![](\"https:\/\/farm3.static.flickr.com\/2609\/4108966580_0725e8a388_o.png\")
\n \n<\/p>\n
\n \n<\/p>\n
Programs. They start off in the IDE as nothing more than a blank page, then (with the blood, sweat, and toil of programmers and many sleepless nights) they turn into volumes of monospaced text, a standing testament to the dedication of programmers and the way they work. Then from the myriads of the source code and the magic of the compiler comes the executable file, the fruit of all the efforts. No one really sees the actual work that went into it: all they see is a file that runs and a program that works.\n<\/p>\n
Well, that’s the way it’s supposed to go. But with Java and .NET, it doesn’t really work that way. These frameworks\/virtual-machines rely on the concept of virtual machines, compiling to Byte Code (Java) or MSIL (.NET). What looks like<\/em> an executable file is actually source code being passed on to the framework for translation and execution. So your source code is never safe, and it’s never really compiled.\n<\/p>\n We’ve been using .NET for our programs at NeoSmart Technologies for years now, and we’ve never really come across this as a problem, simply because our software’s always been and always will be freeware. However, in recent months we’ve seen some of our more popular programs like EasyBCD<\/a> being decompiled and its source-code stolen left and right by those that don’t know any better. So we set off looking for the best obfuscation tool for the job, and found much more than what we were looking for.\n<\/p>\n <\/p>\n We were originally looking for an obfuscation tool, but then we found {smartassembly}<\/a> by Cachupa (screenshots!<\/a>) is much more than that. It’s a relatively name compared to the other \u201cbig names\u201d in software obfuscation, but in our testing, it’s the very best tool for the job; designed to impress, easy to use, incredibly powerful, and very intelligent (for lack of a better word) in the way it addresses and overcomes the various issues regarding the complete optimization and protection of .NET Assemblies.\n<\/p>\n We contacted Cachupa and were given a full license so we could test all of {smartassembly}’s features, and we have to say – we’re very impressed.\n<\/p>\n {smartassembly} isn’t just the best obfuscator we’ve tested,1<\/a><\/sup> but also an all-in-one optimization, deployment, and improvement tool; offering a range of nifty tools and features that contribute to performance enhancements, better error tracking, and most importantly of all: the best obfuscation we’ve come across.\n<\/p>\n The remainder of this review is broken-up into 3 sections: Optimization<\/strong><\/a>, Obfuscation<\/strong><\/a>, and Deployment<\/strong><\/a>. And of course, there’s a Conclusion<\/strong><\/a> as well.\n<\/p>\n <\/p>\n <\/strong>Although we came across {smartassembly} while searching for the best obfuscation tool, we’re most impressed in some of the amazing improvements to .NET assemblies in terms of optimization and performance in our test runs. Throughout this review, we’ve focused on getting a real-world look at things, and for this section, we just put our EasyBCD<\/a> through the motions, and were duly impressed.\n<\/p>\n Memory Usage Enhancements<\/strong>\n<\/p>\n {smartassembly} has a couple of excellent features aimed at improving the memory usage of your .NET assemblies. There are a couple of options that can be enabled, but first, here’s a before-and-after:\n<\/p>\n {smartassembly} uses several different techniques to bring down the memory usage.\n<\/p>\n We asked the developers of {smartassembly} for some of the specifics, and they told us that by default the CLR reserves a ton of memory for .NET assemblies – whether or not they request it. So {smartassembly} intelligently detects when the CPU is idle (or thereabout) and increases or decreases the amount of reserved memory<\/a> for your assembly according to its requirements – “automated” GC in a sense, except that memory may or may not have ever been in use. In that same vein, {smartassembly} (with the benefit of literally having access to your source code thanks to the way .NET is designed) marks any and all classes that don’t have any detectable “child” classes inheriting from them as “sealed” thereby reducing the amount of memory and CPU used by the CLR during run-time to determine what functions should be made available to other classes and libraries.\n<\/p>\n Improved Size and CPU Requirements<\/strong> One of the unique techniques used by {smartassembly} to improve the performance of .NET assemblies involves not loading all of the required dependencies {smartassembly} also takes a heuristics approach with regards to detecting unused code and dependencies, then simply cutting them out of the compiled software<\/a>. Depending on the exact make-up of your program, this has several improvements including securing as-of-yet unimplemented code from prying eyes (think of all those Easter Eggs!), decreasing the executable assembly’s file size, and improving memory usage. General Improvements<\/strong>\n<\/p>\n {smartassembly} has one more feature that can make a real difference: it can merge all dependencies and libraries that your application relies on directly into your own code. Then when the time comes to apply the above-mentioned improvements, all those bulky libraries that you only use a function or two from are suddenly subjected to intense filtering and pruning. If you’re using some heavy UI libraries (like DevEx), this can be a real God-send. Besides the drastic improvements to the size of your application, this leads to snappier code and easier deployment – no need to muck around with dependencies in your package manager.