using dotfuscator professional and flexnet installshield

WHITEPAPER
USING DOTFUSCATOR PROFESSIONAL AND
FLEXNET INSTALLSHIELD TOGETHER INSIDE
VISUAL STUDIO
TABLE OF CONTENTS
Step 1 – Open the GettingStarted Solution with Visual Studio ...........2
Step 2 – Creating a Dotfuscator Project .........................................2
Step 3 – Building the Solution ......................................................2
Step 4 – Configuring the Project Properties ....................................2
Step 5 – Configuring Obfuscation Settings ......................................2
Step 6 – Rebuilding the Solution...................................................5
Step 7 – Browsing the Output ......................................................5
Step 8 – Browsing the Reports .....................................................5
Step 9 – Creating an InstallShield Project ......................................5
Step 10 – Configuring the InstallShield Project ...............................6
Step 11 – Rebuilding the solution with Setup .................................7
Conclusion .................................................................................7
About Macrovision ......................................................................7
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET
INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
Macrovision’s FLEXnet® InstallShield® provides software
publishers with the leading solution for authoring strong and
reliable installations. PreEmptive’s Dotfuscator® Professional
provides software publishers with the leading solution for
protecting their .NET applications and making them as small
and efficient as possible. Both are key components of any
publisher’s efforts to maximize the value of their software.
This white paper demonstrates how to use Dotfuscator
Professional Edition together with FLEXnet InstallShield
Premier Edition from within Visual Studio. You can then
include obfuscation and installation as part of a single Visual
Studio solution build. The Dotfuscator project can accept
input files from one or more Visual Studio® Projects (such as
C# or VB.NET projects), or you can specify input assemblies
directly from a file browse dialog. In turn, the InstallShield
project accepts input directly from the Dotfuscator project.
The latest version, FLEXnet InstallShield 12, supports Visual
Studio 2005 and earlier editions.
Step 1 – Open the GettingStarted Solution with Visual
Studio
The GettingStarted solution comes with Dotfuscator
Professional Edition. It is a simple Windows Forms
application written in C# and is installed in a subdirectory of
your Dotfuscator installation folder. The folders mentioned in
the following steps assume that you chose the default
locations when installing Dotfuscator.
• Within Visual Studio, click on "Open Solution", and browse to:
C:\Program Files\PreEmptive
Solutions\Dotfuscator Professional Edition
3.0\samples\cs\GettingStarted\
GettingStarted.sln
• The solution and project files are in Visual Studio 7.0
format. If you are using a later version of Visual Studio, you
will be asked if it is OK for Visual Studio to upgrade the
files. You should agree to the upgrade before continuing.
• You should now see the GettingStarted C# project opened
in Solution Explorer. This is a C# project that you can use
to build the GettingStarted executable.
2
Step 2 – Creating a Dotfuscator Project
• From Visual Studio's File menu in the toolbar, click on
"Add à New Project".
• In the Add New Project Dialog, click on "Dotfuscator
Projects". Click on the "Dotfuscator Project" icon and name
the project "GetDotfuscated". Click OK to create the project
• You should now see a new Dotfuscator project called
"GetDotfuscated" in the Solution Explorer. You use the
Solution Explorer as the starting point for configuring
Dotfuscator projects.
• To specify the assembly to be obfuscated (the input file),
we will tell Dotfuscator to use the output from the
GettingStarted project. Right click on the top level
GetDotfuscated node and select "Add Project Output" from
the context menu. This will bring up the "Add Project
Output" dialog.
• On the "Add Project Output" dialog, select the
"GettingStarted" project from the project drop down, then
select "Primary Output" from the output groups list. Click
OK.
• Under the Dotfuscator project's "Input Assemblies" node
within Solution Explorer, you should now see
"GettingStarted.exe from GettingStarted (Active)"
Step 3 – Building the Solution
The solution is now ready to be built.
• Right click on the "GetDotfuscated" project node in Solution
Explorer and select "Properties" from the context menu.
This will bring up the property pages for your Dotfuscator
project. Click on the Build properties. The Output Directory
is populated by default as: ${configdir}\Dotfuscated. Note:
${configdir} is a variable that holds the path to your
Dotfuscator configuration file. See figure 1. If you have
installed the samples to the default location, the
obfuscated assembly will be written to:
C:\Program Files\PreEmptive
Solutions\DotfuscatorProfessional Edition
3.0\samples\cs\GettingStarted\GetDotfuscated
\Debug\Dotfuscated
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
The PDB files are placed in the output directory along with
the output assemblies. See Figure 2 below.
Figure 1: Viewing Dotfuscator Properties.
