Reverse engineering tools for .NET applications

Bartosz Wójcik
Jul 16 · 7 min read
Image for post
Image for post

The set of tools for .NET reverse engineering is very different from classic tools used for the reversing of native x86 / x64 applications in PE (Windows EXE/DLL Portable Executable) or ELF (Linux Executable and Linkable Format) formats.

Different code architecture forced to create a whole range of dedicated tools for .NET executable files, I will try to present some of them that may be useful in software reversing.

Decompilers

What’s the purpose of a decompiler? .NET applications are compiled to a pseudo-code in CIL (Common Intermediate Language) format. When run, it’s interpreted, jitted, and executed by the .NET runtime library. With a decompiler, you can transform this pseudo-code back to high-level code in your chosen or favorite language, e.g. C#, VB#, etc.

The new king on the .NET reverse engineering playground. An all-around tool that supports decompilation, simple deobfuscation, modification and debugging of .NET applications.

It has it all. You can even edit any .NET compiled code its high-level C# form, it will recompile it and replace the patched method. You can recompile entire projects into Visual Studio compatible source code solutions.

Image for post
Image for post
dnSpy debugger in action

What’s most important, it’s frequently updated and it’s free to use.

Homepage — https://github.com/0xd4d/dnSpy

For years it was the first and basic tool that most reverse engineers used for .NET applications reversing, the famous .NET Reflector.

Image for post
Image for post
.NET Reflector

It was the best-known decompiler and not only because thanks to the whole number of plugins it allows e.g. to modify binary files (Reflexil plugin), debug applications (Deblector plugin) and many other activities related to code analysis.

Recently .NET Reflector lost its popularity because the project was free from the beginning, but after it was taken over by Red Gate Software (by the way, the creators of the SmartAssembly obfuscator, from which one can come up with a conspiracy theory that they wanted to restrict access to one of the most popular application analysis tools) and initial assurances about maintaining its free status, after some time it was transformed into a commercial version, with the cheapest license for $35 (now it’s, even more, $100 to be exact).

Homepage —https://www.red-gate.com/products/dotnet-development/reflector/

Add-ins — https://www.red-gate.com/simple-talk/dotnet/net-tools/using-net-reflector-add-ins/

Free decompiler from Telerik, rather for undemanding users, because the number of available options (or lack of them) will not knock you on your knees, you cannot even look through the code in the form of IL, not to mention other things, there are only decompiler and reference search engine.

Image for post
Image for post
Telerik JustDecompile

Homepage— www.telerik.com/products/decompiler.aspx

It’s also worth mentioning about this tool, although my experience shows that it’s rather little used, it’s a Microsoft .NET binaries disassembler included in the .NET SDK and delivered with Visual Studio.

Image for post
Image for post

It allows viewing the file structure and disassembling to the transition code, so it is not as handy for analysis as dnSpy or .NET Reflector.

Image for post
Image for post

Simple Assembly Explorer

This is another disassembler and editor, but more advanced than the IL DASM, with a lot of options to easily modify the IL code, copy instructions, cut out, all very handy, it’s been my favorite when it comes to modifying .NET binary files for some time.

Image for post
Image for post

SAE has a plug-in system and a built-in deobfuscator, which can be useful for analyzing protected applications.

Image for post
Image for post

If you want to learn the basics of programming in IL, modify binaries quickly, and efficiently this is the ideal tool.

Homepage — https://github.com/wickyhu/simple-assembly-explorer/releases

Dis# is a relatively unknown decompiler, perhaps due to the fact that it is a commercial tool, the project hasn’t been updated for a long time, but it can be treated as a curiosity as it has some interesting features like built-in deobfuscator, code editor allowing to easily rename functions, variables etc.

Image for post
Image for post

Homepage — http://netdecompiler.com

Debuggers

My observations and experience show that most of the analysis related to .NET can be solved statically (as opposed to native applications), but also here it may be useful to debug the code being executed.

Dile is an easy to use debugger for .NET applications, a bit like the Visual Studio debugger.

Image for post
Image for post

Homepage — http://sourceforge.net/projects/dile/

For native applications, the basic identifier is PEiD and a more frequently updated Protection ID (and several others).

For .NET there is an equivalent PEiD called DNiD.

Image for post
Image for post

It now detects most of the protections used for .NET applications.

Download — DNiD.v0.11-Rue.rar (384 kB)

Process & memory dumpers

.NET applications are nowadays rarely distributed in a pure form after compilation because thanks to tools such as dnSpy it is practically equivalent to open source distribution and in most cases, obfuscators are used for protection purposes.

Some of the obfuscators, in addition to modifying the IL code, “wraps” the whole application into a native x86/x64 code loader, which usually decrypts the entire .NET assembly and only loads it into memory in decrypted form.

This form of protection does not allow the use of .NET tools and requires that the loaded .NET assemblies are first dumped from memory for further analysis.

The project was developed by Daniel Pistelli (he worked for some time on the famous IDA disassembler at HexRays), a generic as the name suggests a dumper that can detect an image of the .NET executable file in memory despite an external native loader.

Image for post
Image for post

Homepage — https://ntcore.com/?page_id=353

The easy-to-use dumper, which also has support for dumping several types of security features from file memory, can generally handle most native security features.

Image for post
Image for post

Download — DotnetDumper.zip (66 kB)

Apart from dedicated dumpers, classic memory search methods work equally well, e.g. in OllyDbg for .NET signatures of applications (e.g. “_CorExeMain” strings).

Memory dump fixers

After the .NET file has been dumped from the memory, it is often unusable for analysis in tools such as the .NET Reflector, this is due to changes most often made by obfuscators to make analysis even more difficult. The images of files that have been dumped in this way should be fixed.

Image for post
Image for post

Download — Universal_Fixer.zip (31 kB)

Project site — http://forum.tuts4you.com/topic/25376-universal-fixer/

Deobfuscators

The number of obfuscators available on the market is huge, I can safely say that it outstrips the number of security tools available for native applications. Due to such a massive attack, deobfuscators were created for many tools, often integrated and supporting many types of security.

de4dot

de4dot is the most known .NET deobfuscator for many types of protections. Its development has been abandoned, but since it’s open-source and a solid base for future developments of any .NET deobfuscator, it has been modified and improved by independent developers and you find many new flavors supporting new protections.

Image for post
Image for post

You can download the original version from — https://github.com/0xd4d/de4dot/downloads

Summary

The current state of the .NET protections may initially be frightening and discourage further analysis (with many advanced obfuscators using virtualization), but as you can see there are many tools that can make our lives easier.

I deliberately didn’t describe here ready-made unpackers, which can be easily found by yourself, because they don’t always work, and then it’s worth knowing how to cope without their help.

If I come across any interesting tool I will add it to the article, and if you know something interesting to analyze the .NET application — describe it in the comments and I will be happy to add a description to the article.

Many more reversing tools, some rare ones

More complete list of reverse engineering tools, also for native x86/x64 binaries, with many alternative versions and some rare gems available in my article:

🔥 Reverse Engineering Tools Review

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store