\n<\/p>\n <\/p>\n Obfuscation: it’s what brought us to {smartassembly} in the first place. While {smartassembly} isn’t in the market as just an obfuscation utility, we feel it really shines here. We’ve tried almost all other .NET Obfuscation utilities, from Remotesoft’s Salamander, Pre-Emptive’s DotFuscator, 9Rays, Spice, XenoCode, CodeVeil, .NET Reactor, and just about everything else in-between. There are tools like Salamander that are mainly decompiling utilities that give you “immunity” from themselves, stuff like DotFuscator which claim to have tons of advanced options that we just can’t seem to locate, and others that do a decent all-around job. But nothing really stacks up like {smartassembly} in our testing.\n<\/p>\n We obfuscated EasyBCD using the maximum protection<\/a> – which isn’t really recommended because of certain possible incompatibilities especially for library authors – and set off to try to decompile the now-obfuscated code in dozens of decompiling suites and services.\n<\/p>\n But that’s not all the protection {smartassembly} has to offer, so we didn’t just stop right there. Anyone using secret strings (passwords, secret URIs, swear words for method names, etc.) should know the danger of having obfuscated code but fully-legible text – that’s where the string encoding features<\/a> come in. We’re not exactly sure what encryption techniques\/ciphers are being used by {smartassembly} to encode the passwords in the executable then decode them on-the-fly during runtime nor were we able to find out – but it seems secure enough for most purposes. We ran Syser Debugger (version 1.8) and tried to intercept a password we knew beforehand but weren’t able to get to it – but we didn’t lose any sleep over it either, so don’t take this to the bank.\n<\/p>\n The most interesting obfuscation technique we saw used in {smartassembly} isn’t so much obfuscation<\/em> as it is out right deception<\/em> – but when someone is trying to steal your source code (and the gallons of blood and sweat that come along with it), we doubt you’ll spend any sleepless nights feeling guilty about the moral consequences of placing false metadata<\/a> in your assemblies codebase. It seems that {smartassembly} is capable of adding a tiny bit of code to baffle ILDASM and any other ILDASM-dependant decompilers. Certain decompilers flagged the assembly as “non-.NET” though we’re not sure if {smartassembly} actually adds any non-managed code to the final assembly or not.\n<\/p>\n Trying to Decompile EasyBCD…<\/strong>\n<\/p>\n Once we applied all these layers of security to EasyBCD 1.6 (no, you can’t see it yet!), we set off trying to crack the security we just put in place. We tested {smartassembly}’s obfuscation techniques against the following tools:\n<\/p>\n It passed. 2 of the tools failed to even recognize EasyBCD as a .NET assembly (while the others assured us it was). The rest showed weird combinations of non-letters, arrows, and other gibberish nonsense.\n<\/p>\n We’ve finally a found a tool that as-advertised, no beating around the bush or promising the sky. Event RemoteSoft’s Salamander with it’s “de-obfuscate(turn any obfuscated code into recompilable format)” [sic] feature failed to do its magic. We’re duly impressed. Of course, any security tool worth its salt should feature some sort of strong-key signing<\/a> – fully compatible with the .NET 2.0 Framework standard, of course.\n<\/p>\n <\/p>\n One of {smartassembly}’s “more marketed” features is the unhandled exception handler. Confused? It does just what it’s name implies!\n<\/p>\n Everyone has seen the annoying pop-up messages that appear when an application crashes in Windows XP+. It claims it’s going to “inform Microsoft” and “let you know” when a solution is found. As developers, we’ve never been contacted by Microsoft (or even anyone claiming to be<\/em> Microsoft) telling us our application crashed and asking us to fix it. So {smartassembly} lets you take matters into your own hands.\n<\/p>\n Instead of calling up Microsoft’s own error-reporting agent and just wasting bandwidth all around, {smartassembly} can configure your application<\/a> to use its own servers to report unhandled exceptions<\/a>. When you purchase a license key, you’re given an account on Cachupa server which accepts (any number of) exception reports and lets you see a log of all errors. And if you created a PDB debug file when you created your {smartassembly}-optimized program, you can use that to view a stack trace.\n<\/p>\n The {smartassembly}-optimized error-reporting client logs the exception with the remote server, and from your own PC you can use your {smartassembly} install to browse recent exceptions – just like an email client. If you generated the PDB file (and no reason why you shouldn’t), you can use the combination of the stack trace, detailed bug reports (together with the platform and configuration) to fix just about anything.