.NET Obfuscation [SmartAssembly]


Just a quick question in relation to SmartAssembly and .NET applications. I am experimenting with the software at the moment and it seems to be obfuscating code, but My.Settings is still visible in plain text?

So previous to obfuscating my code (using .NET Reflector) I could literally see almost everything, including the My.Settings class containing lots of info such as passwords, IPs, MySQL connection strings etc.

So I obfuscated the code using RedGate's SmartAssembly and sure enough all the classes/functions etc appeared with random symbols, however several items (again including My.Settings) remained untouched?

[Image: SmartAssembly screenshot]

[Image: obfuscated result in .NET Reflector]


Solution

  • There are limitations to what most obfuscation tools can do, and this is one of them. Settings values are not stored as string literals or in backing fields, but as an attribute value:

    <Global.System.Configuration.DefaultSettingValueAttribute("bar")> _
    Public Property Foo() As String
        Get
            Return CType(Me("Foo"), String)
        End Get
        Set(value As String)
            Me("Foo") = value
        End Set
    End Property
    

    VB/VS generates the Property getter/setter, but as you can see it uses an attribute to store the initial value as opposed to:

    Private _foo As String = "bar"
    

    In most cases there is no reason to hide the string content used in Attributes because they are usually instructions to the compiler about the class or property:

    <Description("Bar String")>
    <DefaultValue("bar")>
    <DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)>
    Property BarString As String
    

    None of these Attribute literals needs to be hidden because most Attributes contain neither runtime data nor sensitive information. As a result, My.Settings is a fringe case and is the result of how it is implemented. Note that this only applies to the default, initial values you enter in the IDE. If you update them at runtime, they are not written back to the Attributes, but saved to a file.

    Since you have a trivial number of settings there, just write a small class to manage them yourself and save to a file in Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData).
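
The attribute storage described in the answer can be checked on your own build output with reflection; the following VB.NET audit is an added example, not code from the answer or from SmartAssembly. `SampleSettings`, `FindExposedDefaults` and the connection string are constructed for illustration, and the code assumes .NET Framework.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Reflection

' Constructed sample: mimics what the settings designer generates for My.Settings.
Public Class SampleSettings
    Inherits ApplicationSettingsBase

    <UserScopedSetting(), DefaultSettingValue("Server=db.example.invalid;Uid=app;Pwd=CONSTRUCTED")>
    Public Property ConnectionString() As String
        Get
            Return CType(Me("ConnectionString"), String)
        End Get
        Set(value As String)
            Me("ConnectionString") = value
        End Set
    End Property
End Class

Public Module SettingsDefaultsAudit
    ' Lists every default value held in a DefaultSettingValueAttribute.
    ' These strings live in attribute metadata, so renaming types and members does not hide them.
    Public Function FindExposedDefaults(asm As Assembly) As List(Of String)
        Dim findings As New List(Of String)
        Dim flags As BindingFlags = BindingFlags.Public Or BindingFlags.NonPublic Or
                                    BindingFlags.Instance Or BindingFlags.DeclaredOnly
        For Each t As Type In asm.GetTypes()
            ' Match on the base class, not the name, so renamed settings classes are still found.
            If Not GetType(ApplicationSettingsBase).IsAssignableFrom(t) Then Continue For
            For Each p As PropertyInfo In t.GetProperties(flags)
                Dim attr As DefaultSettingValueAttribute = TryCast(
                    Attribute.GetCustomAttribute(p, GetType(DefaultSettingValueAttribute)),
                    DefaultSettingValueAttribute)
                If attr IsNot Nothing Then
                    findings.Add(String.Format("{0}.{1} = ""{2}""", t.FullName, p.Name, attr.Value))
                End If
            Next
        Next
        Return findings
    End Function

    Public Function Main(args As String()) As Integer
        ' With no argument, audit this assembly (which contains SampleSettings).
        Dim asm As Assembly = If(args.Length > 0, Assembly.LoadFrom(args(0)), Assembly.GetExecutingAssembly())
        Dim findings As List(Of String) = FindExposedDefaults(asm)
        For Each f As String In findings
            Console.WriteLine("exposed default: " & f)
        Next
        Return If(findings.Count = 0, 0, 1) ' non-zero exit code can fail a build step
    End Function
End Module
```

Pass the path of the obfuscated assembly as the first argument to audit a release build; any line printed is a default value that a decompiler will also show.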