Applications built for .NET are highly susceptible to reverse engineering. These applications compile into Microsoft Intermediate Language (MSIL), an expressive, high-level instruction set. Because MSIL preserves significant metadata—including method names, variable names, and clear structural information—you can easily decompile it back into its original source code format.
The accessibility of your code through reverse engineering tools like disassemblers and decompilers creates several business and security risks:
- Intellectual property exposure: Competitors can deconstruct your application to uncover proprietary algorithms and unique business logic.
- Security vulnerabilities: Publicly visible code allows malicious actors to find and exploit security flaws or locate hardcoded sensitive data.
- Software piracy: Reverse engineering enables unauthorized parties to bypass licensing mechanisms or remove copy protection.
To see for yourself how easy it is to reverse engineer .NET applications, follow along with the examples of using each type of tool on the GettingStarted sample (or on your own application).
Disassembling
Disassemblers are tools that translate compiled binaries into human-readable assembly code. The .NET Framework SDK ships with a disassembler, ILdasm, that translates .NET assemblies into MSIL assembly language.
Using ILdasm
- Type ildasm in the Developer Command Prompt for VS20xx shortcut in your Start Menu (or Visual Studio Command Prompt (20xx) for older versions of Visual Studio).
- Click File | Open and browse to the output of the GettingStarted sample in the Debug configuration (e.g. C:\dotfuscator-pro-samples\GettingStarted\bin\Debug).
- Select GettingStarted.exe.
- Click Open. A view of the disassembled assembly displays.
- To compare the currently shown, un-obfuscated HelloWorld application to a version that was protected with Dotfuscator, start another copy of ILdasm.
- This time browse to the output of the sample built in the Release configuration (e.g. C:\dotfuscator-pro-samples\GettingStarted\bin\Release).
- Select GettingStarted.exe.
- Click Open.
Notice that the un-obfuscated disassembly contains method names that are fairly understandable. For example, it is safe to assume that the ConverseButton_Click: void (object, class [mscorlib]System.EventArgs) method is called when the Converse button is clicked. Now look at the obfuscated version. Which method is called when the Converse button is clicked? It is hard to tell.
Also notice the missing SaySomething method. Dotfuscator removed it because the method wasn't being used anywhere in the code.
Double-click the methods SayHello:string() from the original assembly and a:string() from the obfuscated assembly. These two methods are the same; however, when examining the disassembled IL code further, notice that the strings have been encrypted in the obfuscated version to make the code difficult to read.
For example, locate the following line in the un-obfuscated version:
IL_0000: ldstr "Hello, my name is "
Now view the obfuscated version, and try to find the above string. If you're having trouble finding it, it's because it's encrypted and looks like the following:
IL_0000: ldstr bytearray (09 42 26 44 29 46 2B 48 26 4A 67 4C 6D 4E 22 50
28 52 73 54 3B 56 36 58 34 5A 3E 5C 7D 5E 36 60
12 62 43 64 )
You can imagine how confusing this can be for attackers who are trying to reverse-engineer the code, especially with more complex applications.
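A release-gate check for the comparison above, as an added example that is not part of the original page or of Dotfuscator: it reads the #US heap, where the operands of ldstr are stored as length-prefixed UTF-16LE text, and reports which watch-listed literals are still readable. The function names, the watchlist and the two sample images are constructed for illustration (RELEASE reuses the bytearray shown above), and the metadata root is located by scanning for its BSJB signature rather than by walking the PE headers.

```python
import struct

def read_compressed_uint(buf, pos):
    """ECMA-335 compressed unsigned int -> (value, next_pos)."""
    width = 1 if buf[pos] < 0x80 else 2 if buf[pos] < 0xC0 else 4
    mask = {1: 0x7F, 2: 0x3FFF, 4: 0x1FFFFFFF}[width]
    return int.from_bytes(buf[pos:pos + width], "big") & mask, pos + width

def find_us_heap(image):
    """Locate the #US (user string) stream via the 'BSJB' metadata root."""
    root = image.index(b"BSJB")  # ValueError if the file has no CLI metadata
    pos = root + 20 + struct.unpack_from("<I", image, root + 12)[0]  # 1st stream hdr
    for _ in range(struct.unpack_from("<H", image, pos - 2)[0]):  # stream count
        offset, size = struct.unpack_from("<II", image, pos)
        end = image.index(b"\0", pos + 8)
        if image[pos + 8:end] == b"#US":
            return image[root + offset:root + offset + size]
        pos += 8 + ((end - pos - 4) & ~3)  # name + NUL, padded to 4 bytes
    return b""

def user_strings(image):
    """Every ldstr literal stored in the assembly's #US heap."""
    heap, pos, out = find_us_heap(image), 0, []
    while pos < len(heap):
        length, pos = read_compressed_uint(heap, pos)
        if length:  # entry = UTF-16LE text plus one trailing flag byte
            out.append(heap[pos:pos + length - 1].decode("utf-16-le", "replace"))
        pos += length
    return out

def readable_literals(image, watchlist):
    """Watch-listed literals a disassembler would still show in plaintext."""
    found = user_strings(image)
    return [w for w in watchlist if any(w in s for s in found)]

def build_sample(text):
    """Constructed input: bare metadata root with one #US entry, not a full PE."""
    data = text.encode("utf-16-le") + b"\0"
    heap = b"\0" + bytes([len(data)]) + data + b"\0"  # empty entry, entry, pad
    ver = b"v4.0.30319\0\0"
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(ver)) + ver
    root += struct.pack("<HHII", 0, 1, len(root) + 16, len(heap)) + b"#US\0"
    return b"MZ" + b"\0" * 62 + root + heap

# Operand bytes the page shows for the protected build, reused as sample data.
PAGE_BYTES = bytes.fromhex("09 42 26 44 29 46 2B 48 26 4A 67 4C 6D 4E 22 50 28 52 73 54"
                           " 3B 56 36 58 34 5A 3E 5C 7D 5E 36 60 12 62 43 64")
DEBUG = build_sample("Hello, my name is ")
RELEASE = build_sample(PAGE_BYTES.decode("utf-16-le"))
```

On a real build, pass open(path, "rb").read() as the image and fail the pipeline when readable_literals returns anything from your watchlist.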
Decompiling
Reverse engineering isn't limited to a small circle of technical folks who know MSIL Assembly Language. You can take it a step further and recreate the source code of an application by using a decompiler. These utilities can decompile a .NET assembly directly back to a high-level language like C#, VB.NET, or Managed C++. Many decompilers are available that make it easy to see the source of any .NET application.
Using ILSpy
ILSpy is a free decompiler.
To view a decompiled version of GettingStarted.exe with ILSpy:
- Download ILSpy.
- Extract the ZIP archive and run ILSpy.exe.
- In the ILSpy interface, open the File menu and select Open....
- Browse to C:\dotfuscator-pro-samples\GettingStarted\bin\Debug.
- Using the code tree, explore the contents of the assemblies. Note the resemblance to the original source code: private member and local variable names are preserved, and the control flow is essentially the same.
After Dotfuscator is used on GettingStarted.exe, you can open the protected version in ILSpy the same way. However, you will notice that ILSpy reports errors when decompiling the GettingStarted.exe sample application after it has been protected with Dotfuscator.
Using Reflector
Reflector is a commercial .NET decompiler. After an assembly is protected with Dotfuscator, Reflector becomes much less effective for reverse engineering. Running Reflector against the obfuscated GettingStarted.exe file and trying to examine a method such as a() displays the following:
This item appears to be obfuscated and can not be translated.