Certain programming languages like .NET and Java can very easily be decompiled to readable sources. There are a lot of definitions about the code obfuscation, but to explain it better we the code obfuscation is the process that makes your application binaries slightly harder to read with a decompiler. It is a very important tool to protect the intellectual property of your business.
Why Obfuscate Code?
Some compiled languages get converted directly to bytecode, for example C++. If you want to reverse engineer, the only way to work is with a disassembler, which is a complicated and arduous process. Though, it is not impossible, inferring high level app logic from a stream of assembly language is quite difficult.
On the other side, languages like Java and C# are not compiled for any particular OS. They are more complied to an intermediary language, such as MSIL from .NET’s. This intermediary language is very similar to assembly, but it’s very easily converted back into the source code. So this does mean that in case you have a executable or public Dynamic-link library (DLL), anyone who possesses a copy of your executable are able to open it up in, let’s say dotPeek (.NET decompiler), and directly read your source code, and copy it as well.
Any .NET DLL can be plugged into a decompiler, so code obfuscation cannot prevent this process. But what obfuscation does is use a number of things in order to make the source code very annoying to read and debug.
Renaming is the simplest form of this entity. It is a very common practice to properly name all of the methods, variables, parameters and classes according to what function they do. But of course you don’t have to do that, so there is nothing that is really stopping you from naming them with lowercase L’s and I, or random similar combinations of unicode characters, just to make the code very hard to read and debug. For the computer it is all the same, but to a human is very difficult to distinguish.
It could look something like this:
(neat, right?)
This process will be handled automatically by a basic obfuscator, taking the output from the build and then converting it to something that is really, really hard to read. By doing this there is no performance decrease to non-obfuscated code.
There are types of advanced obfuscators that can make it possible to change the structure of the source code. This means it can replace control structures with identical syntax but it looks more complicated.
It can also embed a code that doesn’t do anything, but it would make it harder to read for the decompiler. This means the source would look like ‘spaghetti code’ – which means it would annoy anyone who tries to read the code.
Hiding strings – is one of the common things. In this way, string obfuscation can replace strings with encoded messages – which are also decrypted, and it makes it difficult to search for them from a decompiler.
There are lots of options for obfuscators, it depends on the language the obfuscators are using. For example, Obfuscar, ProGuard, Javascript-obfuscator. etc.
Another option: You can convert to a Compiled Language
Actually, you can convert one programming language to another one, isn’t that a hard or crazy idea. It is an effective way to secure games from cracking, and it is an important step to do when protecting from piracy and cheaters. For example, Unity uses an IL2CPP converter to transform .NET code into C++ bytecode.
Is it necessary to Obfuscate?
Untrusted environments exist – so if you are using a code, and you want to secure it, it is important to use an obfuscator to make decompiling hard.
Securing your code is a must. Using an obfuscator is a must. If you don’t want anybody to decompile your app, you should try switching to a language that doesn’t have these problems.