Reverse engineering tools for .NET applications

The set of tools for .NET reverse engineering is very different from classic tools used for the reversing of native x86 / x64 applications in PE (Windows EXE/DLL Portable Executable) or ELF (Linux Executable and Linkable Format) formats.

The different code architecture made it necessary to create a whole range of dedicated tools for .NET executable files. I will try to present some of them that may be useful in software reversing.

Decompilers

dnSpy

It has it all. You can even edit compiled .NET code in its high-level C# form; dnSpy will recompile it and replace the patched method. You can also decompile entire projects into Visual Studio-compatible source code solutions.

dnSpy debugger in action

What’s most important, it’s frequently updated and it’s free to use.

Homepage — https://github.com/0xd4d/dnSpy

.NET Reflector

It was the best-known decompiler, and more than just a decompiler: thanks to its many plugins it can, for example, modify binary files (Reflexil plugin), debug applications (Deblector plugin), and perform many other tasks related to code analysis.

Recently .NET Reflector has lost its popularity. The project was free from the beginning, but it was taken over by Red Gate Software (by the way, the creators of the SmartAssembly obfuscator, from which one can come up with a conspiracy theory that they wanted to restrict access to one of the most popular application analysis tools). Despite initial assurances about maintaining its free status, after some time it was turned into a commercial product, with the cheapest license at $35 (now it’s even more, $100 to be exact).

Homepage — https://www.red-gate.com/products/dotnet-development/reflector/

Add-ins — https://www.red-gate.com/simple-talk/dotnet/net-tools/using-net-reflector-add-ins/

Telerik JustDecompile

Homepage — www.telerik.com/products/decompiler.aspx

IL DASM

It lets you view the file structure and disassemble the file to intermediate language (IL) code only, so it is not as handy for analysis as dnSpy or .NET Reflector.

Simple Assembly Explorer

SAE has a plug-in system and a built-in deobfuscator, which can be useful for analyzing protected applications.

If you want to learn the basics of programming in IL and modify binaries quickly and efficiently, this is the ideal tool.

Homepage — https://github.com/wickyhu/simple-assembly-explorer/releases

Dis#

Homepage — http://netdecompiler.com

Debuggers

Dotnet IL Editor (DILE)

Homepage — http://sourceforge.net/projects/dile/

Protection identifiers

DNiD

It now detects most of the protections used for .NET applications.

Download — DNiD.v0.11-Rue.rar (384 kB)

Process & memory dumpers

Some obfuscators, in addition to modifying the IL code, “wrap” the whole application in a native x86/x64 code loader, which usually decrypts the entire .NET assembly and loads it into memory only in decrypted form.

This form of protection does not allow the use of .NET tools and requires that the loaded .NET assemblies are first dumped from memory for further analysis.

.NET Generic Unpacker

Homepage — https://ntcore.com/?page_id=353

DotNetDumper

Download — DotnetDumper.zip (66 kB)

Apart from dedicated dumpers, classic memory search methods work equally well, e.g. searching process memory in OllyDbg for the signatures of .NET applications (such as “_CorExeMain” strings).
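The same search can key on PE structure instead of strings. As an added example (not from the original article or from any tool listed here), the Python code below scans a raw memory dump for PE headers whose CLR data directory is populated, which is what marks an image as a .NET assembly. The helper names and the sample dump are constructed for illustration, and the 0x1000 limit on e_lfanew is a heuristic assumption.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header
# Optional-header magic -> (offset of NumberOfRvaAndSizes, offset of data directories)
LAYOUT = {0x10B: (92, 96), 0x20B: (108, 112)}  # PE32, PE32+

def clr_directory(dump, base):
    """Return (rva, size) of the CLR directory for a PE header at base, else None."""
    if base + 0x40 > len(dump):
        return None
    (e_lfanew,) = struct.unpack_from("<I", dump, base + 0x3C)
    nt = base + e_lfanew
    if e_lfanew > 0x1000 or nt + 26 > len(dump) or dump[nt:nt + 4] != b"PE\0\0":
        return None
    opt = nt + 24  # skip 4-byte signature and 20-byte COFF file header
    layout = LAYOUT.get(struct.unpack_from("<H", dump, opt)[0])
    if layout is None or opt + layout[1] + (CLR_DIR + 1) * 8 > len(dump):
        return None
    (count,) = struct.unpack_from("<I", dump, opt + layout[0])
    rva, size = struct.unpack_from("<II", dump, opt + layout[1] + CLR_DIR * 8)
    return (rva, size) if count > CLR_DIR and rva and size else None

def find_dotnet_images(dump):
    """List (offset, clr_rva, clr_size) for each PE header with a CLR directory."""
    hits, pos = [], dump.find(b"MZ")
    while pos != -1:
        clr = clr_directory(dump, pos)
        if clr:
            hits.append((pos, *clr))
        pos = dump.find(b"MZ", pos + 1)
    return hits

def sample_header(magic, clr_rva, clr_size):
    """Constructed test data: bare PE headers only, not a loadable image."""
    count_off, dirs_off = LAYOUT[magic]
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, count_off, 16)
    struct.pack_into("<II", opt, dirs_off + CLR_DIR * 8, clr_rva, clr_size)
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed dump: padding, a native header, then PE32 and PE32+ headers with CLR data
SAMPLE_DUMP = (b"\xCC" * 0x200 + sample_header(0x10B, 0, 0) + b"\x00" * 0x100
               + sample_header(0x10B, 0x2008, 0x48) + sample_header(0x20B, 0x2000, 0x48))
```

A hit only tells you where an image header sits in the dump; the image carved from that offset may still need repair before .NET tools will open it.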

Memory dump fixers

Universal Fixer

Download — Universal_Fixer.zip (31 kB)

Project site — http://forum.tuts4you.com/topic/25376-universal-fixer/

Deobfuscators

de4dot

You can download the original version from — https://github.com/0xd4d/de4dot/downloads

Summary

I deliberately didn’t describe ready-made unpackers here. You can easily find them yourself, but they don’t always work, and then it’s worth knowing how to cope without their help.

If I come across any interesting tool I will add it to the article, and if you know of something interesting for analyzing .NET applications, describe it in the comments and I will be happy to add a description to the article.

Developer behind PELock software protection system, author of reverse engineering articles.