10.07.2015 Views

using dotfuscator professional and flexnet installshield ... - SoftSummit

WHITE PAPER

USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO


TABLE OF CONTENTS

Step 1 – Open the GettingStarted Solution with Visual Studio
Step 2 – Creating a Dotfuscator Project
Step 3 – Building the Solution
Step 4 – Configuring the Project Properties
Step 5 – Configuring Obfuscation Settings
Step 6 – Rebuilding the Solution
Step 7 – Browsing the Output
Step 8 – Browsing the Reports
Step 9 – Creating an InstallShield Project
Step 10 – Configuring the InstallShield Project
Step 11 – Rebuilding the solution with Setup
Conclusion
About Macrovision


Macrovision’s FLEXnet® InstallShield® provides software publishers with the leading solution for authoring strong and reliable installations. PreEmptive’s Dotfuscator® Professional provides software publishers with the leading solution for protecting their .NET applications and making them as small and efficient as possible. Both are key components of any publisher’s efforts to maximize the value of their software.

This white paper demonstrates how to use Dotfuscator Professional Edition together with FLEXnet InstallShield Premier Edition from within Visual Studio. You can then include obfuscation and installation as part of a single Visual Studio solution build. The Dotfuscator project can accept input files from one or more Visual Studio® Projects (such as C# or VB.NET projects), or you can specify input assemblies directly from a file browse dialog. In turn, the InstallShield project accepts input directly from the Dotfuscator project. The latest version, FLEXnet InstallShield 12, supports Visual Studio 2005 and earlier editions.

Step 1 – Open the GettingStarted Solution with Visual Studio

The GettingStarted solution comes with Dotfuscator Professional Edition. It is a simple Windows Forms application written in C# and is installed in a subdirectory of your Dotfuscator installation folder. The folders mentioned in the following steps assume that you chose the default locations when installing Dotfuscator.

• Within Visual Studio, click on "Open Solution", and browse to:
C:\Program Files\PreEmptive Solutions\Dotfuscator Professional Edition 3.0\samples\cs\GettingStarted\GettingStarted.sln
• The solution and project files are in Visual Studio 7.0 format. If you are using a later version of Visual Studio, you will be asked if it is OK for Visual Studio to upgrade the files. You should agree to the upgrade before continuing.
• You should now see the GettingStarted C# project opened in Solution Explorer. This is a C# project that you can use to build the GettingStarted executable.

Step 2 – Creating a Dotfuscator Project

• From Visual Studio's File menu in the toolbar, click on "Add New Project".
• In the Add New Project Dialog, click on "Dotfuscator Projects". Click on the "Dotfuscator Project" icon and name the project "GetDotfuscated". Click OK to create the project.
• You should now see a new Dotfuscator project called "GetDotfuscated" in the Solution Explorer. You use the Solution Explorer as the starting point for configuring Dotfuscator projects.
• To specify the assembly to be obfuscated (the input file), we will tell Dotfuscator to use the output from the GettingStarted project. Right click on the top level GetDotfuscated node and select "Add Project Output" from the context menu. This will bring up the "Add Project Output" dialog.
• On the "Add Project Output" dialog, select the "GettingStarted" project from the project drop down, then select "Primary Output" from the output groups list. Click OK.
• Under the Dotfuscator project's "Input Assemblies" node within Solution Explorer, you should now see "GettingStarted.exe from GettingStarted (Active)".

Step 3 – Building the Solution

The solution is now ready to be built.

• Right click on the "GetDotfuscated" project node in Solution Explorer and select "Properties" from the context menu. This will bring up the property pages for your Dotfuscator project. Click on the Build properties. The Output Directory is populated by default as: ${configdir}\Dotfuscated. Note: ${configdir} is a variable that holds the path to your Dotfuscator configuration file. See Figure 1. If you have installed the samples to the default location, the obfuscated assembly will be written to:
C:\Program Files\PreEmptive Solutions\Dotfuscator Professional Edition 3.0\samples\cs\GettingStarted\GetDotfuscated\Debug\Dotfuscated


The PDB files are placed in the output directory along with the output assemblies. See Figure 2 below.

Figure 1: Viewing Dotfuscator Properties.

Figure 2: Setting Dotfuscator’s Global Options.

• Select "Build Solution" from the build menu. The C# project will build first, then the Dotfuscator project. You will see Dotfuscator's output in Visual Studio's output window.
• Within Solution Explorer, you can bring up Dotfuscator's Output Browser by double clicking the "Output" node in the GetDotfuscated project. Here you can see the original and new names that Dotfuscator applied.
• Next, with a little more configuration, we can use some of Dotfuscator's more powerful features.

Step 4 – Configuring the Project Properties

• Right click on the "GetDotfuscated" project node in Solution Explorer and select "Properties" from the context menu.
• Select “Configuration Properties -> Global Options” from the left tree. This will bring up the property sheet for your Dotfuscator project’s global options.
• Set the values for “Disable Renaming”, “Disable Control Flow”, “Disable String Encryption”, “Disable Removal”, and “Disable PreMark” to “No”. You have fine grained control over which transforms Dotfuscator will apply to your assemblies; these are the features we will configure and use in the next steps.
• Set the "Build Progress" property to "Verbose". This will cause Dotfuscator to provide additional information in the Visual Studio output window during builds.
• Set the "Emit Debug Symbols" property to "Yes" (this is the default for Debug project configurations). Setting this option tells Dotfuscator to create a symbol file in PDB format for each output assembly. Debuggers can then use these files to provide useful information in a debugging session. Typically, they contain information like line numbers, source file names, and local variable names.

Step 5 – Configuring Obfuscation Settings

• In Solution Explorer, expand the "Configuration Options" folder in the Dotfuscator Project. Here you will see a node for each configurable obfuscation setting. A node is “grayed out” if the feature is disabled. To enable or disable a feature, you can either right click on its node and check (or uncheck) the “Disabled” menu item, or you can set it using the Global Properties sheet as described in step 4. In this section, we are going to use renaming, control flow obfuscation, string encryption, removal and watermarking.
• Double click the Renaming node. This will show the renaming editor. Renaming will obscure code by renaming methods and fields to names that are not understandable. It is turned on by default and items must be selected to be excluded from the renaming process. For this application, you do not need to exclude anything.
• In the renaming editor, click the Options sub tab. Check "Use Enhanced Overload Induction". This feature can allow up to 15 percent more redundancy in method and field renames. Since overloading on method return type or field type is typically not allowed in source languages (including C# and VB), this further hinders decompilers.
• Note that the "Map Output File" text box has defaulted to: ${configdir}\Dotfuscated\Map.xml. As previously mentioned, ${configdir} is a variable that Dotfuscator replaces with the path of its configuration file.
• Check "Output as HTML" to get a useful report containing renaming information and statistics on your application. This report will output into the same directory as the map file. The default location is: ${configdir}\Dotfuscated\Map.html.

Figure 3: Setting Dotfuscator’s Renaming Options.

• Double click the Control Flow node. This will show the control flow editor. Control Flow obfuscation synthesizes branching, conditional, and iterative constructs (such as if, for, and while) that produce valid forward (executable) logic, but yield non-deterministic semantic results when decompilation is attempted. In other words, the code runs as before, but decompilers cannot reproduce the original code.
• In the Control Flow editor, click the Options sub tab. The level of control flow obfuscation may be set to one of three values: “low”, “medium”, or “high”. These levels correspond to the aggressiveness of Dotfuscator’s control flow obfuscation algorithms. A higher level will generally result in stronger obfuscation at the cost of increased code size and slightly degraded performance. This is because more aggressive control flow obfuscation tends to involve adding more branch instructions to the code. Control Flow should be applied to methods involved in license checking, database communication or containing proprietary algorithms. Performance critical methods may be excluded by selecting them in the Exclude sub tab.
• Double click the String Encryption node. This will show the string encryption editor. String Encryption will scramble the strings in your application. For example, someone looking to bypass your registration and verification process can search for the string where your program asks the user for a serial number. When they find the string, they can look for instructions near it and alter the logic. String Encryption makes this much more difficult to do, because their search will come up empty.
• String encryption is inclusion based, so you must mark the assembly's checkbox at the root of the tree shown in the left pane to include all methods in the input assembly.
• Double click the Removal node. This will show the removal editor. Removal instructs Dotfuscator to detect and remove unused types, methods, and fields. This can potentially save significant space in the final application.
• For removal to work, Dotfuscator needs to know what the entry points to the application are. In this case, the entry point is the standard "Main" method, and Dotfuscator is able to determine this without extra configuration.
• In the removal editor, click the Options sub tab. Specify "${configdir}\Dotfuscated\removal.xml" for the "Removal Report File". Also, check "Output as HTML" to get a formatted report containing removal information and statistics on your application. This report will output into the same directory as the removal.xml file.
• Double click the PreMark node. This will show the watermarking editor. Software watermarking can be used to hide copyright information or customer identification information into software applications, similar to how it can be hidden in other digital content such as songs, movies and images. A watermark can be used to identify owners of the software or track the origin of a pirated copy.
• Mark the assembly's checkbox at the root of the tree shown in the left pane to place this watermark inside the assembly.
• Select the appropriate Character Map (for example, if you want lower case strings – choose 6 bit Alphanumeric) and enter whatever information you wish to hide.

Figure 4: Adding a Watermark to an Application

TIP: Extracting your watermark
Dotfuscator Professional ships with a command line tool called "premark" that accepts an assembly as input and outputs the watermark if any. The tool is installed into the same directory as Dotfuscator.
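A post-build check for the renaming and string encryption settings in Step 5, added here as an example (it is not part of the white paper or of Dotfuscator). It searches an assembly's bytes for readable strings in the two encodings .NET uses, UTF-16LE for string literals and UTF-8 for type and member names, and reports any that contain a phrase you expected to be hidden. The sample bytes, the prompt text, the method name and the script name are constructed for illustration.

```python
"""Post-build check: which sensitive strings are still readable in an assembly?"""
import re
import sys
from pathlib import Path

# .NET keeps string literals as UTF-16LE (#US heap) and type/member names as
# UTF-8 (#Strings heap), so look for printable runs in both encodings.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data):
    """Yield (offset, encoding, text) for each printable run of 4+ characters."""
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")


def find_leaks(data, needles):
    """Return sorted (offset, encoding, needle, text) hits, case-insensitive."""
    wanted = [n.lower() for n in needles]
    hits = []
    for offset, encoding, text in extract_strings(data):
        lowered = text.lower()
        hits.extend((offset, encoding, n, text) for n in wanted if n in lowered)
    return sorted(hits)


def check_file(path, needles):
    """Scan one file on disk; an empty list means nothing readable was found."""
    return find_leaks(Path(path).read_bytes(), needles)


# --- Constructed sample bytes (not a real PE file, not Dotfuscator output) ---
PAD = b"\x00\x01\x02\x03"
LITERAL = "Enter your serial number".encode("utf-16le")   # hypothetical prompt
BEFORE = PAD + b"ValidateSerial" + PAD + LITERAL + PAD    # hypothetical method
# Stand-in for protected output: short renamed identifier, literal no longer
# stored in the clear (XOR is only a placeholder for the real transform).
AFTER = PAD + b"a" + PAD + bytes(b ^ 0xA5 for b in LITERAL) + PAD


def main(argv):
    if len(argv) < 3:
        print("usage: check_strings.py <assembly> <needle> [<needle> ...]")
        return 2
    hits = check_file(argv[1], argv[2:])
    for offset, encoding, needle, text in hits:
        print(f"0x{offset:08x} {encoding:9} {needle!r} in {text!r}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A UTF-16LE hit usually means the method holding that literal was not included in String Encryption; an ASCII hit usually means a type or member name was excluded from renaming. Run it against the assembly in the Dotfuscated output directory after the rebuild in Step 6.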


Step 6 – Rebuilding the Solution

• Build the solution again. As before, the obfuscated assembly is stored in:
C:\Program Files\PreEmptive Solutions\Dotfuscator Professional Edition 3.0\samples\cs\GettingStarted\GetDotfuscated\Debug\Dotfuscated

Step 7 – Browsing the Output

• Double click the Output node in the Dotfuscator project. You can now navigate a tree that shows how Dotfuscator obfuscated your code.
• Expand the root tree and all sub-trees. Notice the blue diamond shaped icons. These are the renamed methods and fields. The parents of each of these icons display their original names. Dotfuscator has renamed each method and field to make it almost impossible to decipher the purpose of each method. This can severely impact the process of reverse engineering the code.
• Notice the currently highlighted SaySomething and set_Name methods, as well as the Name property. Dotfuscator has detected that these items are not being used in this application. As a result, Dotfuscator's Pruning feature is able to remove them, resulting in a more compact application.

Figure 5: Browsing the Output.

Step 8 – Browsing the Reports

• Select the GetDotfuscated Project node in Solution Explorer and then click on Visual Studio’s View Menu and then select Dotfuscator. There are two menu items here that are enabled whenever there are HTML versions of the map and removal reports available for viewing. Clicking on them will bring up the reports in your default browser. Figure 6 below shows the renaming report for our project.

Figure 6: Browsing a Renaming Report

Now that you have successfully obfuscated an application inside of Visual Studio.NET, let's show how we can seamlessly use InstallShield to create an installable version of our Dotfuscated GettingStarted application.

Step 9 – Creating an InstallShield Project

With full .NET integration and support, InstallShield 12 gives you everything you need to efficiently author reliable .NET software installations. You have the option of creating installations directly within the Visual Studio interface or using the intuitive InstallShield design environment. You can also link the primary outputs of your .NET projects to your installs, scan C# and .NET projects for file dependencies, configure .NET custom actions, distribute the .NET Framework or .NET Compact Framework, and much more.

• Click on "Add New Project" from Visual Studio's File menu.
• In the Add New Project Dialog, click on "InstallShield 12 Projects." Click on the "Basic MSI Project" icon and name the project "Setup". Click OK to create the project.
• This is now a new InstallShield project called "Setup" in the Solution Explorer.


Figure 7: FLEXnet InstallShield 12 – Interactive Project Assistant

• Use the Project Assistant (above) to quickly and easily build a basic installation project or the Installation Designer (below) to add more complex and powerful elements to your installation project.

Figure 8: FLEXnet InstallShield 12 – Installation Designer

Step 10 – Configuring the InstallShield Project

• In the Solution Explorer, under the project “Setup,” double click on the Project Assistant. This will display the Project Assistant. At the bottom of the Project Assistant, click on the Application Information Icon. This shows you the Application Information page where you specify general information about the application your project will install.
• Under “Specify your company name,” type “GettingStartedCo” in the Company Name field. This will automatically update the information in the Web Address field.
• Under “Specify your application name,” type “GettingStarted” in the Application Name field. The value in the Application Name field will appear on dialogs that will be displayed to the end-user and on the user’s Add/Remove Programs panel as a display name for the GettingStarted application.
• Under “Would you like to automatically notify your end users when you create updates to your application?” select “Yes.” By selecting yes, you are choosing to take advantage of the Update Service functionality, which quickly and easily notifies your end users of available updates, patches, and marketing messages after your application has been installed.

Figure 9: Specify Your Application Information

• At the bottom of the Project Assistant, click on the Installation Requirements Icon. This will display the Installation Requirements page where you can set installation requirements for the target system.

Figure 9: Specify Your Installation Requirements

• Since the application runs on the .NET Framework, under “Does your application require any specific operating systems?” select “Yes” and select only Windows 2000, Windows XP, and Windows 2003 Server.
• Under “Does your application require any software to be installed on your machine?” leave as “No”.
• At the bottom of the Project Assistant, click on the Application Files icon. This will display the Application Files page where you specify the directory where your application will be installed.
• Click on the Add Projects Output button. This will bring up the Visual Studio Output Selector. Under the “GetDotfuscated” node, select “Primary Output” and click OK. You should now see the project output in the right pane listed as “GetDotfuscated.Primary Output."

NOTE: The Trialware feature can only be used with projects that use unmanaged code.

Additional FLEXnet InstallShield 10.5 .NET functionality includes the ability to:

• Extend your installation's functionality to include custom logic, user interfaces, system interrogation routines, and more
• View and manage .NET assembly installation information in the same manner as other component information
• Easily enable .NET assemblies to interoperate with existing COM components
• Create installations for J# applications and distribute the J# runtime engine
• Download and install the .NET runtime
• Automatically extract .NET information and identify dependencies
• FLEXnet InstallShield 12 also has the ability to create installations that target the current beta of Microsoft Windows Vista. This is useful for organizations who want to “Get Ready for Vista” with FLEXnet InstallShield 12’s support for key installation-related capabilities found in the current beta of Microsoft Windows Vista.

“ESRI uses the respective market leaders in the field of software installation and software code protection. For our software installation packages we make use of FLEXnet InstallShield from Macrovision and for the purpose of protecting our .NET code investment we employ the use of Dotfuscator. We find that both products work well and fulfill our requirements. We also find that both solutions integrate very well together and provide us with the ability to maintain a single integrated build procedure”
Ronan Gray, Head of Software Development, ESRI

Step 11 – Rebuilding the solution with Setup

• This time rebuilding the solution will build the InstallShield project. The resulting MSI file is located in:
C:\Program Files\PreEmptive Solutions\Dotfuscator Professional Edition 3.0\samples\cs\Setup\DefaultConfiguration\Debug\DiskImages\DISK1

Conclusion

Installation and obfuscation are destined to be regular steps in your future .NET build processes. And the two leading products in this space—FLEXnet InstallShield and Dotfuscator—have full Visual Studio Integration to make these processes as easy and efficient as possible. Use FLEXnet InstallShield and Dotfuscator together inside Visual Studio 2005 to get reliable installations and code protection.

About Macrovision

Macrovision Corporation (Nasdaq: MVSN) provides distribution, commerce and consumption solutions for software, entertainment and information content to the home video, PC games, music, cable/satellite, consumer software, enterprise software and publication industries. Analysts recognize Macrovision as the clear market leader, and it's estimated that the company sells more software-based licensing solutions than all its competitors combined. Macrovision holds approximately 236 issued or pending United States patents and 1,239 issued or pending international patents, and continues to increase its patent portfolio with new and innovative technologies in related fields. Macrovision is headquartered in Santa Clara, California, with other offices across the United States and worldwide. For more information about Macrovision visit www.macrovision.com.

About PreEmptive Solutions

PreEmptive Solutions, LLC. is a firm that helps businesses reduce risk. Many companies take steps to protect their data, but forget to protect their business logic. PreEmptive products and services for Java and .NET help organizations produce more secure, smaller, and more efficient applications. Some of the largest software development organizations in the world use PreEmptive solutions for their projects to dramatically and quantifiably protect and improve their software. Further information can be found at http://www.preemptive.com.


Macrovision Corporation
2830 De La Cruz Boulevard, Santa Clara, CA 95050
US +1 888-755-0861 Int'l +44 (0)870-873-6300
www.macrovision.com
ISPWP.0606

© 1990-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved. AdminStudio is registered trademarks or trademarks of Macrovision Corporation in the United States of America and/or other countries. All other brand and product names mentioned herein are the trademarks and registered trademarks of their respective owners.
