JsonConvert.DeserializeObject() returns unknown object when assembly is obfuscated

Question

i have an C# solution which contains two projects, one is main application and another is license project. Project is working smoothly. i have used json to serialize the license detail. now i need to do obfuscation on my licensing project to make it safe from frauds or hackers. I have used Dotfuscator for obfuscation purpose. i have used below's line to deserialize the license details received by application. xmlDocument.LoadXml(xml); details = xmlDocument.SelectSingleNode("/license/details"); licenseDetails = JsonConvert.DeserializeObject<LicenseDetails>(details.InnerText);

this line returns unknown object I after obfuscation but it was working good before obfuscation.

return value before obfuscation

licenseDetails == Shared.Licensing.Client.LicenseDetails

return value after obfuscation

licenseDetails = I

My XML file is

<?xml version="1.0" encoding="utf-8"?> <license> <details>{"Product":"Outlook Templates","ProductVersion":"1.0.0.0","Username":"Demo","Serial":"1fKxUCJylsm+qVUccjUn8gYNVgDc4pE5OuqYs48vkaQ=","RegistrationDate":"\/Date(1326202832909+0200)\/","ExpirationDate":"\/Date(1330387200000)\/","PayloadEntries":[{"ValueType":2,"EntryName":"MaxNumProviders","Operation":1,"EntryValue":"3"},{"ValueType":2,"EntryName":"MaxNumQuick","Operation":1,"EntryValue":"5"},{"ValueType":2,"EntryName":"ExpirationDaysOffset","Operation":1,"EntryValue":"30"}]}</details> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>c/BK0YOhnW8cXUGxTJx3mpWQj1U=</DigestValue> </Reference> </SignedInfo> <SignatureValue>gWYcpr3OBhUoiPEFyWskgoRcDw5rO2RWNbMulXSXg2tsKWebEFqgptCUfr7JRvvSjm4kALyvU7mZviJI/peJWmJC69gs7QDMEOWLvrOa0TL1qyO5K5onCBZopJUdrPE0PJCVYRacasI3DvTOSo+IDEOSFVpEWZNcERhB6ZkOFrU=</SignatureValue> </Signature> </license>

I don't know what does go wrong during obfuscation.

Answer 1

You'll have to exclude the properties of LicenseDetails exposed by JSON from renaming.

Alternatively, if you don't want to expose those names, you could manually convert from Json to your LicenseDetails text in a way that doesn't involve reflection. You could use something like this I think:

var json=new JObject(details.InnerText);
var license=new LicenseDetails();
license.Product=json["Product"];
license.ProductVersion=json["ProductVersion"];
....

Note it requires a lot more work though doing it manually like this.

Answer 2

Obfuscation implies that all of the existing names are changed, to obscure the meaning and intent of the code (smart and motivated people can still figure out what the code does, it just involves more effort).

Serialization typically depends on naming conventions to match the input with properties on the target object. Since the latter have been renamed, you need to provide an explicit map of names to your serialization engine. This typically works by annotating all serialized properties with attributes, where each attribute specifies the serialized name of the property. This information allows the serializer to e.g. map the "RegistrationDate" input to the property "I1i" (as an example obfuscated name for what was probably also called "RegistrationDate" before obfuscation). Consult the documentation for your serialization engine to see how you configure this.

However, you should note that these attributes and their values are readily available to people inspecting your assembly, and you are therefore in truth gaining very little by obfuscating the code. In fact, I would argue that it is a complete waste of your time, since even obfuscated code can usually be decompiled to fairly sensible C#.