I've started toying with the proper Dotfuscator project settings to give me a workable, yet as-secure-as-possible package for deploying to private beta testers and the Marketplace. A great starting point for this journey can be found here: http://weblogs.asp.net/bsimser/archive/2010/12/31/dotfuscator-deep-dive-with-wp7.aspx.
Before we start, my project includes a number of 3rd party controls like AppBarUtils, MVVMLight, Funq, and my favorite IrcDotNet (which is the source of this post). The instructions say to use your XAP file as input so we'll follow that. On the far right-hand side of the Input Files toolbar is Transform XAML/BAML resources in all assemblies. Click this to turn it off, primarily to be thorough. I believe this affects MVVM because it tries to rename XAML internals that are data bound. Follow the instructions on the Settings->Global Options screen to set Disable Control Flow and Disable Renaming to No to enable them.
Now click the Build Project toolbar button to build your project. If your XAP includes a signed assembly, you'll be greeted with the following message:
Warning: The strong named input assemblies (or assembly) <TempDirectory>IrcDotNet.dll were not resigned. You will need to sign these dotfuscated assemblies manually.
My first instinct was to go to the Settings->Signing screen, enable Re-sign Strong Named Assemblies and point it to IrcDotNet.snk. If you do that you're met with a different message:
Running sn.exe /q /R
Warning: Password protected Strong Name files are not supported sn returned 1. Build Error.
This is the end of the line as far as automation goes. The only recourse is to sign the assembly manually as the original warning states. If you do not re-sign this file before deployment, your app will not start up properly. Once code hits that signed assembly it simply will not function.
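A way to check a Dotfuscator-built XAP for this problem before deploying it, as an added PowerShell example that is not part of the original post: it unpacks the XAP (a ZIP archive) and runs sn.exe -vf on every strong-named assembly inside. It assumes sn.exe from the Windows SDK is on the PATH; the script and its XapPath parameter are illustrative names.

```powershell
# Added example: verify strong-name signatures of every assembly in a XAP.
# Assumptions: -XapPath is the Dotfuscator output package; sn.exe is on PATH.
param(
    [Parameter(Mandatory = $true)][string]$XapPath
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# A XAP is a ZIP archive; unpack it into a throwaway directory.
$work = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
[IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path $XapPath).Path, $work)

try {
    $results = foreach ($dll in Get-ChildItem -Path $work -Filter *.dll -Recurse) {
        # GetAssemblyName reads the manifest only; the assembly is not loaded or run.
        $token = [Reflection.AssemblyName]::GetAssemblyName($dll.FullName).GetPublicKeyToken()
        $strong = ($null -ne $token) -and ($token.Length -gt 0)
        $valid = $null
        if ($strong) {
            # -vf verifies the signature even if verification is disabled in the
            # registry for this key; -q suppresses the banner. Exit code 0 = valid.
            & sn.exe -q -vf $dll.FullName | Out-Null
            $valid = ($LASTEXITCODE -eq 0)
        }
        [pscustomobject]@{ Assembly = $dll.Name; StrongNamed = $strong; SignatureValid = $valid }
    }
}
finally {
    Remove-Item -Recurse -Force $work
}

$results | Format-Table -AutoSize

# Fail the build step if any strong-named assembly no longer verifies.
$broken = @($results | Where-Object { $_.StrongNamed -and -not $_.SignatureValid })
if ($broken.Count -gt 0) {
    Write-Warning ("Re-sign or exclude from obfuscation: " + ($broken.Assembly -join ', '))
    exit 1
}
```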
My first approach was to go to the Control Flow tabs and exclude every assembly other than my own. This produces the same result. Assemblies are reassembled regardless of whether or not any options are applied.
My preferred approach is to go to the Input tab, right click on each 3rd party assembly and click Exclude assembly from package. This has a lovely UI effect of removing everything from the screen and pausing while Dotfuscator works its magic. The added bonus? This happens for every assembly. The bare minimum would be to only remove those signed assemblies but I took it all the way and removed all 3rd party dlls. These are all open source frameworks so obfuscating them isn't necessary.
Build Project again and the app starts! Inspecting the result in ILSpy gives me a runtime error on decompile, meaning control flow is on and teh IP iz protectordez. My app also uses localization and Smart Obfuscation automatically disables renaming for my localization resources so no extra legwork is needed to exclude them.
In summary, if you don't need to obfuscate 3rd party assemblies, simply exclude them from the Input tab rather than trying to exclude them in the individual obfuscation tabs. Ilasm is still run on assemblies excluded only in those tabs, which triggers the need to re-sign them.