Miscellaneous Debris

Avner Kashtan's Frustrations and Exultations

A Better Obfuscation, or How To Write Code That Will Make Someone Kill You

The following code is perfectly valid C#, and compiles without errors:

int _;
_ = 5;

If we take it a bit further, we can do something like this:

int _, __, ___, ____;

_ = 5; __ = 10; ___ = 15; ____ = 20;

_ = __ - _ * ____ / ___;

Now I feel like I'm playing Hangman. I feel I should be filling in the blanks.

I've never run into anything like this in real code, I'm glad to say. But if Dotfuscator or any other obfuscating tool want to make their obfuscated code even harder to read, they should stop using the easy-to-remember "a", "b" .. "aa", "ab" variable names and switch to underscores. It's horrible.
Posted: Jul 11 2006, 11:48 AM by AvnerK | with 9 comment(s)
Filed under: ,

Comments

Stan said:

Did you see this post by Scott Allen?

http://odetocode.com/Blogs/scott/archive/2005/12/29/2663.aspx

Underscores are freaky.

# July 11, 2006 8:13 AM

foobar said:

I used to work with someone who used to do this all the time.  Nothing like trying to figure out if __x and ___x and ____x were the same :)

# July 11, 2006 12:47 PM

Ars_inveniendi said:

I dunno, it looks pretty easy to fix using a bit of regex in a text editor.

# July 11, 2006 9:32 PM

AvnerK said:

Ars_inveniendi: Now imagine that you don't only have _ as variable names, but have all your methods obfuscated into the same names with with overloaded parameters.

Most obfuscators will use single letters for these overloaded methods, but single letters are relatively easy to remember, even when obfuscated. Underscores? Hell!

# July 12, 2006 4:45 AM

gozh2002 said:

also refactor can fix it easily

# July 12, 2006 5:02 AM

GT said:

PreEmptive's Dotfuscator Pro does provide several renaming schemes. One renames everything to unprintable characters which is actually better than underscores because every symbol shows up as a the same box character.

Of course, don't forget this will make stack traces rather hard to read. <grin>

# July 12, 2006 10:44 PM

Malcolm said:

I once had a coworker who created asp function with 7 variables named s1 - s7.  As you read through the code he used combinations like s5 = s2 + s3 and s7 = s4 + s3.  Mix that up with functions declared in-line and you have some of the best obfuscation yet.  He understood why I rewrote any code he asked me to troubleshoot as opposed to debugging it.

# July 20, 2006 3:28 PM

Sumit said:

You can try chars replacing with ascii... it has been an old trick.

# October 15, 2009 10:39 AM

JimmyO said:

We have done it and we have been trying to find a way to obfuscate the code follow in our source code, but have not yet found.

# July 4, 2010 9:32 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)