I plan to release one small, low priced utility. Since this is more hobby than business, I planned to use Dotfuscator Community Edition that is shipped with VS2008.
How good is it?
I could also use definition of “good enough obfuscator” – what features are missing from Dotfuscator Community Edition to make it good enough.
Edit:
I checked pricing on number of commercial obfuscators and they cost a lot. Is it worth it?
Are commercial versions that much better protecting from reverse engineering?
I’m not very afraid of my application being cracked (it will be disappointing if application is so bad that no one is interested in cracking it). It’s not heavily protected anyway, not overly complex serial key and licence checks on few places in code. It just bugs me that without obfuscation, somebody can easily get source code, rebrand it and sell it as its own.
Does this happens a lot?
Edit 2:
Can somebody recommend commercial obfuscator. I found lots of them, all of them are expensive, some even don’t have price listed on web site.
Feature wise, all products seem more or less similar.
What is minimal set of features obfuscator should have?
In a nutshell, the main difference between Dotfuscator Community Edition and the other “professional” editions is that Community Edition will only really obfuscate and change your namespaces, method names, and other “public” accessible aspects of your classes. It won’t delve into the functions themselves and obfuscate the “private” code within the function.
Also, the Community Edition doesn’t do anything to obfuscate such things as control flow within your application, nor will it “combine” code from multiple assemblies into one assembly. These are features that are available within the “professional” paid-for versions.
The best comparison between the Community Edition (the “free” version that comes with Visual Studio) and the “professional”, paid-for editions can be found by looking at the following two links:
Preemptive Dotfuscator Editions Comparison
Dotfuscator Community Edition 3.0 on MSDN
The MSDN link is slightly out of date, however, gives a much better explanation of the actual features that are available within the various editions of Dotfuscator.
EDIT:
Commercial obfuscators do cost a lot of money, and as to wether they are worth the money? Well, that’s a judgement call that really only you can make. Personally, I would say that it isn’t worth it in your scenario. Firstly, because you’re only wanting to protect one application (“I plan to release one small, low priced utility.”) and secondly, you say that you’re not overly concerned with the application being “cracked” (“I’m not very afraid of my application being cracked.”).
I understand how it can bug you that compiled .NET applications, without any obfuscation, can be easily reverse engineered to their original source code, and that someone may make use of this to steal your software and sell it as their own, however, the fact remains that software piracy does exist and you will probably never stop it.
Trying to stop software piracy has been debated ad-nausem both on here (Stack Overflow) and all over the internet.
The general consensus seems to be that you need to focus your time and energies more on making your product as great as it can be rather than using this same time trying to protect something that, given enough time/money, an “attacker” can “crack”/steal your software anyway, despite your best efforts to prevent him from doing so.
I would say that it probably happens a lot less than you think it does. Sure, software gets cracked, but I don’t think too many people actually steal other’s source code and completely re-brand it to sell as their own. I’m not saying it doesn’t, or hasn’t happened, but it’s certainly not a common occurrence.
To summarise, I’d say that your best bet would be to focus on making your utility as great as it can be and use the free Dotfuscator obfuscator, since it requires very little investment of time/money, to obfuscate your code from the most obvious prying eyes, but don’t lose any sleep over the fact that if someone wants to crack/steal your product/code badly enough, they will do.