Dotfuscator Tutorial — Protect your .NET Desktop App

Jorge Freitas
5 min read · Jan 7, 2021

If you missed the previous article about how to secure your .NET desktop application, please check this link. There you will find why it is so important to obfuscate your software.

Step by step

1 — Open your solution in Visual Studio or create a new one;

2 — Change the solution build configuration to Release mode;

3 — Sign the assembly with a strong name;

  • Open the project in Visual Studio;
  • Select the project, right-click and choose Properties;
  • Go to the Signing tab;
  • Check Sign the assembly;
  • Select New;
  • Enter a key file name (do not set a password; Dotfuscator does not use key files with a password);
Signing Tab

4 — Select the .snk file created before for all projects in your solution;

5 — Rebuild solution;

6 — Go to the output folder, select the output library;

7 — Open with JustDecompile or ILSpy;

Visual studio (Assembly before compilation)
JustDecompile (Assembly after compilation)

In my case, I just have a dummy project for this tutorial. But as you can see, it is possible to see everything: class names, methods, variables, etc.

Dotfuscator

For this tutorial, I am using Dotfuscator Professional, but you can do the same with Dotfuscator Community.

Dotfuscator Community

From Visual Studio, go to Tools and then PreEmptive Protection — Dotfuscator Community.

Principal disadvantages:

  • Assembly signing has to be done manually. Even if you sign the assemblies in Visual Studio, they need to be signed again after running this software. Having the assemblies signed is really important; please check this tutorial.
  • No Control Flow obfuscation;
  • No String Encryption;

For me, at least these 3 are really important to protect the intellectual property of the software and to keep hackers from disassembling your project.

Dotfuscator Community

Dotfuscator Professional

1 — Open Dotfuscator;

2 — Select tab Settings;

3 — Build Settings;

4 — Set Destination Directory (I created a folder in the project's output folder);

Dotfuscator — Build Settings

8 — Select tab Signing and set the .snk files created before;

Dotfuscator — Signing

9 — Add .NET Core framework path to Assembly Load Path.

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETCore\v4.5\
Dotfuscator — User Defined Assembly Load Path

10 — Define Input checks.

Do not select the Library check. Disabling this option will enable more aggressive renaming.

Dotfuscator — Input Assemblies

11 — Go to the Rename tab and select the following options;

Dotfuscator — Rename

12 — Control Flow tab, Options, Control Flow Level: High;

Dotfuscator — Control Flow Level

13 — String Encryption tab, check Include items;

Dotfuscator — String Encryption

14 — Removal tab, check Include items; same for the Conditional Includes subtab;

Dotfuscator — Removal

15 — PreMark tab, check Include items;

  • Add Password and Watermark string;
Dotfuscator — Watermarking

Watermarking helps track unauthorized copies of your software back to the source by embedding data such as copyright information or unique identification numbers into a .NET application without impacting its runtime behavior. Dotfuscator’s watermarking algorithm does not increase the size of your application, nor does it introduce extra metadata that could break your application.

16 — Build project (button next to save button);

17 — Go to the output folder and open it with JustDecompile;

JustDecompile (Assembly after using Dotfuscator)

You can’t even see the class names 😊

18 — Check if Assembly is signed;

We are going to use the CLI for this, so first find the location of sn.exe. Mine is located in the following path:

C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\
  1. Verify that your assembly is signed:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" -vf WpfApp1.dll
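
To repeat the step 18 check for every assembly in the Dotfuscator destination folder, and to confirm each one still carries the same key as the Visual Studio build, a script like the following can be used. It is an added example, not part of the original tutorial; the two folder defaults are hypothetical, and it assumes sn.exe returns a non-zero exit code when verification fails.

```powershell
# Added example (not from the original tutorial). Folder defaults are hypothetical.
param(
    # sn.exe path as given in the tutorial; adjust to your SDK version.
    [string]$SnExe = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe',
    [string]$OriginalDir   = '.\bin\Release',              # Visual Studio output (assumed)
    [string]$ObfuscatedDir = '.\bin\Release\Dotfuscated'   # Dotfuscator Destination Directory (assumed)
)

function Get-PublicKeyToken([string]$Path) {
    # Reads metadata only; the assembly is not loaded into the process.
    try {
        $bytes = [System.Reflection.AssemblyName]::GetAssemblyName($Path).GetPublicKeyToken()
    } catch {
        return $null    # native DLL or unreadable file
    }
    if (-not $bytes -or $bytes.Length -eq 0) { return $null }   # no strong name
    return -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

$report = Get-ChildItem -Path $ObfuscatedDir -File |
    Where-Object { $_.Extension -in '.dll', '.exe' } |
    ForEach-Object {
        $token = Get-PublicKeyToken $_.FullName

        # -vf verifies the strong-name signature even if verification is disabled in the registry.
        & $SnExe -vf $_.FullName | Out-Null
        $valid = ($LASTEXITCODE -eq 0)   # assumption: non-zero exit code means verification failed

        # Compare against the pre-obfuscation build of the same file, if it exists.
        $origPath  = Join-Path $OriginalDir $_.Name
        $origToken = if (Test-Path $origPath) { Get-PublicKeyToken (Resolve-Path $origPath).Path } else { $null }

        # Later checks take precedence over earlier ones.
        $status = 'OK'
        if ($origToken -and $origToken -ne $token) { $status = 'KEY MISMATCH' }
        if (-not $valid) { $status = 'INVALID SIGNATURE' }
        if (-not $token) { $status = 'UNSIGNED' }

        [pscustomobject]@{ Assembly = $_.Name; Token = $token; Original = $origToken; Status = $status }
    }

$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }   # fail the build step
```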

Conclusion

.NET applications use MSIL (Microsoft Intermediate Language) and can be easily decompiled. Basically, programs written for .NET are easy to reverse engineer.

Using an obfuscator is important to protect your assemblies from being decompiled, which exposes licensing code, copy protection mechanisms, and proprietary business logic. With the decompiled code, someone can do whatever they want, basically.

Using it doesn’t mean that your code is bulletproof; someone can probably still reverse engineer it, but at least we are making life difficult for them.
