General Questions
Licensing Questions
Spices.Obfuscator
Localization Questions
TOP
General Questions
What versions of .Net Framework Spices.Net supports?
Spices.Net supports 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5 versions of .Net Framework.
TOP
What is obfuscation?
Obfuscation is a term that comes from the latin word obfuscare, which means to darken or to make dark. This is a technology that allows one to hide the meaning of code from research, analysis and making it easy to read and understand. Obfuscation enables one to irreversibly alter code in such a way that it becomes meaningless and hard to understand, while its structure becomes completely undecipherable. The main purpose of the obfuscator is to keep the original logic of code while irreversibly transforming it in such a way that it becomes almost impossible to research and analyze, even with the use of automatic methods.
The specific nature of the obfuscation of .Net products boils down to protecting code from decompilers and ILDASM/ILASM roundtrip (when the code can be disassembled by the ILDASM tool and then altered and assembled by the ILASM tool). Protection from roundtrip makes it possible to prevent code forgery.
TOP
What risks are prevented by obfuscation?
- Reverse engineering/Decompilation
- Protect sensitive and proprietary information
- Roundtrip
- Tampering-spoofing
TOP
Why is obfuscation necessary?
The main problem with .Net code is that is can easily be reverse engineered. .Net programs are comprised of code in the intermediate-compiled format (Intermediate Language, IL), which is more advanced language than native processor code, whose instructions are easier to understand and are more informative. The code is convenient and understandable for research, analysis, disassembly and decompilation.
In this case, one can use ILDASM or a decompiler such as Spices.Decompiler to generate the source code from a program very similar to an original code. When using the roundtrip ILDASM/ILASM, one has the ability to forge code by eliminating verifying, licensing or other information, and can thus compile a fully functioning version of the original program, devoid of its initial protection. One can also analyze code to uncover necessary "sensitive" information, such as passwords.
Enterprises and developers that are concerned with the protection of their intellectual property must understand that obfuscation, as a solution, enables one to maximally complicate reverse engineering and roundtrip, and can also hide "sensitive" information. If obfuscation is carried out correctly, it can not only protect code, but it can inhibit decompilation and prevent the theft and forgery of code and "sensitive" information.
TOP
What is cross-obfuscation (cross-assembly obfuscation)?
Modern obfuscators enable one to obfuscate not only single assembly, but packages of projects and libraries, obfuscating not only inner, but also public code and data that is used by several applications and libraries. An obfuscator needs to obfuscate references for this particular code and the data in the applications and libraries that are referring to it. Cross-obfuscation prevents code from being cracked, as it protects the integrity of the code when a separate library or application will not work correctly with out the rest.
TOP
What types of assemblies must be obfuscated?
Any .Net assembly that has publicly inaccessible source code or contains "sensitive" information. The significance of obfuscation should not be underestimated, as even code that is restricted to only being used within one company, can be stolen or become public. Code that includes information about database requests, references to particular resources and services, passwords and names of the users, etc. must be obfuscated to protect it from competitors and thieves.
TOP
Why is optimization needed?
In the process of obfuscation, a detailed analysis of one's assembly takes place, including the possibility of elimination of information and code that are unused and have ceased to be useful to the correct execution of application. The optimization process can eliminate this data from an assembly, which can in turn generate a more compact file. This process can significantly decrease the size of an assembly, which makes the code perform better, as compact code loads quicker and needs less memory.
TOP
What is Software Watermarking?
Software watermarking can be used to an additional hidden identification or marking a given application with specific information, such as its buyer and copyright. This information can help reveal a forgery of an application and identify its owner, the distribution region, the OEM distributor and the serial number.
A watermark is incorporated into an assembly in such a way that it disappears with the application after decompilation and disassembly.
TOP
What is StringEncryption?
