Decompiling Silverlight 2 Apps – Enter the XAP

Sun, March 9, 2008, 10:40 AM under Silverlight
When you build a Silverlight 2 application, you compile your source files (inc. XAML and embedded resources) into assemblies (dlls). Those assemblies (plus any 3rd party ones plus MS assemblies that are not part of Silverlight) are then collected together along with a manifest into a packaged archive – or in other words, a ZIP file. Except, the extension is changed to be a .XAP (pronounced "ZAP"). The benefits of packaging everything into a XAP should be obvious but in case they are not, Pete has discussed that on his blog (inc. screenshots). Note that if your web server is on IIS (prior to version 7) you need to register that MIME type. As an aside, my web server happens to be Apache (shocking I know!) and I had to configure nothing – it just worked.

So, if I had given you a Winforms EXE file you wouldn't ask me for the source code, you would probably just pass it through your favourite decompiler and you've got it all. Same with Silverlight apps: if I point you to my web page that is running a Silverlight app (e.g. the one from this post) all you have to do is:

1. View HTML source, e.g. for this:

2. Locate the tag that points to a XAP file and copy the full path, e.g. ClientBin/DemoIntegration.xap

3. Use that path to "Save As" the xap file locally.

4. Rename the XAP file to ZIP and explode it to get the DLLs inside.

5. Party away by tossing the DLL(s) to the decompiler, e.g. Reflector.

Obviously authors of serious SL apps may not condone that behaviour, but feel free to do it with all of mine, for example the DeepZoom/MultiScaleImage that I have now updated to also use mouse wheel.
Sunday, March 9, 2008 7:02:00 PM (Pacific Standard Time, UTC-08:00)
Nice tip. The ability to view source on HTML pages is one of the things that has made the web great. I'm glad we can still do the same thing when we see a great Silverlight app and wonder "how did they do that".
Monday, March 10, 2008 5:11:00 AM (Pacific Standard Time, UTC-08:00)
There's a Reflector plug-in for Silverlight 1.1 that did all this for you.

Can't imagine it'll be long before that's updated to 2.

Wednesday, March 12, 2008 2:44:00 AM (Pacific Standard Time, UTC-08:00)
Is it possible to protect your .XAP file against this 'feature'?

Thursday, March 20, 2008 11:13:21 AM (Pacific Standard Time, UTC-08:00)
Dave: Agreed :)

Mike: Nice one!

Sander: Not that I know of. Once someone gets your managed assemblies it is the same .NET story that has been there from the start (obfuscation etc)...
Tuesday, April 15, 2008 5:23:11 AM (Pacific Daylight Time, UTC-07:00)
Note to Self: I mentioned above "resources" but it turns out referencing these things is not as straightforward so I had to read the manual (RTFM). For future reference here are two good links:
1. MSDN Reference on Resources

2. Blog post on Resources
Monday, May 25, 2009 11:31:01 PM (Pacific Daylight Time, UTC-07:00)
The ability to view source on HTML pages is one of the things that has made the web unstable. Millions of people using the easy way, copying and pasting blocs of codes "as is" instead of trying to understand how it works...
Comments are closed.