This study investigates the effectiveness of code obfuscation techniques in impeding attackers’ comprehension of malicious logic and examines whether quantitative code complexity metrics can predict their impact on attack success rates and time-to-compromise. Through a controlled user study, it systematically evaluates, for the first time, the cumulative defensive efficacy of multiple obfuscation techniques—including control-flow flattening, string encryption, and virtualization—using both quantitative measures (e.g., comprehension time, success rate) and qualitative feedback (e.g., cognitive load assessments). It establishes an empirically validated link between objective complexity metrics (e.g., cyclomatic complexity, AST depth) and subjective attack difficulty. Results show that multi-layered obfuscation significantly increases attacker comprehension time (average +217%) and that certain metrics—particularly control-flow entropy—effectively predict attack failure probability. The work provides reproducible, evidence-based guidance for obfuscation strategy selection and software protection evaluation.

Evaluating the effectiveness of software protection is crucial for selecting the most effective methods to safeguard assets within software applications. Obfuscation involves techniques that deliberately modify software to make it more challenging to understand and reverse-engineer, while maintaining its original functionality. Although obfuscation is widely adopted, its effectiveness remains largely unexplored and unthoroughly evaluated. This paper presents a controlled experiment involving Master's students performing code comprehension tasks on applications hardened with obfuscation. The experiment's goals are to assess the effectiveness of obfuscation in delaying code comprehension by attackers and to determine whether complexity metrics can accurately predict the impact of these protections on success rates and durations of code comprehension tasks. The study is the first to evaluate the effect of layering multiple obfuscation techniques on a single piece of protected code. It also provides experimental evidence of the correlation between objective metrics of the attacked code and the likelihood of a successful attack, bridging the gap between objective and subjective approaches to estimating potency. Finally, the paper highlights significant aspects that warrant additional analysis and opens new avenues for further experiments.