Any assembly uses strings to output, processing, examination and store various information, including "sensitive" information such as passwords, addresses, licensing and various string identifiers and constants. The IL-code format enables one to easily extract string information from .Net code and quickly analyze it to find the most interesting parts. String coding technology makes it possible to remove this information from the code and metadata, and safely encode it to hide and protect it from research and forgery.
TOP
What is TamperProofing?
Despite the fact that .Net assemblies can be protected from forgery with a digital signature (during the creation of strong-named applications), it is still possible to remove an original digital signature and resign with another. Anyone can use this method to forge (even obfuscated) code to remove the protection code or licensing check to obtain an operational application without this code. Protection from forgery solves the problem of vulnerability of strong-named applications, and as a result the counterfeited application becomes not operational after forgery.
TOP
What is Spices.CodeAnonymizer?
There is a problem exists that an obfuscator cannot solve even with cross-obfuscation and high level of obfuscation - the impossibility to hide the identification of system calls and other external references that are often used in code. Since these calls are part of the external code, obfuscators are forced to leave them unchanged. However, these calls provide enough information to understand the decompiled/ disassembled code because those references are well documented and public API. Technology Spices.CodeAnonymizer can decrease or even remove such calls from the code. This makes it much more difficult to decompile, as no significant information remains to be analyzed by the researcher.
Spices.CodeAnonymizer not only makes it possible to solve the problem with external references, but also hides the references to the internal methods and fields that have not been obfuscated.
Also masking and call optimization is used to hide obvious calls and creating fast and compact code.
The code anonymization technology provides a variety of ways to complicate the analysis of code and counteract decompilation. Our tests showed that this technology is considerably more effective than traditional code flow obfuscation, as today's decompilers easily recognize the code flow obfuscation.
One of the key features of this technology is increased internal integration of the code, so a hacker would not be able to use even a parts of it.
TOP
What is incremental obfuscation?
The method of software update via patching is fairly common among producers of software. In that case the client does not receive the entire set of files, but only a limited amount of updated files. A different method of obfuscation, called incremental obfuscation needs to be used for this practice, so that the references between assemblies and assembly members will not be disrupted.
TOP
Licensing Questions
What is included in the price of Spices.Net products?
A license is based on a year-long subscription, which includes tech support, updates and fixes for the entire year. A subscription can be extended for another year, in which case it will be 50% off the original full price.
TOP
How can one obtain the evaluation (trial) version of the program?
The evaluation (trial) version of the program is free and can be downloaded from 9Rays.Net website. There are no time restrictions placed on the use of this trial version.
TOP
Spices.Obfuscator
What is the difference between the full version and the evaluation version?
The evaluation version has the same amount of services and functions as the full version. There is only one difference between the two - the evaluation version marks the obfuscated assembly on a such way that inhibits the commercial use and the distribution of the code that is protected by Spices.Obfuscator.
TOP
Does Spices.Obfuscator need the source code of a program to function?
No, Spices.Obfuscator works with code that has been previously compiled into .NET, so the original source code is not needed.
TOP
Does Spices.Obfuscator require to include additional libraries with obfuscated programs?
No, Spices.Obfuscator does not add new dependencies to an obfuscated program.
TOP
Spices.Obfuscator offers a wide variety of ways to protect .NET assemblies, which range from traditional obfuscation to powerful complex solutions such as Spices.CodeAnonymizer and Tamper proofing (protection from forgery).
TamperProof technology is patent pending, CodeAnonymizer is patented (U.S. Patent #7,937,693) and provide unique and effective methods of protection that are not offered by other producers of obfuscators.
TOP
Does Spices.Obfuscator use/require ILDASM/ILASM to protect assemblies?
No. Spices.Obfuscator, unlike other producers of obfuscators, does not use these utilities, as they limit the quality of obfuscation, and increase the vulnerability of protected assemblies. Also, if an obfuscator uses ILASM/ILDASM roundtrip for protection of its assemblies, they can still be forged (tamper-proofing) since roundtrip can still be used.
