Is obfuscation only about garbling the names of non-public variables/members? If so, would it not be possible to write an application that would at least change these names more readible ones like "variable1", etc, and then extract the whole code that can still be compiled?
2
-
1Of course its possible. Usually its called reverse engineering/deassemble/decompile etc (if you are looking for a tool).stefan– stefan2011-03-08 20:12:32 +00:00Commented Mar 8, 2011 at 20:12
-
For an example of such a tool, see de4dot.comgregmac– gregmac2017-01-17 18:35:14 +00:00Commented Jan 17, 2017 at 18:35
Add a comment
|
5 Answers
No, it is about a lot more, especially with more sophisticated obfuscators. They can produce IL that cannot be expressed in most languages, and where the logic flow is horribly tangled to befuddle the best of tools. With lots of time you can do it (probably lots by hand), and there is certainly an arms race between the obfuscators and deobfuscators - but you vastly underestimate the technology here.
Also, note that many obfuscators look at an entire application (not just one assembly), so they can change the public API too.
15 Comments
Marc Gravell
@Joan - you can usually tell it explicitly to ignore particular types, but in general at the application level there is no public API; but if you are obfuscating a library, then yes - it has to preserve that. Re slow-down; not really - the CLI doesn't care if the IL is spaghetti.
stefan
@Marc Gravell control obfuscation can probably brake shit loads of optimizations in a JIT, why would it NOT? Youre links are still not on topic.
stefan
@Marc Gravell string encryptions etc are not a matter for me. Iam only thinking about the code flow, and yes I strongly believe the penalties speed wise will vary alot depending where and how you obfuscate. After all theres a reason why we want global optimizations :)
Marc Gravell
@Joan indeed - reflector can show the il, but not decompile to any language; it isn't obfuscated per se; is just uses IL tricks that you can't write in code. Fully obfuscated code usually struggles to load at all into reflector. re interning; that isn't a compiler feature, but a JIT/CLI on the ldstr opcode, but indeed: it may perform differently. My understanding is that the obfuscators work hard to minimise negative effects of this.
Marc Gravell
@Joan - my reasons have nothing to do with obfuscation; it is some OSS serialization code that uses meta-programming to write the most appropriate serialization code at runtime, which can be quite... gnarly. Simply, at points in that the most appropriate IL happens to be stuff that makes no sense in terms of languages.
|
That is certainly the start of an obfuscator. Though some obfuscators will also encrypt strings and other such tricks to make it very difficult to reverse engineer the assembly.
Of course, since the runtime needs to run the assembly after all of this, it is possible for a determined hacker to reverse engineer it :)
Comments
There are 'deobfuscator' tools to undo several obfuscation techniques like Decrypt strings, Remove proxy methods, Devirtualize virtualized code, Remove anti-debug code, Remove junk classes, Restore the types of method parameters and fields and more...
One very powerful tool is de4dot.
But there are more.
Comments
Obfuscation is about changing meaningful names like accountBalance to meaningless ones like a1.
The application will obviously still work, but it will be more difficult to understand the algorithms inside it.
1 Comment
stefan
That is one (stupid) way of obfuscation yup. Imagine being high on LSD and still making the stuff work. Thats a good obfuscation.
It's depend upon the obfuscation technology used. Obsfucating variable name is only one part of the issue. A lot of obfuscation tools perform some kind of program flow obfuscation at the same time, which will complicate further code comprehension. At the end, the obfuscated IL won't be expressible easily (if at all) in most programming languages.
Renaming the variables and fields won't help you much either, as having a lot of variable1, variable2.. won't help you to understand what you read.
