How do Delphi, WPF .NET Framework, and Electron perform compared to each other, and what’s the best way to make an objective comparison? Embarcadero commissioned a whitepaper to investigate the differences between Delphi, WPF .NET Framework and Electron for building Windows desktop applications. The benchmark application – a Windows 10 Calculator clone – was recreated in each framework by three Delphi Most Valuable Professionals (MVPs) volunteers, one expert freelance WPF developer, and one expert Electron freelance developer. In this blog post, we are going to explore the IP Security metric, which is part of the Functionality comparison used in the whitepaper.
What is IP Security in a deployable application?
How secure is the intellectual property of the source code in a deployable project? After businesses invest resources into their projects, they face the challenge of putting their product into the hands of the public while protecting the code and techniques that produce revenue. This qualitative metric evaluates the ability of a user to access source code via decompilation.
Intellectual property protection is fundamentally important to long-term business plans. If a product solves a new problem or utilizes a novel technique, the developers should understand how their choice of framework affects IP vulnerability. Delphi programs compile into platform-native machine code rather than intermediate code. Decompilation using free tools can recover the GUI form but only yields assembly code for the logic. IP security is more tenuous in WPF. Decompiling executable and library files with free tools results in recognizable C# business logic and nearly recognizable XAML text. Finally, Electron has the most significant problem – it gives away source code with each installation by default. Electron application code can be recovered with a simple text editor – a function of how the framework is structured – but can be somewhat obfuscated using third-3rd party tools. Available decompiler tools and their results when applied to each framework’s calculator application are listed below.
The goal of this decompilation exercise was to determine the feasibility of retrieving both the UI and the original code from each framework’s calculator application using open-source or free tools. The frameworks assessed were Delphi VCL, Delphi FMX, WPF (C#), and Electron (with Angular).
When the Delphi VCL and FMX calculators were decompiled, all UI elements were successfully extracted and the logic code was presented as assembly. This exercise did not extract function and procedure structure, but it may be possible.
Decompiling the WPF calculator yielded the UI elements and mostly recognizable C# code. WPF .NET Framework applications use a known MSIL (Microsoft Intermediate Language) format that is easy to disassemble and decompile. Dependent assemblies can easily be extracted. Resources can easily be extracted. .NET Reflection can be used to extract information about a .NET assembly. The entire contents can be extracted including the classes, methods, code, and resources from an assembly. An advanced decompiler can reconstruct almost the exact structure of your code including for/while loops, if statements, and try catch blocks. Literal strings can easily be extracted. Finally, calls to methods and properties to external assemblies can be extracted.
Let’s take a look at each framework.
Can Delphi applications be decompiled?
Delphi compiles to native machine code, eliminating much of the source code structure and metadata necessary for accurate decompilation and interpretation. Decompilation using a tool like DeDe will provide full details about the UI but only assembly code for the logic/back-end.
- DeDe – one of the most popular Delphi decompilers.
- Interactive Delphi Reconstructor – a decompiler for Delphi executables and dynamic libraries.
- MiTeC DFM Editor – a standalone editor for Delphi Form files (*.dfm) in both binary and text format.
Can WPF .NET Framework applications be decompiled?
WPF compiled to a Windows desktop application is converted to .dll and .baml files. Decompilation back to recognizable C# and near-perfect XAML is possible through 3rd party tools. Microsoft includes a community edition of Dotfuscator with Visual Studio but its license is for personal use only. Professional solutions for .NET obfuscation range from hundreds to thousands of dollars. There are also extra steps involved to protect an application with an obfuscation tool.
- WPF StylesExplorer – a WPF .baml decompiler and tool to explore .baml resources.
- Snoop WPF – a tool to spy/browse the visual tree of a running WPF application without the need for a debugger.
- JetBrains dotPeek – a .NET decompiler and assembly browser.
Can Electron applications be decompiled?
Electron source code is packaged and deployed to the end-user’s system. Unless a developer uses third-3rd party tools to obfuscate code, the source code can be read verbatim using a simple text editor or by unpacking with a tool like asar.
- TextPad – a general purpose text editor for plaintext files.
- asar – a simple file uncompressed concatenation archive format packing and unpacking tool.
Overall, Delphi provides the most assured long-term outlook, best intellectual property security, and easiest in-house customization at the cost of a one-time commercial license purchase. WPF’s can be decompiled with ease in it’s default setup and requires extra steps and tools to obfuscate it’s code. Electron also can be decompiled with ease in it’s default setup. It requires extra steps and tools to obfuscate the code. An uncertain long-term outlook and relying on corporate sponsorships and community support for additional development are detrimental.