Obfuscate a clickOnce Application with ConfuserEx

Question

I'm actually trying to obfuscate a ClickOnce application.

My Obfuscator is ConfuserEx. Il followed these steps :

1. Click the Publish Wizard..\Publish Now button on your project properties. This will automatically build your project on Debug/Release folder. I use it since it also creates the files used in ClickOnce. We will use those files later.
2. Open Confuser and Drag-Drop files On the Debug/Release folder that you want confuser to work on.
3. This will create a Confused folder (using the default output directory settings) with the obfuscated assemblies.
4. Copy all dependencies/files (if any) required by your project to run to the just create "Confused" folder.
5. You project should now work with the obfuscated assemblies. I ran the program just to make sure. :D
6. Copy the .manifest file from your Debug/Release folder to the Confused folder and Edit it using MageUI.
7. On the "Files" section of MageUI, locate the Confused folder(may already be selected) and check the option to put .deploy on your files and click "Populate".
8. Your project files would be renamed to *.deploy
9. Save the .manifest file and sign it with the *TemporaryKey.pfx created when you published your project (This should be on your project folder).
10. Copy the .application file from your Debug/Release folder to the Confused folder and Edit it using MageUI.
11. On the "Application Reference" section of MageUI Click "Select Manifest.." and select the .manifest file you saved on step 6.
12. Save the .application file and sign it with the *TemporaryKey.pfx.
13. Lastly, this maybe optional, just copy the setup.exe and the publish.html files on publish folder to the Confused folder.

Regarding this topic :

https://confuser.codeplex.com/discussions/428378

Unfortunately, I get the following error when I try to install the ClickOnce app afterwards :

Cannot handle redirect from HTTP/HTTPS protocols to other dissimilar ones.

The stacktrace is as following :

System.Net.HttpWebRequest.GetResponse() System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

The URL I'm trying to download is in https, is that the problem ? Should I put all in http ?

Answer 1

Following Thordax instruction @ step 3,

Once your code is sufficiently obfuscated (you can check your obfuscation with tools like ILSpy), sign your executable and/or your DLL with a code signing certificate, or with a temporary PFX (usually created when you first published your clickonce application). I'm currently using signtool.exe to do so.

you need to use the sign tool like this: cd C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool

Then sign the exe like so

signtool.exe sign /td sha256 /fd sha256 /f pathtoyourcert.pfx /p password pathtoyourconfusedexe

Answer 2

This is pretty old now, but I would like to mention there is an extension in Visual Studio to use ConfuserEx, and it works with ClickOnce:

ConfuserEx Tools for Visual Studio

ConfuserEx for Visual Studio integrates the free and open source ConfuserEx protector into Visual Studio for easy automatic obfuscation of release builds and ClickOnce applications.

Answer 3

To have an obfuscated ClickOnce application, follow these steps :

1. Compile your project and publish it using Visual Studio (Right-click on project > Publish)

A. Obfuscation steps

2. After publishing it, Use ConfuserEx (either GUI or CLI) then obfuscate your executable and/or your DLL in a specific folder (i.e: MyProject\Confused)

3. Once your code is sufficiently obfuscated (you can check your obfuscation with tools like ILSpy), sign your executable and/or your DLL with a code signing certificate, or with a temporary PFX (usually created when you first published your clickonce application). I'm currently using signtool.exe to do so.

4. Still in your "Confused" folder, rename the obfuscated and signed files from .exe to .exe.deploy and from .dll to .dll.deploy

5. Go to your published folder (in my case, it's a network folder, like this :

\\network_disk\ClickOnceApp

6. Copy/Paste the .deploy files by the ones found in the most recent Application Files folder

\\network_disk\ClickOnceApp\Application Files\ClickOnceApp_x_x_x_x

B. Re-Signing manifests and .application files

7. Open the manifest of your app with MageUI. In my case :

\\network_disk\ClickOnceApp\Application Files\ClickOnceApp_1_0_0_42\ClickOnceApp.exe.manifest

FYI, MageUI can be found here :

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mageui.exe

Click on "Save" to sign the manifest (use Code Signing certificate or your temporary PFX as before), it will automatically see the change of the .exe.deploy and .dll.deploy files and recalculate the right file hash.

8. Still with MageUI, open the file

\\network_disk\ClickOnceApp\Application Files\ClickOnceApp_1_0_0_42\ClickOnceApp.application

On the Application References menu, click 'Select a manifest' and choose the recently modified manifest. Sign your .application file by saving it (as in step 7)

9. Do the same for the following file :

\\network_disk\ClickOnceApp\ClickOnceApp.application

Now your ClickOnce application contains obfuscated code, and can be downloaded using ClickOnce process.

---

Notes :

• Personnally, I had to use ConfuserEx in command line (ConfuserEx.CLI.exe), because I have to obfuscate a single part of my code. Obfuscating all of it would return many errors regarding assembly and loading of WinForms.
• Using it in command line allows developer to use Declarative Obfuscation, and consequently, obfuscate only some critical parts of the code.
• I ended creating a script that automates those steps. I'm still using mageUI.exe to sign both manifest an application files, but you can use mage.exe to sign those files in command line (I didn't try it yet).