De-serialization of data serialized before obfuscation

.NET obfuscator and automated error reporting


Post by smuda » Sun Jan 08, 2012 4:06 pm

Hi!

We have an object that we create in software (which isn't obfuscated), serialize and save to disk. This is then distributed to the clients and is supposed to be de-serialized.

When there is no obfuscation (for example when only embedding the assembly handling this) it works fine.

However, adding the two assemblies involved to merging, even without obfuscation and flow control, it breaks the deserialization function since it cannot find the assembly referenced in the file.

What would be "best practices" to handle this scenario?

Best Regards,

John
smuda
 
Posts: 18
Joined: Sun Jan 08, 2012 3:12 pm
Location: Sweden

Post by Brian Donahue » Tue Jan 10, 2012 10:56 am

Hi John,

The normal procedure is to work out which classes need to be serialized, then mark them with the Serializable attribute. If you mark the type [Serializable], then SmartAssembly will not rename it or make it private. If the type gets renamed or its access modifier changes to private, then this will break the serialization process.
Brian Donahue
 
Posts: 6668
Joined: Mon Aug 23, 2004 10:48 am

Post by smuda » Tue Jan 10, 2012 9:16 pm

Hi Brian,

All classes serialized are marked with the Serializable attribute already and when we created the serialized data the assemblies were strong signed.

When I use Reflector on the merged assembly I can see all the classes with the Serializable attribute. When I'm testing they are unobfuscated and there is no control flow obfuscation.

Is there a "redirection functionality" which is supposed to handle redirection from the original filename and public key to the new assembly?

Best Regards,

John
smuda
 
Posts: 18
Joined: Sun Jan 08, 2012 3:12 pm
Location: Sweden

Post by Simon C » Wed Jan 11, 2012 11:00 am

Unfortunately, this is an artefact of the .NET serialization system. By merging the assemblies defining the serialized classes into another you are changing the assembly identity. To .NET, a serialized instance of [AssemblyA]MyNs.MyType is completely different to [AssemblyB]MyNs.MyType.

In your case, the solution would be to create a SerializationBinder to map between the two assemblies in the merged assembly.
Simon C
 
Posts: 140
Joined: Tue Feb 26, 2008 4:56 pm
Location: Red Gate Software

Post by smuda » Sun Jan 22, 2012 6:57 am

Hi!

Just wanted to say that using a SerializationBinder worked perfectly.

Code:
using System;
using System.Reflection;
using System.Runtime.Serialization;

class LicenseInfoDeserializationBinder : SerializationBinder
{
   public override Type BindToType(string assemblyName, string typeName)
   {
      if (assemblyName.StartsWith("OriginalFilenameWithoutExtension"))
      {
         // When the type being deserialized originates from the original assembly,
         // redirect to the current assembly, since it is the same
         // but obfuscated
         assemblyName = Assembly.GetExecutingAssembly().FullName;
      }

      // For each assemblyName/typeName that you want to deserialize to
      // a different type, set typeToDeserialize to the desired type.
      var typeToDeserialize = Type.GetType(String.Format("{0}, {1}",
                                                          typeName, assemblyName));

      return typeToDeserialize;
   }
}


Thank you for your help!

Best Regards,

John
smuda
 
Posts: 18
Joined: Sun Jan 08, 2012 3:12 pm
Location: Sweden
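
A variant of the binder from the post above, as an added example that is not part of the thread or of Red Gate's code: it goes beyond the post by redirecting the old assembly name only for an explicit allowlist of types and rejecting anything else found in the stream. BinaryFormatter on .NET Framework, the LicenseInfo class and its field are assumptions; OriginalFilenameWithoutExtension is the placeholder used in the post.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical stand-in for the serialized license type.
[Serializable]
public class LicenseInfo
{
    public string Customer;
}

// Maps the pre-merge assembly identity to the merged assembly,
// but only for type names on an explicit allowlist.
public sealed class AllowListRedirectBinder : SerializationBinder
{
    // Simple name of the assembly that wrote the file (placeholder from the post).
    private const string OriginalAssembly = "OriginalFilenameWithoutExtension";

    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            { typeof(LicenseInfo).FullName, typeof(LicenseInfo) },
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Compare the parsed simple name instead of a string prefix.
        string simpleName = new AssemblyName(assemblyName).Name;
        Type target;
        if (simpleName == OriginalAssembly && Allowed.TryGetValue(typeName, out target))
            return target;

        // Returning null would make the formatter fall back to its default
        // type lookup, so unexpected types are rejected by throwing.
        throw new SerializationException(
            "Unexpected type in stream: " + typeName + ", " + assemblyName);
    }
}

public static class LicenseFile
{
    public static LicenseInfo Load(Stream stream)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListRedirectBinder() };
        return (LicenseInfo)formatter.Deserialize(stream);
    }
}
```

Non-primitive field types of the real class (collections, nested classes) also pass through BindToType, so each needs its own entry, keyed to the assembly it actually lives in.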

