted the man responsible for stealing my software application and told him that I suspected him of stealing my code. I referred him to my website and said we both had applications that did the same thing. I asked him how he managed to do the same technical tricks as in my application. He didn’t have a clue how to answer my questions. In the end he kind of admitted to stealing my code. He said that he had done the work to create a new website and from that he was entitled to some money! Ho Hum!
I contacted the website hosting company where the cracker’s website was. Fortunately they believed me and took his website down. Well a couple of days later, the cracker’s website was back up with my stolen code and with a different hosting account at the same company. Well after contacting them again, they took the new website down. After that he moved my stolen code to a new website with a new hosting company. I contacted them and they took his new website down.
I was lucky. The hosting companies took my word and didn’t say things like “Who can we believe?”. The proof would be in the possession of the real, unobfuscated source code, but really you don’t want to have to reveal that.
The take-home message is that you want your software application properly protected before you publish it, not afterwards. Obfuscating your application is not enough. You need to do more to protect it. You need technical means to protect your software. Legal means are too slow and too expensive and might not even work if the cracker is in a country far away.
Needless to say I added more protection to my software application after this event. In some ways I resent having to write code to do this, instead of code for more features.
Having thought about it, it is very simple to crack software applications only using obfuscation for class and method names.
I have found three obfuscators offering more functionality than the free one I used nearly a decade ago. They are listed below. Good luck using them!
PreEmptive Dotfuscator seems to be for more established software outfits, but that is just my opinion. ConfuserEx is a free Open Source application. BabelFor.NET looks very full-featured and powerful.
