A different question, i.e. Best .NET obfuscation tools/strategy, asks whether obfuscation is easy to implement using tools.
My question though is, is obfuscation effective? In a comment replying to this answer, someone said that “if you’re worried about source theft … obfuscation is almost trivial to a real cracker”.
I’ve looked at the output from the Community Edition of Dotfuscator: and it looks obfuscated to me! I wouldn’t want to maintain that!
I understand that simply ‘cracking’ obfuscated software might be relatively easy: because you only need to find whichever location in the software implements whatever it is you want to crack (typically the license protection), and add a jump to skip that.
If the worry is more than just cracking by an end-user or a ‘pirate’ though: if the worry is “source theft” i.e. if you’re a software vendor, and your worry is another vendor (a potential competitor) reverse-engineering your source, which they could then use in or add to their own product … to what extent is simple obfuscation an adequate or inadequate protection against that risk?
The code in question is about 20 KLOC which runs on end-user machines (a user control, not a remote service).
If obfuscation really is “almost trivial to a real cracker”, I’d like some insight into why it’s ineffective (and not just “how much” it’s not effective).
I’m not worried about someone’s reversing the algorithm: more worried about their repurposing the actual implementation of the algorithm (i.e. the source code) into their own product.
Figuring that 20 KLOC is several months’ work to develop, would it take more or less than this (several months) to deobfuscate it all?
Is it even necessary to deobfuscate something in order to ‘steal’ it: or might a sane competitor simply incorporate it wholesale into their product while still obfuscated, accept that as-is it’s a maintenance nightmare, and hope that it needs little maintenance? If this scenario is a possibility then is obfuscated .NET code any more vulnerable to this than compiled machine code is?
Is most of the obfuscation “arms race” aimed mostly at preventing people from even ‘cracking’ something (e.g. finding and deleting the code fragment which implements licensing protection/enforcement), more than at preventing ‘source theft’?