Serialization and Obfuscation in .NET

I have a binary that I want to obfuscate and hand out to users. Let us assume I use an unobfuscated version of my binary to serialize data using the off-the-shelf .NET binary formatter. Could we then deserialize the data with the obfuscated binary?

I want to hand out obfuscated binaries along with serialized data. If the answer to the question above is yes, I could share the serialized data among the users. Otherwise, I would have to provide individual serialized data to each user.

user982815 asked Oct 06 '11 19:10


2 Answers

There seems to be some confusion between the obfuscated binary and the serialized data. If you serialize your class using the default serializers, the class name and property/field names are written as strings into that serialized data. So if you obfuscate your binary, the data serialized by that binary will contain the obfuscated names, and your non-obfuscated binary will not be able to read the serialized data created by your obfuscated binary if you do any of the following:

  1. Use Class renaming on your serialized class
  2. Use Member renaming on your serialized class

Here are some options to work around this:

  1. I have not used this for a while (so you'll want to verify it works in your situation), but if you are using the binary formatter, you can control how the data is stored in the serialized file by providing constructors that handle the SerializationInfo and StreamingContext. If you google around for a sample you should find one (here is one I found: Serialize Objects to File). You may not find a lot of new articles out there on using this method, since most people don't find it very interesting; however, it really is the easiest way to specify how your class saves itself and repopulates itself using the binary formatter.

    In the constructor you have to implement, you use strings as keys for the key/value pairs that get serialized. Under obfuscation those strings will probably get encrypted (which is OK), and the property-setting statements will get renamed and stay in sync with your obfuscated class/member names, so it should work for both obfuscated and non-obfuscated assemblies.

  2. Another option is to exclude the class you are serializing from the obfuscation and just encrypt the data file.

Jason Haley answered Oct 24 '22 11:10
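Option 1 above, as an added example in C# (not the answerer's code): a hypothetical UserSettings class that serializes by fixed string keys, plus a SerializationBinder, because BinaryFormatter also records the root type's full name and class renaming changes that name. It assumes .NET Framework; BinaryFormatter is obsolete and disabled by default in current .NET, and in any version it must never be fed data from untrusted sources.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical settings class, constructed for this example. Only the string
// keys reach the stream, so member renaming in the obfuscated build is harmless.
[Serializable]
public sealed class UserSettings : ISerializable
{
    private const string KeyName = "n";   // on-disk keys are data, not symbols
    private const string KeyQuota = "q";
    public string UserName { get; }
    public int Quota { get; }
    public UserSettings(string userName, int quota) { UserName = userName; Quota = quota; }

    // Deserialization constructor: reads by key, independent of member names.
    private UserSettings(SerializationInfo info, StreamingContext context)
    {
        UserName = info.GetString(KeyName);
        Quota = info.GetInt32(KeyQuota);
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue(KeyName, UserName);
        info.AddValue(KeyQuota, Quota);
    }
}

// The stream still carries the root type's (possibly renamed) full name, so a
// binder is needed as well. Exactly one root type is expected: mapping every
// request to it tolerates class renaming and never resolves a type name found
// in the stream to anything but UserSettings.
sealed class SettingsOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName) => typeof(UserSettings);
}

public static class SettingsStore
{
    public static byte[] Save(UserSettings s)
    {
        using (var ms = new MemoryStream()) { new BinaryFormatter().Serialize(ms, s); return ms.ToArray(); }
    }

    public static UserSettings Load(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new SettingsOnlyBinder() };
        using (var ms = new MemoryStream(data)) return (UserSettings)formatter.Deserialize(ms);
    }
}
```

A file written by `Save` in the unobfuscated build loads in a build where both the class and its members were renamed, because neither the keys nor the binder depend on those names.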


Misread the question. When the binary is obfuscated you need to be careful when class names/namespaces get changed etc. This will break not only between obfuscated/non-obfuscated binaries, but also between different versions generally.

This product apparently excludes classes that are marked as: http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm (This is not a recommendation; I have never used it. You will have to test it and see if the cost is worth it.)

Apart from that you could write a custom serializer depending on how much data you are serializing.


[Original Answer]

Why are you obfuscating the data? I can only imagine it's to prevent someone from editing it or to prevent someone from reading the content.

If it's to prevent someone from editing it, then can I suggest you include a hash of the data and then don't bother obfuscating it.

If it's to prevent someone from reading it, then I suggest you encrypt the data instead after it's been serialised.

There are plenty of examples of both, but if you would like an example let me know.

Ross Dargan answered Oct 24 '22 13:10