Is .NET code obfuscation really worth it?

From what I've read, code obfuscation isn't really that hard to "crack", and it will only delay the inevitable. In that case, what is its purpose?

If someone really wants to steal your source they can.

If someone needs to view your source code for harmless/helpful purposes they can't.

You probably shouldn't be storing anything sensitive in the code, so that shouldn't be an issue.

If you don't obfuscate, you're still not providing the full source code, so you could sell a "source code license".

The funny thing is, the only code that I have ever seen obfuscated is terrible code that has bugs in it. The only reason I need to look at the code is to figure out what the problem is and what I can do to fix it.

For example, I need to replace some of the images in ASPDotNetStoreFront. When looking for the location of the tags, I found that they were contained within compiled code. CRAP. So I figured I would decompile the code, to find out which img tags to replace via Regex. I tried to view the source code to see what images could possibly come from the given compiled method, and Reflector can't handle it, I presume because of obfuscation. I don't really have time to go looking around for de-compilers/de-obfuscators.

John B asked Feb 22 '10 21:02


2 Answers

I think it's worth it. The cost to you is virtually nothing, and you make the hacker's life much harder. Even if they crack it, you have the satisfaction of knowing you wasted anywhere from several hours to several weeks of their lives. Just because a lock isn't perfect doesn't mean you don't lock your doors.

Steve answered Oct 01 '22 16:10


Only if your project is long-running and would take someone a great deal of time to implement is it worth it. This is of course an opinion here, but I haven't found an obfuscated .NET DLL yet that I couldn't figure out what's going on using only Reflector.

It's a deterrent, nothing more. If the cost of someone reverse engineering your code is greater than the cost of implementing it themselves, that's the only legitimate case I see for it, but if someone wants to see how your code ticks, it's not very good at preventing that.

One common case I see a lot is how you produce and/or decrypt a license key. Anyone that's motivated to figure this out and dig in Reflector for your salt/decryption methods isn't going to be stopped by obfuscation; I'd dare to say it won't really slow them down much either.

Nick Craver answered Oct 01 '22 17:10
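The license-key case from the answer above, as an added example that is not part of either answer: a check that depends on a salt compiled into the assembly, next to one where the shipped code holds only a public key and so has nothing worth hiding. It assumes .NET 5 or later; the class name, method names, salt and e-mail addresses are hypothetical and constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Weak pattern: the salt ships inside the assembly, obfuscated or not.
    // Whoever reads the decompiled code holds everything needed to issue keys.
    const string EmbeddedSalt = "constructed-sample-salt";

    static string WeakKey(string customer) =>
        Convert.ToHexString(SHA256.HashData(
            Encoding.UTF8.GetBytes(customer + EmbeddedSalt)))[..16];

    static bool WeakCheck(string customer, string key) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(WeakKey(customer)),
            Encoding.ASCII.GetBytes(key));

    // Signed pattern: the client only verifies. The public key can be read
    // freely because it cannot be used to create a license.
    static bool SignedCheck(byte[] vendorPublicKey, string customer, byte[] signature)
    {
        using var ecdsa = ECDsa.Create();
        ecdsa.ImportSubjectPublicKeyInfo(vendorPublicKey, out _);
        return ecdsa.VerifyData(Encoding.UTF8.GetBytes(customer),
                                signature, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        // Vendor side, never shipped: key pair constructed here for the demo.
        using var vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] publicKey = vendor.ExportSubjectPublicKeyInfo();
        byte[] license = vendor.SignData(
            Encoding.UTF8.GetBytes("alice@example.com"), HashAlgorithmName.SHA256);

        // The weak check accepts any key derived from the embedded salt.
        Console.WriteLine(WeakCheck("bob@example.com", WeakKey("bob@example.com")));

        // The signed check accepts the vendor-issued license for its own
        // customer name and rejects the same signature under another name.
        Console.WriteLine(SignedCheck(publicKey, "alice@example.com", license));
        Console.WriteLine(SignedCheck(publicKey, "bob@example.com", license));
    }
}
```

Signature verification removes the secret from the client, but the check itself still runs in code the user controls, so it remains a deterrent in the sense the answer describes.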