A Better Obfuscation, or How To Write Code That Will Make Someone Kill You

The following code is perfectly valid C#, and compiles without errors:

int _;
_ = 5;

If we take it a bit further, we can do something like this:

int _, __, ___, ____;

_ = 5; __ = 10; ___ = 15; ____ = 20;

_ = __ - _ * ____ / ___;

Now I feel like I'm playing Hangman. I feel I should be filling in the blanks.

I've never run into anything like this in real code, I'm glad to say. But if Dotfuscator or any other obfuscating tool want to make their obfuscated code even harder to read, they should stop using the easy-to-remember "a", "b" .. "aa", "ab" variable names and switch to underscores. It's horrible.

8 Comments

  • I used to work with someone who used to do this all the time. Nothing like trying to figure out if __x and ___x and ____x were the same :)

  • I dunno, it looks pretty easy to fix using a bit of regex in a text editor.

  • Ars_inveniendi: Now imagine that you don't only have _ as variable names, but have all your methods obfuscated into the same names with with overloaded parameters.

    Most obfuscators will use single letters for these overloaded methods, but single letters are relatively easy to remember, even when obfuscated. Underscores? Hell!

  • also refactor can fix it easily

  • PreEmptive's Dotfuscator Pro does provide several renaming schemes. One renames everything to unprintable characters which is actually better than underscores because every symbol shows up as a the same box character.

    Of course, don't forget this will make stack traces rather hard to read.

  • I once had a coworker who created asp function with 7 variables named s1 - s7. As you read through the code he used combinations like s5 = s2 + s3 and s7 = s4 + s3. Mix that up with functions declared in-line and you have some of the best obfuscation yet. He understood why I rewrote any code he asked me to troubleshoot as opposed to debugging it.

  • You can try chars replacing with ascii... it has been an old trick.

  • We have done it and we have been trying to find a way to obfuscate the code follow in our source code, but have not yet found.

Comments have been disabled for this content.