Demystifying Silverlight Obfuscation

Obfuscation is to code as a front door is to your home.  That’s right, it’s hard to find a single home that doesn’t have a door.  Why is that?  Because without a front door, anyone can come inside your home and look around.  They may also find some of the things you have in your home interesting and may even decide to take them without your permission.

Applications are the same way.  They are just like your home. After all, you spend so much time and energy building them.  But 90% of all applications are not obfuscated.  Why?  I think it’s because of a lack of information.  I bet a lot of programmers think it is complicated, time consuming and expensive.

In this blog post I am going to try to demystify obfuscation.  In particular, I will be talking about obfuscating Silverlight applications using Eziriz’s .Net Reactor.

First of all, it is very important to obfuscate Silverlight applications, for two reasons:  1.  They are web based, and anyone who has access to them can run them.  2.  They run on the client, so it is very easy for the user to get their hands on all the DLLs.  This is different from, let’s say, ASP.NET, where code executes on the server and only the HTML is sent down to the client.

Lately I have been trying out different obfuscation tools to obfuscate Silverlight applications.  I have tried RedGate’s Smart Assembly, Eziriz’s .Net Reactor and Babel.net.  All three are paid; however, the last one has a lighter version for free.  All three are good; however, in this post I am going to be talking about my experience with Eziriz’s .Net Reactor.

I say Eziriz’s .Net Reactor is one of the best obfuscation tools around.  It lets you fine-tune your obfuscation at a very granular level.  It uses various obfuscation techniques to protect your code.  Here are some of the key techniques it utilizes:

  • Standard obfuscation – renaming types and members
  • Anti ILDASM – suppresses decompilation
  • NecroBit – another technique that suppresses decompilation
  • Anti Tampering – prevents assembly modification
  • Control Flow obfuscation – turns code into spaghetti code without altering the functionality
  • String encryption – encrypts hard coded strings inside the code

Along with those, it also offers the following:

  • creates a mapping file for you to deobfuscate the stack traces from an obfuscated application.
  • compresses and encrypts resources within your application.

And I saved the best for last, for all the Silverlight developers out there:  it works directly with the xap files.

Now, to demystify obfuscation:

Myth 1:  Obfuscation is complicated.  False.  It didn’t require me to write a single line of code.  It didn’t even require me to alter the way I build my application.

Myth 2:  It’s time consuming.  False – Using .Net Reactor, it took me less than 5 minutes to obfuscate my application.

Myth 3:  It’s expensive.  False – most developers out there know of DotFuscator.  And yes, it is very expensive.  But I think I got the same results from .Net Reactor, which only costs $179.

How I obfuscated my application using .Net Reactor:
Step 1: Built and then published my Silverlight application to staging as usual.
Step 2: Fired up .Net Reactor.
Step 3: Clicked the ‘Open’ button, and pointed to my xap file on staging.
Step 4: It already had checked the following options:  Anti ILDASM, Obfuscation and string encryption.  I additionally checked NecroBit and Control Flow Obfuscation.
Step 5: Clicked the ‘Protect’ link on the side menu bar. It took less than a minute and obfuscation was done.
Step 6: Navigated to Staging:  .Net Reactor had already created a secure folder for me where the obfuscated version of the xap file was.  I copied that file and replaced the original xap with it.
Step 7: Moved staging to production and I was done.

I tested the obfuscation by opening it up in Reflector and guess what, it couldn’t even open those files.  Awesome.
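
An added check to go with the Reflector test above (example code, not from the original post or from .Net Reactor): a xap is a ZIP archive, so you can hash every DLL in the original and in the protected package and list any assembly that came through byte-for-byte unchanged, meaning it was not protected at all. The file names and contents in the sample are constructed placeholders.

```python
import hashlib
import io
import zipfile


def assembly_digests(xap_bytes):
    """Map each .dll entry in a XAP (a ZIP archive) to its SHA-256 digest."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for info in xap.infolist():
            if info.filename.lower().endswith(".dll"):
                digests[info.filename] = hashlib.sha256(xap.read(info)).hexdigest()
    return digests


def compare_xaps(original_bytes, protected_bytes):
    """Classify each assembly as changed, unchanged, missing or added."""
    before = assembly_digests(original_bytes)
    after = assembly_digests(protected_bytes)
    report = {"changed": [], "unchanged": [], "missing": [], "added": []}
    for name, digest in sorted(before.items()):
        if name not in after:
            report["missing"].append(name)      # dropped from the package
        elif after[name] == digest:
            report["unchanged"].append(name)    # identical bytes: not protected
        else:
            report["changed"].append(name)      # rewritten by the protection step
    report["added"] = sorted(set(after) - set(before))
    return report


def build_sample_xap(files):
    """Build an in-memory XAP from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample: names and contents are placeholders, not real assemblies.
ORIGINAL = build_sample_xap({
    "AppManifest.xaml": b"<Deployment/>",
    "MyApp.dll": b"original main assembly",
    "MyApp.Data.dll": b"original helper assembly",
})
PROTECTED = build_sample_xap({
    "AppManifest.xaml": b"<Deployment/>",
    "MyApp.dll": b"rewritten main assembly",
    "MyApp.Data.dll": b"original helper assembly",
})

if __name__ == "__main__":
    for status, names in compare_xaps(ORIGINAL, PROTECTED).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

For real packages, read the staging xap and the one from the secure folder as bytes and pass them to `compare_xaps`. A changed hash only shows that the file was rewritten, and assemblies you left out on purpose, such as third-party DLLs, will show up as unchanged.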

My experience with .Net Reactor has been great.  I found this product to be one of the best obfuscation tools out there, especially for Silverlight.  And at a price point of $179, I think if it’s not the cheapest then it’s definitely one of the cheapest.

Eziriz’ .Net Reactor: http://www.eziriz.com/dotnet_reactor.htm

Published on May 3, 2010 at 1:52 am


2 Comments

  1. I am evaluating .NET Reactor for my Silverlight obfuscation. I have the demo version of 4.3.1.0, but I’m not getting the same results that you did. Perhaps this is because I’m not using a fully-licensed copy yet.

    Following the steps that you list in your post, I get a new XAP file but only the primary assembly is obfuscated. None of the other assemblies (third-party or mine) are obfuscated.

    I guess I would expect Reactor to obfuscate all the assemblies that you select on the Files tab and re-package the XAP with the obfuscated assemblies. In my case, it appears that only the main assembly gets obfuscated and re-packaged, and the other selected assemblies are obfuscated and placed in their own folder. Apparently, this means that I have to re-package the XAP manually; which is doable, but not preferred.

    Did you have the same results with your use of .NET Reactor?

  2. I had the same experience as Integragreg initially. However, I was able to figure it out. After selecting my .xap as the “Main Assembly,” I clicked Add under “Additional Files” and selected my .xap file again. At that point, all the other packaged assemblies were added, and I just removed the ones I didn’t want to be obfuscated.

    I didn’t find anything in the help or a forum somewhere; it was a lucky guess. Hopefully this’ll help someone.

