混淆 Silverlight XAP
我想知道有什么有效的方法来隐藏我们的 Silverlight 代码。 我知道有一些混淆器可用,但看起来人们也可以破解它。 有人在这方面取得过成功吗?
I am wondering any efficient way to hide our Silverlight code. I know there are some obfuscators available but it looks like people can hack that too. Anybody have any success on this front?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
不可以。客户端浏览器必须能够读取代码,因此它是可破解的。
No. The client browser must be able to read the code, therefore it is hackable.
这是一篇关于如何混淆 xap 文件的简短文章
http://www.rudigrobler.net/博客/obfuscating-silverlight
Here is a short article on how to obfuscate a xap file
http://www.rudigrobler.net/Blog/obfuscating-silverlight
您可以通过在执行期间下载应用程序的模糊片段(例如使用 MEF)来使潜在黑客的工作复杂化。 不用说,如果您的应用程序足够大,这样可以加快启动时间而不是妨碍用户体验,那会很有趣。
它不会阻止勇敢的黑客获取您的代码(目前没有任何方法可以阻止这种情况,因为 Silverlight 插件必须能够执行它),但这种做法会使他的任务变得非常复杂。
阻止浏览器缓存 XAP 是没有用的,就像使用 HTTPS 一样,因为攻击者使用像 firebug 这样复杂的东西来获取 XAP 比在浏览器缓存中查找它或使用中间人攻击要容易得多。
我想,如果您有很大的动力,您可以:
它不会阻止攻击者获取您的代码,但他必须分析您的初始(混淆的)xap 以了解解密代码,获取密钥,获取加密的(也混淆的)动态加载的 XAP ,解密它,然后设法对其进行解密,然后了解它如何将其自身插入到应用程序中。
它与使用 HTTPS 不一样,因为这里的加密和解密过程是在应用程序中完成的,因此像 firebug 或 fiddler 这样的工具变得毫无用处。
下摆。 没有什么可以阻止任何人阅读您的代码。 但你可以让它不值得他花时间。 您不必使用这里的所有想法,我相信您可以找到其他想法,但请确保实施这些措施也值得您花时间。
不管怎样,写这个很有趣:p
You could complicate the potential hacker's job by downloading obfuscated fragments of your app during execution, using MEF for instance. Needless to say that it's interesting if your application is big enough so that this astuce speed up startup time rather than hindering the user's experience.
It won't prevent a valorous hacker from getting your code (in the hand no method can prevent this, as the Silverlight plugin must be able to execute it), but the astuce will complicate his task greatly.
preventing the browser from caching the XAP is useless, like using HTTPS, as it's far easier for the attacker to use something as complicated as firebug to get the XAP than looking for it in the browser cache or using a Man in the Middle Attack.
I imagine that if you had lot of motivation, you could:
It won't prevent the attacker from getting your code, but he will have to analyse your initial (obfuscated) xap to understand the decryption code, get the key, get the encrypted (obfuscated too) dynamic loaded XAP, decrypt it, then manage to unobfuscate it, then understand how it plugs itself in the application.
It's not the same as using HTTPS, because here the encryption and decryption process is done in the application so that tools like firebug or fiddler become useless.
Hem. Nothing can prevent anyone from reading your code. BUT you can make it not worth his time. You don't have to use all the ideas here and I am sure that you can find others, but make sure that implementing such measures are worth your time too.
Either way, it was rather funny to write this :p
您确实无法隐藏传输给客户端的任何内容。 如果人们想弄清楚,他们就会的。
您需要将任何专有代码放在客户端计算机无法访问的后端中。
You really can't hide anything that gets transmitted to the client. If people want to figure it out, they will.
You need to put any proprietary code in your back-end where client machines can't get at it.
托管 silverlight 应用程序的页面上的 Pragma No-Cache 将阻止浏览器缓存 xap,而是通过从 Web 服务器流式传输来读取它。 这将使偷看者更难获得 xap。 混淆会使事情变得更加困难。
还要确保应用程序托管在 https 中,并在主应用程序之外进行身份验证。 这样 xap 流就会在下行过程中被编码。
Pragma No-Cache on the page hosting the silverlight application will prevent the the browser from caching the xap, instead it will read it by streaming from the web server. That will make it harder for peeps to get the xap. Obfuscation will make it harder still.
Also make sure the app is hosted in https, have authentication take place outside the main application. This way the xap stream is encoded on the way down.
您无法隐藏(至少不能隐藏)XAP 文件。 但你可以混淆它们。 混淆并不是一个明确的答案,但它是一个开始,可以提供很好的保护。
You cannot hide (at least not non-trivially) XAP files. But you can obfuscate them. Obfuscation is not a definitive answer, but its a start and can give pretty good protection.