Switching Vendors is Satisfying
Update 3: End the tyranny of buggy obfuscation products and poor technical support. Use Obfuscar instead.
Update 2: I no longer recommend using Remotesoft's products.
Update: As it turns out, RemoteSoft isn't immune to edge cases, and their response time for service is worse then Xenocode's.
We have been using XenoCode for obfuscation on my current project. It worked very well, and I would recommend it, but due to certain problems we have had [1], we were not able to upgrade beyond their second service pack.
Whenever we tried upgrading, even with identical xenocode project files, we would start getting TypeLoadExceptions because some of the obfuscated methods were missing implementations. I sent email to their tech support, and they were always very helpful, but they were unable to solve the problems and we would always revert to the last known working xenocode version due to project time constraints.
We switched over to the 2.0 framework soon after the release of VS.NET 2k5, and quickly discovered that the old xenocode release we used did not support the new platform. Our only choice was to upgrade to xenocode's new product, XenoCode Postbuild 2006.
Upon switching to postbuild, we found that we still had the same problems we have had with the later versions of their products. I again contacted their tech support, and even sent code samples. They determined where the problem was and promised an update that would fix it, near the end of the year.
In the meantime, I had turned off obfuscation in our build processes. As we near the end of our cycle, I decided to turn it back on and see how their latest updates fared against our code.
It did not work, and I sent more email to their tech support. I also began trying alternate obfuscators.
My favorite of the bunch is the Remotesoft .NET Obfuscator. They allow downloads of a trial version (after our xenocode experiences, I would not have considered it otherwise). Their GUI tool doesn't have the world's best interface, but their obfuscator is a console app intended to integrate seamlessly into an automated build process (they developed it with that in mind, and it does so). Rather than use their UI, I edited the xml configuration file directly, and managed to get it working for our project pretty quickly.
It does not have as many features as xenocode, but the obfuscation itself is better and the resulting executables are smaller and faster. It does not do string encryption, but that always caused problems with xenocode, and it is probably better for us to do in our code anyway. It also does not do control flow obfuscation, but that slows down our exes (and we have already manually obfuscated the control flow in parts where it is needed).
I am fascinated by their output. They use what they call "massive overloading." In one of our exes, there were 2695 unique names (methods, props, classes, etc.). In the obfuscated version of the same exe, there are only 1010 unique names...methods and properties have been massively overloaded, and most are now called A, a, B, or b.
It's pretty neat, and it makes decompiled code very difficult to follow. Xenocode's output gave each token a unique hash value (like 8d82af32b2). Massive overloading is much more confusing: a single class may have 5 props named A, and another 10 methods also named A...
The licenses are priced reasonably. It's $799 for five developers, compared to xenocode at $399 for a single developer license. I have recommended that we purchase it.
1. Please note, I believe these problems are due to some tricky bits in our code...edge cases for sure. Do not discount XenoCode's software, it will probably work for you.