3

Is there an obfuscation tool that can work well on the exe and pdb files that result from a dotnet core single file publish?

I am using dotnet core single file publish with the command: dotnet publish -r win-x64 -c Release /p:PublishSingleFile=true. This works great in giving me just two neat files an exe and a pdb file, which I am able to give to a client to run my application.

However, I am still concerned about its ability to be decompiled.

I tried using ILSpy and JustCompile on both the files and they luckily could not be decompiled with these tools. Is it then that my files are safe, or it is that the tools have not yet caught up?

If the latter, what obfuscation tool can I use to protect these files? I attempted to use Obfuscar which did not work specifically on the single file publish outputs, the exe and pdb.

Any suggestions on the obfuscation tools to use for this?

Keisha W
  • 686
  • 6
  • 17
  • "the tools have not yet caught up?" Yes, this. A current (3.x) single file is basically a compressed file containing your assemblies as well as the .NET Core runtime. The first time you run it, it will uncompress itself into another directory. Try running your tools against that uncompressed version. – omajid May 19 '20 at 18:43
  • But the compressed version is what I will be handing over to the client. If I run it against the uncompressed version, like with Obfuscar, this just gives me other uncompressed dlls. But this would not affect the single file publish output i.e. the exe and the pdb files I'm giving to a client. – Keisha W May 19 '20 at 20:05
  • I think you misunderstand me: the single file *is* the compressed version. It will uncompress itself when you run it on the client's machine. – omajid May 19 '20 at 21:43
  • I get that, but just to be clear. I don't have access to the client's machine when the application runs and is uncompressed. Therefore how can I obfuscate my files, then use single file publish to compress them, then when it runs on the client's machine it will be obfuscated. Is there a solution that flows like that? – Keisha W May 19 '20 at 21:54
  • Oh. Sorry, I dont have answer to the right tool for the job here. I was just pointing out that the current tools not working on single-publish don't necessary mean that your code is beyond recovery. – omajid May 19 '20 at 21:55

3 Answers3

4

Disclosure: I work for the Dotfuscator team at PreEmptive.

We have tested and verified that Dotfuscator Professional handles this scenario on both .NET Core 3 and .NET 5. Specifically, you must use Dotfuscator Professional's MSBuild integration, which is now our recommended method of using Dotfuscator Professional for new projects. However, Dotfuscator will not update .pdb files on .NET Core or .NET 5, so you will not be able to debug builds which use Dotfuscator (e.g., Release builds). You should not ship .pdb files to untrusted users.

Joe Sewell
  • 6,067
  • 1
  • 21
  • 34
1

You can decompile .NET Core self-contained executables if you manually unpack them: Can .Net Core 3 self-contained single executable be decompiled?

You would have to run the obfuscator as part of the build process, before the individual assemblies are compressed into the single file. That's probably possible if you add a custom MSBuild target that executes the obfuscator, and use the BeforeTargets attribute to integrate it at the correct point in the build process. But I haven't looked at the .NET core build system in detail.

Daniel
  • 15,944
  • 2
  • 54
  • 60
  • I did some work in https://github.com/obfuscar/obfuscar/issues/301. On this, the problem is that even though the dll is obfuscated on checking. When check the temp folder after running the .exe the .dll is still not obfuscated. – lastlink Sep 29 '20 at 17:47
  • 1
    having progress, finally may publish here. need to copy to the **obj/Release** folder for it to be included in the Single Published file. – lastlink Sep 29 '20 at 20:53
1

You can use Obfuscar.
Use it in obj directory after target Compile and then copy obfuscated files to directory.(replace with original files)

john
  • 11
  • 2
  • A lot of bugs. For example it will obfuscate the `IDisposable.Dispose` which implements in your internal class, this make your application broken. – huang Jun 15 '21 at 12:12
  • 'copy obfuscated files to directory" what directory do I copy the files to? – UnAlpha Sep 15 '22 at 00:06