Spices.Obfuscator uses its own engine to analyze, process and generate obfuscated assemblies. This engine provides much more ways to protect the code. As result raising quality of protection immensely, making products not only "extremely difficult to read", but their code becomes completely inaccessible for analysis, forging, decompilation and extraction parts of it for separate use.
TOP
What will happen if I try to use a decompiler on an assembly protected by Spices.Obfuscator?
With correct settings and using String Encryption, CodeAnonymizer, Optimizer, and resource protection technologies while protecting assemblies, resulting product can crush decompiler or make it produce meaningless code that cannot be used/compiled or understood. Even most recent decompilers, which are equipped with de-obfuscation features, do not make it possible to acquire useable code.
TOP
How does Spices.Obfuscator work with component libraries?
Spices.Obfuscator proposes a number of ways to protect products that require leaving public code un-obfuscated. There are two configurations exist which make it possible to work with this type of assemblies:
- Default - preserves inheritance and overriding of members of the protected assembly.
- DefaultImproved - does not preserve inheritance and overriding, but increases the quality of obfuscation.
TOP
Can Spices.Obfuscator be used with CompactFramework assemblies?
Yes, Spices.Obfuscator can protect CompactFramework assemblies.
TOP
Can Spices.Obfuscator be used with ASP.Net codebehind assemblies?
Yes, Spices.Obfuscator can bе used to protect this type of .Net assemblies.
TOP
Can Spices.Obfuscator be used with Windows.Forms assemblies?
Yes, Spices.Obfuscator works with all types of assemblies, including Windows.Forms.
TOP
How effective is AntiILDASM protection? What does it protect from?
This type of protection is designed to prevent the use of standard utility (supplied with .Net SDK) - ILDASM (Intermediate Language Disassembler). This utility enables one to obtain the complete listing of code from an assembly, which makes it possible to study it in detail. Such disassembled code can be used with the ILASM utility to obtain the operational application. AntiILDASM counteracts the loading of assemblies that are protected by these means in ILDASM preventing obtaining of the disassembled code. This tool also works against decompilers, which use system unmanaged interfaces to access metadata in assemblies.
TOP
What is Spices.Project?
This is an xml file with extension .iloprj. This is a collection of references to assemblies that will be obfuscated, as well as corresponding obfuscation settings. The settings in Spices.Project can be for individual assemblies as well as global, affecting whole process.
TOP
What is Spices.Solution?
This is an xml file with extension .ilosln, which is a collection of references to the Spices.Project files. Spices.Soultion enables the user to process several projects within one session of obfuscation. This is very helpful if you are arranging a number of projects to be released, and have prepared several collections of files for obfuscation, such as Light, Pro and Enterprise. For each collection there are different Obfuscation settings that can be defined in one Spices.Project. In this case you can generate Spices.Solution, include all Spices.Project collections in it and obfuscate all this in one session of obfuscation.
TOP
Can I use Spices.Obfuscator to link several assemblies into one?
First of all, linking several assemblies together worsens the performance of the entire assembly. If you are trying to complicate the code this way to protect it from decompilation, then this is not the best solution. Cross-obfuscation can be used to improve the overall quality of obfuscation. You can also use Spices.CodeAnonymizer, and still preserve good load balancing of assemblies, more efficient use of memory and higher performance of resulting assembly.
If it is absolutely necessary to combine assemblies, you can use ILASM, which can be used in ObfuscationEvents as one of the tasks in the process of obfuscation. You can use this utility to link assemblies and in more flexible obfuscation scenarios using Spices.Obfuscator engine.
TOP
What is the Spices.Obfuscator Engine?
In addition to Spices.Obfuscator, Spices.Obfuscator Console Edition we offer a more flexible solution - you can use the Spices.Obfuscator Engine which makes it possible to build in the process of obfuscation, as well as the tuning and management of Spices.Project/Spices.Solution in C # and Vb.Net scripts and scenarios. This makes it possible to build-in obfuscation process into nonstandard build-solutions and to integrate with nonstandard build-processes.
