4

Just a quick question in relation to SmartAssembly and .NET applications. - I am experimenting with the software at the moment and it seems to be obfuscating code but My.Settings is still visible in plain text?

So previous to obfucating my code (using .NET reflector) I could literally see almost everything. Including the My.Settings class containing lots of info such as passwords, ip's, MySQL connection strings etc..

So I obfuscated the code using RedGate's SmartAssembly and sure enough all the classes/functions etc appeared with random symbols, however several items (again including My.Settings) remained untouched?

SmartAssembly Screenshot enter image description here

Obfuscated result in .NET reflector enter image description here

Samuel Nicholson
  • 3,587
  • 3
  • 20
  • 37

1 Answers1

3

There are limitations to what most obfuscation tools can do, and this is one of them. Settings values are not stored as string literals or in backing fields, but as an attribute value:

Global.System.Configuration.DefaultSettingValueAttribute("bar")> _
Public Property Foo() As String
    Get
        Return CType(Me("Foo"), String)
    End Get
    Set(value As String)
        Me("Foo") = value
    End Set
End Property

VB/VS generates the Property getter/setter, but as you can see it uses an attribute to store the initial value as opposed to:

Private _foo As String = "bar"

In most cases there is no reason to hide the string content used in Attributes because they are usually instructions to the compiler about the class or property:

<Description("Bar String")>
<DefaultValue("bar")>
<DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)>
Property BarString As String

None of these Attribute literals needs to be hidden because most Attributes contains neither runtime data nor sensitive information. As a result, My.Settings is a fringe case and is the result of how it is implemented. Note that this only applies to the default, initial values you enter in the IDE. If you update them at runtime, they are not written back to the Attributes, but saved to a file.

Since you have a trivial number of settings there, just write a small class to manage them yourself and save to a file in Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData)

Ňɏssa Pøngjǣrdenlarp
  • 38,411
  • 12
  • 59
  • 178
  • 1
    This may sound dumb but I don't want someone to be able to read the file containing all my settings... – Samuel Nicholson Jul 02 '14 at 14:22
  • 2
    implicit in "manage them yourself" is to do whatever you want to hide the contents. options abound including a) encrypting the string values as they are set b) simple string scrambling c) serialize the file using a binary serializer d) save as text but encrypt the file – Ňɏssa Pøngjǣrdenlarp Jul 02 '14 at 14:25