如何在混淆和调试版本之间保持反序列化兼容性?

发布于 2024-07-13 03:48:44 字数 810 浏览 6 评论 0原文

我正在尝试让 {smartassemble} .NET 混淆器与我的系统一起使用。 我目前将用户数据存储在一系列序列化字典类中,然后反序列化这些类以取回数据。 我已经忽略了程序集版本信息,只是因为那样会让生活变得痛苦。 该代码改编自MSDN

//to avoid cross-versioning problems
public sealed class CrossVersionDeserializationBinder : SerializationBinder {
    public override Type BindToType(string assemblyName, string typeName) {
        Type typeToDeserialize = null;

        typeToDeserialize = Type.GetType(String.Format("{0}, {1}",
            typeName, assemblyName));

        return typeToDeserialize;
    }
}

问题是,现在我的混淆应用程序将忽略版本控制信息,但无法读取非混淆应用程序保存的数据,反之亦然。 我们需要一个非混淆版本来调试应用程序,所以这对我们来说是一个相当大的阻碍。 有什么办法可以解决这个问题吗? 我不应该混淆数据类吗? 这似乎是一个相当大的安全漏洞。

I'm trying to get the {smartassembly} .NET obfuscator to work with my system. I currently store user data in a series of serialized dictionary classes, and then deserialize those classes to get the data back. I'm already ignoring assembly version information, just because that way making life a pain. That code is adapted from MSDN:

//to avoid cross-versioning problems
public sealed class CrossVersionDeserializationBinder : SerializationBinder {
    public override Type BindToType(string assemblyName, string typeName) {
        Type typeToDeserialize = null;

        typeToDeserialize = Type.GetType(String.Format("{0}, {1}",
            typeName, assemblyName));

        return typeToDeserialize;
    }
}

Problem is, now my obfuscated app will ignore versioning information, but can't read data saved by the non-obfuscated app, and vice versa. We'll need to have a non-obfuscated version in order to debug the application, so this is a pretty big showstopper for us. Any way to get around this problem? Should I just not obfuscate the data classes? That seems like a pretty large security hole.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

淡墨 2024-07-20 03:48:44

也许考虑一个不依赖于类型和字段名称的序列化器? 例如, protobuf-net 是一个二进制序列化器,但使用数字标签集(通过针对每个成员的属性)。 这意味着:

  • 序列化根本不与程序集版本绑定
  • 字段名称信息不在序列化文件中
  • (通过上述)代码是否被混淆并不重要
  • (并且)文件无法使用轻松打破混淆(尽管数据可能仍表明意图,除非加密)

例如:

[ProtoContract]
public class Foo {
    [ProtoMember(1)]
    public string Bar {get;set;}
}

这里,1 是标识文件中成员的所有内容。 这里的关键是它是基于契约的,因此可以稍后使用不相关的类型进行反序列化:(

[ProtoContract]
public class a12 {
    [ProtoMember(1)]
    public string a {get;set;}
}

这很好,因为混淆保留了元数据,IIRC)。

将此与其他基于契约的序列化程序(例如 XmlSerializerDataContractSerializer)进行对比 - 您将被迫将成员名称放入属性中,这几乎会渲染毫无意义的混淆:

[DataContract]
public class a12 {
    [DataMember(Name="Bar")]
    public string a {get;set;}
}

Perhaps consider a serializer that isn't tied to the type and field-names? For example, protobuf-net is a binary serializer, but uses numeric tags set (via an attribute) against each member. This means:

  • serialization isn't tied to the assembly version at all
  • the field name information isn't in the serialized file
  • (by the above) it won't matter whether the code is obfuscated
  • (and) the file can't be used to trivially break the obfuscation (although the data might still suggest intent unless encrypted)

For example:

[ProtoContract]
public class Foo {
    [ProtoMember(1)]
    public string Bar {get;set;}
}

Here, the 1 is all that identified the member in the file. The key here is that it is contract-based, so can be deserialized later with an unrelated type:

[ProtoContract]
public class a12 {
    [ProtoMember(1)]
    public string a {get;set;}
}

(which is fine since obfuscation preserves metadata, IIRC).

Contrast this to other contract-based serializers (such as XmlSerializer or DataContractSerializer) - where you would be forced to put the member-name in the attributes, which would pretty much render obfuscation pointless:

[DataContract]
public class a12 {
    [DataMember(Name="Bar")]
    public string a {get;set;}
}
墨洒年华 2024-07-20 03:48:44

首先,混淆并不能提供安全性。 所以,你可能要考虑放弃它,就这样。

我看到的两个选项是:

  1. 不要混淆这些类型。 这将使事情顺利进行。
  2. 编写您自己的序列化器代码。

由于混淆不会带来任何好处,所以我会选择#1。

Obfuscation doesn't provide security in the first place. So, you may want to consider dropping it, period.

The two options I see are:

  1. Don't obfuscate those types. This will make things just work.
  2. Write your own serializer code.

Since you gain nothing by obfuscating, I'd go with #1.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文