How to obfuscate WPF assemblies using obfuscation software for .NET Framework 2.0

I’ve read many posts over the Internet which are stating that it is currently impossible to obfuscate WPF assemblies. Well this is partially true.

Here is what you can do to partially protect your .NET Framework 3.0 code:
In order your code to continue to work properly you must exclude from the obfuscation at least the names of your WPF window and user control classes. You can leave in the obfuscation the variables, methods, events, etc. declared in the codebehind unless you use some of them in your markup. If this is the case you must exclude those too.

Note that by doing this you will not obfuscate the XAML code itself, but only the codebehind. Your markup can still be viewed with some disassembly tools (for example Lutz Roeder’s .NET reflector and the BamlViewer add-in).

5 replies
  1. Tom J
    Tom J says:

    Can you suggest an obfuscation tool that will allow you to exclude the items you listed? More detail would be very helpful. Thanks!

    Reply
  2. Tom J
    Tom J says:

    BTW, there is another problem that you didn’t address. Usually if you want to obfuscate a solution that has multiple assembly (i.e. EXE and one or more DLL’s) you’re told to first merge them with ILMerge. ILMerge can’t merge WPF assemblies. I’ve discussed this with the ILMerge author, but he says that he doesn’t have time to rework ILMerge at the present time.

    Reply
  3. Peter Staev
    Peter Staev says:

    Greetings Tom,

    I’m using Xenocode Community Edition 2006. It gives you the option to select which classes you want to obfuscate. It’s really useful. But I think that other obfuscating software gives you this option too.

    Regarding your second question – I know that it is recommended. But the only reason that it is so is that by obfuscating your assemblies the obfuscation app creates some overhead for each assembly. So if you have one assembly you’ll have less overhead in size. But recommended does not mean obligatory 😉 Our company has a public application that consists of multiple obfuscated assemblies (using Xenocode Community Edition 2006) and it works perfect. So I guess until they make ILMerger to work with WPF we have to live with the additional size overhead.

    Hope I was useful in my answers!

    Reply
  4. Himangi
    Himangi says:

    Crypto Obfuscator ( http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm ) has excellent support for WPF assemblies. For WPF/SilverLight projects, you can specify the path where the XAML files for the currently selected assembly are located. Crypto Obfuscator will analyze the XAML files and automatically exclude classes/methods/properties from
    obfuscation. This eliminates to a large extend the need to manually exclude entities from obfuscation and saves a great amount of time.

    Reply
  5. Christian
    Christian says:

    Hi,

    I just wanted to inform you that obfuscation of XAML and BAML code is now possible.

    At Creatix we have today released the 1.0 version of CodeFort, an obfuscation tool which is able to obfuscate .NET, WPF and Silverlight assemblies, and even rename identifiers inside of XAML and BAML code. This makes it for the first time ever possible to obfuscate 100% of a WPF or Silverlight Application's types and members.

    You can learn more about the obfuscator and download the CodeFort Freeware Edition at: http://www.codefort.org

    Best regards, Christian

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *