Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 04-15-2011, 07:23 PM
munchoa munchoa is offline
Junior Member
 
Join Date: Oct 2009
Posts: 2
Default "Wise Owl" .NET protector review

Hi everyone!

This is my first post (as I remember) in this forum. I've been interested for some time on how to protect my application from reverse engineering (and not necessarily copy protection).

I've evaluated a few .NET protectors - SmartAssembly.NET and a few others. I want a pure .NET solution and I think the best protection is good obfuscation - especially control-flow obfuscation. After all this is the only reliable IP protection.

I saw a few posts over the Internet that the Wise Owl protector (http://www.wiseowl.com/) is suppose to be quite good (or even the best), but no one has ever tested it. Probably because you must send an e-mail from a corporate e-mail server to get a trial version.

Well, I decided that I must test it. I always strive for the best you know

Wise Owl is a command line tool (well - we all like GUI, but that's not a big deal) and have a very limited set of command line options (you can see the complete list of options here - http://www.wiseowl.com/Support/ReadMe.htm).
Having a small set of options is not bad actually if they are enough for your needs. There is no need to make things more complex than they should be

The options I liked the most are:
/cc (compiler controlled private scope - having methods with exactly the same signature within the same type - cool )
/names:Unicode (I like Unicode - it makes the assembly much more difficult to understand in reflector; even gibberish like "aH56sD" is a LOT better than the Unicode's square box)
/application (haven't used it but I like the idea)
/config:<configFile> (incremental obfuscation - could be very useful)
/encryptstrings (always better than plain text)
/flow:<level> (control-flow obfuscation is a must)

First, I tried the /cc option and I liked the result. Very good (and fairly standard) name obfuscation.

Then, I tried /cc, /encryptstrings and /flow:advanced on a single assembly.

The encrypted strings were just Unicode - fairly standard. The important part would be if the encryption method is good. But I did not check that. I went for the control-flow. Of course C# in .NET Reflector just crashes. In IL the code did not seem very obfuscated excluding the two "br.s" instructions at the beginning of the method. Well, I assumed the obfuscation is so good that it even does not use the usual "br.s". There might be some really good obfuscation that uses complex instructions to make the code "undecipherable mess" (daydreamer).
So I used a new tool that I just have found out about - ILSpy (http://wiki.sharpdevelop.net/ilspy.ashx). And it did not crash on obfuscated methods.
What a surprise! My methods stood in plain text within a construct like
Code:
if (1 != 0) { 
    A: 
    ///... my code here ... 
} 
goto A;
It was pretty obvious that there was NO control-flow obfuscation whatsoever except for the simple if statement that made .NET reflector crash. So I decided to use the /flow:maximum option in hope that obfuscation will improve. Nope. I found no differences in code.

I also immediately located the super simple string decryption function that does not depend on anything but its input Unicode string. I remember SmartAssembly doing some assembly tampering checks on string decryption. Nothing similar here.

So the conclusion is that apart from its nice member name obfuscation there is nothing else in this obfuscator. And the $800 for the enterprise version are simply not worth it. I can find a free obfuscator to do the same or even write one myself.

So if anyone is interested in a crackme I'll be happy to make one (or two). However, I think that a deobsucator will be fairly easy to make.

Wish you best.
Reply With Quote
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.