Reversing: The Hacker's Guide to Reverse Engineering


DotFuscator by Preemptive Solutions


DotFuscator (PreEmptive Solutions, http://www.preemptive.com) is another
obfuscator that offers functionality similar to XenoCode's. It supports symbol
renaming and control flow obfuscation, and it can block certain tools from
dumping and disassembling obfuscated executables. DotFuscator's aggressive
symbol renaming eliminates namespaces and uses overloaded methods to add
further confusion (PreEmptive calls this its Overload-Induction feature).
Consider for example a class that has three separate methods: one that takes no
parameters, one that takes an integer, and another that takes a Boolean. The
beauty of Overload-Induction is that all three methods are likely to receive the
same name, with the runtime selecting the specific method by the number and
types of the parameters passed to it. This is highly confusing to reversers
because it becomes difficult to differentiate between the individual methods.
Listing 12.7 shows an IL listing for our LinkedList::Dump method from
Listing 12.4.

instance void a() cil managed
{
// Code size: 36 bytes
.maxstack 1
.locals init (class d V_0)

IL_0000: ldarg.0
IL_0001: ldfld class d b::a
IL_0006: stloc.0
IL_0007: br.s IL_0009
IL_0009: ldloc.0
IL_000a: brtrue.s IL_0011
IL_000c: br IL_0023
IL_0011: ldloc.0
IL_0012: callvirt instance void d::a()
IL_0017: ldloc.0
IL_0018: ldfld class d d::b
IL_001d: stloc.0
IL_001e: br IL_0009
IL_0023: ret
} // end of method b::a

Listing 12.7 DotFuscated version of the LinkedList::Dump method from Listing 12.4.
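The following C# is an added illustration of the Overload-Induction idea described above and of the shape of the loop in Listing 12.7; it is not code from the book, from PreEmptive Solutions, or actual DotFuscator output. The class and member names (Node, LinkedList, Dump, and the renamed a, b, c, d), the three overload bodies, and the OverloadsOf helper are all assumptions chosen to mirror the listing. Since C# does not allow a field and a method of the same class to share a name (IL does, which is why Listing 12.7 has both a field b::a and a method b::a), the renamed head field is called c here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// --- As the programmer wrote it: descriptive names, three overloads of Dump. ---
// (Assumed source; Listing 12.4 in the book may differ.)
class Node
{
    public int Value;
    public Node Next;
    public void Dump() => Console.WriteLine(Value);
}

class LinkedList
{
    public Node Head;

    public void Dump()                 // walk the whole list
    {
        for (Node n = Head; n != null; n = n.Next)
            n.Dump();
    }
    public void Dump(int maxItems)     // walk at most maxItems nodes
    {
        for (Node n = Head; n != null && maxItems-- > 0; n = n.Next)
            n.Dump();
    }
    public void Dump(bool reverse)     // walk, optionally from the tail
    {
        if (!reverse) { Dump(); return; }
        var items = new Stack<Node>();
        for (Node n = Head; n != null; n = n.Next) items.Push(n);
        foreach (var n in items) n.Dump();
    }
}

// --- The same code after Overload-Induction-style renaming, written by hand
// to mimic the effect. All three overloads are now called 'a'; the CLR still
// dispatches correctly because it selects by parameter count and types, but
// the names carry no information for a reader. ---
class d                                // was Node
{
    public int c;                      // was Value
    public d b;                        // was Next
    public void a() => Console.WriteLine(c);
}

class b                                // was LinkedList
{
    public d c;                        // was Head (named 'a' in the IL listing)
    public void a()                    // was Dump(): the loop Listing 12.7 shows in IL
    {
        for (d n = c; n != null; n = n.b)
            n.a();
    }
    public void a(int n)               // was Dump(int)
    {
        for (d x = c; x != null && n-- > 0; x = x.b)
            x.a();
    }
    public void a(bool r)              // was Dump(bool)
    {
        if (!r) { a(); return; }
        var s = new Stack<d>();
        for (d x = c; x != null; x = x.b) s.Push(x);
        foreach (var x in s) x.a();
    }
}

static class Program
{
    // Analyst helper (assumed, not a DotFuscator or book API): list every
    // overload of a given name together with its parameter types. Once names
    // are meaningless, the signature is the stable handle for telling the
    // methods apart, and is the natural basis for renaming them in a disassembler.
    static string[] OverloadsOf(Type t, string name) =>
        t.GetMethods(BindingFlags.Instance | BindingFlags.Public | BindingFlags.DeclaredOnly)
         .Where(m => m.Name == name)
         .Select(m => $"{m.Name}({string.Join(", ", m.GetParameters().Select(p => p.ParameterType.Name))})")
         .OrderBy(s => s)
         .ToArray();

    static void Main()
    {
        // Constructed three-node list: 1 -> 2 -> 3.
        var list = new b { c = new d { c = 1, b = new d { c = 2, b = new d { c = 3 } } } };

        list.a();         // overload resolution picks a()
        list.a(2);        // picks a(int)
        list.a(true);     // picks a(bool)

        Console.WriteLine("Overloads named 'a' on class b:");
        foreach (var sig in OverloadsOf(typeof(b), "a"))
            Console.WriteLine("  " + sig);
    }
}
```

The three calls in Main compile to three different callvirt targets even though the source reads identically apart from the arguments, which is exactly what makes the renamed code hard to follow by name alone. The reflection helper shows the defender's counter: enumerate overloads by signature rather than by name, then assign your own descriptive names per signature while reading the IL.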

The first distinctive feature of DotFuscator is those short, single-letter
names used for symbols. This can get extremely annoying, especially considering
that every class has at least one method called a. If you try to follow the
control flow instructions in Listing 12.7, you'll notice that they barely resemble

448 Chapter 12
