如何在混淆和调试版本之间保持反序列化兼容性?
我正在尝试让 {smartassemble} .NET 混淆器与我的系统一起使用。 我目前将用户数据存储在一系列序列化字典类中,然后反序列化这些类以取回数据。 我已经忽略了程序集版本信息,只是因为那样会让生活变得痛苦。 该代码改编自MSDN:
//to avoid cross-versioning problems
public sealed class CrossVersionDeserializationBinder : SerializationBinder {
public override Type BindToType(string assemblyName, string typeName) {
Type typeToDeserialize = null;
typeToDeserialize = Type.GetType(String.Format("{0}, {1}",
typeName, assemblyName));
return typeToDeserialize;
}
}
问题是,现在我的混淆应用程序将忽略版本控制信息,但无法读取非混淆应用程序保存的数据,反之亦然。 我们需要一个非混淆版本来调试应用程序,所以这对我们来说是一个相当大的阻碍。 有什么办法可以解决这个问题吗? 我不应该混淆数据类吗? 这似乎是一个相当大的安全漏洞。
I'm trying to get the {smartassembly} .NET obfuscator to work with my system. I currently store user data in a series of serialized dictionary classes, and then deserialize those classes to get the data back. I'm already ignoring assembly version information, just because that way making life a pain. That code is adapted from MSDN:
//to avoid cross-versioning problems
public sealed class CrossVersionDeserializationBinder : SerializationBinder {
public override Type BindToType(string assemblyName, string typeName) {
Type typeToDeserialize = null;
typeToDeserialize = Type.GetType(String.Format("{0}, {1}",
typeName, assemblyName));
return typeToDeserialize;
}
}
Problem is, now my obfuscated app will ignore versioning information, but can't read data saved by the non-obfuscated app, and vice versa. We'll need to have a non-obfuscated version in order to debug the application, so this is a pretty big showstopper for us. Any way to get around this problem? Should I just not obfuscate the data classes? That seems like a pretty large security hole.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
也许考虑一个不依赖于类型和字段名称的序列化器? 例如, protobuf-net 是一个二进制序列化器,但使用数字标签集(通过针对每个成员的属性)。 这意味着:
例如:
这里,
1
是标识文件中成员的所有内容。 这里的关键是它是基于契约的,因此可以稍后使用不相关的类型进行反序列化:(这很好,因为混淆保留了元数据,IIRC)。
将此与其他基于契约的序列化程序(例如
XmlSerializer
或DataContractSerializer
)进行对比 - 您将被迫将成员名称放入属性中,这几乎会渲染毫无意义的混淆:Perhaps consider a serializer that isn't tied to the type and field-names? For example, protobuf-net is a binary serializer, but uses numeric tags set (via an attribute) against each member. This means:
For example:
Here, the
1
is all that identified the member in the file. The key here is that it is contract-based, so can be deserialized later with an unrelated type:(which is fine since obfuscation preserves metadata, IIRC).
Contrast this to other contract-based serializers (such as
XmlSerializer
orDataContractSerializer
) - where you would be forced to put the member-name in the attributes, which would pretty much render obfuscation pointless:首先,混淆并不能提供安全性。 所以,你可能要考虑放弃它,就这样。
我看到的两个选项是:
由于混淆不会带来任何好处,所以我会选择#1。
Obfuscation doesn't provide security in the first place. So, you may want to consider dropping it, period.
The two options I see are:
Since you gain nothing by obfuscating, I'd go with #1.