TOP
How can I add an additional tasks into the process of obfuscation?
Spices.Project and Spices.Solution have additional settings that make it possible to add external processes and tasks. The large collection of Spices.Project.ObfuscationEvents and Spices.Solution.Obfuscation.Events makes obfuscation process very flexible by presenting the ability to add additional tasks into the process.
TOP
What is MixDictionary feature and why is it needed?
MixDictionary makes it possible to make each obfuscation session unique, producing non repeatable, unique product (by using a unique collection of names of the members of assemblies). The uniqueness of these assemblies makes it possible to avoid situations such as when a criminal attempts "to combine" assemblies of older versions of programs with new ones. If their names coincide, this it is possible to achieve, but among unique assemblies, the references between them are also unique.
TOP
How can I add obfuscation tasks to Visual Studio 2005?
It is possible using Spices.VSIP.Obfuscator - it includes Visual Studio Integration Pack and MsBuild Integration. With this tool you can use VSIP features of Spices.Obfuscator, or add tasks using MSBuild integration into Visual Studio 2005 projects or MSBuild scenarios.
TOP
Can I debug applications that have been obfuscated by Spices.Obfuscator?
Yes, with Spices.VSIP.Obfuscator, you can integrate obfuscation into the build-process, and debug applications in Visual Studio immediately after obfuscation if you set the StripDebugInfo option to False for complete support of the code.
TOP
Can Spices.Obfuscator be used in NAnt?
Yes, Spices.Obfuscator includes the library of tasks for the integration of Spices.Obfuscator into NAnt.
TOP
Is there a way to exclude assembly members from obfuscation?
Yes, you can use the special assembly NineRays.ObfuscationAttributes.dll which can be found in SDK\Obfuscation Attributes catalog. All you have to do is to include it into your project and use the attributes from this assembly to mark the members with the NotObfuscate attribute. There is no need to include this assembly to distributed packages since the utilized attributes are for reference only.
TOP
Is there a more convenient way to exclude assembly members from obfuscation?
Yes, there is. You can use the ExclusionPatterns feature in Spices.Project, which is a collection of regular expressions into which you can add other regular expressions to exclude members of assembly based on some conditions . For example, the expression SomeNamespace.* will exclude whole classes and their members from obfuscation, but the SomeNamespace.SomeClass.* - will only exclude fields, methods and properties of the SomeNamespace.SomeClass class. If you add the following expression SomeNamespace.SomeClass * (without the dot) - the name of the class will not be obfuscated.
TOP
Can PInvoke (platform invoke) methods be obfuscated?
Yes, this is possible if the PInvoke method is completely described.
For example in case of this code:
[DllImport("Gdi32.dll")]
internal static extern int CombineRgn(IntPtr dest, IntPtr src1, IntPtr src2, int flags);
The method will not be obfuscated.
If the method is completely described (so that the name of method is present in the EntryPoint declaration of the DllImport):
[DllImport("Gdi32.dll", EntryPoint = "CombineRgn", CharSet=CharSet.Auto)]
internal static extern int CombineRegion(IntPtr dest, IntPtr src1, IntPtr src2, int flags);
TOP
What advice can you give concerning the obfuscation of code that uses Reflection/Serialization/Remoting?
The problem with obfuscation of the code that uses Reflection/Serialization/Remoting is that it references assembly members by name. In the situation when an obfuscator changes names, this method of referencing members of an assembly may not work, since the name of an assembly member can be changed during obfuscation. For these situations we recommend the following:
- When designing an assembly, be prepared to the possibility of obfuscation and mark the assembly members that are used in Reflection /Serialization/Remoting to exclude them from obfuscation.
- Separate the code that is used in serialization from the one that isn't. Since code that is used in Remoting/Serialization/Reflection must not be obfuscated, it can be stolen and analysed.
