Comments
The mentioned attribute is the easiest way to detect that it was obfuscated by SA. I think that there will always be some footprint that can track down which obfuscator was used. That's because each obfuscator uses different techniques to obfuscate an assembly and because of this, if you analyse the output, the application would be obfuscated in a way that is specific to the obfuscator.
As you said, some obfuscation methods are irreversible, like obfuscating the names. There are also some obfuscations that will always be reversible and we can only make them harder to reverse, like obfuscation of strings in the application (we can make it hard to analyse but in the end the application will have to resolve them at run-time, so if the application can get them then any de-obfuscator can simulate what an application will do at run-time and get this string also).
If you are worried, then unfortunately there is always the possibility of reversing some forms of obfuscation, and for .NET applications, for someone who knows what they are doing, it is not that hard to analyse even the obfuscated assembly.
I have noticed that SA adds a few new classes in the "SmartAssembly" namespace to my binary, and also a "Powered by SmartAssembly ..." assembly attribute, but those are pretty trivial to hide or rename. Are there any other traces of SA in the processed dll?