.NET Reactor encryption vs obfuscation

grinder22 picture grinder22 · Jun 14, 2017 · Viewed 7.3k times · Source

I have a requirement to protect our assemblies against reverse engineering, to lessen the risk of IP theft or license hacks. .NET Reactor looks powerful and we already have a license for it.

Reading through the documentation it seems there are several mechanisms for preventing decompilation other than obfuscation. I've read that obfuscation can foul up serialization, which a big part of our system, and I am hoping to avoid it completely.

I'm mainly interested in NecroBit, which claims to encrypt the CIL, making it "impossible to decompile/reverse engineer." It seems to me that if this is true, obfuscation or any other settings would be pointless.

Can any experienced .NET Reactor users give any more practical explanation of the various options and/or suggest a good permutation for a serialized system? What are some good tools for testing this software's claims?

Answer

grinder22 picture grinder22 · Jun 20, 2017

Hopefully this helps some other people using .NET Reactor or similar tools. I'm aware the limitations of any tool. The goal was to reduce the risk of licensing hacks as much as possible with minimal effort. My company has been burned before and the boss wanted it.

Our project in particular is a WPF desktop using Prism. I found when I tried to Merge my assemblies into a single fat exe, some of my interface registrations were failing to resolve in the Unity container. We decided it was ok to protect each dll individually rather than fight with this. Once I did that this tool worked nicely. I literally checked every protection option for the desktop.

Our services run SignalR hubs in a self-hosted OWIN process. In this case the Native EXE File option would not work. We got Bad Image Format exceptions when we ran the services. Otherwise all options checked.

Beyond that I ran into some spotty issues where we were using reflection in the form of Type.GetMethod(string). I had to exclude a few methods and classes with an ObfuscationAttribute.

I was anticipating issues with JSON serialization but didn't get any. Everything just worked :)