- Instead of Type.GetType("MyType") expressions, use typeof(MyType).
- Do not forget about the strong aspects of declarative programming, and use these attributes to declare the members of assemblies. This will help avoid the use of reflection and some problems with obfuscation:
- This code:
MethodBase mb = someType.GetMethod("MyMethod");
Can be substituted for the search of a method marked with a special attribute.
- You can declare to a specific class for use in code when it is enough to acquire the necessary attribute and the necessary class from it.
- If you use LateBinding or InvokeMember, you should not search for an assembly member by name, instead use delegates in the following situations:
Invoke(new MyDelegate(MyMethod, new object[]{1,2, "some string"});
Or you can use attributes to mark or declare specific methods.
TOP
What advice can you give concerning obfuscation of codebehind code in Asp.Net pages and classes?
If code is properly designed, i.e., the public visibility is assigned to the code used in aspx-files, then it is sufficient to use ObfuscationOptions.Members = DefaultMode to obfuscate codebehind- code. The main idea here is the same as to avoid Reflection/Serialization issues - the members of assemblies that are used in aspx- files must not be obfuscated.
TOP
How can I protect my resources?
To do this, enable the option of ResourceProtection. In this case, Spices.Obfuscator will encrypt names of resources and remove the connections between the resources associated with specific classes and it will be much more difficult to decompile and find the appropriate resource in an assembly.
TOP
How about protecting mixed code and managed c++ assemblies?
Yes, as opposed to most obfuscator providers, Spices.Obfuscator fully supports mixed code and knows how to deal with the architecture of such assemblies, while presenting a complete set of means for protecting mixed-code.
TOP
Does Spices.Obfuscator produce verifiable code?
There are two levels of code verification. The first level - you can verify the code and the metadata using peverify utility and obtain the list of verification errors and warnings. The second level of verification - (not as strong) the assembly passes before being executed.
Spices.Obfuscator produces code that is completely verifiable on the second level. If you want to have verifiability of code at the first level, you will have to forego some protection methods used by CodeAnonymizer. (KeepParameters/KeepReturns - these properties help to hide the real types of parameters and protect your assembly from roundtrip. Leave these properties on (true) for the verifiability of your assemblies.
TOP
Why can't I use the NGen tool to produce pre-jitted code and thus avoid the risk of disassembly and forgery?
Pre-jitted code will not provide protection, as the .Net runtime requires the inclusion of the complete set of metadata and MSIL-code in the assembly before executing it. Moreover your assembly will lose several advantages, such as: platform and processor independence, security of the code and data protected by a strong-name. Ngen- code is more dependent and fragile, as it is necessary to recompile it with every change of the environment, which is why MSIL and metadata are essential.
TOP
Why can't assemblies be protected by using a tool to turn them into native-processor code and then by encrypting this code?
These tools do make your assembly's code impossible to disassemble and decompile. These tools create a native processor wrapper around your assembly, which seems reliable at first, but then it becomes obvious that this protection is flawed, as the wrapper must decode and execute the assemblies within it. Frequently decrypted assemblies are recorded in a file, where they become accessible for analysis. Even if these assemblies are decrypted into memory, it is fairly easy to obtain a memory dump, and thus, the assembly itself. Even the distributors of this protection recommend the obfuscation of assemblies before creating a wrapper-a. Such applications are inferior to obfuscated ones in terms of effective memory use, as they have problems with antivirus software and OS security (such programs can easily be classified as viruses or harmful code).
TOP
Localization Questions
Can I localize my application using Spices.Obfuscator?
Yes, for this it is necessary to create localization files with the help of Spices.Localizer, which is supplied with Spices.Obfuscator and Spices.VSIP.Obfuscator packages. Data extracted from assemblies that were analyzed by Spices.Localizer can be localized, and the LocalizationInfo property must be set for every Spices.Project assembly (if it must be localized). After obfuscation you will obtain a protected and localized application.
TOP