Reverse engineering tools for .NET applications
The set of tools for .NET reverse engineering is very different from classic tools used for the reversing of native x86 / x64 applications in PE (Windows EXE/DLL Portable Executable) or ELF (Linux Executable and Linkable Format) formats.
Different code architecture forced to create a whole range of dedicated tools for .NET executable files, I will try to present some of them that may be useful in software reversing.
What’s the purpose of a decompiler? .NET applications are compiled to a pseudo-code in CIL (Common Intermediate Language) format. When run, it’s interpreted, jitted, and executed by the .NET runtime library. With a decompiler, you can transform this pseudo-code back to high-level code in your chosen or favorite language, e.g. C#, VB#, etc.
The new king on the .NET reverse engineering playground. An all-around tool that supports decompilation, simple deobfuscation, modification and debugging of .NET applications.
It has it all. You can even edit any .NET compiled code in its high-level C# form, it will recompile it and replace the patched method. You can recompile entire projects into Visual Studio compatible source code solutions.
What’s most important, it’s frequently updated and it’s free to use.
Homepage — https://github.com/0xd4d/dnSpy
For years it was the first and basic tool that most reverse engineers used for .NET applications reversing, the famous .NET Reflector.
It was the best-known decompiler and not only because thanks to the whole number of plugins it allows e.g. to modify binary files (Reflexil plugin), debug applications (Deblector plugin) and many other activities related to code analysis.
Recently .NET Reflector lost its popularity because the project was free from the beginning, but after it was taken over by Red Gate Software (by the way, the creators of the SmartAssembly obfuscator, from which one can come up with a conspiracy theory that they wanted to restrict access to one of the most popular application analysis tools) and initial assurances about maintaining its free status, after some time it was transformed into a commercial version, with the cheapest license for $35 (now it’s, even more, $100 to be exact).
Free decompiler from Telerik, rather for undemanding users, because the number of available options (or lack of them) will not knock you on your knees, you cannot even look through the code in the form of IL, not to mention other things, there are only decompiler and reference search engine.
It’s also worth mentioning about this tool, although my experience shows that it’s rather little used, it’s a Microsoft .NET binaries disassembler included in the .NET SDK and delivered with Visual Studio.
It allows viewing the file structure and disassembling to the transition code, so it is not as handy for analysis as dnSpy or .NET Reflector.
Simple Assembly Explorer
This is another disassembler and editor, but more advanced than the IL DASM, with a lot of options to easily modify the IL code, copy instructions, cut out, all very handy, it’s been my favorite when it comes to modifying .NET binary files for some time.
SAE has a plug-in system and a built-in deobfuscator, which can be useful for analyzing protected applications.
If you want to learn the basics of programming in IL, modify binaries quickly, and efficiently this is the ideal tool.
Dis# is a relatively unknown decompiler, perhaps due to the fact that it is a commercial tool, the project hasn’t been updated for a long time, but it can be treated as a curiosity as it has some interesting features like a built-in deobfuscator, code editor allowing to easily rename functions, variables, etc.
Homepage — http://netdecompiler.com
My observations and experience show that most of the analysis related to .NET can be solved statically (as opposed to native applications), but also here it may be useful to debug the code being executed.
Dotnet IL Editor (DILE)
Dile is an easy to use debugger for .NET applications, a bit like the Visual Studio debugger.
Homepage — http://sourceforge.net/projects/dile/
For .NET there is an equivalent PEiD called DNiD.
It now detects most of the protections used for .NET applications.
Download — DNiD.v0.11-Rue.rar (384 kB)
Process & memory dumpers
.NET applications are nowadays rarely distributed in a pure form after compilation because thanks to tools such as dnSpy it is practically equivalent to open source distribution and in most cases, obfuscators are used for protection purposes.
Some of the obfuscators, in addition to modifying the IL code, “wraps” the whole application into a native x86/x64 code loader, which usually decrypts the entire .NET assembly and only loads it into memory in decrypted form.
This form of protection does not allow the use of .NET tools and requires that the loaded .NET assemblies are first dumped from memory for further analysis.
.NET Generic Unpacker
The project was developed by Daniel Pistelli (he worked for some time on the famous IDA disassembler at HexRays), a generic as the name suggests a dumper that can detect an image of the .NET executable file in memory despite an external native loader.
Homepage — https://ntcore.com/?page_id=353
The easy-to-use dumper, which also has support for dumping several types of security features from file memory, can generally handle most native security features.
Download — DotnetDumper.zip (66 kB)
Apart from dedicated dumpers, classic memory search methods work equally well, e.g. in OllyDbg for .NET signatures of applications (e.g. “_CorExeMain” strings).
Memory dump fixers
After the .NET file has been dumped from the memory, it is often unusable for analysis in tools such as the .NET Reflector, this is due to changes most often made by obfuscators to make analysis even more difficult. The images of files that have been dumped in this way should be fixed.
Download — Universal_Fixer.zip (31 kB)
Project site — http://forum.tuts4you.com/topic/25376-universal-fixer/
The number of obfuscators available on the market is huge, I can safely say that it outstrips the number of security tools available for native applications. Due to such a massive attack, deobfuscators were created for many tools, often integrated and supporting many types of security.
de4dot is the most known .NET deobfuscator for many types of protections. Its development has been abandoned, but since it’s open-source and a solid base for future developments of any .NET deobfuscator, it has been modified and improved by independent developers and you find many new flavors supporting new protections.
You can download the original version from — https://github.com/0xd4d/de4dot/downloads
The current state of the .NET protections may initially be frightening and discourage further analysis (with many advanced obfuscators using virtualization), but as you can see there are many tools that can make our lives easier.
I deliberately didn’t describe here ready-made unpackers, which can be easily found by yourself, because they don’t always work, and then it’s worth knowing how to cope without their help.
If I come across any interesting tool I will add it to the article, and if you know something interesting to analyze the .NET application — describe it in the comments and I will be happy to add a description to the article.
Many more reversing tools, some rare ones
More complete list of reverse engineering tools, also for native x86/x64 binaries, with many alternative versions and some rare gems available in my article: