Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 04-15-2011, 07:23 PM
munchoa munchoa is offline
Junior Member
 
Join Date: Oct 2009
Posts: 2
Default "Wise Owl" .NET protector review

Hi everyone!

This is my first post (as I remember) in this forum. I've been interested for some time on how to protect my application from reverse engineering (and not necessarily copy protection).

I've evaluated a few .NET protectors - SmartAssembly.NET and a few others. I want a pure .NET solution and I think the best protection is good obfuscation - especially control-flow obfuscation. After all this is the only reliable IP protection.

I saw a few posts over the Internet that the Wise Owl protector (http://www.wiseowl.com/) is suppose to be quite good (or even the best), but no one has ever tested it. Probably because you must send an e-mail from a corporate e-mail server to get a trial version.

Well, I decided that I must test it. I always strive for the best you know

Wise Owl is a command line tool (well - we all like GUI, but that's not a big deal) and have a very limited set of command line options (you can see the complete list of options here - http://www.wiseowl.com/Support/ReadMe.htm).
Having a small set of options is not bad actually if they are enough for your needs. There is no need to make things more complex than they should be

The options I liked the most are:
/cc (compiler controlled private scope - having methods with exactly the same signature within the same type - cool )
/names:Unicode (I like Unicode - it makes the assembly much more difficult to understand in reflector; even gibberish like "aH56sD" is a LOT better than the Unicode's square box)
/application (haven't used it but I like the idea)
/config:<configFile> (incremental obfuscation - could be very useful)
/encryptstrings (always better than plain text)
/flow:<level> (control-flow obfuscation is a must)

First, I tried the /cc option and I liked the result. Very good (and fairly standard) name obfuscation.

Then, I tried /cc, /encryptstrings and /flow:advanced on a single assembly.

The encrypted strings were just Unicode - fairly standard. The important part would be if the encryption method is good. But I did not check that. I went for the control-flow. Of course C# in .NET Reflector just crashes. In IL the code did not seem very obfuscated excluding the two "br.s" instructions at the beginning of the method. Well, I assumed the obfuscation is so good that it even does not use the usual "br.s". There might be some really good obfuscation that uses complex instructions to make the code "undecipherable mess" (daydreamer).
So I used a new tool that I just have found out about - ILSpy (http://wiki.sharpdevelop.net/ilspy.ashx). And it did not crash on obfuscated methods.
What a surprise! My methods stood in plain text within a construct like
Code:
if (1 != 0) { 
    A: 
    ///... my code here ... 
} 
goto A;
It was pretty obvious that there was NO control-flow obfuscation whatsoever except for the simple if statement that made .NET reflector crash. So I decided to use the /flow:maximum option in hope that obfuscation will improve. Nope. I found no differences in code.

I also immediately located the super simple string decryption function that does not depend on anything but its input Unicode string. I remember SmartAssembly doing some assembly tampering checks on string decryption. Nothing similar here.

So the conclusion is that apart from its nice member name obfuscation there is nothing else in this obfuscator. And the $800 for the enterprise version are simply not worth it. I can find a free obfuscator to do the same or even write one myself.

So if anyone is interested in a crackme I'll be happy to make one (or two). However, I think that a deobsucator will be fairly easy to make.

Wish you best.
Reply With Quote
  #2  
Old 04-16-2011, 05:00 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

Nice review! Few notes:
  • Borland/Embarcadero ship "Wise Owl Demeanor for .NET Personal Edition" with Delphi. I was able to find 3.0 and 4.0 versions on DVDs, but not v5.0. Which version were you testing?
  • Any technical differences in Personal vs. Enterprise? Any improvements in 5.x compared to 4.x?
  • They use XHEO Licensing (fail! ) in Personal Edition, is it the same in Enterprise?

Cheers,
kao.
Reply With Quote
  #3  
Old 04-16-2011, 05:51 AM
munchoa munchoa is offline
Junior Member
 
Join Date: Oct 2009
Posts: 2
Default

Hi Kao,

Quote:
Borland/Embarcadero ship "Wise Owl Demeanor for .NET Personal Edition" with Delphi. I was able to find 3.0 and 4.0 versions on DVDs, but not v5.0. Which version were you testing?
I tested v5.0.

You are safe using the personal edition only. There is no price for this edition on the Wise Owl's site so I do not known how much does it cost.
The enterprise edition brings you cross-assembly obfuscation, incremental obfuscation, the non-existent control-flow obfuscation, and the simple string "encryption". I think a general deobfuscator might be able to remove the string encryption and may be the control-flow. I can even write one but I don't think its worth it.

Quote:
Any technical differences in Personal vs. Enterprise? Any improvements in 5.x compared to 4.x?
As far as I know the only differences between the editions is the set of command-line options you can use.

I have not used v4.0 so I cannot tell of any improvements. For me, the only valuable stuff in this obfuscator is its member name obfuscation which is fairly standard anyway.

Quote:
They use XHEO Licensing (fail! ) in Personal Edition, is it the same in Enterprise?
I have no idea what kind of licensing does it use. However I looked at the code with ILSpy. It seems that Demeandor itself has been used to protect the assembly since the control-flow obfuscation and the string encryption are the same. I noticed a bunch of p/invoke methods calling various driver, registry and other API Windows functions which I think is the protection you mention.

Regards,
muncho
Reply With Quote
  #4  
Old 07-18-2011, 04:13 AM
Joshia Joshia is offline
Junior Member
 
Join Date: Jul 2011
Posts: 1
Default

Hello.
I have the Dyamar Protector. It has the best properties of protection file from copy and you can use it to create a wide range of protection schemes, including: file compression, protection against reverse-engineering, licensing, and providing trial versions to your customers. This software supports multi-language activation. This enables you to deploy your software in most countries and allows your end users to easily activate it.
I am very Happy. The most information you van find here Copy Protection
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.