Reversing : The Hacker's Guide to Reverse Engineering


Figure 12.3 The ILDasm error message displayed when trying to open an obfuscated
assembly.


There are two general strategies for preventing disassembly and decompilation
in .NET assemblies. When aiming specifically at disrupting ILDasm, there
are some undocumented metadata entries that are checked by ILDasm when
an assembly is loaded. These entries are modified by obfuscators in a way that
makes ILDasm display the copyright message from Figure 12.3.

Another approach is to simply “corrupt” the assembly’s metadata in some
way that would not prevent the CLR from running it, but would break programs
that load the assembly into memory and scan its metadata. Corrupting
the metadata can be done by inserting bogus references to nonexistent strings,
fields, or methods. Some programs don’t properly deal with such broken links
and simply crash when loading the assembly. This is not a pretty approach for
obfuscation, and I would generally recommend against it, especially considering
how easy it is for developers of decompilers or disassemblers to work
around these kinds of tricks.


Reversing Obfuscated Code


The following sections demonstrate some of the effects caused by the popular
.NET obfuscators, and attempt to evaluate their effectiveness against reverse
engineering. For those looking for an accurate measurement of the impact of
obfuscators on the complexity of the reverse-engineering process, there is
currently no such measurement. Traditional software metrics approaches such as
the McCabe software complexity metric [McCabe] don’t tell the whole story
because they only deal with the structural complexity of the program, while
completely ignoring the representation of the program. In fact, most of the .NET
obfuscators I have tested would probably have no effect on something like the
McCabe metric, because they primarily alter the representation of the program,
not its structure. Sure, control-flow obfuscation techniques can increase
the complexity of a program’s control-flow graph somewhat, but that’s really
just one part of the picture.
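
The point about the McCabe metric can be checked on a small control-flow graph. The Python sketch below is an added example, not code from the book: the graph for a linked-list search loop, the block labels, and the function names are all constructed for illustration, and it assumes every block appears as a key in the graph.

```python
# Added illustration (not from the book): McCabe's metric M = E - N + 2P
# computed on a control-flow graph given as {block: [successor blocks]}.

def cyclomatic_complexity(cfg):
    nodes = set(cfg) | {s for succs in cfg.values() for s in succs}
    edges = sum(len(succs) for succs in cfg.values())
    # Count connected components P, treating edges as undirected.
    undirected = {n: set() for n in nodes}
    for src, succs in cfg.items():
        for dst in succs:
            undirected[src].add(dst)
            undirected[dst].add(src)
    seen, components = set(), 0
    for start in nodes:
        if start in seen:
            continue
        components += 1
        stack = [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(undirected[n] - seen)
    return edges - len(nodes) + 2 * components

def rename_symbols(cfg):
    """Model a renaming obfuscator: every label becomes a meaningless name."""
    new_name = {old: f"a{i}" for i, old in enumerate(cfg)}
    return {new_name[b]: [new_name[s] for s in succs] for b, succs in cfg.items()}

def add_bogus_branch(cfg, block):
    """Model control-flow obfuscation: a never-taken branch to a junk block."""
    out = {b: list(succs) for b, succs in cfg.items()}
    junk = block + "_junk"
    out[junk] = [out[block][0]]  # junk block rejoins the real successor
    out[block].append(junk)
    return out

# Constructed CFG for a hypothetical linked-list search loop.
FIND_ITEM = {
    "entry": ["loop_test"], "loop_test": ["compare", "return_null"],
    "compare": ["return_item", "advance"], "advance": ["loop_test"],
    "return_item": ["exit"], "return_null": ["exit"], "exit": [],
}

if __name__ == "__main__":
    print("original:     ", cyclomatic_complexity(FIND_ITEM))
    print("renamed:      ", cyclomatic_complexity(rename_symbols(FIND_ITEM)))
    print("bogus branch: ", cyclomatic_complexity(add_bogus_branch(FIND_ITEM, "advance")))
```

Renaming changes every label a reader would rely on yet leaves the metric untouched, while a single inserted branch raises it by only one.
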
Let’s examine the impact of some of the popular .NET obfuscators on the
linked-list example and try to determine how effective these programs are
against decompilation and against manual analysis of the IL code.