• Select "Build Solution" from the build menu. The C#
project will build first, then the Dotfuscator project. You
will see Dotfuscator's output in Visual Studio's output
window.
• Within Solution Explorer, you can bring up Dotfuscator's
Output Browser by double clicking the "Output" node in the
GetDotfuscated project. Here you can see the original and
new names that Dotfuscator applied.
• Next, with a little more configuration, we can use some of
Dotfuscator's more powerful features.
Step 4 – Configuring the Project Properties
• Right click on the "GetDotfuscated" project node in Solution
Explorer and select "Properties" from the context menu
• Select “Configuration Properties -> Global Options” from
the left tree. This will bring up the property sheet for your
Dotfuscator project’s global options.
• Set the values for “Disable Renaming”, “Disable Control
Flow”, “Disable String Encryption”, “Disable Removal”, and
“Disable PreMark” to “No”. You have fine grained control
over which transforms Dotfuscator will apply to your
assemblies; these are the features we will configure and
use in the next steps.
• Set the "Build Progress" property to "Verbose". This will
cause Dotfuscator to provide additional information in the
Visual Studio output window during builds.
• Set the "Emit Debug Symbols" property to "Yes" (this is the
default for Debug project configurations). Setting this
option tells Dotfuscator to create a symbol file in PDB
format for each output assembly. Debuggers can then use
these files to provide useful information in a debugging
session. Typically, they contain information like line
numbers, source file names, and local variable names.
Figure 2: Setting Dotfuscator’s Global Options.
Step 5 – Configuring Obfuscation Settings
• In Solution Explorer, expand the "Configuration Options"
folder in the Dotfuscator Project. Here you will see a node
for each configurable obfuscation setting. A node is “grayed
out” if the feature is disabled. To enable or disable a
feature, you can either right click on its node and check (or
uncheck) the “Disabled” menu item, or you can set it using
the Global Properties sheet as described in step 4. In this
section, we are going to use renaming, control flow
obfuscation, string encryption, removal and watermarking.
• Double click the Renaming node. This will show the
renaming editor. Renaming will obscure code by renaming
methods and fields to names that are not understandable.
It is turned on by default and items must be selected to be
excluded from the renaming process. For this application,
you do not need to exclude anything.
• In the renaming editor, click the Options sub tab. Check
"Use Enhanced Overload Induction". This feature can allow
up to 15 percent more redundancy in method and field
renames. Since overloading on method return type or field
type is typically not allowed in source languages (including
C# and VB), this further hinders decompilers.
• Note that the "Map Output File" text box has defaulted to:
${configdir}\Dotfuscated\Map.xml.
As previously mentioned, ${configdir} is a variable that
Dotfuscator replaces with the path of its configuration file.
• Check "Output as HTML" to get a useful report containing
renaming information and statistics on your application.
This report will output into the same directory as the map
file. The default location is:
${configdir}\Dotfuscated\Map.html.
• Double click the Control Flow node. This will show the
3
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
Figure 3: Setting Dotfuscator’s Renaming Options.
•
•
•
•
•
control flow editor. Control Flow obfuscation synthesizes
branching, conditional, and iterative constructs (such as if,
for, and while) that produce valid forward (executable)
logic, but yield non-deterministic semantic results when
decompilation is attempted. In other words, the code runs
as before, but decompilers cannot reproduce the original
code.
In the Control Flow editor, click the Options sub tab. The
level of control flow obfuscation may be set to one of three
values: “low”, “medium”, or “high”. These levels
correspond to the aggressiveness of Dotfuscator’s control
flow obfuscation algorithms. A higher level will generally
result in stronger obfuscation at the cost of increased code
size and slightly degraded performance. This is because
more aggressive control flow obfuscation tends to involve
adding more branch instructions to the code. Control Flow
should be apply to methods involved in license checking,
database communication or containing proprietary
algorithms. Performance critical methods may be excluded
by selecting them in the Exclude sub tab.
Double click the String Encryption node. This will show the
string encryption editor. String Encryption will scramble the
strings in your application. For example, someone looking
to bypass your registration and verification process can
search for the string where your program asks the user for
a serial number. When they find the string, they can look
for instructions near it and alter the logic. String Encryption
makes this much more difficult to do, because their search
will come up empty.
String encryption is inclusion based, so you must mark the
assembly's checkbox at the root of the tree shown in the
left pane to include all methods in the input assembly.
Double click the Removal node. This will show the removal
editor. Removal instructs Dotfuscator to detect and remove
unused types, methods, and fields. This can potentially
save significant space in the final application.
For removal to work, Dotfuscator needs to know what the
entry points to the application are. In this case, the entry
point is the standard "Main" method, and Dotfuscator is
able to determine this without extra configuration.
