Command Line Reference
The Babel Obfuscator command line tool accepts different options. A double hyphen character prefixes each option. The following section will describe each option you can enter at the command line.
Miscellaneous
These options are typically used to configure general obfuscation features or the way Babel Obfuscator deals with the target assembly.
--help [option]
Typing --help without any parameters will show the main help menu. When the parameter [option] is specified, Babel will display the extended help for the command specified. For example:
Prints the following information:
This shows a list of aliases admitted for the command, followed by the command usage and a short description.
--[no]logo
This option controls the display of the Babel Obfuscator copyright message at startup. The copyright message will not be shown if the optional prefix [no] is specified.
--license [path|env]
When the optional argument is not specified, it displays available license information. Optionally you can specify the license file path.
Alternatively, you can specify a search directory where Babel should look for the license file.
If you have a license key, you can use the env option to pass it to Babel as follows:
Here BABEL_LICENSE_KEY is the environment variable containing the license key.
--verbose <n>
Sets the console output verbosity level, where <n> is a mandatory non-negative integer. If 0 is specified, no messages are displayed during obfuscation. A number greater than 10 will make Babel show debug information.
--noconfig (@)
Skips loading the default configuration for command line values. If specified, all default values in the babel.exe.config file are ignored:
--nowarn <warn list>
Suppress the notification of one or more warning messages. The <warn list> parameter represents a list of warning IDs separated by a comma character. Babel will silently ignore warning numbers passed to the nowarn option.
--[no]warnasinfo [warn list]
Specifies a list of warnings that should be downgraded to information messages. The [warn list] is an optional comma-delimited list of the warning IDs.
--[no]warnaserror [warn list]
Specifies a list of warnings that should be treated as errors halting the obfuscation process. The [warn list] is an optional comma-delimited list of the warning IDs.
--[no]statistics [file]
Whether to generate obfuscation statistics, which can either be logged at the end of the program or saved to a file if specified.
The following additional options are available:
By enabling full obfuscation statistics, additional method information like CYC (Cyclomatic Complexity) is collected. This can increase resource consumption, especially when processing assemblies with many types.
--[no]agent (a)
This option enables or disables the obfuscation Agent. When enabled, the agent performs a static analysis of the code to prevent renaming or obfuscation of target assembly symbols that could otherwise cause malfunctions in the obfuscated application.
--assemblyname <option>
This option provides flexibility in determining the name of the target assembly. The available options are:
The default behaviour is nochange. It means that the assembly name will not be changed from its original value. If you don't specify any --assemblyname option, this will be the behaviour.
--[no]satellite [assembly]
Enables (or, with [no], disables) the processing of satellite assemblies. If the optional [assembly] file parameter is specified, Babel treats the specified assembly file as a satellite assembly of the target assembly.
--addsearch <path>
Adds the specified directory <path> to the list of folders where Babel searches for referenced assemblies.
The parameter <path> can be a wildcard expression to match a set of directories. The following special characters can be used to make a wildcard expression:
* - matches any number of any characters including none
? - matches any single character
** - matches any directory recursively
[a-z] - matches one character from the range given in the bracket
[!ab] - matches any characters that are not in the given bracket
The following special strings can be combined into the path expression for the currently searched assembly:
:assemblyname: - searched assembly name
:assemblyversion: - searched assembly version
:assemblypublickeytoken: - searched assembly public key token
This option can be entered multiple times.
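How a search expression selects directories, as an added example (not Babel's own matcher and not code from this page): a Python model of the wildcard characters and special strings listed above, run over a constructed directory layout. It assumes that *, ? and brackets do not cross directory separators and that paths are compared with /; the layout and the Acme.Core identity are invented for illustration.

```python
import re

# Special strings the page lists for --addsearch path expressions.
PLACEHOLDERS = (":assemblyname:", ":assemblyversion:", ":assemblypublickeytoken:")
BRACKET = re.compile(r"\[(!?)([^\]]+)\]")


def expand(pattern, name, version, token):
    """Substitute the special strings for the assembly currently being searched."""
    for key, value in zip(PLACEHOLDERS, (name, version, token)):
        pattern = pattern.replace(key, value)
    return pattern


def to_regex(pattern):
    """Translate the wildcard syntax into a regex over '/'-separated paths."""
    # Assumption: '*', '?' and brackets stay within one path segment; only
    # '**' crosses directory boundaries.
    out, i = [], 0
    while i < len(pattern):
        bracket = BRACKET.match(pattern, i)
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")  # zero or more whole directory levels
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")  # trailing '**': everything below this point
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif bracket:
            negate, body = bracket.groups()
            body = re.escape(body).replace(r"\-", "-")  # keep ranges such as a-z
            out.append(("[^/" if negate else "[") + body + "]")
            i = bracket.end()
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def matching_dirs(pattern, dirs, name, version, token):
    """Return the directories a search expression selects for one assembly."""
    rx = to_regex(expand(pattern, name, version, token).replace("\\", "/"))
    return [d for d in dirs if rx.match(d.replace("\\", "/"))]


# Constructed layout: <root>/<name>/<version>/<public key token>
DIRS = [
    "C:/deps/Acme.Core/1.0.0.0/0123456789abcdef",
    "C:/deps/Acme.Core/2.0.0.0/0123456789abcdef",
    "C:/deps/Acme.Core/2.0.0.0/fedcba9876543210",  # same name, other key
    "C:/deps/Other.Lib/2.0.0.0/0123456789abcdef",
    "C:/build/cache/tmp/Acme.Core",
]
ACME = ("Acme.Core", "2.0.0.0", "0123456789abcdef")  # constructed identity
if __name__ == "__main__":
    pinned = "C:/deps/:assemblyname:/:assemblyversion:/:assemblypublickeytoken:"
    for expr in ("C:/deps/**", "C:/deps/:assemblyname:/*/*", pinned):
        print(expr, "->", matching_dirs(expr, DIRS, *ACME))
```

In this model the fully pinned expression selects a single directory, while C:/deps/** also selects the folder holding a same-named assembly with a different public key token, so narrow expressions built from the special strings keep reference resolution predictable on shared build machines.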
--quickrule <rule>
Enter a quick rule definition. A quick rule can be used instead of an XML rule when the user wants to configure the obfuscation process without having to make an XML rule file.
Quick rule syntax:
Where:
feature - is the name of the targeted feature
[=exclude] - can be specified to disable the feature
[regex] - is an optional regular expression used to filter the symbols. By default, the obfuscator will take all symbols.
[access] - sets the visibility of the symbols that should be processed and can be one of the following values: Public, Protected, Internal, Private, All (default All)
[target] - specifies the symbol kind. Admitted values are: Classes, Delegates, Structures, Interfaces, Enums, Events, Methods, Properties, Fields, StaticFields, Resource, All (default All)
The quickrule switch can be entered multiple times. Quick rules will be processed in the order they are encountered at the command line and before the processing of any XML rule.
Rename all public symbols inside the target assembly:
Disable string encryption within the ACME namespace:
Enable code encryption for the ACME.Licensing class:
--dbghelpdlldir <path>
This option is available on Windows only and configures the path to dbghelp.dll, allowing Babel Obfuscator to load debug symbols from the Microsoft Symbol Server.
--trace <regex>
Enables obfuscation tracking for symbols whose full name signature matches the specified regular expression. This option can be used to debug regular expressions.
Trace the method named MyMethod and log debugging information about its obfuscation status.
--randomseed <seed>
Sets the seed used to initialize the Babel Obfuscator random number generator. Setting it makes the obfuscation deterministic. The parameter <seed> can be any hexadecimal string.
--use <key=value>
Set additional Babel Obfuscator options as key-value pairs.
Examples:
Output debugging information related to all XAML resources having a name starting with Panel
Tag the obfuscated assembly with the [BabelObfuscator] attribute.
Force Babel Obfuscator to use TripleDES encryption algorithm
The experimental option can also accept a list of obfuscator features, including "all" which allows using new obfuscation algorithms not yet released for all .NET platforms.
When experimental features are enabled in Babel, it is important to note that the obfuscation tool will not verify if the platform-specific requirements are met. This means that all the obfuscations configured will be executed regardless of whether they are appropriate for the target platform. It is essential to keep in mind that enabling experimental features can increase the risk of errors and may affect the application's performance. Therefore, it is recommended to use experimental features cautiously, preferably only in a testing environment, and with a thorough understanding of the potential risks involved.
--[no]isobfuscated [action]
Whether to detect if the target assembly is already obfuscated. Admitted actions are:
warn: raise a warning and continue processing the target assembly.
exit: exit without processing the target assembly.
This option can be useful in a build scenario where there is the possibility that the target assembly is processed a second time. Babel parses the symbol names to see if the assembly has already been obfuscated. However, there are some cases where the analysis could give an incorrect result. In this situation, it is better to tag the assembly with the BabelObfuscator attribute using the tagassembly option of the --use command line switch.
Input Files
The Input Files section includes options that provide external files to Babel Obfuscator containing additional configurations or data necessary to perform some specific operation.
--keyfile <file>
Sets the strong name file used to re-sign the obfuscated assembly and localized resource DLLs. Babel Obfuscator supports Strong Name Key (.snk) and Personal Information Exchange (.pfx) files.
If a Personal Information Exchange file is used, add the command line option --keypwd to specify the .pfx file password.
--keyname <container>
Use this option to re-sign the application if the key pair is stored in a key container. The mandatory <container> parameter represents the key container name used to re-sign the obfuscated assembly and localized resource DLLs.
--keypwd <password>
Specifies the password requested by a Personal Information Exchange (.pfx) file to re-sign the obfuscated assembly. When the password is not specified from the command line, Babel will require the user to enter the proper password during the obfuscation process.
--rules <file>
Set an XML rule file used by Babel to configure the obfuscation process. This option can be specified multiple times. Rule files will be processed in the order they are entered on the command line.
--mapin <file>
Set the input XML obfuscation map file that will be used to obfuscate the names of referenced symbols. This option can be specified multiple times.
--project <file>
Specify an obfuscation project file.
--stacktrace <file>
Deobfuscates a stack trace file. This option requires passing a text <file> containing the obfuscated stack trace and a set of XML mapping files to deobfuscate the stack trace content.
Output Files
Babel Obfuscator options to set output filenames.
--output <file>
Set the output file path for the obfuscated target. If this option is not provided, the obfuscated target will be saved into the BabelOut subdirectory of the original assembly folder.
--pdb <file>
Set the output PDB file path. This option can be used when the --debug option is enabled.
--pdbpwd <password>
Set debug information file password. The password will encrypt the source code file names stored inside the PDB.
--logfile <file>
Send the Babel Obfuscator output messages to a log file.
--mapout [file]
Set the output file name for the XML obfuscation map. If the optional parameter [file] is not provided, Babel Obfuscator will name the XML map file as the original assembly name, adding the extension .map.xml.
--makeproject [file]
Creates an MSBuild project file from the entered command line. If the optional parameter [file] is not provided, Babel Obfuscator will save the project file into the BabelOut subdirectory.
Plugins
Plugins are additional components that extend the functionality of Babel Obfuscator. They allow for adding or modifying obfuscation features, enabling greater customization and control over the obfuscation process. (see Encrypt Plugin)
--plugin <file>
Set Babel Obfuscator plugin file path. This option may be specified multiple times.
--argument <key=value>
Set plugin argument as key-value pair. This option may be specified multiple times.
Merge and Embed Assemblies
Assembly merging involves combining multiple assemblies into a single primary assembly. Babel Obfuscator performs this operation by merging and obfuscating all the assemblies specified after the primary assembly in the command line.
--[no]copyattrs [regex]
When this option is enabled, all the assembly-level attributes of each input assembly are copied into the target assembly. An optional regular expression can be specified to merge duplicate attributes that match the given regular expression.
--embed <assembly>
Babel Obfuscator can embed multiple dependency assemblies into the target assembly. The embedded assemblies are compressed and encrypted. Embedding can simplify the deployment and reduce the size of the software. It can be used instead of merging when there is no need to fully obfuscate the dependency assembly.
This option can be specified multiple times.
--[no]internalize
When enabled, all public types in merged assemblies will have their visibility restricted to internal (Friend in VB).
--[no]jsonmanifest
Enables (or, with [no], disables) handling of the dependencies manifest (default: enabled). Babel Obfuscator can update the .deps.json manifest file of the target assembly when merging dependencies.
Renaming
These commands can be used to configure symbol renaming.
--[no]types (t)
Whether to enable types renaming.
--[no]events (e)
Whether to enable events renaming.
--[no]methods (m)
Whether to enable methods renaming.
--[no]parameters (r)
Whether to enable the method's parameters renaming.
--[no]properties (p)
Whether to enable properties renaming.
--[no]fields (f)
Whether to enable field symbols renaming.
--[no]xaml [key=value]
If enabled, symbols used in XAML or BAML resources are renamed. This option can accept optional key-value pairs specified as <key>=<value>.
Accepted key values are:
--[no]virtual [key=value]
Whether to rename virtual members such as methods, properties, and events. This option can accept optional key-value pairs specified as <key>=<value>.
Accepted key values are:
--[no]overloaded [key=value]
When enabled, Babel Obfuscator uses the same name for two or more methods of the same type whenever CLR rules permit. Key-value pairs can optionally be entered to select which overloading to apply.
Accepted key values are:
--[no]flatns (n)
When enabled, all renamed types are moved into the global namespace. This flattens the namespace hierarchy and no namespace information is embedded into the obfuscated assembly.
--[no]unicode [char set]
If enabled, the names are replaced with unreadable Unicode strings. With Unicode normalization disabled, all the obfuscated names are made of strings of lowercase characters taken from the Latin alphabet. Optionally the user can specify the character set used to generate obfuscated names.
--namelength <n>
Set the minimum name length of renamed symbols. Optionally key-value pairs can be entered to fix the minimum length of types, methods, properties, fields and events separately.
--nameprefix [prefix]
Set the name prefix of renamed symbols. Optionally key-value pairs can be entered to set the prefix of types, methods, properties, fields, events and parameters separately.
The special value $Name is replaced with the original symbol name. Typically the $Name prefix can be used to debug renaming issues.
--[no]xmldoc [file|regex]
Whether to update the target assembly XML documentation by filtering out all renamed symbols. Optionally the XML document file path or a regular expression can be specified. If the file name or the regular expression matches the XML documentation file name of a merged assembly, the XML document of the merged assembly will be merged into the XML document of the target assembly.
Control Flow Obfuscation
Control flow obfuscation involves transforming the code of a method, thereby obscuring its execution path and making the resulting flow much more complex and difficult to comprehend.
--[no]controlflow
Used to alter the method control flow. Key-value pair <key>=<value> can optionally be entered to configure code scrambling.
Accepted key values to produce verifiable IL code:
To produce unverifiable IL code:
This option can be specified multiple times, for example:
--iterations <n>
Set the number of iterations used in the control flow obfuscation algorithm. Setting the number of iterations to 0 will disable control flow obfuscation. As n increases, an increasing number of irrelevant branch instructions are inserted in each method.
--[no]invalidopcodes [mode]
Use this option to emit invalid MSIL op-codes. This will stop some reflection tools from inspecting the IL method body.
Activating this option will result in the obfuscated assembly being non-verifiable by Intermediate Language (IL) verifiers. It is important to note that code that is not IL verifiable cannot run on x64 operating systems and, therefore, this option should not be enabled if the obfuscated assembly targets x64 platforms.
The optional parameter [mode] enables different invalid opcodes configurations:
Encryption and Protection
Options targeting advanced obfuscation features like string and code encryption.
--[no]msilencryption [regex]
Whether to enable Code Encryption for methods matching the optional regular expression or obfuscation rules defined in XML rules files. This option can be specified multiple times.
--[no]stringencryption [name]
Whether to enable encryption of user strings. An optional parameter name can be specified to select the encryption algorithm used.
Accepted algorithm names are:
--[no]valueencryption [key=value]
This option enables the encryption of inline constant values and arrays. Key-value pair <key>=<value> can optionally be entered to enable or disable the encryption of some defined types.
Accepted key values are:
--[no]ildasm
When enabled, the System.Runtime.CompilerServices.SuppressIldasmAttribute is added to the target assembly to prevent the Microsoft MSIL Disassembler: ILDASM (Ildasm.exe) from disassembling the obfuscated target.
--[no]reflection
Whether to enable the emission of invalid metadata to stop reflection-based tools.
--[no]resourceencryption [key=value]
Whether to enable managed resource encryption. When enabled, all the embedded resources are compressed and encrypted. Key value pairs can be optionally entered to specify additional settings.
Accepted key values are:
--[no]proxy [type][;regex]
Whether to enable the generation of proxy calls to external/internal methods. The optional parameter [type] can have one of the following values:
Optionally the user can enter a regular expression to match the method signature that should be proxied, for example:
--[no]tamperingdetection
Whether to enable anti-tampering protection.
--[no]antidebugging
Whether to enable anti-debugging protection.
Code Generation
These options concern some code optimizations that Babel Obfuscator can add to the target assembly.
--addreference <assembly>
Add or retarget an assembly reference to the target assembly. Example:
Retargets all System references to portable assemblies. This option can be specified multiple times.
--[no]cleanattrs <regex>
Whether to enable the removal of unwanted attributes. The <regex> parameter is a regular expression that matches the unwanted attribute type's full name. This option can be specified multiple times.
--[no]constremoval
Whether to enable the removal of constant fields. Any reference to a constant field will be replaced by its constant value whenever possible.
--[no]deadcode [regex]
Whether to enable Dead Code Removal. When enabled, removes all methods, properties, fields and events that are not reached by any coding pattern. An optional entry point can be specified through [regex] to define where to start the search.
--[no]debug [source]
Whether to emit debugging information and generate a PDB debug symbol file for the obfuscated target. A debug symbol store can optionally be specified.
--[no]disgregateremoval
Whether to enable the removal of property and event metadata information, leaving only properties and events accessor methods.
--[no]enumremoval
Whether to enable the removal of System.Enum types. Any reference to an enum field will be replaced with its constant value whenever possible.
--[no]inlineexpansion
Inline code expansion will allow a method call to be replaced by its own code at the point where the call is made.
--[no]instrument [regex]
Whether to enable code instrumentation. An optional regular expression can be specified to target the fully qualified members that should be instrumented.
Fully qualified members have the following syntax:
[NamespaceName].[TypeName]::[MethodName]
Example:
This option can be entered multiple times.
--[no]emptymethods
Whether to add instrumentation code to methods with an empty body.
--moduleinitializer [method]
Add module initializer code. Optionally a static method signature with no parameters can be specified, which will be called after the module loads.
Where priority is an integer value that defines the order in which Babel will call initializer methods. Babel adds its initializer methods with a default priority set to 100. Initializers with a priority of less than 100 will be called first.
--[no]seal
When enabled, seals all non-public classes that are not used as base classes in an inheritance hierarchy. Declaring a class as sealed can improve method call performance by preventing the Just-In-Time (JIT) compiler from walking the method's virtual table, where possible.