\n<\/p>\n While we haven’t encountered the need for this particular feature with EasyBCD and our other applications which generally don’t have many issues, but when they do<\/em> fail they fail at a low-level (leaving the user helpless!) and don’t fire up exceptions, we can easily imagine circumstances under which this feature becomes absolutely essential – especially when dealing with millions of users running an uptime-critical application like a Instant Messaging client or a web server.\n<\/p>\n <\/p>\n {smartassembly} is an amazing utility, and belongs in any serious programmer or organizations arsenal when it comes to proper development, deployment, and bug tracking\/cyclic-feedback.\n<\/p>\n There are a couple of things that might throw off a newcomer to {smartassembly}, chief of which is the interface. It’s innovative and easy-to-use, but to someone coming to {smartassembly} from another obfuscation suite or even straight out of the Visual Studio IDE, it’s radically different.\n<\/p>\n It doesn’t offer much control to the end user with regards exactly what gets obfuscated and what doesn’t, which obfuscation techniques are used and where they’re employed, but the end result is just great.\n<\/p>\n Unlike some of the other applications we tested, {smartassembly}-obfuscated programs couldn’t be re-compiled from decompiled source, and it really did protect our intellectual investments – so far as we tested it at any rate. More importantly, the final obfuscated result run properly and without a hitch. When we obfuscated EasyBCD with XenoCode and CodeVeil, we were surprised to find out the executable file didn’t even run – with XenoCode it errored out before the Windows Form could even be generated, and with CodeVeil it gave an unhandled exception right afterwards.\n<\/p>\n {smartassembly} is definitely competitively-priced. Not many other obfuscation and optimization suites are priced in the sub-$500 range, and certainly nothing that preforms this well. Yet for the casual developer, 400 USD can seem like a hefty price to pay for some peace of mind – but that’s .NET for you… Another quirk in {smartassembly} other than the lack of fine-control is the build times. While it optimizes applications pretty fast, if you opt to use the “Dependency Embedding” and “Dependency Merging” features with certain large libraries<\/ins> you’ll find that your P4 can easily sit there producing the final assembly for around 30 minutes easy.3<\/a><\/sup> But that’s a small price to pay for the performance enhancements for your users, the peace-of-mind knowing your code (and gallons of sweat and blood) is safe from prying eyes and greedy hands. Hopefully future versions will feature improvements to the output engine’s compiling speed.\n<\/p>\n \n<\/p>\n All in all, we give {smartassembly} 9 stars out of 10. If only {smartassembly} had an extra bit of fine-tuning that give it the final push it needs to be a perfect 10\/10.<\/strong><\/p>\n Compared with Pre-Emptive Software’s DotFuscator, Remotesoft’s Salamander, CodeVeil, XenoCode, and more ↩<\/a><\/p><\/li> We misread this data in particular – it’s actually $399 a user for up-to 4 users, then it’s a discounted rate<\/a>. ↩<\/a><\/p><\/li> In attempting to merge & embed the DXperience UI Library, {smartassembly} proved to take quite a bit of time. But for all other libraries the process was snappy and finished in well under 2 minutes. According to {smartassembly}’s developers this was a one-time quirk. ↩<\/a><\/p><\/li><\/ol>","protected":false},"excerpt":{"rendered":" Programs. They start off in the IDE as nothing more than a blank page, then (with the blood, sweat, and toil of programmers and many sleepless nights) they turn into volumes of monospaced text, a standing testament to the dedication … Continue reading {smartassembly} & Optimization
\n<\/h3>\n![](\"https:\/\/farm3.static.flickr.com\/2650\/4108966704_01d72d8dd9_o.png\")
<\/a> ![](\"https:\/\/farm3.static.flickr.com\/2630\/4108966670_7b4036b1b9_o.png\")
<\/a>\n<\/p>\n
\n \n<\/p>\n<\/p>\n
\n \n<\/p>\n
\n
<\/a>of the main application at once. This is similar to inline vs. external functions in C++, except the dependencies – once requested – are expanded into the memory-space and then have the same performance as the main application itself. Effectively, this is an intelligent compromise between performance and bloat, especially in large applications that rarely have all options activated at once. In our tests, it depends on the size (and quantity) of the external libraries and dependencies being used by the application in question, but by only loading the main assembly into the memory then dynamically decompressing the dependencies (packed with a mild compression algorithm) as one-time occurrence can end up with a huge performance benefit.\n<\/p>\n
\n \n<\/p>\n<\/p>\nObfuscation Techniques & Security in {smartassembly}
\n<\/h3>\n\n
Handling Unhandled Exceptions – The Right Way
\n<\/h3>\n![](\"https:\/\/farm3.static.flickr.com\/2702\/4108200471_41ae8aaa95_o.png\")
<\/a>\n<\/p>\n
\n \n<\/p>\n<\/p>\n![](\"https:\/\/farm3.static.flickr.com\/2644\/4108966532_97cc9a8a62_o.png\")
<\/a>\n<\/p>\nFinal Thoughts on {smartassembly}
\n<\/h3>\nOne more nice thing about the {smartassembly} pricing is that you can have up to 4 developers using the same license without paying a penny more – that’s more than what we can say for most other software development suites out there.<\/del>2<\/a><\/sup>\n<\/p>\n