4
• In the removal editor, click the Options sub tab. Specify
"${configdir}\Dotfuscated\removal.xml" for the
"Removal Report File". Also, check "Output as HTML" to get
a formatted report containing removal information and
statistics on your application. This report will output into
the same directory as the removal.xml file.
• Double click the PreMark node. This will show the
watermarking editor. Software watermarking can be used to
hide copyright information or customer identification
information into software applications, similar to how it can
be hidden in other digital content such as songs, movies
and images. A watermark can be used to identify owners of
the software or track the origin of a pirated copy.
• Mark the assembly's checkbox at the root of the tree shown
in the left pane to place this watermark inside the
assembly.
• Select the appropriate Character Map (for example, if you
want lower case strings – choose 6 bit Alphanumeric) and
enter whatever information you wish to hide.
Figure 4: Adding a Watermark to an Application
TIP: Extracting your watermark
Dotfuscator Professional ships with a command line tool
called "premark" that accepts an assembly as input and
outputs the watermark if any. The tool is installed into the
same directory as Dotfuscator.
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
Step 6 – Rebuilding the Solution
Step 8 – Browsing the Reports
• Build the solution again. As before, the obfuscated
assembly is stored in:
• Select the GetDotfuscated Project node in Solution Explorer
and then click on Visual Studio’s View Menu and then
select Dotfuscator. There are two menu items here that are
enabled whenever there are HTML versions of the map and
removal reports available for viewing. Clicking on them will
bring up the reports in your default browser. Figure 6 below
shows the renaming report for our project.
C:\Program Files\PreEmptive
Solutions\Dotfuscator Professional Edition
3.0\samples\cs\GettingStarted\GetDotfuscated
\Debug\Dotfuscated
Step 7 – Browsing the Output
• Double click the Output node in the Dotfuscator project.
You can now navigate a tree that shows how Dotfuscator
obfuscated your code.
• Expand the root tree and all sub-trees. Notice the blue
diamond shaped icons. These are the renamed methods
and fields. The parents of each of these icons display their
original names. Dotfuscator has renamed each method and
field to make it almost impossible to decipher the purpose
of each method. This can severely impact the process of
reverse engineering the code.
• Notice the currently highlighted SaySomething and
set_Name methods, as well as the Name property.
Dotfuscator has detected that these items are not being
used in this application. As a result, Dotfuscator's Pruning
feature is able to remove them, resulting in a more
compact application.
Figure 6: Browsing a Renaming Report
Now that you have successfully obfuscated an application
inside of Visual Studio.NET, let's show how we can
seamlessly use InstallShield to create an installable version of
our Dotfuscated GettingStarted application.
Step 9 – Creating an InstallShield Project
With full .NET integration and support, InstallShield 12 gives
you everything you need to efficiently author reliable .NET
software installations. You have the option of creating
installations directly within the Visual Studio interface or
using the intuitive InstallShield design environment. You can
also link the primary outputs of your .NET projects to your
installs, scan C# and .NET projects for file dependencies,
configure .NET custom actions, distribute the .NET
Framework or .NET Compact Framework, and much more.
Figure 5: Browsing the Output.
• Click on "Add New Project" from Visual Studio's File menu.
• In the Add New Project Dialog, click on "InstallShield 12
Projects." Click on the "Basic MSI Project" icon and name
the project "Setup". Click OK to create the project.
• This is now a new InstallShield project called "Setup" in the
Solution Explorer.
5
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
Figure 9: Specify Your Application Information
Figure 7: FLEXnet InstallShield 12 – Interactive Project Assistant
• Use the Project Assistant (above) to quickly and easily
build a basic installation project or the Installation Designer
(below) to add more complex and powerful elements to
your installation project.
• Under “Specify your application name,” type
“GettingStarted” in the Application Name field. The value
in the Application Name field will appear on dialogs that
will be displayed to the end-user and on the user’s
Add/Remove Programs panel as a display name for the
GettingStarted application.
• Under “Would you like to automatically notify your end
users when you create updates to your application?” select
“Yes.” By selecting yes, you are choosing to take
advantage of the Update Service functionality, which
quickly and easily notifies your end users of available
updates, patches, and marketing messages after your
application has been installed.
• At the bottom of the Project Assistant, click on the
Installation Requirements Icon. This will display the
Installation Requirements page where you can set
installation requirements for the target system.
Figure 8: FLEXnet InstallShield 12 – Installation Designer
Step 10 – Configuring the InstallShield Project
• In the Solution Explorer, under the project “Setup,” double
click on the Project Assistant. This will display the Project
Assistant. At the bottom of the Project Assistant, click on
the Application Information Icon. This shows you the
Application Information page where you specify general
information about the application your project will install.
