Anatomy of a serialization killer

Posted by Brian Donahue on Simple Talk See other posts from Simple Talk or by Brian Donahue
Published on Sun, 19 Dec 2010 20:48:00 GMT Indexed on 2010/12/20 17:53 UTC
Read the original article Hit count: 557

Filed under:

As I had mentioned last month, I have been working on a project to create an easy-to-use managed debugger. It's still an internal tool that we use at Red Gate as part of product support to analyze application errors on customer's computers, and as such, should be easy to use and not require installation. Since the project has got rather large and important, I had decided to use SmartAssembly to protect all of my hard work. This was trivial for the most part, but the loading and saving of results was broken by SA after using the obfuscation, rendering the loading and saving of XML results basically useless, although the merging and error reporting was an absolute godsend and definitely worth the price of admission. (Well, I get my Red Gate licenses for free, but you know what I mean!)

My initial reaction was to simply exclude the serializable results class and all of its' members from obfuscation, and that was just dandy, but a few weeks on I decided to look into exactly why serialization had broken and change the code to work with SA so I could write any new code to be compatible with SmartAssembly and save me some additional testing and changes to the SA project.

In simple terms, SA does all that it can to prevent serialization problems, for instance, it will not obfuscate public members of a DLL and it will exclude any types with the Serializable attribute from obfuscation. This prevents public members and properties from being made private and having the name changed. If the serialization is done inside the executable, however, public members have the access changed to private and are renamed. That was my first problem, because my types were in the executable assembly and implemented ISerializable, but did not have the Serializable attribute set on them!
  1. public class RedFlagResults : ISerializable
  2.         {
  3.         }

The second problem caused by the pruning feature. Although RedFlagResults had public members, they were not truly properties, and used the GetObjectData() method of ISerializable to serialize the members. For that reason, SA could not exclude these members from pruning and further broke the serialization.

  1.  public class RedFlagResults : ISerializable
  2.         {
  3.                 public List<RedFlag.Exception> Exceptions;
  4.  
  5.                 #region ISerializable Members
  6.  
  7.                 public void GetObjectData(SerializationInfo info, StreamingContext context)
  8.                 {
  9.                                 info.AddValue("Exceptions", Exceptions);
  10.                 }
  11.  
  12.                 #endregion
So to fix this, it was necessary to make Exceptions a proper property by implementing get and set on it. Also, I added the Serializable attribute so that I don't have to exclude the class from obfuscation in the SA project any more. The DoNotPrune attribute means I do not need to exclude the class from pruning.

  1. [Serializable, SmartAssembly.Attributes.DoNotPrune]
  2.         public class RedFlagResults
  3.         {
  4.                 public List<RedFlag.Exception> Exceptions {get;set;}
  5.         }
Similarly, the Exception class gets the Serializable and DoNotPrune attributes applied so all of its' properties are excluded from obfuscation.

Now my project has some protection from prying eyes by scrambling up the code so it's harder to reverse-engineer, without breaking anything. SmartAssembly has also provided the benefit of merging so that the end-user doesn't need to extract all of the DLL files needed by RedFlag into a directory, and can be run directly from the .zip archive. When an error occurs (hey, I'm only human!), an exception report can be sent to me so I can see what went wrong without having to, er, debug the debugger.

© Simple Talk or respective owner