2023-08-15

On the "Dotfuscator" tool by PreEmptive Solutions


I am giving this tool a try at work, and I am encountering a great many problems with it. I decided to publicly document my findings.

  • You launch their GUI application by going to the "Tools" menu of Visual Studio and selecting "Preemptive Protection - Dotfuscator Community". At first it seems like nothing happens, but the application does appear a couple of incredibly long seconds later.
  • Every single time you launch their GUI application you are presented with their "Dotfuscator Community Registration" dialog, which you have to cancel in order to proceed. Every. Single. Time.
  • While looking at the front page of their GUI, there are no fewer than 3 nags visible to buy:
    • One that says "Try Dotfuscator Professional"
    • Another that says "Evaluate Dotfuscator Professional now"
    • And one more which says "A new version of Dotfuscator is available. Upgrade Now", which, as I will show, is a lie to trick you into visiting their web site.
  • Upon every single startup of either the GUI or the command-line it says "a newer version is available, please download it from the downloads page of our website". So, if you want to ignore the newer version, you can't, you will always be pestered to download the newer version.
  • Obviously, it calls home, but it did not first ask for permission to call home.
  • If you go to the downloads page of their website to download the latest version, the only downloads available are for versions of Visual Studio that are older than the latest version, which is 2022, which is what I am using, and which is what Dotfuscator came bundled in.
  • They do not say what the latest version number is on their web site, so you cannot compare it against the one you already have.
  • I downloaded the latest version they offered on their web-site, and when I tried to install it, it said that it cannot find any compatible version of Visual Studio to install itself into. So, the "newer version is available" message is just a damned lie to lure you into visiting their website.
  • Each time you launch their GUI application, it says "Dotfuscator1.xml" on its titlebar, which is the filename of the configuration file I created, but it has not loaded that file, because the "Inputs" page is empty.
  • Furthermore, it shows an asterisk next to the filename, meaning that the file has been modified, even before I have performed any actions that would have modified it. (And if I exit their GUI application, it does not ask whether I want to save any changes.)

    As it turns out, this "Dotfuscator1.xml" is just the default settings filename that it uses so that it does not start completely empty, and it is just a coincidence that it has the same name as my actual configuration file. This explains a lot of the observed behavior, but the fact still remains that this is the default settings filename, so my first settings file is likely to have this name, and then things are bound to get mighty confusing, because "Dotfuscator1.xml" will sometimes refer to the default unsaved settings file, and sometimes it will refer to my actual settings file.

  • Their GUI application remembers the size and position of its main window only on the primary monitor; if you move it to another monitor, next time it starts it will appear on the primary monitor again.
  • The user interface of their GUI application is clunky, inelegant, nonsensical, and results in a very poor user experience. As a small example, on the "Inputs" tab they show a red exclamation mark next to every single one of my DLLs, but they don't give the slightest hint as to what the exclamation mark means or why it is being shown.
  • The Dotfuscator1.xml file generated by their GUI application is completely unusable because it contains absolute pathnames.
    • You have to manually edit the file to convert them to pathnames relative to the root of the solution.
    • Of course, in doing so, you will be blatantly disregarding the auto-generated comment at the top of the file which says that to edit this file, you supposedly have to use their GUI application.
But it is okay, we live in the 3rd millennium, we do our builds on continuous build servers, so all of our build tools are command-line tools, and nobody cares about their crappy GUI application.

So, let's use the command-line tool, shall we?
  • If you try to use the command-line tool, it says:
    "You must register Dotfuscator Community in order to execute command line builds. Run the Dotfuscator GUI which will explain how to register."

    So, the "community edition" product name is marketing deceit; this is not a "community edition", this is a completely useless advertisement of a product. It becomes an evaluation version once you have completed registration, where "registration" is a euphemism for personal information phishing.

    So, in order to proceed we have no option but to register.

    So, let's register, shall we?

    • Their "Dotfuscator Community Registration" dialog says "PreEmptive Solutions will notify you by email with news, updated products and services (you may opt-out of being contacted)." There is no checkbox to control whether this will happen; you are just being informed that it will happen. So, beware, you are being opted-in.
    • Their "Dotfuscator Community Registration" dialog has a "Read our online privacy policy" link.
      • If you click that link, it takes you to some "Policies & Procedures" page, it does not take you to their privacy policy page.
        On that "Policies & Procedures" page, if you search among the many links that are completely unrelated to privacy, you might find a link which says "Privacy Policy under Privacy Shield".
      • The contemptible disgrace known as the "EU-US Privacy Shield" was declared invalid by the European Court of Justice on 16 July 2020.
    • Their software shows me a "Serial Number" but in the e-mail that they sent me they call the same thing "license key" instead.
    • Their software asks me for a "Confirmation Code" but in the e-mail that they sent me they call the same thing "confirmation number" instead.
    • After registration, each time you launch their command-line tool, it displays the following message:
      "For personal use only. Please refer to the EULA distributed with The Software for details"
      Indeed, on their "Command Line Interface" page they have a "License Restrictions" section which states:
      "The Dotfuscator Community license expressly prohibits the use of the product by commercial organizations for anything other than personal research and education. If you would like to use Dotfuscator on commercial projects, please consider evaluating Dotfuscator Professional."
      Again, further proof that the "Dotfuscator Community" product title is nothing but a euphemism for "limited evaluation version"; in other words, marketing deceit.
    • Both the "for personal use only" and the "newer version available" messages keep appearing even if you supply the /q (quiet) flag, so there is no way to suppress them.
    • When the command-line tool encounters an error, including normal usage error, it often displays not just an error message, but also a stack trace. This tells me that the tool is still at a highly experimental and immature stage of development.
      Furthermore, the class names and method names in the stack trace are obfuscated, so they are doubly useless.
    • The command-line tool may also fail with error messages that are extremely cryptic and completely unhelpful.
      • For example, on one occasion where a nuget package sources server was unavailable, the dotfuscator command-line tool failed with the following:
        "Metadata Root has bad signature at 219f8"
    • In their Dotfuscator.xml configuration file they make use of GUIDs and other hashes, which render it extremely hostile to humans.
      • For example:
        <inputassembly refid="1639ab18-0eb8-4c8c-ba6c-9eab6d8a740d">
        <referencerule rulekey="{6655B10A-FD58-462d-8D4F-5B1316DFF0FF}" />
    • While running, the command-line tool spews out an incredible amount of messages. A few of those messages are useful, for example the ones about each output file that it creates; the rest, which is 99.9% of them, are entirely useless.
    • If you use the /q (quiet) flag, the only messages that are suppressed are those few useful ones; the 99.9% of entirely useless messages are still spewed.
    • A great many lines of output spewed out by the command line tool are prefixed with the string "[Build Output] ", which is a statement in direct conflict with fact: this is definitely not build output, this is obfuscator output.
    • If you run the command-line tool without any options, it gives usage information. The usage information says that it supports a /p=outdir=<directory> option. This option has absolutely no effect.
      • If you run the command-line tool with the /?? option to see the "extended" options, there is another /out:<directory> option, and that one works.
    • The tool systematically utilizes silent failure.
      • As a result, it either issues no error messages where it should, or it issues misleading error messages. Both of these behaviors constitute sabotage against the developer.
      • For example:
        • If it cannot find one or more of the input assemblies specified in the configuration, it will not complain at all. This means that I may be under the impression that a certain assembly is being obfuscated, while in fact it is being shipped to customers completely unobfuscated, due to a simple spelling mistake, and the tool did not give me the slightest warning or hint that this is happening.
        • If all input assemblies are missing, then it says "There are no assemblies to process. Stopping the build." The problem here is that the message suggests that I invoked the tool without giving it any work to do, while in fact I did invoke the tool with specific work to do, which was not done.
    • Within the torrent of output lines that are prefixed with "[Build Output]" no distinction is made between lines that are frivolous spam which has to be filtered away and lines that contain error messages, such as "no assemblies found to process". Thus, in order to avoid missing any error messages, we are forced to see all the frivolous spam every single time we launch the tool.
    • So, after all this, I could verify that I can use the tool from my build server, and that name mangling works. But what about code mangling, otherwise known as flow control obfuscation? Well, as it turns out, that is beyond the scope of the "Community" edition; you have to buy the "Professional" edition if you want to have that.
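    As an added example (not from this post, and not PreEmptive's code), here is a pre-flight check and an output filter that a build server could wrap around the command-line tool, addressing the silent-failure and output-noise points above. The <inputassembly refid="..."> element is taken from the config quoted above; the <file dir="..." name="..."/> child element and solution-relative directories are assumptions about the config format, and the sample output lines are constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed Dotfuscator.xml fragment. <inputassembly refid="..."> is quoted on the
# page; the <file dir="..." name="..."/> child and solution-relative dirs are
# ASSUMPTIONS about the format. The second name is misspelt on purpose.
SAMPLE_CONFIG = """<dotfuscator version="2.3">
  <asmlist>
    <inputassembly refid="1639ab18-0eb8-4c8c-ba6c-9eab6d8a740d">
      <file dir="bin\\Release" name="MyApp.Core.dll" />
    </inputassembly>
    <inputassembly refid="PLACEHOLDER-GUID">
      <file dir="bin\\Release" name="MyApp.Sevrices.dll" />
    </inputassembly>
  </asmlist>
</dotfuscator>
"""

def missing_input_assemblies(config_xml: str, solution_root: str = ".") -> list[str]:
    """Return config input assemblies that do not exist under solution_root.
    Fail the CI step when this is non-empty: the tool itself skips them silently."""
    root = ET.fromstring(config_xml)
    missing = []
    for asm in root.iter("inputassembly"):
        for f in asm.findall("file"):
            rel = Path(f.get("dir", "").replace("\\", "/")) / f.get("name", "")
            if not (Path(solution_root) / rel).is_file():
                missing.append(rel.as_posix())
    return missing

# Constructed command-line output. The "[Build Output] " prefix and the
# "no assemblies to process" message are quoted on the page; the rest is made up.
SAMPLE_OUTPUT = """[Build Output] Loading configuration Dotfuscator1.xml
[Build Output] There are no assemblies to process. Stopping the build.
[Build Output] Done
"""

# Messages the page reports as signalling a failed or empty run.
ERROR_PATTERNS = (re.compile(r"no assemblies (found )?to process", re.I),
                  re.compile(r"Metadata Root has bad signature", re.I))

def error_lines(output: str) -> list[str]:
    """Keep only lines matching a known failure message, stripped of the prefix."""
    bodies = (ln.removeprefix("[Build Output] ").strip() for ln in output.splitlines())
    return [b for b in bodies if any(p.search(b) for p in ERROR_PATTERNS)]
```

    Run missing_input_assemblies before the obfuscator and error_lines over its captured output; a non-empty result from either is the warning the tool itself does not give.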

    So, let's give "Dotfuscator professional" a try, shall we?

    • In the confirmation e-mail that I received when I registered my "Community" edition there was a link to "Visit My Account". When I click on this link, it takes me to a page which asks for a user-name and password. However, when I registered, they did not say anything about any user-name or password; I just received a "confirmation code". This is mighty confusing, annoying, and frustrating. So, it appears that I am going to have to register again, this time with a user-name and password.
    • After registering again, and clicking on "Try Dotfuscator Professional", and filling in their mandatory survey form, and receiving the installer, and installing it, I am presented with a "Click here to activate Dotfuscator" dialog. So, besides "registering" in order to try their useless advertisement, and then "registering" again in order to start a free trial of their actual product, I now have to "activate" the free trial. This was done by entering a key that they sent me by e-mail.
    • From the looks of it, if I decide to continue using this product after the trial, I am going to have to purchase what they call a "Build License". This build license will have to somehow be added to the build server, which I am not in control of, and will have to somehow be updated each time the build server changes; we will see about that when we get there.
    • Neither on their web-site, nor during the entire process of starting the free trial, do they seem to mention how long this free trial lasts. It might be one month, it might be one week, it might be one day. They just don't say. It is a secret.
    • Nowhere in their communications do they seem to mention how much their product costs. It might be 100 bucks, it might be 1000 bucks, it might be 10000 bucks. The only thing they say is "Request a Quote", which to me means a few things:
      • They are going to be eyeballing me and tailoring their price according to how deep they estimate my pocket to be.
      • Someone else will get a different price, which is unfair.
      • I might get a different price if I bargain, which I hate.
      • They are an inefficiently run company that relies on salesperson labor.
    • On their "Request a Quote" page they have a spelling mistake, "Xamarian" instead of "Xamarin".
    • Their "Request-a-quote" page does not work. When I click the "submit" button, the button becomes slightly faded out, and nothing else happens. Of course I had to waste my time reloading the page, re-filling all of my information, re-solving the captcha, and re-submitting the form 3 times before deciding that it just does not work. So, PreEmptive Solutions is proving to be very good at one thing: wasting my time.
    • They called me. On the phone. Just at the exact moment that their request-a-quote page was proving to be a fiasco, my phone rang. It was a guy from France, speaking with a thick French accent, allegedly making a follow-up call after my registration. I would bet that their seemingly out-of-order request-a-quote page contained just enough functionality to alert him that I tried to use it. I asked him how much it costs to have a license for one team, one application. He said €4250 euros per year. I also asked how long the evaluation lasts, he said that it is 14 days. Since they are not posting this information on their web site, I am taking the liberty to post what they said to me in person. You might get different answers. The date today is 2023-08-16. When I run the tool, it says "Your subscription expires in 15 days."
    • During the evaluation I was able to determine that the tool does actually work; if used correctly, it does those things that I would want from such a tool:
      • It can be used as a command-line tool on a build server.
      • It provides code mangling that is so strong that the reverse-engineered code produced by ILSpy does not compile, and even if it did compile, my guess is that it would probably not run.
      • It provides name mangling, not only within individual assemblies, but also across assemblies if requested. (Mangling of public identifiers.)
      • The tool also has many other features, for example string encryption.