• Under Under “Specify your company name,” type
“GettingStartedCo” in the Company Name field. This will
automatically update the information in the Web Address
field.
6
Figure 9: Specify Your Installation Requirements
• Since the application runs on the .NET Framework, under
“Does your application require any specific operating
systems?” select “Yes” and select only Windows 2000,
USING DOTFUSCATOR PROFESSIONAL AND FLEXNET INSTALLSHIELD TOGETHER INSIDE VISUAL STUDIO
Windows XP, and Windows 2003 Server.
• Under “Does your application require any software to be
installed on your machine?” leave as “No”
• At the bottom of the Project Assistant, click on the
Application Files icon. This will display the Application
Files page where you specify the directory where your
application will be installed.
• Click on the Add Projects Output button. This will bring up
the Visual Studio Output Selector. Under the
“GetDotfuscated” node, select “Primary Output” and click
OK. You should now see the project output in the right
pane listed as “GetDotfuscated.Primary Output."
NOTE: The Trialware feature can only be used with projects
that use unmanaged code. Additional FLEXnet InstallShield
10.5 .NETfunctionality includes the ability to:
• Extend your installation's functionality to include custom
logic, user interfaces, system interrogation routines, and
more
• View and manage .NET assembly installation information
in the same manner as other component information
• Easily enable .NET assemblies to interoperate with existing
COM components
• Create installations for J# applications and distribute the
J# runtime engine
• Download and install the .NET runtime
• Automatically extract .NET information and identify
dependencies
• FLEXnet InstallShield 12 also has the ability to create
installations that target the current beta of Microsoft
Windows Vista. This is useful for organizations who want
to “Get Ready for Vista” with FLEXnet InstallShield 12’s
support for key installation-related capabilities found in the
current beta of Microsoft Windows Vista.
“ESRI uses the respective market leaders in the field of
software installation and software code protection. For our
software installation packages we make use of FLEXnet
InstallShield from Macrovision and for the purpose of protecting
our .NET code investment we employ the use of Dotfuscator.
We find that both products work well and fulfill our requirements.
We also find that both solutions integrate very well together and
provide us with the ability to maintain a single integrated build
procedure”
Ronan Gray,
Head of Software Development, ESRI
Step 11 – Rebuilding the solution with Setup
• This time rebuilding the solution will build the InstallShield
project. The resulting MSI file is located in:
C:\Program Files\PreEmptive
Solutions\Dotfuscator Professional Edition
3.0\samples\cs\Setup\Default
Configuration\Debug\DiskImages\DISK1
Conclusion
Installation and obfuscation are destined to be regular steps
in your future .NET build processes. And the two leading
products in this space—FLEXnet InstallShield and
Dotfuscator—have full Visual Studio Integration to make
these processes as easy and efficient as possible. Use
FLEXnet InstallShield and Dotfuscator together inside Visual
Studio 2005 to get reliable installations and code protection.
About Macrovision
Macrovision Corporation (Nasdaq:MVSN) provides
distribution, commerce and consumption solutions for
software, entertainment and information content to the
home video, PC games, music, cable/satellite, consumer
software, enterprise software and publication industries.
Analysts recognize Macrovision as the clear market leader,
and it's estimated that the company sells more softwarebased licensing solutions than all its competitors combined.
Macrovision holds approximately 236 issued or pending
United States patents and 1,239 issued or pending
international patents, and continues to increase its patent
portfolio with new and innovative technologies in related
fields. Macrovision is headquartered in Santa Clara,
California, with other offices across the United States and
worldwide. For more information about Macrovision visit
www.macrovision.com.
About PreEmptive Solutions
PreEmptive Solutions, LLC. is a firm that helps
businesses reduce risk. Many companies take steps to
protect their data, but forget to protect their business
logic. PreEmptive products and services for Java and
.NET help organizations produce more secure, smaller,
and more efficient applications. Some of the largest
software development organizations in the world use
PreEmptive solutions for their projects to dramatically
and quantifiably protect and improve their software.
Further information can be found at
http://www.preemptive.com.
7
Macrovision Corporation
2830 De La Cruz Boulevard, Santa Clara, CA 95050
US +1 888-755-0861 Int'l +44 (0)870-873-6300
www.macrovision.com
ISPWP.0606
© 1990-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved. AdminStudio is registered trademarks or trademarks of Macrovision Corporation in the United States of America
and/or other countries. All other brand and product names mentioned herein are the trademarks and registered trademarks of their respective owners.