search

dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License
14.85k stars 4.62k forks source link

NativeAOT Protect #96543

Closed dadavadd closed 7 months ago

dadavadd commented 7 months ago

Hello. You've probably heard about software for obfuscation of method and class names for IL2CPP Unity? (Beebyte) Will it be possible to create the same obfuscators for NativeAOT? For example, for string obfuscation.

ghost commented 7 months ago

Tagging subscribers to this area: @agocke, @MichalStrehovsky, @jkotas See info in area-owners.md if you want to be subscribed.

Issue Details
Hello. You've probably heard about software for obfuscation of method and class names for IL2CPP Unity? (Beebyte) Will it be possible to create the same obfuscators for NativeAOT? For example, for string obfuscation.
Author: dadavadd
Assignees: -
Labels: `area-NativeAOT-coreclr`
Milestone: -
Symbai commented 7 months ago

You can already use (.NET) obfuscators with NativeAOT (at least those which obfuscate during build). But the main reason for obfuscation in .NET is that people don't load your assembly in dnSpy and get the full source code back. With nativeAOT this becomes obsolete.

If you want further protection especially at runtime you should use other protectors made for native code in first place. Like Enigma, Themida, VMProtect etc. Unlike with IL they work very well with nativeaot now.

But string obfuscation in .NET is pretty useless, no matter if IL or native code because a simple memory dump at runtime will reveal the plain text.

jkotas commented 7 months ago

NativeAOT does not preclude use of IL obfuscators.

Note that IL obfuscators tend to introduce number of issues, including performance regressions or hard to debug crashes. It is not unusual for .NET runtime support requests that involve obfuscated code to be closed as a problem introduced by the IL obfluscator. This is the case with native AOT as much as it is with all other runtime flavors.

charlesroddie commented 7 months ago

Hello. You've probably heard about software for obfuscation of methods for IL2CPP Unity? (Beebyte) Will it be possible to create the same obfuscators for NativeAOT? For example, for string obfuscation.

In NativeAOT you can use the little-known feature <StackTraceSupport>false</StackTraceSupport> to remove names of methods. See https://github.com/dotnet/runtime/issues/96339#issuecomment-1870926307 .