Obfuscator User Guide

Obfuscator is designed to protect applications created in VFP6-9 environment against

reverse engineering. This is achieved by changing the names of variables, properties, procedures,
functions, methods and objects. As a result, the object source obtained by decompilation is much
less readable and harder to understand.
Capabilities & Limitations
Due to the method used for storing the information in compiled VFP files it is impossible
to completely automate the obfuscation. For a number of reasons some identifiers cannot be
changed.
1. Names of entities external to the application being obfuscated (e.g. databases, tables,
cursors, files, etc.) cannot be changed.
2. Names used in string expressions cannot be changed. This is a severe limitation since
names as string expressions are often used as arguments in function calls such as Type, Evaluate,
PemStatus, and methods calls such as AddProperty, AddObject, etc., as well as in
macrosubstitutions.
3. Obfuscation of names that also are VFP reserved words is not recommended.
4. Obfuscation of names such as Option1, Option2, Page1, Page2, Command1,
Command2, etc. is not recommended either since these are the names of the objects aggregated
in base classes Optiongroup, Pageframe, Commandgroup.
5. Names that occur in the IN clause of DO statements are stored as strings and therefore
cannot be obfuscated.
6. In case the name fits one of the criteria above, it becomes impossible to obfuscate
application-wide, even if one of the instances of it does not fit the same criteria. E.g., if you have
a variable named Var and there is a table with field named Var as well the variable in question
cannot be obfuscated. There is one exception to this rule: if the variable is declared as local it
may be obfuscated as long as the field with the same name is not used in the module (procedure,
function or method) where the variable is declared.
Due to all of this obfuscation is not a simple procedure and requires human intervention,
attention to detail and, obviously, careful testing of obfuscated application afterwards.
Using the Program in Interactive Mode
When Obfuscator is launched without command line arguments the main window is
opened where all the options needed must be set. To obfuscate a file you must first enter the
name of the file that should be obfuscated into the Source file name textbox, or choose it from
the file list using the button to the right of the textbox. The name of the file to be created should
be entered in a similar way (using Target file name textbox). You may also use the arrow button
that copies the contents of the Source file name textbox into the Target file name textbox.
After that you must choose the files that local variables should be obfuscated in. You can
either choose the appropriate file types (FXP, SCX, VCX), or choose a file with the list of files
where local variables should be obfuscated. If in addition you check the Manually edit list of
files to be obfuscated checkbox then during the obfuscation a window with the list of files to be
obfuscated will appear giving you an opportunity to add or remove the files manually. There is
an option to save this list to a file after editing.
Next step is choosing the local variables to be obfuscated. You may choose to obfuscate all
local variables, all local variables matching a mask, or all local variables except those matching
the mask. The mask should be in the format used for masks in the LIKE string comparison
operator. You may also enter a list of masks separated by semicolons.
Note: Variable is considered to be local if it is declared using either local or lparameters
statement. There is one exception to this rule. These statements are parsed only till the first
occurrence of an array declaration. All variables declared after the first array declaration are not
considered local. This behavior is due to the fact that expression defining the number of elements
in an array may potentially be very complex and would be difficult to properly parse.
As the next step you must choose a processing method for other names in the application.
There are two options: you may choose to either not to obfuscate them at all or obfuscate them
using the information from the list provided by the user. If the Manually edit list of names to be
obfuscated checkbox is checked (option Don’t obfuscate other names will be changed to
Obfuscate names manually selected from list automatically if you check that checkbox) then
during the obfuscation a window with the list of all the names found in application except names
of local variables will appear. For every variable in this list you must choose one of seven
options: N – the name will not be obfuscated (this is the default option), V – the name will be
obfuscated as a name of public or private variable or non-visual class property, P – the name will
be obfuscated as a name of a property of a visual class or form, O – the name will be obfuscated
as a name of an object of a visual class or form, F – the name will be obfuscated as a name of a
function, procedure or method of a non-visual class, M – the name will be obfuscated as a name
of a method of a visual class or form, B – the name will be obfuscated as a name of a function or
procedure called using a file name. The number of names in an application may be huge, so it
would be wise to save the information entered to a file using the Save namelist button in order to
reuse this list next time.
All the options selected in the main window may be saved to a configuration file by
clicking the Save config button. Next time you launch Obfuscator you may load a saved
configuration using the Load config button. The configuration files may also be used when
running the program from the command line.
After all the options are set, click the Obfuscate button. As a result an obfuscated copy of
the file will be saved using the file name entered into the Target file name textbox. If the
contents of Source file name and Target file name textboxes are identical, the original file will be
overwritten with the obfuscated copy (make sure to have a backup copy in this case). If an error
arises during the obfuscation, you will receive a message and the target file will not be created.
Running the Program from the Command Line
When running the program from the command line use the following command line
format:
Obfuscator Configuration_file_name
where Configuration_file_name must be a name of the file, written as a configuration file from
the obfuscator main window when running in interactive mode. Note that the Manually edit list
of files to be obfuscated and Manually edit list of names to be obfuscated options will be ignored
when running Obfuscator from the command line.
General Recommendations on Using Obfuscator
First time you use Obfuscator you should try to obfuscate local variables only. In this case
you must exclude only the variables used in Type and Evaluate function call and
macrosubstitutions, as well as variables that the same name as some other objects (this obviously
does not apply if you use the Hungarian notation). You shouldn’t try the obfuscation of anything
but the names of local variables until you have succeeded with obfuscating the local variables. In
more complicated scenarios the most important guideline is: if you are not certain what to choose
as the obfuscation type for a name, you should choose the N option – do not obfuscate.
If you have a decompilation tool (e.g., Refox), you may take a look at the decompiled
source to see the result of obfuscation. Sometimes it is possible to find the reason why the
obfuscated application does not work correctly running the decompiled source in IDE.
Obfuscated applications are in proper VFP format, so it may be further protected from
decompilation by any protection tool you may have.

Please send your comments, suggestions and bug reports to obfuscator@grada.lv. The
author will be grateful for any feedback. All received messages will be read with great attention
and, if possible, used to improve future versions of obfuscator.