Obfuscator for .NET Core Single Publish Files

Asked 19/5, 2020 at 16:46 Answered 10/11 at 18:40

.net-core obfuscation .net-core-publishsinglefile

Is there an obfuscation tool that can work well on the exe and pdb files that result from a dotnet core single file publish?

I am using dotnet core single file publish with the command: dotnet publish -r win-x64 -c Release /p:PublishSingleFile=true. This works great in giving me just two neat files an exe and a pdb file, which I am able to give to a client to run my application.

However, I am still concerned about its ability to be decompiled.

I tried using ILSpy and JustCompile on both the files and they luckily could not be decompiled with these tools. Is it then that my files are safe, or it is that the tools have not yet caught up?

If the latter, what obfuscation tool can I use to protect these files? I attempted to use Obfuscar which did not work specifically on the single file publish outputs, the exe and pdb.

Any suggestions on the obfuscation tools to use for this?

Aghast answered 19/5, 2020 at 16:46 Comment(6)

"the tools have not yet caught up?" Yes, this. A current (3.x) single file is basically a compressed file containing your assemblies as well as the .NET Core runtime. The first time you run it, it will uncompress itself into another directory. Try running your tools against that uncompressed version. – Aestivate 19/5, 2020 at 18:43

But the compressed version is what I will be handing over to the client. If I run it against the uncompressed version, like with Obfuscar, this just gives me other uncompressed dlls. But this would not affect the single file publish output i.e. the exe and the pdb files I'm giving to a client. – Aghast 19/5, 2020 at 20:5

I think you misunderstand me: the single file is the compressed version. It will uncompress itself when you run it on the client's machine. – Aestivate 19/5, 2020 at 21:43

I get that, but just to be clear. I don't have access to the client's machine when the application runs and is uncompressed. Therefore how can I obfuscate my files, then use single file publish to compress them, then when it runs on the client's machine it will be obfuscated. Is there a solution that flows like that? – Aghast 19/5, 2020 at 21:54

Oh. Sorry, I dont have answer to the right tool for the job here. I was just pointing out that the current tools not working on single-publish don't necessary mean that your code is beyond recovery. – Aestivate 19/5, 2020 at 21:55

I can confirm that the latest version of ILSpy (9 preview 2) can now read the exe from a publish. – Kaffraria 10/9 at 19:7

Disclosure: I work for the Dotfuscator team at PreEmptive.

We have tested and verified that Dotfuscator Professional handles this scenario on both .NET Core 3 and .NET 5. Specifically, you must use Dotfuscator Professional's MSBuild integration, which is now our recommended method of using Dotfuscator Professional for new projects. However, Dotfuscator will not update .pdb files on .NET Core or .NET 5, so you will not be able to debug builds which use Dotfuscator (e.g., Release builds). You should not ship .pdb files to untrusted users.

Maynord answered 3/12, 2020 at 14:47 Comment(0)

You can decompile .NET Core self-contained executables if you manually unpack them: Can .Net Core 3 self-contained single executable be decompiled?

You would have to run the obfuscator as part of the build process, before the individual assemblies are compressed into the single file. That's probably possible if you add a custom MSBuild target that executes the obfuscator, and use the BeforeTargets attribute to integrate it at the correct point in the build process. But I haven't looked at the .NET core build system in detail.

Rusticus answered 20/5, 2020 at 14:8 Comment(2)

I did some work in github.com/obfuscar/obfuscar/issues/301. On this, the problem is that even though the dll is obfuscated on checking. When check the temp folder after running the .exe the .dll is still not obfuscated. – Subsistent 29/9, 2020 at 17:47

having progress, finally may publish here. need to copy to the obj/Release folder for it to be included in the Single Published file. – Subsistent 29/9, 2020 at 20:53

You can use Obfuscar.
Use it in obj directory after target Compile and then copy obfuscated files to directory.(replace with original files)

Envenom answered 13/2, 2021 at 1:24 Comment(2)

A lot of bugs. For example it will obfuscate the IDisposable.Dispose which implements in your internal class, this make your application broken. – Towardly 15/6, 2021 at 12:12

'copy obfuscated files to directory" what directory do I copy the files to? – Muticous 15/9, 2022 at 0:6

As @john mentioned I use the Obfuscator from "obj" folder and it works:

First I install the Obfuscar.GlobalTool nuget with this command "dotnet tool install --global Obfuscar.GlobalTool --version 2.2.40" in the Nuget Package Manager Console.

Then I configure my obsfuscar.xml that we should add in the root of the project:

  <?xml version="1.0" encoding="utf-8" ?>
<Obfuscator>
    <Var name="InPath" value="obj\Release\net8.0-windows\win-x64\" />
    <Var name="OutPath" value="obj\Release\net8.0-windows\win-x64\Obfuscated\"/>
    <Var name="LogFile" value="$(OutPath)obfuscated-log.txt" />
    <Var name="RenameProperties" value="true" />
    <Var name="RenameEvents" value="true" />
    <Var name="RenameFields" value="true" />
    <Var name="KeepPublicApi" value="false" />
    <Var name="HidePrivateApi" value="true" />
    <Var name="UseUnicodeNames" value="true" />
    <Var name="HideStrings" value="true" />
    <Var name="OptimizeMethods" value="true" />
    <Var name="SuppressIldasm" value="true" />
<!-- I add this because I have been troubles with that dependency -->
    <AssemblySearchPath path="C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\8.0.2\ref\net8.0\" />
    <!-- Add here all files that you want to obfuscate -->
    <Module file="$(InPath)myApplication.dll"/>
</Obfuscator>

Then I configure and event in mi .csproj file:

<Project>
<!-- Your project configuration -->
    <Target Name="PostBuild" AfterTargets="PostBuildEvent">
        <Exec Command="obfuscar.console obfuscar.xml" />
        <Delete Files="your-path\obj\Release\net8.0-windows\win-x64\DatabaseObjectMerger.dll" />
        <Copy SourceFiles="your-path\obj\Release\net8.0-windows\win-x64\Obfuscated\DatabaseObjectMerger.dll" DestinationFolder="your-path\obj\Release\net8.0-windows\win-x64\"/>
    </Target>
</Project>

An then I execute this command: "dotnet publish -c Release -r win-x64 --self-contained -p:PublishSingleFile=true"

Teleost answered 10/11 at 18:40 Comment(0)

Recommended topics

Hot tags