Skip to main content
Version: 2023.2

4.11. Serialization Tuning

4.11.1. Overview

Serialization can be defined as the process of storing the state of an object to a storage medium. There are two main kinds of serialization available in .NET:

  • XML serialization
  • Binary serialization

This chapter covers the binary serialization.

Binary serialization is often used in application state persistence, offline caches and remoting communication. .NET platform has rich services that allow to perform binary serialization of objects within several lines of code. All serializable classes and structures are marked with [Serializable] (or <Serializable()> in VB.NET) custom attribute, so .NET runtime is aware about serialization-ability of every class and structure.

4.11.2. Binary Serialization and Obfuscation

.NET serialization services use reflection to retrieve the data of the serializable objects. That means that obfuscator should take some precautions when it tries to obfuscate serializable elements. Eazfuscator.NET uses the safest approach by default — all serializable classes, structures and fields are automatically excluded from symbol renaming. This guarantees that obfuscation has the minimal impact on application functionality and interoperability. At the same time, this approach has one drawback — all serializable elements are too obviously visible during reverse engineering.

4.11.3. Self-Interoperability

Sometimes absolute interoperability of binary serialization is not required for an application. It's a very common situation when application serializes and deserializes the objects by itself, so no other applications are meant to have an access to the serialized data. If latter is the case then it is possible to improve the obfuscation of serializable elements in your application by using self-interoperable serialization.

4.11.4. Non-stable Self-Interoperable Serialization

If serialized data do not leave the boundaries of the application process then non-stable binary serialization can be used instead of fully interoperable one. This kind of serialization is called non-stable because the names of serializable elements are changed on every obfuscation of the application. Technically, non-stable serialization is achieved by enabling the renaming of serializable elements, so they are not excluded from symbol renaming process anymore.

To enable non-stable self-interoperable serialization, you should apply specially formed attribute to your assembly. In order to do that, you can use the instructions below.

Instructions on enabling non-stable self-interoperable serialization

  1. Open obfuscatable project inside the IDE

  2. Add new source file to the project and call it ObfuscationSettings.cs (for C#) or ObfuscationSettings.vb (for Visual Basic .NET). You may prefer to use another name instead of ObfuscationSettings.cs or ObfuscationSettings.vb

  3. Fill ObfuscationSettings.cs with the following content (C#):

    using System;
    using System.Reflection;

    [assembly: Obfuscation(Feature = "rename serializable symbols", Exclude = false)]

    For Visual Basic .NET, fill ObfuscationSettings.vb with the following content:

    Imports System
    Imports System.Reflection

    <Assembly: Obfuscation(Feature:="rename serializable symbols", Exclude:=False)>

4.11.5. Stable Self-Interoperable Serialization

Stable serialization should be used when the serialized data can leave the boundaries of the application process. This kind of serialization is called stable because the names of serializable elements stay the same between the obfuscations of the application. Some obfuscator vendors use the term incremental obfuscation when they want to say that symbol names remain the same between several obfuscations. Technically, stable serialization is achieved by encrypting the names of serializable elements with a password. The encryption algorithm is the same as in symbol encryption.

To enable stable self-interoperable serialization, you should apply specially formed attribute to your assembly. In order to do that, you can use the instructions below.

Instructions on enabling stable self-interoperable serialization

  1. Open obfuscatable project inside the IDE

  2. Add new source file to the project and call it ObfuscationSettings.cs (for C#) or ObfuscationSettings.vb (for Visual Basic .NET). You may prefer to use another name instead of ObfuscationSettings.cs or ObfuscationSettings.vb

  3. Fill ObfuscationSettings.cs with the following content (C#):

    using System;
    using System.Reflection;

    [assembly: Obfuscation(Feature = "encrypt serializable symbol names with password 'XXXXXX'", Exclude = false)]

    For Visual Basic .NET, fill ObfuscationSettings.vb with the following content:

    Imports System
    Imports System.Reflection

    <Assembly: Obfuscation(Feature:="encrypt serializable symbol names with password 'XXXXXX'", Exclude:=False)>
    Note

    Change XXXXXX with your password. Keep the password in secret.

    Passwords with a greater length are more preferable than short ones. Longer passwords have a better informational entropy thus greatly improving cryptographic strength of the encrypted data. It's suggested to have a password which at least consists of 8 characters. A password can contain script variables.

Tip

If you use symbol encryption and want to use the same password for the stable serialization then apply "encrypt serializable symbol names with password" instead of "encrypt serializable symbol names with password 'XXXXXX'" token at the custom attribute shown above.