Obfuscate your Silverlight application with Dotfuscator

Page update date :
Page creation date :

About Dotfuscator

Dotfuscator is an obfuscator that makes source code difficult to read when applications written with the .NET Framework are disassembled. Dotfuscator is available in both free and paid retail versions that come with Visual Studio.

The free version is only available with many limited features and the assumption that Visual Studio is running, but anyone with Visual Studio installed can use it. The paid version has many powerful obfuscation features that are not available in the free version, but it may be annoying that it is offered at a price that is difficult for the general public to afford.

Dotfuscator may have different features, pricing, and editions depending on the version, so please refer to the following website for details.

Dotfuscator

Parsed code

As mentioned above, applications created with the .NET Framework can easily read the original source code by disassembling, but what actually happens is that when you disassemble an assembly file as shown in the figure, most of the original source code such as namespaces, class names, and method names can be reproduced.

解析されたコード

Obfuscation procedure

Start by creating the Silverlight application as usual and doing a Release build. Here, we are creating an application that only places two buttons.

Release ビルド

In the Bin\Release folder of the folder where the project is located, type . xap" is a package file that summarizes the programs and files used in Silverlight applications.

XAP ファイル

Actually, this file is compressed and compiled as a ZIP file, so the extension is ". zip".

拡張子を .zip に変更

It has been changed to a ZIP file.

ZIP ファイル

When you open the file, it contains a manifest file and a DLL. This DLL is the compiled version of the program that runs as an application.

By the way, the DLL file is also placed in the Release folder when it is built, so this time we will obfuscate this file.

ZIP ファイルの中身

From the Visual Studio menu, select Tools, and then select PreEmptive Dotfuscator And Analytics.

When starting for the first time, the "License Agreement" dialog will be displayed, so read the contents carefully, check "Yes, I accept the license agreement." and click the "OK" button.

PreEmptive Dotfuscator And Analytics を選択

The PreEmptive Dotfuscator And Analytics CE starts.

PreEmptive Dotfuscator And Analytics CE

Select "Inputs" from the tree on the left and click the "Add Input" button.

入力の追加

Select the DLL file that you generated during the build.

ビルドで生成した DLL ファイルを選択

Select the DLL file you added and uncheck Library Mode > XAML Conversion.

If "Library mode" is checked, classes and methods defined in public will not be obfuscated.

If "XAML conversion" is checked, classes defined in XAML will be obfuscated, but depending on how you create it, it will cause a startup error, so if it occurs, please uncheck it.

「ライブラリ モード」「XAML の変換」のチェックを外す

Basically, all classes, methods, properties, and variable names are obfuscated, but if you do not want to obfuscate a specific namespace or class due to serialization, select "Rename" from the tree on the left, select the "Exclude" tab, and check the target namespace or class.

難読化の除外

Under Built-in Rules, make sure Fields for Silverlight and WPF UserControls is checked. Checking this will make the UserControls field obfuscated and will run successfully. You can uncheck it if it seems to work correctly even after obfuscating.

Silverlight および WPF UserControls のフィールド

When you are finished, click the "Build Project" button from the toolbar.

プロジェクトのビルド

If there are changes to the project, the project save confirmation dialog will be displayed, so click "Yes" to save.

プロジェクト保存確認ダイアログ

The project is called ". xml" file. Obfuscated files are saved in the same location.

プロジェクト保存

Wait for the build to complete as it starts. Note that the larger the program, the longer it takes to build. When it looks like the figure, the build is complete.

The message field shows the progress of the build and a brief result such as how obfuscated it was.

ビルド完了

If you select Results from the tree on the left, you can see details about how the class and method names have changed.

Under the class and method names, there will be a Dotfuscator icon and names such as "a" and "b", which will be the obfuscated name. By changing the class name or method name to a meaningless name in this way, even if it is disassembled, it can make the contents of the source code difficult to read.

難読化結果

The obfuscated file is created in a folder called "Dotfuscated" in the folder of the .xml file saved in Save Project. In addition to the obfuscated file, a "Map.xml" file has been created, but this is the result of obfuscation and is not used.

難読化したファイル

If you disassemble the obfuscated file, you can see that some class and method names have been changed to "a" or "b".

This time, the default project created was obfuscated almost as it was, so I think there is an image that it is not so obfuscated, but I think that the effect of obfuscation becomes clearer because the number of classes etc. increases as the project grows.

As an aside, . NET Framework libraries and are not subject to renaming because they are assemblies that are already installed on Windows, for example.

難読化したコードの解析

Silverlight does not use DLLs as-is, so they are packaged as XAP files. As mentioned at the beginning, a XAP file is just a change in the extension of the ZIP file, so it creates a ZIP file by collecting the files contained in the XAP file and the obfuscated DLLs.

Creating a ZIP file can be done using standard OS features.

ファイルを ZIP 化

A ZIP file is created.

ZIP ファイル

The extension is changed to '. xap" and if the file name is different, change it to the original package file name.

Place the XAP file in a distribution location.

XAP ファイルに変更

Please check the operation and see if it works properly.

If it does not start, check until it works normally by reducing the obfuscated code. Note that Silverlight often gets stuck in XAML-related matters.

動作確認

Although the instructions are not listed here, if you want to sign a program, build it in a delay-signed state, obfuscate the assembly, and then re-sign. Even if you obfuscate it while it is signed, the signature code attached at the time of build and the signature code after obfuscation will not match, so you will not be able to start it.

In this article, I have listed the steps for the free version, but if you use the paid version, you can perform more complex obfuscation and prevent disassembly itself. However, obfuscation has the potential to cause various adverse effects, so when obfuscating is made, it is necessary to consider whether it will work properly from the beginning of design.