{"id":3097,"date":"2010-09-06T10:18:00","date_gmt":"2010-09-06T09:18:00","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/3097-decompiling-silverlight.html"},"modified":"2010-09-06T10:18:00","modified_gmt":"2010-09-06T09:18:00","slug":"decompiling-silverlight","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/3097-decompiling-silverlight.html","title":{"rendered":"Decompiling Silverlight"},"content":{"rendered":"<p>A Silverlight application is a .NET application. Most developers will be aware of this; but it is worth noting that whereas ASP.NET code executes on the server and is not normally available for download, Silverlight code is downloaded to the client and can easily be decompiled. It is almost as easy to view as JavaScript code in the browser.<\/p>\n<p>If you want to investigate this, the first thing to do is to find the .xap file which contains the Silverlight application. You will likely find this in your browser cache, or you can download it directly from the web site hosting the application. If you have out-of-browser Silverlight apps, they are usually located at:<\/p>\n<p>C:\\Users\\[username]\\AppData\\LocalLow\\Microsoft\\Silverlight\\OutOfBrowser<\/p>\n<p>Copy the .xap file somewhere convenient, and rename it to have a .zip extension. Then extract the files. The result looks something like this:<\/p>\n<p><a href=\"http:\/\/www.itwriting.com\/blog\/wp-content\/uploads\/2010\/09\/image9.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"http:\/\/www.itwriting.com\/blog\/wp-content\/uploads\/2010\/09\/image_thumb9.png\" width=\"404\" height=\"256\" \/><\/a> <\/p>\n<p>Next, you need a .NET decompiler such as <a href=\"http:\/\/www.red-gate.com\/products\/reflector\/\" target=\"_blank\">Redgate .NET Reflector<\/a>. Run Reflector and open a .dll file containing application code. 
Select a method, and Reflector does its best to show you the code. It does a good job too:<\/p>\n<p><a href=\"http:\/\/www.itwriting.com\/blog\/wp-content\/uploads\/2010\/09\/image10.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"http:\/\/www.itwriting.com\/blog\/wp-content\/uploads\/2010\/09\/image_thumb10.png\" width=\"404\" height=\"267\" \/><\/a> <\/p>\n<p>The purpose of this post is not to encourage decompiling other people\u2019s code, but rather to make the point that even though Silverlight code is \u201ccompiled\u201d, it is trivial to read it \u2013 just in case anyone thought it was a bright idea to store passwords or other authentication secrets there.<\/p>\n<p>The solution is never to put anything security-critical in client-side code. Second, you can use an obfuscator such as <a href=\"http:\/\/preemptive.com\/products\/dotfuscator\/overview\" target=\"_blank\">dotfuscator<\/a> to make the decompiled code harder to read.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Silverlight application is a .NET application. Most developers will be aware of this; but it is worth noting that whereas ASP.NET code executes on the server and is not normally available for download, Silverlight code is downloaded to the client and can easily be decompiled. 
It is almost as easy to view as JavaScript &hellip; <a href=\"https:\/\/www.itwriting.com\/blog\/3097-decompiling-silverlight.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Decompiling Silverlight<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,67,77,80,94,96],"tags":[104,810,825,849,955],"class_list":["post-3097","post","type-post","status-publish","format-standard","hentry","category-net","category-professional","category-silverlight","category-software-development","category-visual-studio","category-web-authoring","tag-net","tag-security","tag-silverlight","tag-software-development","tag-visual-studio"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/3097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=3097"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/3097\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=3097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=3097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=3097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}